SECURITY POLICY

(Basic Policy on Information Security and Cybersecurity)

At our company, information assets (including information and information systems) are our most critical assets, forming the foundation of our cloud services business. Protecting the information entrusted to us by our customers is our social responsibility and one of our top management priorities.

We recognize the increasing sophistication and complexity of cyberattacks as a significant management risk. For our customers—including financial institutions—who entrust us with critical information, we will continuously strengthen our measures in both information security and cybersecurity to live up to their trust.

Under this policy, we have established the following security objectives and will faithfully implement various measures to achieve them.

  • We respect our contracts with customers as well as all applicable laws and regulatory requirements.
  • We will continuously implement physical, technical, and organizational controls to prevent information security incidents.
  • We protect information assets from information security threats, including cyberattacks.
  • We maintain a detection, response, and recovery system to minimize the damage caused by cyberattacks.

1. Compliance with Laws and Regulations

We comply with applicable laws, regulations, and contractual security requirements with our customers. Based on international standards such as ISO/IEC 27001 (ISMS), we implement security management practices that also meet the security requirements for financial institutions.

2. Protection of Information Assets

We are committed to ensuring the confidentiality, integrity, and availability of information assets and to continuously protecting them from all threats. We guarantee the security of information by conducting risk assessments based on established standards for all information assets and implementing optimal security measures in accordance with the results.

3. Commitment from Senior Management

The CEO serves as the chief executive officer, and a Chief Security Officer designated by senior management will be appointed. An Information Security Committee will be established to deliberate on, decide, and oversee security measures. The security status will be reported to the Board of Directors on a regular basis.

4. Cyberattack Response System

We have established a CSIRT (Computer Security Incident Response Team) to provide a specialized response to technical cyberattacks (such as unauthorized access, malware infections, ransomware, and vulnerability exploitation). The CTO/CPO will oversee CSIRT operations and direct the technical response team, ensuring a rapid response in accordance with the structure outlined in the contingency plan. In the unlikely event of a serious incident, we will promptly and appropriately notify and report to our customers and relevant authorities in accordance with applicable laws and contracts.

5. Ongoing Risk Assessment and Mitigation

We regularly conduct risk assessments based on threat scenarios simulating cyberattacks and implement countermeasures. We collaborate with external security experts to continuously gather the latest information on cyber threats.

6. Vulnerability Management and Verification of Technical Countermeasures

We continuously collect and evaluate vulnerability information and prioritize remediation based on severity. We verify the effectiveness of our countermeasures through regular external penetration tests.

7. Application to the Supply Chain

We will establish security requirements for external contractors, specify them in our contracts, and ensure they are properly managed.

8. Ongoing Education and Training

We will conduct regular security training and simulations of cyberattacks for all employees.

9. Continuous Improvement

We will periodically review the implementation of this policy and continue to improve it in response to changes in the threat landscape and applicable laws and regulations. We will ensure that all employees are made aware of this policy and require their compliance.

End
Revised May 20, 2026
UPWARD Co., Ltd.

UPWARD Co., Ltd. has obtained certification for the international standard "ISO/IEC 27001:2022 / JIS Q 27001:2023" regarding Information Security Management Systems (ISMS). This ISMS certification confirms, through a third-party audit by a registered certification body, that our company has established an appropriate information management system in terms of security. The details of the certification are as follows.

Registration Number: IS 631188
Registered Organization: UPWARD, Inc.
Location: 26th Floor, Marunouchi Kitaguchi Building, 1-4-1 Marunouchi, Chiyoda-ku, Tokyo
Applicable Standards: ISO/IEC 27001:2022, JIS Q 27001:2023, ISO/IEC 27017:2015, ISO/IEC 27018
Date of Certification: May 21, 2015
Renewal Date: May 21, 2025 (Expiration Date: May 20, 2027)
Audit and Registration Body: BSI Group Japan K.K.