Data Privacy and Information Security

Basic Concept

Our services facilitate the management and use of data that includes private customer information, such as that on companies and individual users. We position the handling and protection of personal information and other vital information assets as our most critical management concern. In developing cloud services, convenience and security often come into conflict, yet it is vital to maintain the best possible balance between the two while increasing efficiency and productivity. Balancing security and convenience is a premise of our corporate philosophy. In addition to ensuring convenience, we minimize security risks by having all employees take every possible measure to protect data privacy and information security, so that we can provide highly secure services on a stable basis.

Major Initiatives

Security Management System

Having formulated policies for protecting personal information and for information security, we rigorously manage information assets and take every possible measure to minimize risk. So that we can respond quickly and comprehensively to privacy and security risks, executive officers themselves assume the roles of CISO*1, DPO*2, and Personal Information Protection Manager. We have also set up a CSIRT*3, a department specializing in information security across Sansan. Since our founding in 2007, we have maintained a Personal Information Protection Management System as a data protection measure, establishing an environment within the company for handling such protection. We have also built a system that continually monitors key data by fully leveraging the latest security technology.

*1 CISO: Chief Information Security Officer
This role has responsibility and authority for the security and risk management of information systems. The person oversees information security risk measures and management methods.

*2 DPO: Data Protection Officer
This role’s main duty is to monitor compliance with the EU General Data Protection Regulation (GDPR). The person oversees the organization’s management activities regarding data protection in accordance with legal regulations.

*3 CSIRT: Computer Security Incident Response Team
The CSIRT is our group that gathers information on events that potentially threaten information security and on system vulnerabilities, monitors for signs of cyberattacks and other risks, and formulates response measures and procedures.

Education on Information Security

All officers and employees must acquire certification as a Protection of Individual Information Person, and our target for the fiscal year ending May 2030 is to maintain a qualification rate of at least 80%. Salary increases are, in principle, suspended if an employee has not passed the exam after a certain period, and remain suspended until they do pass. Information security and personal information protection training is provided upon hiring and then annually. These opportunities help ensure that employees correctly understand the Act on the Protection of Personal Information and have systematic knowledge of safe data management. We also have strict information asset handling procedures, and a specialized department audits each employee on internal information systems and personal information protection issues.

Third-Party Certifications

We are committed to obtaining third-party security-related certifications and have received various accreditations.
PrivacyMark

PrivacyMark is a system certifying that entities such as businesses have established appropriate protection measures for personal information. Certified groups can use PrivacyMark in connection with their business activities. We obtained this certification in 2007.

SOC 2 Type 2

SOC 2 examinations are performed following the Trust Services Criteria established by the American Institute of Certified Public Accountants. In the resulting reports, which are not limited to financial matters, auditors express their opinions on internal controls. The areas examined are one or more of security, availability, processing integrity, confidentiality, and privacy. Deloitte Touche Tohmatsu LLC has issued a SOC 2 Type 2 report on Sansan’s internal controls relating to security.

ISO/IEC 27001 and ISO/IEC 27017

In May 2022, Sansan and Bill One acquired ISO/IEC 27001 certification, an international standard for information security management systems. At the same time, Sansan also acquired ISO/IEC 27017 certification, an international standard for cloud security applicable to cloud service provision and use.

Legal Requirements for Electronic Transaction Software Certification

The Japan Image and Information Management Association administers the Legal Requirements for Electronic Transaction Software Certification System. The certification checks whether software and software services that create and electronically exchange national tax-related documents meet the requirements of Article 7 of the Electronic Book Storage Act. In April 2022, Bill One and Contract One obtained certification under the 2021 legal revision.

Technical Initiatives

We implement a variety of security measures, including vulnerability assessments, which third-party organizations and specialized in-house departments perform.

Vulnerability Assessments by Security Specialists

We test and strengthen our systems’ security level by having external security specialists (ethical hackers from outside agencies) conduct deliberate, authorized cyberattacks against our company’s systems.

Encryption of All Data Center Transmissions

All external transmissions to our data center are encrypted over HTTPS with user authentication.

Images Deleted from Device After Scanning

After business cards, invoices, and other paper documents are scanned, the image data is deleted from the device.

High Service Availability

All our servers are load-balanced across redundant (multiplexed) network equipment, so services can be promptly restored in the event of a failure. Additionally, our data centers are redundantly configured to minimize the risk of functional and service outages in the event of a disaster.