METI Guidelines Cloud Service Level Checklist
Downloads
- i-Reporter Cloud Service Level Overview
- Ministry of Internal Affairs and Communications Guidelines for Cloud Service Safety and Security
Guidelines for disclosure of information related to reliability
Ministry of Economy, Trade and Industry cloud service level
Checklist version
| No. | type | Service level items example | Regulations | correspondence/ Possibility | Contents |
|---|---|---|---|---|---|
| Application Operations | |||||
| 1 | availability | Service downtime | Service hours (including planned downtime for inspection/maintenance of facilities, networks, etc.) | ○ | There will be maintenance shutdowns (planned shutdowns) of approximately two hours per month from 1:00 AM to 3:00 AM, and unscheduled maintenance may be performed if a critical vulnerability is detected. |
| 2 | Planned outage notification | Confirmation of advance notice regarding scheduled maintenance outages (including a description of the timing/method of advance notice) | ○ | We will notify you via the support web page and by email to your customer representative. | |
| 3 | Advance notice when service provision ends | Confirmation of advance notice in case of termination of service provision (including description of timing/method of advance notice) | ○ | This is stated in the service terms and conditions. We will notify you at least three months before the service ends. | |
| 4 | What to do when service is suddenly suspended | Whether or not measures such as depositing programs and various setting data for the system environment are in place | ○ | We always protect customer data, but in the event of a sudden service outage, we will do our best to restore the system. We ask that you back up your data at your own risk. | |
| 5 | Service availability | Probability of service availability ((Planned service time - Outage time) / Planned service time) | It is not publicly available. January 2025 occupancy rate: 100% | ||
| 6 | Disaster Recovery | System recovery/support system in the event of a disaster | Non-disruptive disaster recovery is not supported. | ||
| 7 | Alternatives in the event of a major failure | Alternative measures if early recovery is not possible | No alternative methods are provided. i-Reporter devices (iPads and other devices can be used to enter data offline). | ||
| 8 | Data format provided by alternative treatment | Describes the definition of the data format provided in the alternative measures | ○ | Customer data can be downloaded in CSV, XML, PDF, or Excel format via ConMas Manager, ConMas Designer, or API at the customer's own risk. You are responsible for storing your data. | |
| 9 | Upgrade Policy | Version upgrade/change management/patch management policy | ○ | Product updates are carried out several times a year. Security maintenance is carried out on scheduled maintenance days after vulnerability information is collected and evaluated. However, if a public institution notifies us that a security update must be applied immediately and it is determined that this will have an impact on service provision, we may carry out security maintenance with a separate notice. | |
| 10 | Reliability | Mean Time to Repair (MTTR) | Average time from failure occurrence to repair completion (sum of repair time / number of failures) | Not set. | |
| 11 | Recovery Time Objective (RTO) | Target time for resuming service after an outage | Not set. | ||
| Recovery Point Objective (RPO) | Target time for backup generation management to resume service provision after a failure occurs | ○ | We will restore your data using backup data up until 1:00 AM on the day of restoration or 1:00 AM on the day before that. However, if the backup has not been completed by that time, we may use data up until 11:59 PM on the previous Saturday. | ||
| 12 | Number of failures | Number of failures that occurred in a year / Number of failures that took a long time (more than one day) to resolve in a year | The number of occurrences in the past year is 0 (zero). | ||
| 13 | System Audit Standards | Monitoring based on the system monitoring standards (monitoring content/monitoring and notification standards) | It does not support system monitoring standards. | ||
| 14 | Fault Notification Process | Contact process in case of failure (notification destination/method/route) | ○ | In the event of a service outage, our staff will be notified and take action. We will notify and report the situation to the customer's registered staff via email. | |
| 15 | Failure notification time | The time it takes to notify designated contacts after an anomaly is detected | There are no rules, but we will notify you as soon as possible. | ||
| 16 | Fault monitoring interval | The time interval for collecting and aggregating failure incidents | ○ | We are constantly monitoring it. | |
| 17 | Service status report/interval | Service delivery status reporting method/time interval | ○ | If a service outage occurs, we will notify you via the support website and by email to the person in charge of registration. | |
| 18 | Obtaining logs | Types of logs that can be provided to users (access logs, operation logs, error logs, etc.) | ○ | Customer usage status of the i-Reporter system can be obtained from ConMas Manager. As a general rule, we do not provide server system logs. | |
| 19 | performance | Response time | Processing response time | It is not publicly available. | |
| 20 | delay | Duration of delay in processing response time | It is not publicly available. | ||
| 21 | Batch Processing Time | Batch processing response time | There is no batch processing. | ||
| 22 | Scalability | Customizability | Items that can be customized (changed), scope, specifications, etc., and information required for customization | In principle, customization is not supported. | |
| 23 | External Connectivity | Connection specifications (API, development language, etc.) with existing systems and external systems such as other cloud computing services | ○ | We offer an optional API that allows you to use the i-Reporter system functions from external services. | |
| 24 | Number of simultaneous connected users | The number of online users who can simultaneously connect and use the service | ○ | There is no limit to the number of simultaneous users. | |
| 25 | Resource limits | Disk space limit/page view limit | ○ | The storage capacity is determined at the time of contract. There is a limit to the storage capacity that can be used. (It can be increased with an additional fee.) | |
| support | |||||
| 26 | Service hours (failure response) | Time for accepting inquiries when responding to a malfunction | ○ | We are available 24 hours a day, 365 days a year (email and inquiry form). | |
| 27 | Service hours (general inquiries) | Hours during which inquiries are accepted for general inquiries | ○ | Support is available 24 hours a day, 365 days a year, via the support form on our website. Normal support hours are 9:30-18:00 on weekdays (excluding public holidays, New Year's holidays, and other company holidays). We will review your inquiry and respond within three business days. | |
| Data Management | |||||
| 28 | How to back up | How your data is handled, including backup details (number of backups, recovery methods, etc.), data storage location/format, and your access rights to your data | ○ | Data for the entire system is backed up to a remote data center within the country on a daily, weekly, or monthly basis, but this data is not accessible to customers. | |
| 29 | Timing of obtaining backup data (RPO) | When backing up data and ensuring data | ○ | When the backup finishes at 1:00 AM on the current day, the previous two days' worth of data will be backed up. If the backup has not yet finished at the time of recovery, the data will be backed up to the previous week. | |
| 30 | Backup data retention period | The period for which data backup media is to be stored | ○ | It will be stored for the duration of your contract. | |
| 31 | Data erasure requirements | After service termination, the method of erasing data owned by the user, such as whether/when data will be erased, whether/when storage media will be destroyed, and data migration | ○ | Any data used in the i-Reporter system must be deleted from ConMas Manager/ConMas Designer at the customer's own responsibility. Data across the entire infrastructure system will be deleted or destroyed in accordance with the NIST 800-88 Guidelines for Media Sanitation standard, as published by Microsoft. Physical deletion verification is not supported. | |
| 32 | Number of backup generations | Guaranteed number of generations | ○ | We do not guarantee data backup. Customers are responsible for downloading and backing up data. However, as a necessary measure for system operation, our company performs daily backups at 1:00 every day, and stores two generations of data: the current day and the previous day. In addition, daily backup images taken on the first Sunday of each month and the first Sunday of each month are stored separately as weekly and monthly backup images. | |
| 33 | Encryption requirements for data protection | Is there a requirement for encryption to protect the data? | ○ | The internet connection is encrypted with TLS 1.2. | |
| 34 | Key Management Requirements for Multi-Tenant Storage | Whether there are any key management requirements for multi-tenant storage, and what those are | ○ | It is managed by a logical identifier. | |
| 35 | Compensation/insurance for data leakage and destruction | Whether or not there is compensation/insurance in case of data leakage or destruction | We are not covered by liability insurance. Our service terms and conditions state that you are responsible for managing your data. For details on compensation, please refer to the "Scope of Compensation" section of the service terms and conditions overview and the main text of the terms and conditions. | ||
| 36 | Data portability upon termination | When a contract is terminated, the original data is promptly returned in its entirety or a system is in place to responsibly erase the data, eliminating the risk of data leaks to the outside. | ○ | You are responsible for downloading any data used in the cloud service before canceling your subscription, and for deleting it afterwards. We will carry out data deletion operations. | |
| 37 | Verification of the integrity of the deposited data | A method for verifying data integrity has been implemented, and verification reports have been reviewed. | ○ | It is the customer's responsibility to verify the data content. | |
| 38 | Input data format restriction function | Whether or not there is a function to restrict input data format | ○ | You can use the input data restriction function provided by i-Reporter. | |
| Safety features | |||||
| 39 | Requirements for obtaining official certification | How your data is handled, including backup details (number of backups, recovery methods, etc.), data storage location/format, and your access rights to your data | ○ | Separate from customer data, server storage is backed up daily, weekly, and monthly and stored in a remote data center within Japan. However, you do not have access to this data. | |
| 40 | Third-party evaluation of the application | Third-party web application vulnerability assessment | ○ | At least once a year, we undergo vulnerability testing by a third party, receive reports, and then evaluate and respond to those reports. | |
| 41 | Information handling environment | The period for which data backup media is to be stored | ○ | Backup data will be stored for the duration of your contract. | |
| 42 | Communication encryption level | The encryption strength of communications to and from the system | ○ | Communication is encrypted using SSL. | |
| 43 | Confirmation of information security-related matters in accounting audit reports | When auditing information security-related matters in accounting audit reports, the following documents will be provided to the person in charge: "Latest SAS70 Type 2 Audit Report" and "Latest No. 18 Audit Report" | Not supported. | ||
| 44 | Security measures in a multi-tenant environment | Information isolation between different user companies, localization of the impact of failures, etc. | ○ | We operate in a data area separated by contract space using a logical identifier for each customer. | |
| 45 | Restrictions on Data Handlers | The users who can access the user's data are limited, and the same restrictions as those stipulated by the user organization are realized. | ○ | In accordance with ISO27001 certification standards, access rights are limited and the scope of access is determined for each individual. Access within our company, including physical access, is logged and audited. | |
| 46 | Traceability in the event of a security incident | The unit of ID assignment, whether the ID can be used for log searches, whether the log storage period is appropriate and whether it is provided within the period in an acceptable manner according to the needs of the user. | ○ | Customers can check the access log to the i-Reporter system from ConMas Manager. Logs can be obtained and records can be checked for the entire system at regular intervals, but customers cannot access them directly. | |
| 47 | Virus Scan | Virus scan frequency | ○ | We regularly check for viruses. | |
| 48 | Secondary storage media safety measures | Backup media etc. must always be stored in an encrypted state, all data must be completely erased and verified before disposal, and measures such as disabling USB ports and restricting data extraction must be taken. | ○ | No secondary storage media is used and backups are made between data centers. | |
| 49 | External data storage policy | Are you aware of the restrictions on data handling and use under the various legal systems in the locations where the data is stored? | ○ | I understand. | |
