Security Policy

This Security Policy (the "Policy") sets forth the basic information security policy for the websites, web applications, and other related services provided by TOKOSEKI ("we," "us," or "our") (collectively, the "Services"). Contractors and users who use the Services shall use the Services after understanding the content of this Policy.

Article 1 (Purpose)

The purpose of this Policy is to set forth our basic security management policy for properly protecting information assets handled by the Services and reducing risks related to information security, including unauthorized access, leakage, alteration, loss, damage, and other risks.

Article 2 (Scope)

1. This Policy applies to the provision, operation, maintenance, support, incident response, security response, and other operations related to the Services.
2. Information covered by this Policy includes contractors' and users' account information, workspace information, member information, reservation information, seat, equipment, and layout settings, User Content, billing and payment information, operation logs, audit logs, security logs, device and communication information, and other information necessary for providing and operating the Services.
3. The handling of personal information and related information is governed by this Policy as well as the Privacy Policy.

Article 3 (Management Structure)

1. We appoint a person responsible for information security and endeavor to manage security in the development, operation, maintenance, and support of the Services.
2. Taking information security risks into account, we review management procedures, permissions, operational methods, and the usage status of external services as necessary.
3. We provide persons involved in operating the Services with necessary information security awareness, permission management, and confidentiality confirmation to the extent necessary.

Article 4 (Access Management)

1. We endeavor to limit access to the administrative screens, servers, databases, cloud services, and other environments necessary for operating the Services to the scope necessary for business operations.
2. We appropriately manage accounts, authentication information, and permissions, and delete or disable permissions that are no longer necessary within a reasonable period and scope.
3. Only when we reasonably determine it necessary for requests from contractors, support, incident investigation, security response, legal compliance, or other operational needs, persons granted prescribed authority by us may access data to the extent necessary.

Article 5 (Authentication and Communication Protection)

1. We endeavor to perform appropriate authentication and permission checks for login, administrative operations, and other important operations in the Services.
2. We implement encryption and other protection measures for communications of the Services to the extent reasonably necessary.
3. Contractors and users shall manage their account information, passwords, passkeys, authentication devices, and other information necessary for authentication at their own responsibility.

Article 6 (Data Protection)

1. We endeavor to implement necessary and appropriate security management measures for information handled by the Services, including access control, encryption of communications, backups, log collection, and management of external services.
2. We may store backups and logs to the extent reasonably necessary for disaster recovery, audits, security, legal compliance, dispute handling, and other operational needs.
3. We do not use User Content for machine learning or model training purposes. However, we may process User Content to the extent necessary for providing and operating the Services, including feature provision, display, conversion, analysis, incident investigation, and security response.

Article 7 (Log Collection and Auditing)

1. We may collect, store, and review operation logs, access logs, audit logs, security logs, and other necessary logs for stable operation of the Services, prevention of unauthorized use, incident investigation, security response, audits, legal compliance, and dispute handling.
2. We reasonably determine the retention period, retention scope, and review methods for logs based on purposes of use, risks, laws, system constraints, and other circumstances.

Article 8 (Vulnerability and Incident Response)

1. If we detect vulnerabilities, misconfigurations, unauthorized access, leakage, alteration, failures, or other information security issues affecting the Services, we will conduct investigation, fixes, configuration changes, access restrictions, usage restrictions, notifications, public announcements, and other necessary responses based on the scope of impact, urgency, and cause.
2. If we reasonably determine that an information security issue may materially affect contractors or users, we will notify or publicly announce it to contractors or users to the extent required by law or operations.
3. We may review logs, settings, User Content, and other information related to the Services to the extent necessary for preventing damage expansion, investigating causes, preventing recurrence, legal compliance, and other necessary purposes.

Article 9 (External Services and Vendor Management)

1. We may use cloud services, payment services, authentication services, delivery services, monitoring services, analytics services, and other external services to provide and operate the Services.
2. When using external services or vendors, we select and manage them within a reasonable scope, taking into account service content, handled information, countries of location, security level, contractual terms, terms of use, and other circumstances.
3. All or part of the Services may become unavailable due to failures, suspension, specification changes, security issues, or other circumstances involving external services that are outside our reasonable control.

Article 10 (Cooperation by Contractors and Users)

1. Contractors and users shall implement reasonable security measures when using the Services, including proper management of account information, review of permission settings, deletion of unnecessary accounts, management of devices and browsers, and phishing countermeasures.
2. If contractors or users discover vulnerabilities, unauthorized use, information leakage, or other information security issues related to the Services, they shall promptly contact us, in principle through the "Contact" form at the bottom of the page.
3. Contractors and users shall not analyze, reverse engineer, investigate vulnerabilities in, or otherwise conduct security checks on the Services without our prior approval.

Article 11 (Scope of Warranty)

1. We endeavor to implement reasonable security management measures for the Services, but do not warrant that the Services will be completely protected from all threats, vulnerabilities, unauthorized access, failures, loss of data, or damage to data.
2. Disclaimers and limitations of liability relating to use of the Services are governed by the Terms of Service.

Article 12 (Relationship with This Policy, Terms of Service, and Privacy Policy)

1. Information security and data security management are governed by this Policy as well as the Terms of Service and Privacy Policy.
2. Matters not provided in this Policy shall be governed by the Terms of Service and Privacy Policy.

Article 13 (Changes to This Policy)

1. We may change this Policy due to changes in laws, changes in business operations, changes in the specifications of the Services, changes in external services, information security needs, or other circumstances.
2. The changed Policy will take effect when notified or disclosed by posting on the Services, posting on our website, or by any other method we deem appropriate. However, if separate procedures are required by law, those procedures will be followed.

Article 14 (Contact Window)

Inquiries regarding this Policy shall, in principle, be submitted through the "Contact" form at the bottom of the page.

Article 15 (Last Updated)

Last updated: 2026/05/01