Compliance

This policy clarifies the basic policy for building the information security management system (hereinafter referred to as ISMS) of our company, SystemSquare Corporation. We will place this document as a base for information security from now on.

" In order to comply with and thoroughly comply with the Charter of Corporate Behavior, we declare to establish, maintain and improve the Information Security Management System (ISMS). We also will establish "Information Security Basic Policy" (hereinafter referred to as basic policy) in order to ensure and maintains confidentiality, integrity and availability, and to ensure the business continuity."

Information security is defined as maintaining confidentiality, integrity, and availability of information. Confidentiality, integrity, and availability have the following meanings.

Confidentiality: A property that makes information unusable or undisclosed for unauthorized individuals, entities (eg, an organization) or processes.

Integrity: A property that protects the accuracy and completeness of assets.

Availability: A property that makes information accessable and usable when requested by an authorized entity (eg, an organization).

(1) To protect all information assets we handle, including information accumulated on business and information we received, from various threats for the sake of our customers and stakeholders.

(2) To raise awareness of information security of all employees and improve their awareness of its importance by implementing periodic information security training.

(3) To enhance the business continuity plan.

(4) To handle properly in accordance with the evaluation value of information assets.

We organize the environment (situation) surrounding our company such as internal and external issues of our organization, needs and expectations from stakeholders, and determine the scope of application of ISMS.

The scope of application shall be applied to the information assets related to all business activities under our control. For details, see "Applicable scope of information security".

Company shall establish Information Security Committee.

The Information Security Committee appoints from each division and strives to promote ISMS in each department.

Furthermore, Company shall endeavor to develop ISMS company-wide from each department.

Information security management officials will promote the implementation of the basic policy through appropriate provisions and implementation procedures. Officers and all employees (regular employees, cooperating companies, contract employees, part-time workers) must act in accordance with "Information Security Provisions" and each Information security procedure which Companyre formuated to maintain the basic policy.

They are also required to report incidents, accidents and identified Companyaknesses of the information assets.

The Information Security Committee identifies all the information assets in scope, evaluates the value of the asset, and identifies the risk by analyzing threats and vulnerabilities.

The Committee shall take optimal information security control measures for the identified risk, and aim to mitigate all the risks below the defined acceptable risk levels.

(1)Personal information protection

Company shall manage personal information in accordance with the Personal Information Protection Act.

(2)Confidential information management

Company shall manage the confidential information of customers and our company in accordance with the Unfair Competition Prevention Law.

(3)Copyright protection

Company shall manage the copyrighted work in accordance with the copyright law.

Information security awareness building activities and training shall be promoted by the Information Security Committee under the direction of top executives. Officers and employees (regular employees, cooperating companies, contract employees) are obliged to participate in education and training of information security.

If intentional acts that compromise the protection of our information assets are carried out, they are subject to disciplinary action or legal action according to penalty provisions of the employment regulations.

Company review and evaluate the basic policy in the management reviews conducted eriodically, and always try to improve to better one.