Sansan, Inc. (“the Company;” TSE Prime: 4443), a provider of AX services that change the way people work, announces that it has received a one-star rating for the second consecutive year in the Cyber Index Corporate Survey 2025 conducted by the Information Technology Federation of Japan (the “ITrenmei”).

This survey evaluates companies in the Nikkei 500 Component Index for their commitment to cybersecurity, and commends companies that demonstrate excellent initiatives and information disclosure. The one-star rating this time is in recognition of the Company’s security management systems, enhanced employee training, and initiatives in data privacy protection systems.

■Cyber Index Corporate Survey 2025
The Cyber Index Corporate Survey (*1) is conducted by ITrenmei to survey companies included in the Nikkei 500 Stock Average on their cybersecurity initiatives, with the aim of promoting information disclosure regarding cybersecurity measures by private companies. It aggregates disclosed information such as securities reports and corporate governance reports, along with questionnaire and diagnostic tool survey results, and commends companies that demonstrate an outstanding commitment and information disclosure. This year, 18 companies with particularly outstanding ongoing efforts were awarded two stars, and 54 companies with outstanding efforts were awarded one star.

■Basic approach to information security and data privacy
Because the services provided by the Company facilitate the management and utilization of various user data, the handling and protection of information is the most important management issue (materiality) (*2). Moreover, considering the advancement of data utilization and trends in related laws and regulations, the protection of data privacy is also positioned as an important management issue.

In many cases, security and convenience in cloud services are contradictory. However, the Company views it as important to achieve a high-level balance between these two aspects while managing and utilizing internal data and designing provided services, and it has set balancing security and convenience as a premise for conducting business activities in its corporate philosophy. It aims to minimize risk and provide highly secure services by ensuring convenience and taking all possible measures to protect data privacy and information security.

■Main initiatives regarding information security and data privacy

(1) Security management system with monitoring 24 hours a day, 365 days a year
To enable rapid and comprehensive response to privacy risks and security risks, directors themselves serve as CISO (Chief Information Security Officer), DPO (Data Protection Officer), and Personal Information Protection Managers. There are regular reports on security and risk status at management meetings, and important decisions regarding information security and cybersecurity are made at the executive level.
In addition, the Information Security Department has the function of CSIRT (*3) and also operates in-house SOC (*4) to regularly monitor and analyze threats. A product security team has also been established to strengthen the security of the Company’s products and address vulnerabilities.

(2) Security training, including mandatory acquisition of the “Protection of Individual Information Person” certification
All officers and employees must acquire the “Protection of Individual Information Person” certification. Salary increases are, in principle, suspended if an employee does not pass the exam after a certain period.
In addition, training on information security and personal information protection is conducted for all officers and employees, and topics on security are presented by the CISO at company-wide meetings as part of efforts to promote a correct understanding of the Act on the Protection of Personal Information and safety management through regular employee education opportunities, thereby enhancing security awareness company-wide.

(3) Strengthening privacy and security systems through ISMAP-LIU accreditation and ISMS-PIMS certification
The business database Sansan is a service that centrally manages and utilizes a variety of data, including business cards and other customer contact information and business meeting history, as corporate assets. Based on these characteristics, in order to strengthen the system to properly manage and protect data containing personal information, the Company was certified as the first ISMAP-LIU in 2024 under the newly established ISMAP, a government-run security evaluation system for cloud services (*5). Furthermore, in 2025, in addition to the Information Security Management System (ISMS: ISO 27001), it obtained ISMS-PIMS certification based on ISO/IEC 27701, the international standard for privacy information management systems (*6). By obtaining this certification, the Company has developed and strengthened its management system and operational processes for the handling of personal information in line with international standards, enabling it to provide more reliable services.

Please see below for more information on the Company’s information security initiatives.

▼Data privacy and information security
https://www.corp-sansan.com/sustainability/society/information-security/

▼Annual Report 2025
https://ir.corp-sansan.com/en/ir/library/report.html

The Company will continue to provide services that combine a high level of safety and convenience, and strive for the enhancement of sustainable corporate value.

*1: Information Technology Federation of Japan, “Release of Cyber Index Corporate Survey 2025” (released on January 20, 2026)
*2: Sansan, Inc., “Sustainability Management – Material Issues, Targets and Results”
*3: Abbreviation for Computer Security Incident Response Team. It gathers information on potential information security threats, system vulnerabilities, and signs of a cyber attack and develops a response plan and steps.
*4: Abbreviation for Security Operation Center. It monitors networks and systems 24 hours a day, 365 days a year, collects and analyzes logs, and proposes countermeasures in the event of an incident.
*5: Sansan, Inc., “Sales DX Service Sansan Certified as the First Under the Government’s New Security Evaluation System ISMAP-LIU” (announced September 13, 2024)
*6: Sansan, Inc., “Sales DX Service Sansan Obtains ISMS-PIMS Certification” (announced May 30, 2025)

(End)

■About Sansan, Inc.
With its mission of “Turning encounters into innovation,” Sansan provides its namesake Sansan business database, Eight business card app for individual professionals, Bill One for cloud-based invoice management, Contract One business transaction management transaction solution, and Sansan Data Intelligence data quality management solution.

Established: June 11, 2007
Website: https://corp-sansan.com
Head office: Shibuya Sakura Stage 28F, 1-1 Sakuragaoka-cho, Shibuya-ku, Tokyo 150-6228, Japan
Capital: 7,291 million yen (as of November 30, 2025)
Business: Planning, development, and sales of cloud-based solutions that promote AI transformation and reshape how we work
Sansan 　https://jp.sansan.com/
Eight 　https://8card.net/
Bill One 　https://bill-one.com/
Contract One　https://contract-one.com/
Sansan Data Intelligence　https://jp.sansan.com/sansan-data-intelligence/

■Contact
Sansan, Inc.
IR and Sustainability Department
Mail: sustainability@sansan.com