Information Security Policy

(Sole Proprietor)

Last updated: January 22, 2026

Chapter 1: General Provisions

Article 1 (Purpose)

This policy establishes the basic principles and operational guidelines for information security in business operations as a sole proprietor, aiming to ensure proper management and protection of confidential and personal information.

Article 2 (Scope)

This policy applies to information assets (confidential and personal information) handled by Susumu Tomita (hereinafter "the Operator") in business operations. When external collaborators (subcontractors, etc.) are engaged, the Operator requires them to maintain equivalent management standards.

Article 3 (Definitions)

  • "Confidential information" refers to trade secrets, technical information, customer information, and other non-public information disclosed by clients.
  • "Personal information" refers to information as defined in Article 2 of the Act on the Protection of Personal Information.
  • "Personal data" refers to personal information that constitutes a personal information database.

Chapter 2: Basic Security Principles

Article 4 (Basic Principles)

  • The Operator appropriately protects information assets and strives to maintain and improve information security.
  • The Operator complies with legal and contractual requirements.
  • The Operator continuously improves knowledge and skills related to information security.
  • The Operator establishes preventive measures and rapid response systems for information security incidents.

Chapter 3: Personal Information Protection

Article 5 (Privacy Policy)

  • The Operator establishes and publishes a Privacy Policy on the website.
  • The Privacy Policy includes purposes of use, third-party disclosure, procedures for disclosure/correction/deletion requests, and contact information.

Article 6 (Proper Handling of Personal Data)

  • Personal data is acquired through lawful and fair means.
  • Personal data is used within the scope of specified purposes.
  • Personal data is stored only for necessary periods with appropriate security measures.
  • Third-party disclosure of personal data is limited to cases required by law or with consent.

Article 7 (Disposal of Personal Information)

Disposal of personal information (return, deletion, erasure, destruction, etc.) follows these rules:

  • Electronic data: Completely erased using irreversible methods
  • Paper media: Disposed of by shredding or dissolution
  • Storage media: Physically destroyed or processed by specialized vendors

Article 8 (Regular Review)

  • Self-audits of personal information handling are conducted at least annually.
  • Necessary improvements are implemented based on audit results.

Chapter 4: Access Management

Article 9 (Access Rights Management)

  • Access rights to files, systems, and databases containing confidential or personal information are limited to what is necessary for business operations.
  • Access rights are configured based on the principle of least privilege.
  • Access rights are promptly revoked or disabled upon project or contract completion.

GitHub Operations:

  • Repositories containing client information are set to Private by default
  • Repositories or organizations are separated by client
  • Secrets (API keys, credentials, etc.) are managed via GitHub Secrets or 1Password, never hardcoded
  • Client information is logically separated from personal projects; client-specified requirements (managed accounts, etc.) take priority

Article 10 (Access Logs and Authentication)

  • Multi-factor authentication (MFA/2FA) is required for critical services (GitHub, Google, AWS, etc.).
  • Passwords are strong and unique per service (password manager recommended).
  • Suspicious login attempts or access are promptly investigated and addressed.
  • Where possible, security notifications (suspicious logins, authentication changes, access token issuance, etc.) are enabled and regularly reviewed.

Chapter 5: Physical Security

Article 11 (Work Environment)

  • Work involving sensitive information is performed in environments protected from shoulder surfing.
  • Handling of confidential information in public places is minimized, with privacy screens used when necessary.

Article 12 (Clear Desk / Clear Screen)

  • Computer screens are locked when stepping away.
  • Paper documents containing confidential or personal information are stored in locked locations or properly disposed of after use.

Chapter 6: Technical Security

Article 13 (Malware Protection)

  • Business devices have OS-standard or reputable malware protection enabled.
  • OS and applications are kept up to date (automatic updates recommended).
  • Suspicious emails, files, and links are not opened.

Article 14 (Network Security)

  • Home network routers are configured with appropriate passwords, and their firmware is kept current.
  • Vulnerability information is monitored, and vulnerabilities affecting the software and services in use are promptly addressed.

Article 15 (Remote Access)

  • VPN is used when accessing confidential information from untrusted networks (public Wi-Fi, etc.).
  • Client-specified remote access methods are followed when applicable.

Chapter 7: Device Management

Article 16 (Business Device Management)

Business devices are managed by the Operator and must meet the following requirements:

  • Storage encryption (FileVault / BitLocker, etc.)
  • Auto-lock (short timeout) with strong authentication (biometrics + passcode, etc.)
  • Automatic OS / browser updates
  • Malware protection (including OS built-in features)
  • MFA for critical services (GitHub, Google, etc.)
  • Remote lock/wipe capability (Find My Mac, etc.)

In case of device loss or theft, remote lock/wipe is immediately executed and the client is notified.

Article 17 (External Information Sharing)

External sharing of confidential or personal information (email forwarding, cloud storage sharing, chat attachments, etc.) is limited to what is permitted by client instructions and contracts.

When sharing is necessary, the following measures are taken:

  • Encryption or password protection
  • Access restrictions (specific recipients only)
  • Expiration dates
  • Prompt deletion after purpose is fulfilled

Chapter 8: Self-Audit

Article 18 (Regular Self-Audit)

The Operator conducts self-audits at least annually on compliance with this policy, applicable laws, and client requirements, making improvements as necessary.

Chapter 9: Incident Response

Article 19 (Incident Response Procedures)

When information security incidents (data leaks, unauthorized access, malware infection, device loss, etc.) occur or are suspected, the following procedures are followed:

  • Initial Response: Take measures to prevent spread (network disconnection, device isolation, password changes, remote lock, etc.)
  • Investigation/Analysis: Investigate causes and identify scope of impact
  • Reporting: Prioritize reporting to the client; reporting to regulatory authorities or affected individuals is conducted per legal requirements, contracts, and client instructions (or performed by the client)
  • Recovery: Restore systems and implement security enhancements
  • Prevention: Develop and implement recurrence prevention measures based on root cause analysis

Chapter 10: Liability

Article 20 (Liability for Violations)

If this policy is violated and information leakage occurs due to intent or gross negligence, the Operator bears responsibility under applicable contracts and laws, including for damages, contract termination, and recurrence prevention measures.

Chapter 11: Exclusion of Anti-Social Forces

Article 21 (Basic Policy)

  • The Operator severs all relationships with anti-social forces.
  • Unreasonable demands from anti-social forces are firmly refused.
  • No business transactions are conducted with anti-social forces.
  • No funding or benefits are provided to anti-social forces.

Article 22 (Verification and Response)

  • Business partners are verified at contract initiation and periodically to ensure they are not anti-social forces.
  • Contact from anti-social forces is reported to police and handled in coordination with external experts.

Chapter 12: Consent to Third-Party Disclosure

Article 23 (Information Disclosure to Third Parties)

The Operator consents to providing personal information to clients when necessary for business operations. This includes identity verification documents, certifications, and other documents required for business execution.

Chapter 13: Identity Verification

Article 24 (Submission of Identity Documents)

When clients request identity verification documents (driver's license, My Number Card, etc.) or other necessary documents for contract execution, the Operator complies with such requests.

Chapter 14: Miscellaneous

Article 25 (Amendments)

This policy may be amended by the Operator as necessary. Amendment history is reflected in the last updated date on this page.

Article 26 (Effective Date)

This policy is effective from January 22, 2026.

Contact

For inquiries regarding this policy, please contact us at:

oyster880@gmail.com