Information Security Policy

This policy applies to all parties engaged in the Company’s operations, including its officers, employees, and contractors.

To appropriately maintain the confidentiality, integrity, and availability of information assets, the Company implements technical and organizational measures.

The Company grants access privileges to information assets and to its various cloud services only within the scope necessary for operations (the principle of least privilege). When privileges become unnecessary due to a change of personnel, retirement, departure from a project, or the like, it promptly removes them.

For major business systems such as GitHub, Google Workspace, and Slack, the Company makes multi-factor authentication mandatory in principle and works to prevent unauthorized access. In particular, for the key systems that form the Company’s foundation, it adopts phishing-resistant authentication methods compliant with FIDO2 (passkeys).

The Company manages confidential information such as passwords, API keys, and private keys by appropriate methods. Specifically, it uses password managers, environment variables, and the like, and avoids the unnecessary sharing, recording, or storage of such information.

The Company restricts access to production environments and production data to the minimum necessary. Privileges to view or operate production environments are, in principle, limited to those who need them for their work, such as the Representative Director and the relevant team’s tech lead; and as for production data, the Company does not, in principle, dump it to or take it out onto local devices.

The Company uses external services within the scope necessary to carry out its operations and may outsource the handling of personal information, etc. In such cases, it appropriately selects, manages, and supervises contractors and works to ensure the necessary security control measures.

To detect signs of unauthorized access, incidents, and the like, and to enable subsequent tracing, the Company obtains and reviews logs as necessary.

If an information security incident (including the risk of a leak) occurs or may have occurred, the Company works to prevent the spread of damage, investigate the cause, and prevent recurrence. External communications and responses are, in principle, carried out responsibly by the Representative Director, and the Company takes appropriate measures, such as contacting relevant parties, as necessary.

The Company requires all relevant parties to be informed of and to comply with this policy and related rules, and provides education and awareness activities as necessary.

The Company reviews this policy and related rules and operations as necessary, and works toward the continuous improvement of information security.

As part of objectively assuring and continuously strengthening its information security management framework, the Company is working toward certification of an information security management system (ISMS / ISO/IEC 27001).

For inquiries regarding this policy, please contact us below.

Ainobi Inc.
Email: contact@ainobi.co.jp