Nulab’s Security System (Version 3)
Security, Audit and Certificate
Nulab’s information security management system is audited and certified by a competent third party. Nulab’s services are designed, developed and operated under strict information management.
To verify that it observes its policies and procedures for security, privacy, integrity and compliance, Nulab voluntarily undergoes an annual audit by an internationally recognised third-party auditing body.
Certificates obtained by Nulab
ISO/IEC 27001 is the international standard for an Information Security Management System (“ISMS”), a conformity assessment scheme under which an organisation protects its information assets from all sorts of threats and reduces risk.
What is the ISMS Cloud Security Certificate
The ISMS Cloud Security Certification is granted, on condition that the organisation already holds JIS Q 27001:2014 (ISO/IEC 27001:2013) certification, to organisations that meet the requirements of the ISO/IEC 27017:2015 guideline for managing information security when providing or using cloud services within the scope of JIS Q 27001:2014 (ISO/IEC 27001:2013).
ISO/IEC 27017:2015 is a guideline that adds information security controls and implementation guidance specific to cloud services. JIPDEC publishes ‘JIP-ISMS517-1.0: Requirements for ISMS Cloud Security Certification based on ISO/IEC 27017:2015’ as the certification criteria for ISMS cloud security. An organisation seeking ISMS cloud security certification must therefore operate its cloud information security management in accordance with ISO/IEC 27017:2015 as well as ISO/IEC 27001:2013 and JIP-ISMS517-1.0.
What is ISO/IEC 27018
ISO/IEC 27018 is a code of practice for protecting personally identifiable information (PII) in public clouds. It builds on ISO/IEC 27002, the widely applied international standard for information security controls, and is intended to ensure the following:
- A public cloud service provider that processes PII is supported in complying with applicable laws and meeting users’ expectations;
- Transparency is enhanced so that users can choose well-governed public cloud services; and
- Users are given a framework that obliges public cloud service providers to comply with their legal obligations for the protection of personal information.
Nulab operates the following security systems.
- Security system for the Nulab’s Services
- Protection of the user’s data stored in the Nulab’s Services
- Security system for the middleware, OS and other infrastructures that are used in providing the Nulab’s Services
The User is responsible for the following security practices.
- Managing the password issued to the User appropriately
- Managing the User’s account with the Nulab’s Services appropriately (registration, deletion, and granting of administrator authority)
Supplementary terms for privacy and security in the Nulab’s Services
These rules (“Supplementary Terms”) supplement the Terms of use for the Nulab’s Services provided by Nulab. The User may use the Services subject to the Supplementary Terms as well as the Terms. Terms used in the Supplementary Terms have the same meaning as in the Terms unless otherwise provided herein.
- Definition of words
“User’s Data” means any data that the User or the User’s representative provides to Nulab through the Services, such as text files, audio files or image files. “End User” means an individual person who accesses the Services.
- Compliance with privacy laws Nulab will comply with data protection and privacy laws that are generally applicable to the Services. Nulab is not, however, obligated to comply with data protection and privacy laws that apply to particular categories of data, or to the User or the User’s industry, and that are not applicable to information technology service providers.
- Use of the User’s Data Nulab will handle the User’s Data according to the provisions of the Supplementary Terms unless otherwise provided in contracts, agreements or memorandums etc. with the User. Nulab will not (a) claim ownership of the User’s Data, or (b) use or disclose the User’s Data for any purpose other than those stipulated hereunder. Nulab will use the User’s Data for the following purposes:
- to provide the Services, including troubleshooting to prevent, detect and repair problems that may affect the operation of the Services, detecting threats that may appear and spread (such as malware or spam), and improving Nulab’s ability to protect the User.
- Nulab will not disclose the User’s Data to law enforcement agencies unless required to do so by law. If a law enforcement agency requests the User’s Data from Nulab, Nulab will reply that the agency must request it from the User directly, and in doing so Nulab may give the agency the User’s contact information. If Nulab is compelled to disclose the User’s Data, it will make reasonable efforts, in line with business custom, to notify the User before the disclosure is made.
- Deletion of the User’s Data When the term of use of the Services expires, or when the User ends its use of the Services, Nulab will delete the User’s Data. When deletion occurs and what is deleted are as follows:
(When to delete)
Paid plans: 30 days after the day following the date of termination of the Services, or 180 days after the date of suspension where Nulab suspends the User’s use of the Services.
Trial use: 180 days after the date on which the User ends use.
Free plan: upon the User’s request, or when the Services have not been used for more than 180 days and the User fails to confirm their intention to continue using the Services when Nulab requests such confirmation.
The User’s account with Nulab: upon the User’s request.
(What to delete)
When the administrator of Backlog, Cacoo or Typetalk terminates the contract, all information in that service is deleted upon termination. The User’s account with Nulab, however, can be deleted only by the User; the email address and name held in the User’s account with Nulab are deleted upon the User’s request.
- End User’s requests Where an End User of the User makes a request relating to data protection or privacy without the User’s written consent, Nulab will not, as a matter of practice, accommodate such a request.
- Transfer of the User’s Data The User’s Data that Nulab handles on behalf of the User may be transferred to, and stored and processed in, the USA or other countries where Nulab, its affiliates or its contractors maintain facilities. The User appoints Nulab to transfer the User’s Data to such countries and to store and process it there.
- Employees of Nulab Nulab’s employees will not handle the User Data unless authorised by Nulab. Nulab’s employees are bound to keep the User Data confidential, and this obligation continues after they leave Nulab.
- Contractors of Nulab Nulab may contract out particular Services, such as providing support to the User. Contractors are permitted to access the User Data only to the extent needed to provide the services Nulab requests, and are prohibited from using the User Data for any other purpose. Nulab is responsible for ensuring that its contractors comply with the privacy and security obligations under the Terms and the Supplementary Terms. Every contractor to whom Nulab transfers the User Data must agree in writing to protect the privacy of personal data. The User consents to Nulab transferring the User Data to contractors under the conditions set out in the Supplementary Terms. Except as permitted by the preceding provisions, Nulab will not transfer any personal data that the User provides in using the Services to a third party (not even for the purpose of storing it).
- User’s Responsibility
- The User is responsible for meeting the legal requirements for privacy, data protection and confidentiality of telecommunications that apply to its use of the Services.
- Where the User provides an account to an End User, the User consents that Nulab may use the End User’s information provided by the User to contact the End User and provide the End User with Nulab products, tips and advice on the most productive ways to use the Services, and information on other products and information suggested by Nulab. Before contacting an End User in this way, Nulab will ask the End User for permission. If permission is not given beforehand, Nulab will provide commercially reasonable measures to stop such contact.
- Technical and Organisational Security Measures Nulab has in place, and will maintain, technical and organisational measures, an internal management system and information security procedures to protect the User Data from accidental loss, damage or alteration, unauthorised disclosure or access, and unlawful destruction. These measures define the scope of Nulab’s responsibility: Nulab is responsible for the security of the User Data only insofar as it handles that data, and Nulab’s confidentiality obligation for the User Data is governed by the Terms.
- Security Incident
- If unauthorised access to the User Data stored in Nulab’s devices or facilities, or a deletion, disclosure or alteration of the User Data caused by unauthorised access to Nulab’s devices or facilities (each of which constitutes a security incident), is discovered, Nulab will (a) notify the User of the security incident, (b) investigate the security incident and report the outcome to the User, and (c) take appropriate measures to reduce the effect of the security incident and mitigate loss or damage.
- The User is to agree to the following:
- These provisions do not apply to an alleged security incident that does not constitute a security incident, meaning an event that does not involve unauthorised access to the User Data or to the devices or facilities of Nulab in which the User Data is stored, for example pings or other broadcast attacks against firewalls or edge servers, port scans, failed login attempts, denial-of-service attacks, and packet sniffing (or other unauthorised access to traffic data that does not expose anything beyond IP addresses or headers).
- The preceding provisions on Nulab’s responsibility for reporting and responding to security incidents do not in themselves impose any liability for negligence or damages on Nulab for a security incident.
- If a security incident occurs, Nulab will notify the User’s administrator within 72 hours by one or more means of Nulab’s choosing, including email. The User is responsible for registering accurate contact information for its administrator on the service portal in accordance with the Terms.
- Certification and Audit Nulab establishes and maintains its security system based on the ISO/IEC 27000 series of standards, specifically ISO/IEC 27001, 27017 and 27018. The User is to review the documentation on the Services that Nulab separately provides and to decide for itself whether the Services meet the User’s requirements.
Nulab uses Amazon Web Services, a widely trusted and robust infrastructure provider. Data passing through the infrastructure is protected in transit by multiple encryption systems, protocols and algorithms used together, and the confidentiality of data stored in the infrastructure is secured.
- Transport Layer Security (TLS, the successor to SSL) Encrypts communications exchanged over the network. The peers authenticate each other and agree session keys using asymmetric cryptography, and the application data is then encrypted with a symmetric cipher.
- Internet Protocol Security (IPsec) An industry-standard protocol suite that provides authentication, integrity and confidentiality of data at the IP packet level as it is transmitted across the network.
About backing up data (Backlog, Cacoo and Typetalk)
- Database backups are retained for the past 2 weeks
- Backups are stored on a dedicated service operation server on Amazon Web Services
Protection of logs
Logs are stored on Amazon Web Services and are accessible only to staff engaged in specific duties.
- Access logs (IP address, URL, time)
- Retained for an effectively indefinite period
- Storage of information (including personal information) collected in the Services
Services in which information (including personal information) collected in the Services is stored:
- Amazon Web Services
- G Suite / Google Analytics
Countries where information (including personal information) collected in the Services is stored:
(Note) Information stored in the USA is subject to US law.