1. Purpose

Micoworks, Inc. and its group companies (hereinafter referred to as "the Group") uses a large amount of information assets in the operation of its services and management of its employees (hereinafter referred to as “Business”), and therefore, it is essential to properly realize information security and protect information assets in order to promote business activities based on the trust of society. The Group recognizes that it is an indispensable requirement to promote corporate activities based on the trust of society as well as a serious social responsibility. Therefore, in light of the importance of information security, The Group has established this Information Security Policy (hereinafter referred to as the “Policy”) and will establish, implement, maintain, and improve an information security management system to specifically implement the Policy.

2. Definition of Information Security

Information security is defined as the maintenance of confidentiality, integrity, and availability.
(1) Confidentiality
The protection of information assets from unauthorized access and leakage to unauthorized persons (not allowing unauthorized individuals, entities, or processes to use or disclose information).
(2) Integrity
Information assets are protected from falsification or error and are maintained accurate and complete (accuracy and completeness).
(3) Availability
Information assets are protected from loss, damage, or system outage, and are available when needed (being accessible and usable by authorized entities upon request).

3. Scope

This Policy applies to all information assets under the control of the Group. The scope of information assets is not limited to electronic devices and electronic data, but includes all forms of information assets, including paper.
(1) Organization
Micoworks, Inc. and its group companies
(2) Business
Design, development, operation, and support of cloud services for enterprises to promote communication with end users.
(3) Assets
Documents, data, information systems and networks related to the above operations and various services

4. Implementation Items

In accordance with this policy and the Group’s information security management system, it will implement the following items (policy groups).
(1) Information Security Objectives
The Group will establish information security objectives that are consistent with this policy and take into account applicable information security requirements and the results of risk assessment and risk response, disseminate them to all employees, and review them from time to time in response to changes in its environment, and periodically even if there is no change.
(2) Handling of Information Assets
　a)　Access privileges will be granted only to those who need them for business purposes.
　b)　Information assets will be managed in accordance with legal and regulatory requirements, contractual requirements, and the provisions of the Group’s information security management system.
　c)　Information assets will be appropriately classified and managed based on their value, confidentiality, integrity, and availability, according to their importance.
　d)　Continuous monitoring will be conducted to ensure that information assets are properly managed.
(3)　Risk Assessment
　a)　Risk assessments will be carried out, and appropriate risk responses and control measures will be implemented for information assets deemed most critical based on the nature of the business.
　b)　The causes of incidents related to information security will be analyzed, and recurrence prevention measures will be taken.
(4)　Business Continuity Management
The Group will minimize the interruption of its Business due to disasters and technical breakdowns, and ensure business continuity.
(5)　Education
The Group will provide all employees with information security education and training.
(6)　 Compliance with Regulations and Procedures
The Group will comply with the rules and procedures of the information security management system.
(7)　Compliance with Legal, Regulatory, and Contractual equirements
The Group will comply with legal, regulatory, and contractual requirements related to information security.
(8)　Continuous Improvement
The Group will continuously improve its information security management system.

5. Responsibilities, Obligations and Penalties.

The responsibility for the information security management system, including this Policy, shall be assumed by the Representative Director, and employees within the scope of application shall be obligated to comply with the established regulations and procedures. Employees who fail to comply with their obligations and commit violations will be punished in accordance with the employment regulations. Employees of subcontractors will be dealt with in accordance with individually defined contracts.

6. Periodic Review

The information security management system shall be reviewed, maintained and managed on a regular and as-needed basis.

Enacted July 1, 2019
Revised August 19, 2019
Revised October 19, 2019
Revised August 3, 2020
Revised July 8, 2021
Revised July 1, 2023
Revised April 1, 2025

Osamu Yamada
Representative Director, Micoworks, Inc.