Ministry of Internal Affairs and Communications Guidelines Cloud services
Safety and Reliability Information Disclosure Guidelines
Downloads
Ministry of Internal Affairs and Communications Information Disclosure Guidelines Regarding the Safety and Reliability of Cloud Services
| No. | type | Service level items example | Regulations | Required/Optional (Note 1) | Contents |
|---|---|---|---|---|---|
| 1 | Time of disclosure | Disclosure Date | Date of disclosure (Gregorian calendar) | Required | February 25, 2025 |
| Office/Business | |||||
| 2 | Overview of business establishments, etc. | Business name | Official name of the business (trade name) | Required | CIMTOPS Corporation. |
| Corporate number | Required | 2013201002720 | |||
| 3 | Date of Establishment | Date of establishment of the business (Gregorian calendar) | Required | 1991/10/01 | |
| 4 | Office | Head office location of the business | Required | 1410021 Shin-Meguro Tokyu Building, 10th floor, 2-25-2 Kami-Osaki, Shinagawa-ku, Tokyo | |
| Company website | Required | https://www.cimtops.co.jp/ | |||
| 5 | Project Overview | Overview of main business | Overview of the operator's main business | Required | Development and sales of DIRECTOR, a production scheduler and process control system for individual order-based production factories Development and sales of ConMas i-Reporter, a tablet-based paperless on-site document recording, reporting, and viewing solution Development and sales of BOP process editor MPPCreator Development and sales of production management related software Development and sales of engineering-related software System integration and system consultation related to the above |
| Human Resources | |||||
| 6 | executive | representative | Representative name | Required | Takashi Mizuno |
| Representative background (date of birth, educational background, work history, qualifications, etc.) | Required | April 20, 1962, Nagoya Institute of Technology, Department of Industrial Engineering Representative Director CIMTOPS Corporation. | |||
| 7 | board member | Number of officers | choice | 4 | |
| 8 | employee | Number of Employees | Number of full-time employees (non-consolidated basis) | Required | 71 |
| Financial Status | |||||
| 9 | Financial Data | Sales | Sales of business operators (non-consolidated basis) | Required | ¥1,680,016,137 |
| 11 | capital | Capital of the operator (standalone basis) | Required | ¥16,500,000 | |
| 12 | Equity ratio | Company equity ratio (non-consolidated basis) | choice | 73% | |
| compliance | |||||
| 22 | organizational structure | Status of organizational structure regarding information security | Whether or not there is a person in charge of information security, and if so, the name and position of that person | Required | Information Security Manager Kami Mikami |
| Existence of an organizational structure for information security | Required | Yes | |||
| 23 | personal information | Handling of Personal Information | Whether or not there are any regulations regarding the handling of personal information, and if so, where they are described | Required | ▼Basic Information Security Policy https://cimtops.com/security/ ▼Privacy Policy https://cimtops.com/privacypolicy |
| 24 | Confidentiality | Confidentiality Agreement | Whether or not there is a confidentiality agreement or clause | Required | Employee: Work regulations, etc. Business partner (agency): Concluded through a negotiated transaction |
| Whether there is a penalty clause in case of breach of confidentiality obligation | Required | Employee: Work regulations, etc. Business partner (agency): Concluded through a negotiated transaction | |||
| 25 | Employee education, etc. | Status of security education for employees | Status of efforts to provide security education to employees | Required | We conduct annual training and information security operation checks three times a year as part of our ISMS annual plan. |
| 26 | Status of confidentiality obligations to employees | Status of efforts to comply with confidentiality obligations for employees | Required | This is included in the work regulations and employment contracts. | |
| 27 | consignment | Disclosure of entrusted information | Whether or not information on contractors (subcontractors) involved in the provision of services can be disclosed, and if so, the conditions under which it can be disclosed | Required | We disclose the use of Microsoft Azure infrastructure as a subcontractor (IaaS). |
| 28 | Management status of subcontractors | Whether or not your company has regulations for complying with personal information protection guidelines | Required | This is stipulated in the work regulations, employment contract, and ISMS implementation guidelines. | |
| Whether or not information can be provided regarding the status of personal information protection at the contractor (subcontractor), and if so, the conditions, etc. | Required | We will investigate the personal information in advance and respond if it is applicable. | |||
| Status of confidentiality obligations with subcontractors (re-contractors) | Required | We have concluded a contract with the contractor. | |||
| Management method for contractors (subcontractors) | Required | In addition to program-specific management, we also adopt outsourced management measures based on ISMS plans, grasp the situation, and conduct reviews. | |||
| 29 | Documents | Establishment of regulations regarding information security | Status and names of documents such as basic policies, regulations, manuals, and risk assessment results regarding information security | Required | We have prepared ISMS documents such as the Information Security Basic Policy, ISMS manual, and information security implementation guidelines. |
| 30 | Establishment of rules for business continuity | Whether or not there are basic policies, regulations, manuals, etc. regarding business continuity, and if yes, the names of the documents | Required | Yes This has been established as a management measure within the information security implementation guidelines. | |
| Whether or not to disclose BCP response plans and operational procedures, etc., and if so, the conditions under which they can be disclosed | Required | BCP-related information is not publicly available | |||
| 31 | Establishment of regulations regarding risk management | Whether or not there are basic policies, regulations, manuals, etc. regarding risk management, and if so, the names of those documents | Required | Yes We carry out asset inventories and risk assessments based on the ISMS annual manual, risk assessment procedures, information security implementation guidelines, etc. | |
| 32 | Establishment of regulations regarding solicitation, sales, and disputes | Whether or not there are basic policies, regulations, manuals, etc. regarding solicitation and sales, and if yes, the names of the documents | Required | none | |
| Whether or not there are documents containing information on how to respond in the event of a dispute, such as rules regarding disputes and the court of jurisdiction, and if so, the names of those documents | Required | Yes The i-Reporter Cloud Service Terms of Use clearly state that the Tokyo District Court shall have jurisdiction. | |||
| 33 | Establishment of regulations regarding handling complaints about ASP and SaaS | Whether or not there are basic policies, regulations, manuals, etc. regarding complaint handling for ASP/SaaS, and if so, the names of those documents | Required | Yes Whether or not there are basic policies, regulations, manuals, etc. regarding complaint handling is not disclosed. | |
| Whether or not there is a document describing the scope of liability and warranty coverage of the ASP/SaaS provider, and if so, the name of the document | Required | Yes This is stated in the i-Reporter Cloud Service Terms of Use. | |||
| 34 | Establishment of rules to prevent and deter users from making improper settings | Whether or not there are basic policies, regulations, manuals, etc. to prevent users from making improper settings when providing services, and if so, what are the names of these documents?When creating documents such as policies, it is a good idea to refer to the countermeasures items in the "Guidelines for Appropriate Settings in the Use and Provision of Cloud Services." | Required | Yes The i-Reporter cloud version service provides users with multiple manuals, including setting examples. Users can view the manuals at their convenience on the support website. | |
| Basic service performance | |||||
| 35 | Service Details | Service Name | Name of this ASP/SaaS service | Required | i-Reporter cloud version service (hereinafter referred to as "this service") |
| 36 | Service launch date | Date of service start for this ASP/SaaS (Gregorian calendar) | Required | 2013 | |
| Whether or not there have been any major changes made to the service since its launch and the time of application, and if so, the date of the change (Gregorian calendar) | Date of change: February 18, 2020 | ||||
| 37 | Content and scope of services | Contents and features of this ASP/SaaS service | Required | Paperless on-site document solution Familiar paper forms used on-site can be digitized as they are, making it easy for anyone to use. Electronic documents can be easily created and modified without no-code. Eliminates the hassle of double-checking and transcription, as well as mistakes and omissions that are inherent to paper documents. | |
| Whether or not there is service collaboration between other businesses, and if so, what is the content? | Required | It is published on the website https://i-reporter.jp/functions_cat/datalinkage/ | |||
| 38 | Service hours | Service hours | Required | 24 hours a day, 365 days a year | |
| 39 | Service customization range | Scope of application customization (if it depends on the contract contents, please state that) | Required | Customization is not supported | |
| 40 | Transition support | Whether or not migration support from existing systems is provided when using this service (if it depends on the cancellation details, please state this) | Required | We do not provide support for migrating from existing systems to this system. Please use the SE services of the dealership. | |
| 42 | Changes and Termination of Services | Advance notice of changes or termination of services (businesses) | Timing of notification to users (describe the timing of advance notification in units of 1 month, 3 months, 6 months, 12 months, etc.) | Required | We will notify you at least 3 months in advance |
| Announcement method | Required | Contact from distributors, announcements via support web, emails to customer administrators | |||
| 43 | Responses and alternative measures after changes or termination of services (businesses) | Whether or not there is a basic policy for response and alternative measures, and if so, a summary | Required | none Customers can export data used in the i-Reporter cloud service in Excel, PDF, CSV, XML, or other stored object formats via API and use it in general-purpose systems. | |
| 44 | Termination of contract, etc. | Return, deletion, and disposal of information | Whether or not there is a responsibility to return information assets (user data, etc.) at the end of the contract, and the conversion method, file format, costs, etc. of the entrusted information | Required | With this service, the management of customer data is the customer's own responsibility. Terms and Conditions Article 14, Paragraph 1 With this service, customer data can be exported to Excel, PDF, CSV, XML, and other object formats for use in other systems. There is no charge. |
| Whether or not information can be deleted or disposed of, and if so, the conditions under which it can be deleted or disposed of | Required | This service uses a virtual environment on Microsoft Azure, so a "deletion operation" is performed. For information on actual data deletion, please refer to the data handling information published by Azure: https://www.microsoft.com/ja-jp/trust-center/privacy/data-management | |||
| Providing proof of deletion or disposal | Required | A certificate can be issued for the deletion operation. | |||
| 45 | Service Fee | Pricing | Initial cost amount | Required | ¥50,000 |
| Monthly usage fee | Required | ¥37,500 | |||
| Minimum contract period | Required | none | |||
| 46 | Whether or not to pay a penalty upon cancellation | Whether or not there is a cancellation penalty (for the user) and, if so, the amount | Required | none | |
| 47 | Deadline for advance contract acceptance from users | Whether or not users can cancel their service, and if so, what the deadline is (how many days or months in advance) | Required | Yes There is a time limit for accepting service cancellations. Cancellation acceptance period for the next month: Closing date is the 25th of the current month | |
| 48 | Quality of Service | Service operational settings | Service availability target | Required | It is not publicly available. |
| Actual service availability rate | Required | January 2025 100% | |||
| History of service outages | Required | Six times in fiscal 2024, with an average of 16 minutes | |||
| 50 | Certification and auditing | Whether or not you have acquired the Privacy Mark (JIS Q 15001), ISMS (JIS Q 27001, etc.), ITSMS (JIS Q 20000-1, etc.), or have prepared Auditing Standards Committee Statement No. 18 (US auditing standards SSAE16, International Standards on Auditing ISAE3402), and if yes, the name of the certification or audit | choice | We are certified with JIS Q 27001:2023 (ISO/IEC 27001:2022) https://isms.jp/lst/ind/CR_JUSE-IR-412.html | |
| 51 | Vulnerability Assessment | Whether or not a vulnerability assessment was conducted, and if so, what was assessed (application, OS, hardware, etc.) and an outline of the countermeasures | choice | Yes Undergoing application diagnostics | |
| 54 | Backup measures | User data backup interval | Required | Daily, weekly, and monthly backups are taken | |
| Generation backup (describe how many generations back) | Required | Preserving two generations | |||
| 55 | Service continuity | A system that ensures service does not stop (redundancy, load balancing, etc.) | Required | I'm using a high availability environment | |
| Whether or not DR (Disaster Recovery) measures are in place, and if so, a summary of those measures | Required | No DR (disaster recovery/non-stop recovery) measures | |||
| 56 | Awards and commendations | History of receiving various awards related to ASP and SaaS | choice | Best Software in Japan 2022, 2023, 2024 Award Winner Winner of seven awards at the ITreview Grid Award 2025 Winter | |
| 57 | SLA (Service Level Agreement) | Whether the SLA for this service is attached to the contract | Required | SLA not published | |
| 58 | Number of subscribers | Number of companies subscribing to this ASP/SaaS service | choice | 4,200 companies | |
| Applications etc. | |||||
| 59 | alignment | Providing information on collaboration with other services and businesses | Whether or not there is collaboration with other services or businesses, and if so, the conditions for providing information, etc. | Required | Published on the homepage https://i-reporter.jp/functions_cat/software/ |
| 60 | Safety features | Life and death monitoring | Whether or not there is life monitoring, and if so, what is the target of life monitoring? | Required | Yes All service environments are monitored for their availability. |
| 61 | Time Synchronization | Whether or not time synchronization is supported, and if so, how | Required | Yes Synchronized with a trusted national time server | |
| 62 | Antivirus | Presence or absence of antivirus software | Required | Yes | |
| 63 | Administrative privilege management | Are there procedures for registering and deleting administrator privileges for the system operations department? | Required | ||
| 64 | ID and password management | The status of regulations regarding the operation and management of IDs and passwords when assigning IDs and passwords to users on the business side | Required | For the i-Reporter cloud version service, the customer administrator can register users, and users can set their own passwords. ID and password management must be conducted in accordance with company policies and rules. | |
| 65 | Records (logs, etc.) | The status of obtaining records (logs, etc.) of the user's usage, the retention period, and whether or not they can be provided to the user | Required | User access status can be viewed and exported by customer administrators. | |
| Whether or not logs related to system operation are collected, and if so, the retention period | Required | Yes Stored for over a year | |||
| Presence or absence of measures to prevent log tampering | Required | We grant appropriate access rights and store the information in an area that cannot be accessed from the outside. | |||
| 66 | Security Patch Management | Patch management status, patch update intervals, and patch application policy | Required | We regularly collect and evaluate vulnerability information from vendors and public institutions, and if deemed necessary, we apply it to the production environment after confirming its operation in a test environment. We are implementing these procedures as quickly as possible. | |
| 67 | Encryption measures | Whether or not encryption measures (database) are implemented, and if so, a summary of the measures | Required | The database is stored in encrypted storage and is encrypted in its entirety | |
| 68 | Measures to prevent improper settings | The existence or nonexistence of measures to prevent misconfigurations for each of the items in "Evaluation item a. Types of security configuration items and measures in the cloud" in the "Guidelines for appropriate configuration in the use and provision of cloud services" that apply to the service applied for. If "yes," please provide an outline of the items and measures to prevent misconfigurations. | Required | none No user-defined security settings | |
| network | |||||
| 69 | Center side network | Line | Dedicated line (including VPN), internet, etc. | Required | Internet connection |
| 70 | Bandwidth | Data communication speed range, availability of bandwidth guarantee | Required | No bandwidth guarantee | |
| 71 | Safety features | Firewall | Are there measures to prevent unauthorized access, such as the installation of a firewall? | Required | We do not have a standalone firewall; we provide comprehensive support through Microsoft Defender for Cloud, etc. |
| 72 | Intrusion Detection | Whether or not unauthorized packets or unauthorized server intrusions have been detected, and if so, how to respond | Required | Yes We implement comprehensive detection measures using Microsoft Defender for Cloud, DDoS Protection, etc. | |
| 74 | User Authentication | Authentication methods for managing user access, methods for authenticating connections from specific locations and devices, etc. | Required | Source IP address restriction (IP filtering) is available as an option. | |
| 75 | Countermeasures against spoofing (business side) | Whether or not measures are in place to prevent third-party spoofing of websites, and if so, the authentication method | Required | Yes Prevention by server certificate | |
| 76 | Encryption measures | Whether or not encryption measures (network) are supported, and if so, a summary of the measures | Required | Yes All i-Reporter communications are encrypted using SSL (TSL1.2). | |
| 78 | PC side network | Recommended line | Dedicated line (including VPN), internet, etc. | Required | General-purpose internet line |
| Scope of responsibility of ASP/SaaS providers regarding user connection lines | Required | The service is not responsible for the user's connection line. | |||
| 79 | Recommended Bandwidth | Whether or not there is a recommended bandwidth, and if so, the range of data communication speeds | Required | There is no recommended bandwidth. We recommend using a broadband connection. | |
| Terminal | |||||
| 80 | PC etc. (operation terminal) | Recommended devices | Type of device (PC, smartphone, tablet, thin client, etc.), OS, etc. | Required | Please refer to the operating environment information https://cimtops-support.com/i-Reporter/ir_manuals/jp/windows/iReporter_FunctionCorresponding_jp.pdf |
| The type of browser you use | Required | Google Chrome, Microsoft Edge, Safari, etc. | |||
| Housing (server installation location) | |||||
| 81 | Facility Buildings | Building type | Is the building a dedicated data center? | Required | The data center is a dedicated building |
| 82 | location | Country name, or regional block name in the case of Japan (e.g. Kanto, Tohoku) | Required | Located in Eastern and Western Japan | |
| 83 | Earthquake-resistant and seismic isolation structure | Earthquake resistance figures | Required | private | |
| Presence or absence of seismic isolation or vibration control structures | Required | Combined use of earthquake-resistant and seismic isolation | |||
| 84 | Emergency power equipment | uninterruptible power supply | Whether or not you have an uninterruptible power supply (UPS) and, if so, the duration of power supply | Required | Yes Power supply time is approximately 72 hours (varies depending on congestion conditions) |
| 85 | Power supply route | Whether or not two or more power supply routes (systems) via different substations are secured (excluding private generators and UPS) | Required | The power receiving route is redundant. | |
| 86 | Emergency power supply | Whether or not there is an emergency power source (private generator) and, if so, the number of continuous operating hours | Required | Yes Approximately 72 hours (varies depending on congestion) | |
| 87 | Fire extinguishing equipment | Fire extinguishing equipment in the server room | Whether or not there is an automatic fire extinguishing system, and if so, whether or not it is a gas-based system | Required | Yes The type is not disclosed |
| 88 | Fire detection and alarm systems | Fire detection system | Required | Yes | |
| 89 | Lightning protection equipment | Direct lightning strike protection | Presence or absence of measures against direct lightning strikes | Required | Yes |
| 90 | Countermeasures against induced lightning | Presence or absence of countermeasures against induced lightning | Required | Yes | |
| 91 | Air conditioning equipment | Air conditioning equipment | Details of air conditioning equipment (floor-blowing air conditioning, individual air conditioning for computers, etc.) | Required | Yes Packaged air conditioning for data centers and other uses |
| 92 | Safety features | Entrance and exit management, etc. | Whether or not entry and exit records are available, and if so, how long they will be kept | Required | Yes Retention period is not disclosed |
| Presence or absence of surveillance cameras | Required | Yes | |||
| Presence or absence of personal authentication system | Required | Yes | |||
| Service Support | |||||
| 95 | Service desk (complaints and inquiries) | contact address | Contact information such as telephone/fax, web, and email | Required | Support is available from 9:30 to 18:00 (excluding weekends and holidays) via the support website, phone, or email. |
| Whether or not there is a contact for an agency, and if so, the name of the agency, the address and contact for the agency's head office | Required | See our published list of agencies https://i-reporter.jp/agent/ | |||
| 96 | Business days and hours | Business days and business hours (reception hours) | Required | Support reception: 24 hours a day, 365 days a year (support website) Other reception hours: 9:30 to 18:00, excluding weekends and holidays | |
| 97 | Support scope and means | Support methods (telephone, email replies, etc.) | Required | Support Web, phone, email | |
| 98 | Service Notifications, Reporting, and Incident Response | Advance notice of temporary service suspensions such as maintenance | Time of notification to users (describe in units of 1 month, 3 months, 6 months, 12 months, etc.) | Required | More than 2 weeks ago |
| Announcement method | Required | Support web, email to customer administrator | |||
| 99 | Notification in the event of a failure or disaster | Whether or not to notify users when a problem occurs, and if so, how and when to notify users | Required | Yes Support web, email to customer administrator | |
| 100 | Security Incident Response | Response in the event of a security incident (notification, prevention of damage expansion, temporary response, full response, etc.) | Required | In the event of a security incident, we will take action according to the incident response plan as stated in the i-Reporter Cloud Service Terms of Use and notify the customer. | |
| 101 | Regular report | Whether or not regular reports are provided to users (monitoring results of applications, servers, platforms, and other devices, service availability rates, SLA implementation results, etc.) | Required | The server operating status is displayed in the ConMas Manager. | |
Note 1: "Required" indicates items for which information disclosure is required. "Optional" indicates items for which information disclosure is optional.
Note 2: For cloud services that have already disclosed information in accordance with the "Information Disclosure Guidelines for the Safety and Reliability of ASP/SaaS (Second Edition)" or "Information Disclosure Guidelines for the Safety and Reliability of IoT Cloud Services (ASP/SaaS Edition)" of the "Information Disclosure Guidelines for the Safety and Reliability of Cloud Services" (October 2018 Edition), it is acceptable to disclose only the differences from the "Information Disclosure Guidelines for the Safety and Reliability of Cloud Services Using AI Functions."
