Basic Policy on Information Security

(hereinafter referred to as “AICC”) regards the appropriate protection of all information assets used in its activities as an important management issue, in light of the impact on our business activities in response to the recent increase in information security risks. We are committed to managing information security risks and ensuring that all executives, employees, and collaborators comply with the Information Security Policy, the Cloud Security Policy, and the separate Personal Information Protection Policy, which are based on our basic principles and in line with the following content.

Basic Philosophy
We conduct our business based on our VISION, “A world where all people can live and die with dignity and satisfaction. We conduct our business based on our VISION, “A world where all people can live with dignity and satisfaction and live to the end of their lives. We provide online medical services for medical institutions and pharmacies, develop digital therapeutics, digital solutions for clinical development, and develop and provide insurance services. The information assets we handle in our business, including customer information, are extremely important to our business foundation. We recognize the importance of compliance with this policy and protection of information assets by those who handle information assets, including directors and employees, and will practice activities to maintain information security, such as confidentiality, integrity, and availability of information assets.
Basic Policy on Information Security

1. compliance with laws, regulations, and customer contracts
In order to protect our information assets, we shall establish an information security policy, conduct our business in accordance with this policy, and comply with laws, regulations, and other rules related to information security, as well as with the terms of our contracts with our customers.

2. scope of application
This policy applies to “information assets” that we handle in the course of our business activities. Information assets are defined as information, data, information systems, networks, and facilities that we own, operate, and manage, whether tangible or intangible, and all items that we deem necessary in the course of our business activities.

3.Protection of information assets
We will clarify the criteria for analyzing and assessing the risk of leakage, damage, loss, etc. of information assets, establish a systematic risk assessment method, and conduct regular risk assessments. Based on the results, we will implement necessary and appropriate security measures.

4.Establishment of information security system We will establish an information security system led by management and clarify the authority and responsibility for information security.

5.Education and Training
We will regularly educate, train, and enlighten all employees to ensure that they recognize the importance of information security and handle information assets appropriately.

6. implementation of periodic inspections and audits
Regular inspections and audits shall be conducted on the status of compliance with the information security policy and the handling of information assets, and corrective actions shall be promptly taken for any deficiencies or improvement items found.

7.Handling of Security Incidents and Incidents
In addition to taking appropriate measures against the occurrence of information security events and incidents, we shall establish in advance a response procedure to minimize damage in the event of such events and incidents, and shall respond promptly and take appropriate corrective measures in the event of an emergency.

8. business continuity management
We will ensure the continuity of our business by establishing a framework for managing incidents that may lead to business interruption, and by periodically reviewing the framework.

9. measures against violations of this basic policy
All employees of the Company shall act in accordance with the Basic Policy, and any violation of the Policy shall be subject to disciplinary action in accordance with the Rules of Employment.

10. continuous improvement
We will establish and implement an information security management system that sets goals to realize our basic principles, and continuously review and improve the system.

Cloud Security Basic Policy

1. design and implementation of cloud services
Information security requirements applicable to the design and implementation of cloud services shall be established, and service design and implementation shall be carried out.

2. management of internal stakeholder risks
Appropriate control measures will be implemented for the risks identified in the risk assessment.

3. isolation of user data in virtual environments
Logically isolate and provide cloud computing environments using virtualized environments provided by cloud service providers.

4. restriction of access to user assets by employees
Except for work required for the provision of services, access to user assets is prohibited. Employees who have access to the assets will be identified and limited to the minimum number necessary.

5.Access Control
Appropriate authentication methods will be applied to the cloud service management screen.

6.Notification of changes to users
Notification of changes to cloud services that affect users will be provided through notification functions, etc.

7. access control and protection of data
Appropriate access control and protection of data handled by cloud services will be implemented based on the scope of responsibility.

8. account management Users are responsible for managing their accounts in accordance with the terms of use of Cloud Service.

9. information sharing
We will notify users of any information security violations that affect them. We will also conduct an investigation into the details of the breach and report the results as necessary.

Revised: October 30, 2024

AICC Corporation
Representative Director Kojiro Kii