Our services facilitate the management and use of data that includes private customer information, such as that on companies and individual users. We position the handling and protection of personal information and other vital information assets as our most critical management concern. In addition, convenience and security often come into conflict in developing cloud services. Yet it is vital to maintain the best possible balance between these two elements when increasing efficiency and productivity. Balancing security and convenience is a premise of our corporate philosophy. In addition to ensuring convenience, we minimize security risks by having all employees take every possible measure to protect data privacy and information security, etc., to ensure the stable provision of highly secure services.
Our services facilitate the management and use of data that includes private customer information, such as that on companies and individual users. We position the handling and protection of personal information and other vital information assets as our most critical management concern. Having formulated policies for protecting personal information and information security, we rigorously manage information assets and take every possible measure to minimize risk. In our security system, to be able to respond quickly and in all directions to privacy and security risks, executive officers themselves assume the roles of CISO*1, DPO*2, and Personal Information Protection Manager. We have also set up the CSIRT*3, a department specializing in information security across Sansan. Since our founding in 2007, we have maintained a Personal Information Protection Management System as a measure to protect data, establishing an environment to deal with such protection within the company. We have also built a system that can continually monitor key data by fully leveraging the latest security technology.
All officers and employees must acquire certification as a Protection of Individual Information Person. Salary increases are, in principle, suspended if an employee does not pass the exam after a certain period, and until they do pass. Information security and personal information protection training is provided upon hiring and then annually. These opportunities help ensure employees correctly understand the Act on the Protection of Personal Information and have systematic knowledge of safe data management. We also have strict information asset handling procedures, and a specialized department audits each employee on internal information systems and personal information protection issues.
We are committed to obtaining third-party security-related certifications and have received various accreditations.
PrivacyMark is a system certifying that entities such as businesses have established appropriate protection measures for personal information. Certified groups can use PrivacyMark in connection with their business activities. We obtained this certification in 2007.
SOC 2 reports are performed following Trust Services Criteria established by the American Institute of Certified Public Accountants. In these reports, which are not limited to financial matters, auditors express their opinions on internal controls. Areas examined include either security, availability, processing integrity, confidentiality, or privacy. Deloitte Touche Tohmatsu LLC has issued a report on internal controls for Type 1 security at Sansan.
In May 2022, Sansan and Bill One acquired ISO/IEC 27001 certification, an international standard for information security management systems. At the same time, Sansan also acquired ISO/IEC 27017 certification, an international standard for cloud security applicable to cloud service provision and use.
The Japan Image and Information Management Association administers the Legal Requirements for Electronic Transaction Software Certification System. The certification checks whether software and software services that create and electronically exchange national tax-related documents meet the requirements of Article 7 of the Electronic Book Storage Act. In April 2022, Bill One and Contract One obtained the 2021 legal revision of the certification.
We implement a variety of security measures, including vulnerability assessments, which third-party organizations and specialized in-house departments perform.
We test and strengthen our systems’ security level by having hackers from outside agencies conduct intentional cyberattacks on our company.
All external transmissions to our data center are highly encrypted using user-authenticated HTTPS.
After business cards, invoices, and other paper documents are scanned, the image data is deleted from the device.
All our servers are load-balanced through multiplexed network equipment. Services can be promptly restored in the event of a failure. Additionally, our data centers are redundantly configured to minimize the risk of functional and service outages in the event of a disaster.