Advanced Information Security and Privacy Protection
Security
Goals and KPI
2030
- Goal
- Establish and operate security infrastructure appropriate for social infrastructure
- KPIs
- Formulate security strategies in response to social conditions and business strategies related to information security, and enhance security management throughout the entire company
- Establish and operate an independent audit system to monitor security functions
- Acquire and operate sophisticated information security certification, such as the international security certification SOC2*1
- Major security incidents: 0
2024
- Goal
- Build information security that is positioned as an important management function for the entire kubell Group
- KPIs
- Enhance PSIRT/CSIRT*2 system
- Optimized security training program participation rate (development, corporate): 100% of relevant staff
- Implement security measures in the software supply chain
- Implement SAST/DAST for automatic early vulnerability detection
- Major security incidents: 0
- Initiatives
Enhance PSIRT/CSIRT system
- Establish a security incident system in preparation for emergencies and communicate regularly with the staff in charge
Optimized security training program participation rate (development, corporate): 100% of relevant staff
- Conduct security training for all employees
Implement security measures in the software supply chain
- Conduct risk assessment for the software and SaaS being used, and implement risk mitigation measures for services that store important information
- Conduct interviews on matters such as authentication mechanisms and vulnerabilities; monitor installation state of software
Implement SAST/DAST*3 for automatic early vulnerability detection
- Introduce vulnerability detection tools and carry out monitoring
Major security incidents: 0
- 0
- *1 SOC2: Service Organization Control Type 2, a cybersecurity compliance framework developed by the Association of International Certified Professional Accountants (AICPA)
- *2 PSIRT: Product Security Incident Response Team, an organization that improves the level of security and responds to incidents for products and services manufactured and developed in-house; CSIRT: Computer Security Incident Response Team, an organization that responds when an incident occurs that is perceived as a security problem
- *3 SAST: Static Application Security Testing, analyzing source code to detect vulnerabilities that make an organization’s applications vulnerable to attack; DAST: Dynamic Application Security Testing, detecting application vulnerabilities by simulating external attacks while the application is running
Approach and System
Approach to Information Security
We develop and provide cloud-based business chat services that streamline and revitalize business for our customers, which number more than 914,000 companies*1 with 1,197,000 DAUs*2. Our customers entrust us with important information assets and confidential information. Because the reliable protection of this information is a prerequisite for business continuity, we have positioned information security as our most important management issue. We established our “Basic Policy on Information Security” in January 2013 and are working to ensure information security throughout the company.
We recognize the importance of protecting information assets from risks such as leakage, damage, and loss. All workers—including executives and employees—observe this basic policy and conduct activities to maintain information security in terms of the confidentiality, integrity, and availability of information assets.
View this page for the “Basic Policy on Information Security”
- *1 As of the end of March 2025
- *2 Median number of Daily Active Users for weekdays (excluding Saturdays/Sundays/holidays) as of the end of March 2025
Information Security Structure
We have established the Security Group as an organization for promoting information security measures for the entire Group. It is comprised of the Security Management Team, which is in charge of information security management and corporate security, as well as the Security Engineering Team, which is in charge of cybersecurity.
We have also appointed personnel who possess advanced expertise in information security to respond to the changing security environment.
In addition, we are strengthening our security level improvements and responses to incidents for products and services manufactured and developed in-house by establishing our Product Security Incident Response Team (PSIRT). Similarly, we have established our Computer Security Incident Response Team (CSIRT) to immediately respond when an incident that is perceived as a security problem occurs. We have put in place a security incident structure in preparation for emergencies by linking these organizations, and we strengthen this structure through regular communication between the relevant staff.
We have implemented reporting rules where departments and Group companies report to the Security Group when an incident occurs. These rules are thoroughly made known, putting in place a structure that can immediately grasp and respond to risks in our operations.
Information Security Structure Chart
Main Initiatives
Initiatives to Ensure Information Security
1) Acquisition of International Certifications for Information Security
All operations of kubell Co., Ltd., kubell storage Co., Ltd., and kubell partner Co., Ltd. have been audited by third party organizations. Through this process, we have acquired the ISO/IEC 27001:2022:2024 and JIS Q 27001:2023 (ISMS) international certification standards for information security as well as the ISO/IEC 27017:2015 and JIS Q 27017:2016 international certification standards for the appropriate protection of personal and related privacy information.
In addition, kubell Co., Ltd. and kubell storage Co., Ltd. have acquired the ISO/IEC 27017:2015 and JIS Q 27017:2016 international certification standards applicable to the provision and use of cloud services. We carry out system development and operation in accordance with strict security standards.
ISMS Certification Acquisition Status
| Certification Name | Scope | Date of Acquisition |
|---|---|---|
| ISO/IEC 27001:2013 / JIS Q 27001:2014 | kubell Co., Ltd.; kubell storage Co., Ltd.; kubell partner Co., Ltd. | #1: March 21, 2013; #11: February 26, 2025 |
| ISO/IEC 27017:2015 | kubell Co., Ltd.; kubell storage Co., Ltd. | #1: April 10, 2018; #5: April 26, 2022 |
| ISO/IEC 27701:2019 | kubell Co., Ltd.; kubell storage Co., Ltd.; kubell partner Co., Ltd. | #11: February 26, 2025 |
Acquired Certification Standards for Information Security
2) Measures Against External Attacks
The environment surrounding information security is changing rapidly. As a result, the risk of information leakage is rising each year due to increasingly sophisticated cyber-attacks and other external attacks. To respond to this risk, we are working on security measures from both product development and corporate management perspectives.
In terms of product development, we are implementing measures such as preventing and blocking unauthorized access, introducing WAF*, managing vulnerabilities to evaluate and confirm those that exist in middleware and libraries used for development, conducting security training to ensure secure development, and carrying out periodic vulnerability assessments. We have also established a Security Engineering Team dedicated to product security measures, and have established and operate a security consultation desk and security risk reporting form where employees can consult and report on information security. We are also continuously working on developing secure products through measures such as regularly implementing risk management inventories, in which critical risks are evaluated and identified from risk incidents identified through security risk reporting forms and other means, and countermeasures are discussed.
In terms of corporate security, we are enhancing security measures at endpoints, such as the information devices used by executives and employees.
* WAF: Web Application Firewall, a security measure to protect web applications from unauthorized access, such as by blocking attacks
Primary Measures Against External Attacks
| Initiative | Overview | Frequency |
|---|---|---|
| Vulnerability assessment | Conduct annual vulnerability assessments to enhance application security | Once/year |
| Security consultation desk | A security consultation service where developers can consult about implementation from the design stages to prevent vulnerabilities from being embedded in applications; also operates as a place where developers can easily report security incidents or the possibility of such incidents | As appropriate |
3) Measures to Prevent Internal Information Leaks
When developing products, we conduct reviews to prevent information leaks during development and have built systems whereby only the minimum necessary personnel can access the minimum necessary information to prevent unauthorized access and tampering. In addition, we carefully store important data including service access, usage, and data communication history (logs) for service maintenance and security measures, building and operating systems to monitor access to information systems. We regularly check whether these systems are being operated properly and conduct internal audits. We also take measures to prevent information leakage from those who have left the company.
In terms of ensuring corporate security, we provide information security education to all employees, set minimum access privileges for important information, manage system accounts, and store system logs. We also centrally manage the security settings of laptop computers and other terminal devices, and have introduced MDM*, which deletes all data in the event of loss, to prevent information leakage. In addition, we manage the status of the personal information entrusted to third parties and conduct security checks.
* MDM: A method to manage system settings and other aspects of terminal devices such as smartphones and laptops used for business in an integrated and efficient manner. It also refers to the software and information systems that enable this.
Primary Measures Against Internal Information Leaks
| Initiative | Overview | Frequency |
|---|---|---|
| Implementation of training for executives and employees | | Upon entering company, once/year |
| System account management with minimum authorization for critical information assets | | As necessary |
| Implementation of MDM terminal management | | As necessary |
4) Other Initiatives to Improve Information Security
As the risk of information leaks increases, there are limits to the measures that can be taken by individual companies. Therefore, in October 2022, we established the “SaaS Security Community” in collaboration with SaaS providers as a forum for companies that develop and operate SaaS services for BtoB to exchange information on security measures. We did this to strengthen security measures through collaboration with companies that offer similar services. The community, consisting of 30 companies as of February 2025, encourages the exchange of information and vulnerability assessments to strengthen security measures.
Privacy Protection
Our Privacy Protection Approach and Efforts
It is critical to ensure that the private information entrusted to us is properly protected and managed in accordance with the information protection regulations of each country and region in order to provide convenient and reliable IT services to all of our users.
Therefore, we have established a privacy protection policy and regularly provide training to all relevant executives and employees to ensure compliance with this policy. In addition, we acquired the ISO 27701* international certification for privacy protection in April 2022, and are working to enhance our management.
View this page for details on our privacy policy.
* ISO/IEC 27701:2019: An international standard established in 2019 and positioned as an add-on (extension) standard to ISO/IEC 27001 and ISO/IEC 27002. In addition to requirements for ISMS, it specifies requirements and guidelines for protecting privacy that may be affected by the processing of personal information.
Main Initiatives in Fiscal Year 2024
Information Security Training
We establish the most appropriate training program to ensure information security.
In 2024, we conducted information security training for all employees.
| Training | Training Content | Scope |
|---|---|---|
| Group-wide information security training | | All employees |
| New employee training | | Mid-career hires; New graduates |
Strengthening of System for Early Discovery of Vulnerabilities
To respond to a situation where new vulnerabilities occur on a daily basis, we introduced vulnerability detection tools to quickly identify and respond to vulnerabilities. By implementing several vulnerability detection tools and carrying out continuous monitoring, we improve detection accuracy and can respond to a wide range of vulnerabilities.
Number of Major Security Incidents
In fiscal year 2024, there were no cases of major security incidents.