Data Privacy and
Information Security

Basic Concept

Our services facilitate the management and use of data that includes private customer information, such as information on companies and individual users. We position the handling and protection of personal information and other vital information assets as our most critical management concern. Convenience and security often come into conflict when developing cloud services, yet it is vital to maintain the best possible balance between the two while increasing efficiency and productivity. Balancing security and convenience is a premise of our corporate philosophy. In addition to ensuring convenience, we minimize security risks by having all officers and employees take every possible measure to protect data privacy and information security, so that we can provide highly secure services on a stable basis.

Major Initiatives

Security Management System

In our security system, so that we can respond quickly and comprehensively to privacy and security risks, directors themselves assume the roles of CISO*1, DPO*2, and Personal Information Protection Manager. We have also set up an Information Security Department dedicated to information security and cybersecurity across our group. The Information Security Department performs the function of a CSIRT*3 and also operates an in-house SOC*4 that regularly monitors and analyzes threats. In addition, we have set up a product security team to strengthen the security of our products and address vulnerabilities. Since our founding in 2007, we have maintained a Personal Information Protection Management System as a data protection measure, establishing an environment for handling such protection within the company. We have also built a system that continually monitors key data by fully leveraging the latest security technology.
The Information Security Department and the persons responsible for developing each product report directly to the CISO and are under his supervision. The CISO participates in management meetings to regularly report on security and risk status, and makes important decisions on information security and cybersecurity at the management level. The CISO has also established an information security and privacy committee as his advisory body, and meets every two weeks with the Head of the Information Security Department and the Head of General & Legal Affairs in charge of privacy compliance to analyze threats in the environment surrounding the Company, take measures against them, and consider and review various risk control measures.

  1. *1 CISO: Chief Information Security Officer
    This role has responsibility and authority for the security and risk management of information systems. The person oversees policies and management methods for information security risks.
  2. *2 DPO: Data Protection Officer
    This role’s main duty is to monitor compliance with the EU General Data Protection Regulation (GDPR). The person oversees the organization’s management activities regarding data protection in accordance with legal regulations.
  3. *3 CSIRT: Computer Security Incident Response Team
    It is a team that gathers information on events that potentially threaten information security and system vulnerabilities, monitors signs of cyberattacks and other risks, and formulates response measures and procedures.
  4. *4 SOC: Security Operation Center
    SOC monitors networks and systems at all times to collect and analyze data logs and proposes measures in the event of an incident.
System Chart
Career summary of Kenji Shiomi, the CISO

Kenji Shiomi

Kenji Shiomi, who serves as CISO, co-founded the Company in 2007 and has consistently led the development of its products since then. Now, as Engineering Division Head, he draws on his abundant experience and expertise to oversee the engineering organization. He also serves as CEO of Sansan Global Development Center, Inc., our overseas subsidiary, where he focuses on building a diverse organization.
In 2023, he assumed the position of Chief Information Security Officer (CISO). Since then, he has worked to enhance security across our group by strengthening product security, promoting a zero trust security model, and taking the lead in the event of an incident. He also contributes to raising the security level of the entire industry by speaking at external conferences. Furthermore, to promote the protection of data privacy and compliance as Data Protection Officer (DPO), he has developed and implemented data protection strategies for the entire organization and leads our group in terms of both security and privacy.

Establishment and Objectives of Regulations

We are strengthening our management and control systems against anticipated risks such as information leakage and cyberattacks by establishing regulations and rules on information security and providing guidelines for each service. The regulations, rules, and guidelines are reviewed annually to keep them up-to-date.

Regulations for the protection of personal information

The regulations stipulate procedures for appropriate handling of personal information in order for the Company to meet JIS Q 15001.

Rules on management of information systems

The rules stipulate the procedures on information system management operations handling our information assets.

Rules on information asset management

The rules stipulate the procedures on information asset management in order to properly and safely manage information assets and effectively use them.

List of rules on technical safety management of information systems

They stipulate the rules on technical safety management of information systems.

Guidelines on product security

They stipulate the guidelines for each service on security functions to be included and their operations.

Strengthening the Management of Personal Information

We are taking the following measures in response to the revision, enactment and enforcement of laws regarding the protection of personal information in various countries.

In line with the amendment of the Act on the Protection of Personal Information, we have revised our internal rules, including our basic regulations for the protection of personal information, and changed and tightened the relevant procedures.

We take safety management measures for the protection of personal information in our overseas subsidiaries while understanding the related systems in Singapore, the Philippines, and Thailand where the subsidiaries are located.

As for overseas contractors, we have conducted surveys on legal systems in more than 30 countries such as the Philippines, Myanmar, Vietnam, Bangladesh, and Thailand to evaluate safety management measures of the contractors from organizational, human, physical, and technical perspectives.

Education on Information Security

We promote correct understanding of the Act on the Protection of Personal Information and the safe management of the information among all officers and employees through various measures to raise company-wide security awareness.

Acquisition of Certification as a Protection of Individual Information Person

All officers and employees must acquire Protection of Individual Information Person qualifications. Salary increases are, in principle, suspended if an employee does not pass the exam after a certain period.

Regular Learning Opportunities

Information security and personal information protection training is provided upon hiring and then annually.

Raising Awareness of Officers and Employees

The Director serving as CISO updates all our officers and employees monthly on security initiatives and topics.

Ensuring Strict Information Asset Handling Procedures

Clarifying the classification of information assets according to confidentiality, we define management measures based on the risk of each category. To ensure the implementation of management measures, security committee members are appointed from among employees to conduct mutual security auditing.

Ensuring and Developing Security Personnel

Ensuring Security Personnel
Hiring Dedicated Security Personnel

We globally recruit human resources by evaluating security knowledge, skills, experience, responses, and expertise in specific areas.

Training Dedicated Security Personnel Internally

We select persons who have specialized knowledge, experience, and excellent skills in specific areas and who are expected to cover a wide range of security areas, and develop their expertise through one-on-one on-the-job training (OJT) by experts.

Engineers who Serve on CSIRT

Some of the engineers who build and operate our services also serve on the CSIRT. The aim is to strengthen security awareness through their day-to-day work and to develop security personnel who can implement necessary and sufficient security measures while gaining hands-on experience.

Developing Advanced Security Personnel
Personnel Development System

We encourage our employees to get advanced security certifications designated by the Company as part of efforts to secure advanced security personnel and to promote knowledge acquisition through self-learning.

Holders of Advanced Security Certifications*5 (as of May 31, 2024): 9 people
Personnel Development through On-the-Job Training (OJT)

We develop personnel until they are able to independently carry out their security-related roles within the Company while experiencing one-on-one on-the-job training (OJT) by experts.

  1. *5 We aggregate the number of holders of security advanced certifications in the Information Security Department. The certifications include the following:
    RISS (Registered Information Security Specialist)
    CISSP (Certified Information Systems Security Professional)
    CEH (Certified Ethical Hacker)
    OSCP (Offensive Security Certified Professional)
    CISA (Certified Information Systems Auditor)
    CISM (Certified Information Security Manager)

Third-Party Certifications

We are committed to obtaining third-party security-related certifications and have received various accreditations.

PrivacyMark

The operation of our personal information protection management system (PMS) is assessed against the criteria specified by “JIS Q 15001: 2017 Personal Information Protection Management System – Requirements.” We obtained the PrivacyMark in 2007. Through the PMS, we work to strengthen our management system by minimizing the risk of personal information breaches, developing the structure and response procedures for incidents, responding appropriately to emergencies, and implementing measures to prevent recurrence.

ISO/IEC 27001 and ISO/IEC 27017

We have acquired ISO/IEC 27001 certification, an international standard for information security management systems and ISO/IEC 27017 certification, an international standard for cloud security applicable to cloud service provision and use. Sansan aims to acquire ISO/IEC 27701 certification and is building a world standard privacy protection management system.

Legal Requirements for Electronic Transaction Software Certification

The Japan Image and Information Management Association administers the Legal Requirements for Electronic Transaction Software Certification System. The certification checks whether software and software services that create and electronically exchange national tax-related documents meet the requirements of Article 7 of the Electronic Book Storage Act. In April 2022, Bill One and Contract One obtained certification under criteria of the 2021 revision and later.

Defense System against Threats

We have built a robust system to support defense and monitoring activities in order to combat increasingly complex cybersecurity and information security threats and to provide safe and secure services to the users who entrust us with their important data.
We have adopted a defense-in-depth architecture that includes network communication control, and have established a system in which our SOC promptly investigates and responds to abnormalities detected by the EDR*6 installed on each terminal. In addition, the newly established Product Security Team works to build security into each service consistently from the development stage. We have also set up a CSIRT and developed a system to ensure an immediate response to any incident.

24/7 Monitoring Activities by Internal and External SOCs

We work with external vendors to conduct 24/7 monitoring activities against cyberattacks and make quick investigation and response of abnormalities when detecting them. We also conduct monitoring activities to prevent unauthorized access to internal information equipment.

Conducting Regular Vulnerability Assessments and Penetration Testing

We test and strengthen the security level of each service and of our systems by having ethical hackers from outside agencies conduct deliberate, authorized attacks against the company. Penetration testing is also conducted in the internal environment, and officers and employees receive training on targeted attack emails and on BCP*7.

Number of Vulnerability Assessments and Penetration Tests Conducted by Outside Security Specialists (Unit: times)

                          FY2020  FY2021  FY2022  FY2023
Vulnerability Assessment       1       1       1       1
Penetration Testing            1       1       1       1
Vulnerability Assessment Results
Penetration Testing Results
  1. *6 EDR: Endpoint Detection and Response
    EDR is a technology to continuously monitor and respond to threats at terminals and devices such as PCs and servers connected to communication networks.
  2. *7 BCP: Business Continuity Plan

Technical Initiatives

We implement a variety of security measures, including vulnerability assessments, which third-party organizations and specialized in-house departments perform.

Encryption of All Data Center Transmissions

All external transmissions to our data center are encrypted using HTTPS, and access requires user authentication.

Images Deleted from Device After Scanning

After business cards, invoices, and other paper documents are scanned, the image data is deleted from the device.

High Service Availability

All our servers are load-balanced through redundant network equipment, so services can be promptly restored in the event of a failure. In addition, our data centers are configured redundantly to minimize the risk of functional and service outages in the event of a disaster.

Adopting Zero Trust Security

We have adopted zero trust security across the company so that work can be done safely both inside and outside the internal network, by verifying every mechanism through which the information assets to be protected can be accessed. As part of this, we are building an environment that applies zero-trust-based management measures so that employees can work from any location. The key functions include the following:

  • An IDaaS*8 (our integrated authentication infrastructure) provides secure authentication under a unified security policy whenever internal systems are accessed.
  • EDR on every endpoint detects malware and other intrusion activity and stops it from continuing.
  • UEBA*9 detects unusual behavior, allowing us to quickly identify and respond to unknown attacks that are not covered by our existing rules.
  • A SIEM*10 infrastructure collects a wide range of logs to detect abnormalities, giving us early detection of the signs of an attack on our servers and the ability to block it.
  • Disk encryption on terminals protects information assets.
  • Information on terminals is continuously backed up to the cloud while online. In the event of loss or theft, terminals are locked and their data is deleted remotely.
  1. *8 IDaaS: Identity as a Service
    The IDaaS technology provides services that allow integrated management of ID authentication, single sign-on (SSO), and access control as well as IDs and passwords registered for multiple services.
  2. *9 UEBA: User and Entity Behavior Analytics
It is a cybersecurity technology that builds a baseline of normal user and entity behavior (for example login, access, and network traffic patterns) and applies advanced analytics to detect deviations from it.
  3. *10 SIEM: Security Information and Event Management
    It is a technology that identifies security threats and problems at an early stage by consolidating logs of IT devices such as security and network devices, and analyzing them in real time.

Initiatives to Address Risks

We have established the standard for risk assessment to perform risk assessment and management.

Step 1: Assess the likelihood of risks

Risk likelihood is assessed from “threat agent factors” and “vulnerability factors.” The likelihood (the probability that the risk materializes) is calculated quantitatively and evaluated on three levels: high, medium, and low.

Step 2: Assess factors to anticipate risk impact

Risk impact is assessed from “technical impact factors considering confidentiality, integrity, and availability” and “business impact factors.” The impact (the magnitude of harm if the risk materializes) is calculated quantitatively and evaluated on three levels: high, medium, and low.

Step 3: Assess severity and manage risks

Risk severity is assessed by combining the likelihood and impact values calculated in Steps 1 and 2. Risks are classified as critical, high, medium, low, or info, and risk acceptance decisions are made and managed on that basis.
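The three steps above can be carried through end to end as a small calculation. The following is an added example and not the Company's own tooling: the page names the factor groups and the output scales but not its scoring formula, so the 0-9 factor scale, the averaging, the level thresholds, the severity matrix and the acceptance rule are all assumptions borrowed from the OWASP Risk Rating Methodology, and the finding it scores is constructed and hypothetical.

```python
"""Three-step risk rating in the shape the page describes.

Added example, not the company's own tooling. Everything numeric here is an
assumption: factors are scored 0-9 and averaged, as in the OWASP Risk Rating
Methodology, and the page's "info" class is taken to be OWASP's "note" cell.
"""
from dataclasses import dataclass
from statistics import mean


def level(score: float) -> str:
    """Map an averaged 0-9 score to the three-level scale of Steps 1 and 2.

    Thresholds (<3 low, <6 medium, else high) are the OWASP ones (assumption).
    """
    if score < 3:
        return "low"
    if score < 6:
        return "medium"
    return "high"


@dataclass
class Finding:
    """One risk with its factor scores. Factor names are illustrative."""
    name: str
    threat_agent: dict[str, int]   # Step 1: who might attack and how capable they are
    vulnerability: dict[str, int]  # Step 1: how easy the weakness is to find and exploit
    technical: dict[str, int]      # Step 2: loss of confidentiality, integrity, availability
    business: dict[str, int]       # Step 2: financial, reputational, compliance, privacy harm


def likelihood(f: Finding) -> float:
    """Step 1: probability that the risk materializes (averaged factor scores)."""
    return mean([*f.threat_agent.values(), *f.vulnerability.values()])


def impact(f: Finding) -> float:
    """Step 2: magnitude of harm if it does (averaged factor scores)."""
    return mean([*f.technical.values(), *f.business.values()])


# Step 3: (likelihood level, impact level) -> severity class (assumed matrix).
SEVERITY = {
    ("low", "low"): "info",    ("medium", "low"): "low",       ("high", "low"): "medium",
    ("low", "medium"): "low",  ("medium", "medium"): "medium", ("high", "medium"): "high",
    ("low", "high"): "medium", ("medium", "high"): "high",     ("high", "high"): "critical",
}


def severity(likelihood_level: str, impact_level: str) -> str:
    return SEVERITY[(likelihood_level, impact_level)]


def decision(sev: str) -> str:
    """Illustrative acceptance rule (assumption): treat anything medium or above."""
    return "accept" if sev in ("info", "low") else "treat"


def assess(f: Finding) -> dict:
    """Run Steps 1-3 and return every intermediate value for the risk register."""
    l_score, i_score = likelihood(f), impact(f)
    l_level, i_level = level(l_score), level(i_score)
    sev = severity(l_level, i_level)
    return {
        "name": f.name,
        "likelihood_score": l_score, "likelihood": l_level,
        "impact_score": i_score, "impact": i_level,
        "severity": sev, "decision": decision(sev),
    }


# Constructed, hypothetical finding used only to exercise the calculation.
EXAMPLE = Finding(
    name="hypothetical: no rate limit on a login endpoint",
    threat_agent={"skill": 3, "motive": 6, "opportunity": 9, "size": 9},
    vulnerability={"discovery": 7, "exploit": 5, "awareness": 9, "detection": 3},
    technical={"confidentiality": 6, "integrity": 1, "availability": 5, "accountability": 1},
    business={"financial": 3, "reputation": 5, "non_compliance": 5, "privacy": 7},
)

if __name__ == "__main__":
    for key, value in assess(EXAMPLE).items():
        print(f"{key:>17}: {value}")
```

For the constructed finding the averaged likelihood is 6.375 (high) and the averaged impact 4.125 (medium), which the matrix rates "high" and the illustrative rule sends to treatment rather than acceptance. Keeping the intermediate scores in the returned record, rather than only the final class, is what lets a later review see why two findings with the same severity were treated differently.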

Initiatives and Principles of Information Security Department

Balancing security and convenience is a premise of our corporate philosophy. In addition to ensuring convenience, the Information Security Department minimizes security risks by implementing measures that ensure our officers and employees maintain data privacy and information security, and aims to provide highly safe and stable services. Its vision is to lead the SaaS industry. It also pursues improvement of the security level of the entire industry, not only by raising the Company's security level to the highest in the industry, but also by actively sharing best practices and lessons learned both internally and externally.
In 2023, we established the Product Security Team as a new initiative. In the development process of each service and function, the security team is involved not only in vulnerability assessments at the final testing stage but also in the design process from the earliest stages, under the concept of Security by Design*11, with the aim of building safe and secure services free of vulnerabilities. In addition, our annual penetration test in 2023 was completed without permitting virtually any intrusion. Accordingly, we are proud that our detection and protection capabilities are among the best in the industry, with even the most prominent white hat hackers in Japan unable to break into our systems.
Since the COVID-19 pandemic, security risks have increased across society as a whole as companies rapidly pursue digital transformation (DX). Strong security not only reassures customers and business partners, but is also essential to the development of the digital society and brings great benefits to society as a whole, beyond the boundaries of individual companies. We will promote proactive security measures and continue to provide safe and reliable services. We believe that these initiatives will support DX across society and become a driving force for creating a sustainable future.

  1. *11 Security by Design refers to an approach to ensure product security from the planning and designing stages.