Ministry of Internal Affairs and Communications Guidelines Cloud services
Safety and Reliability Information Disclosure Guidelines

Ministry of Internal Affairs and Communications Information Disclosure Guidelines Regarding the Safety and Reliability of Cloud Services

No. | Type | Service level item (example) | Regulations | Required/Optional (Note 1) | Contents
1 | Time of disclosure | Disclosure date | Date of disclosure (Gregorian calendar) | Required | February 25, 2025
Office/Business
2 | Overview of business establishments, etc. | Business name | Official name of the business (trade name) | Required | CIMTOPS Corporation.
Corporate number | Required | 2013201002720
3 | Date of establishment | Date of establishment of the business (Gregorian calendar) | Required | 1991/10/01
4 | Office | Head office location of the business | Required | 1410021
Shin-Meguro Tokyu Building, 10th floor, 2-25-2 Kami-Osaki, Shinagawa-ku, Tokyo
Company website | Required | https://www.cimtops.co.jp/
5 | Project overview | Overview of main business | Overview of the operator's main business | Required | Development and sales of DIRECTOR, a production scheduler and process control system for individual order-based production factories
Development and sales of ConMas i-Reporter, a tablet-based paperless on-site document recording, reporting, and viewing solution
Development and sales of BOP process editor MPPCreator
Development and sales of production management related software
Development and sales of engineering-related software
System integration and system consultation related to the above
Human Resources
6 | Executive | Representative | Representative name | Required | Takashi Mizuno
Representative background (date of birth, educational background, work history, qualifications, etc.) | Required | April 20, 1962, Nagoya Institute of Technology, Department of Industrial Engineering
Representative Director CIMTOPS Corporation.
7 | Board member | Number of officers | Optional | 4
8 | Employee | Number of employees | Number of full-time employees (non-consolidated basis) | Required | 71
Financial Status
9 | Financial data | Sales | Sales of business operators (non-consolidated basis) | Required | ¥1,680,016,137
11 | Capital | Capital of the operator (standalone basis) | Required | ¥16,500,000
12 | Equity ratio | Company equity ratio (non-consolidated basis) | Optional | 73%
Compliance
22 | Organizational structure | Status of organizational structure regarding information security | Whether or not there is a person in charge of information security, and if so, the name and position of that person | Required | Information Security Manager Kami Mikami
Existence of an organizational structure for information security | Required | Yes
23 | Personal information | Handling of personal information | Whether or not there are any regulations regarding the handling of personal information, and if so, where they are described | Required | ▼Basic Information Security Policy
https://cimtops.com/security/
▼Privacy Policy
https://cimtops.com/privacypolicy
24 | Confidentiality | Confidentiality agreement | Whether or not there is a confidentiality agreement or clause | Required | Employee: Work regulations, etc.
Business partner (agency): Concluded through a negotiated transaction
Whether there is a penalty clause in case of breach of confidentiality obligation | Required | Employee: Work regulations, etc.
Business partner (agency): Concluded through a negotiated transaction
25 | Employee education, etc. | Status of security education for employees | Status of efforts to provide security education to employees | Required | We conduct annual training and information security operation checks three times a year as part of our ISMS annual plan.
26 | Status of confidentiality obligations to employees | Status of efforts to comply with confidentiality obligations for employees | Required | This is included in the work regulations and employment contracts.
27 | Consignment | Disclosure of entrusted information | Whether or not information on contractors (subcontractors) involved in the provision of services can be disclosed, and if so, the conditions under which it can be disclosed | Required | We disclose the use of Microsoft Azure infrastructure as a subcontractor (IaaS).
28 | Management status of subcontractors | Whether or not your company has regulations for complying with personal information protection guidelines | Required | This is stipulated in the work regulations, employment contract, and ISMS implementation guidelines.
Whether or not information can be provided regarding the status of personal information protection at the contractor (subcontractor), and if so, the conditions, etc. | Required | We will investigate the personal information in advance and respond if it is applicable.
Status of confidentiality obligations with subcontractors (re-contractors) | Required | We have concluded a contract with the contractor.
Management method for contractors (subcontractors) | Required | In addition to program-specific management, we also adopt outsourced management measures based on ISMS plans, grasp the situation, and conduct reviews.
29 | Documents | Establishment of regulations regarding information security | Status and names of documents such as basic policies, regulations, manuals, and risk assessment results regarding information security | Required | We have prepared ISMS documents such as the Information Security Basic Policy, ISMS manual, and information security implementation guidelines.
30 | Establishment of rules for business continuity | Whether or not there are basic policies, regulations, manuals, etc. regarding business continuity, and if yes, the names of the documents | Required | Yes
This has been established as a management measure within the information security implementation guidelines.
Whether or not to disclose BCP response plans and operational procedures, etc., and if so, the conditions under which they can be disclosed | Required | BCP-related information is not publicly available
31 | Establishment of regulations regarding risk management | Whether or not there are basic policies, regulations, manuals, etc. regarding risk management, and if so, the names of those documents | Required | Yes
We carry out asset inventories and risk assessments based on the ISMS annual manual, risk assessment procedures, information security implementation guidelines, etc.
32 | Establishment of regulations regarding solicitation, sales, and disputes | Whether or not there are basic policies, regulations, manuals, etc. regarding solicitation and sales, and if yes, the names of the documents | Required | None
Whether or not there are documents containing information on how to respond in the event of a dispute, such as rules regarding disputes and the court of jurisdiction, and if so, the names of those documents | Required | Yes
The i-Reporter Cloud Service Terms of Use clearly state that the Tokyo District Court shall have jurisdiction.
33 | Establishment of regulations regarding handling complaints about ASP and SaaS | Whether or not there are basic policies, regulations, manuals, etc. regarding complaint handling for ASP/SaaS, and if so, the names of those documents | Required | Yes
Whether or not there are basic policies, regulations, manuals, etc. regarding complaint handling is not disclosed.
Whether or not there is a document describing the scope of liability and warranty coverage of the ASP/SaaS provider, and if so, the name of the document | Required | Yes
This is stated in the i-Reporter Cloud Service Terms of Use.
34 | Establishment of rules to prevent and deter users from making improper settings | Whether or not there are basic policies, regulations, manuals, etc. to prevent users from making improper settings when providing services, and if so, what are the names of these documents? When creating documents such as policies, it is a good idea to refer to the countermeasures items in the "Guidelines for Appropriate Settings in the Use and Provision of Cloud Services." | Required | Yes
The i-Reporter cloud version service provides users with multiple manuals, including setting examples. Users can view the manuals at their convenience on the support website.
Basic service performance
35 | Service details | Service name | Name of this ASP/SaaS service | Required | i-Reporter cloud version service
(hereinafter referred to as "this service")
36 | Service launch date | Date of service start for this ASP/SaaS (Gregorian calendar) | Required | 2013
Whether or not there have been any major changes made to the service since its launch and the time of application, and if so, the date of the change (Gregorian calendar) | Date of change: February 18, 2020
37 | Content and scope of services | Contents and features of this ASP/SaaS service | Required | Paperless on-site document solution
Familiar paper forms used on-site can be digitized as they are, making it easy for anyone to use.
Electronic documents can be easily created and modified with no code.
Eliminates the hassle of double-checking and transcription, as well as mistakes and omissions that are inherent to paper documents.
Whether or not there is service collaboration between other businesses, and if so, what is the content? | Required | It is published on the website
https://i-reporter.jp/functions_cat/datalinkage/
38 | Service hours | Service hours | Required | 24 hours a day, 365 days a year
39 | Service customization range | Scope of application customization (if it depends on the contract contents, please state that) | Required | Customization is not supported
40 | Transition support | Whether or not migration support from existing systems is provided when using this service (if it depends on the cancellation details, please state this) | Required | We do not provide support for migrating from existing systems to this system.
Please use the SE services of the dealership.
42 | Changes and termination of services | Advance notice of changes or termination of services (businesses) | Timing of notification to users (describe the timing of advance notification in units of 1 month, 3 months, 6 months, 12 months, etc.) | Required | We will notify you at least 3 months in advance
Announcement method | Required | Contact from distributors, announcements via support web, emails to customer administrators
43 | Responses and alternative measures after changes or termination of services (businesses) | Whether or not there is a basic policy for response and alternative measures, and if so, a summary | Required | None
Customers can export data used in the i-Reporter cloud service in Excel, PDF, CSV, XML, or other stored object formats via API and use it in general-purpose systems.
44 | Termination of contract, etc. | Return, deletion, and disposal of information | Whether or not there is a responsibility to return information assets (user data, etc.) at the end of the contract, and the conversion method, file format, costs, etc. of the entrusted information | Required | With this service, the management of customer data is the customer's own responsibility. Terms and Conditions Article 14, Paragraph 1
With this service, customer data can be exported to Excel, PDF, CSV, XML, and other object formats for use in other systems. There is no charge.
Whether or not information can be deleted or disposed of, and if so, the conditions under which it can be deleted or disposed of | Required | This service uses a virtual environment on Microsoft Azure, so a "deletion operation" is performed.
For information on actual data deletion, please refer to the data handling information published by Azure: https://www.microsoft.com/ja-jp/trust-center/privacy/data-management
Providing proof of deletion or disposal | Required | A certificate can be issued for the deletion operation.
45 | Service fee | Pricing | Initial cost amount | Required | ¥50,000
Monthly usage fee | Required | ¥37,500
Minimum contract period | Required | None
46 | Whether or not to pay a penalty upon cancellation | Whether or not there is a cancellation penalty (for the user) and, if so, the amount | Required | None
47 | Deadline for advance contract acceptance from users | Whether or not users can cancel their service, and if so, what the deadline is (how many days or months in advance) | Required | Yes
There is a time limit for accepting service cancellations.
Cancellation acceptance period for the next month: Closing date is the 25th of the current month
48 | Quality of service | Service operational settings | Service availability target | Required | It is not publicly available.
Actual service availability rate | Required | January 2025 100%
History of service outages | Required | Six times in fiscal 2024, with an average of 16 minutes
50 | Certification and auditing | Whether or not you have acquired the Privacy Mark (JIS Q 15001), ISMS (JIS Q 27001, etc.), ITSMS (JIS Q 20000-1, etc.), or have prepared Auditing Standards Committee Statement No. 18 (US auditing standards SSAE16, International Standards on Auditing ISAE3402), and if yes, the name of the certification or audit | Optional | We are certified with JIS Q 27001:2023 (ISO/IEC 27001:2022)
https://isms.jp/lst/ind/CR_JUSE-IR-412.html
51 | Vulnerability assessment | Whether or not a vulnerability assessment was conducted, and if so, what was assessed (application, OS, hardware, etc.) and an outline of the countermeasures | Optional | Yes
Undergoing application diagnostics
54 | Backup measures | User data backup interval | Required | Daily, weekly, and monthly backups are taken
Generation backup (describe how many generations back) | Required | Preserving two generations
55 | Service continuity | A system that ensures service does not stop (redundancy, load balancing, etc.) | Required | We use a high-availability environment
Whether or not DR (Disaster Recovery) measures are in place, and if so, a summary of those measures | Required | No DR (disaster recovery/non-stop recovery) measures
56 | Awards and commendations | History of receiving various awards related to ASP and SaaS | Optional | Best Software in Japan 2022, 2023, 2024 Award Winner
Winner of seven awards at the ITreview Grid Award 2025 Winter
57 | SLA (Service Level Agreement) | Whether the SLA for this service is attached to the contract | Required | SLA not published
58 | Number of subscribers | Number of companies subscribing to this ASP/SaaS service | Optional | 4,200 companies
Applications etc.
59 | Alignment | Providing information on collaboration with other services and businesses | Whether or not there is collaboration with other services or businesses, and if so, the conditions for providing information, etc. | Required | Published on the homepage
https://i-reporter.jp/functions_cat/software/
60 | Safety features | Liveness monitoring | Whether or not there is liveness monitoring, and if so, what is the target of the monitoring? | Required | Yes
All service environments are monitored for their availability.
61 | Time synchronization | Whether or not time synchronization is supported, and if so, how | Required | Yes
Synchronized with a trusted national time server
62 | Antivirus | Presence or absence of antivirus software | Required | Yes
63 | Administrative privilege management | Are there procedures for registering and deleting administrator privileges for the system operations department? | Required
64 | ID and password management | The status of regulations regarding the operation and management of IDs and passwords when assigning IDs and passwords to users on the business side | Required | For the i-Reporter cloud version service, the customer administrator can register users, and users can set their own passwords.
ID and password management must be conducted in accordance with company policies and rules.
65 | Records (logs, etc.) | The status of obtaining records (logs, etc.) of the user's usage, the retention period, and whether or not they can be provided to the user | Required | User access status can be viewed and exported by customer administrators.
Whether or not logs related to system operation are collected, and if so, the retention period | Required | Yes
Stored for over a year
Presence or absence of measures to prevent log tampering | Required | We grant appropriate access rights and store the information in an area that cannot be accessed from the outside.
66 | Security patch management | Patch management status, patch update intervals, and patch application policy | Required | We regularly collect and evaluate vulnerability information from vendors and public institutions, and if deemed necessary, we apply it to the production environment after confirming its operation in a test environment. We are implementing these procedures as quickly as possible.
67 | Encryption measures | Whether or not encryption measures (database) are implemented, and if so, a summary of the measures | Required | The database is stored in encrypted storage and is encrypted in its entirety
68 | Measures to prevent improper settings | The existence or nonexistence of measures to prevent misconfigurations for each of the items in "Evaluation item a. Types of security configuration items and measures in the cloud" in the "Guidelines for appropriate configuration in the use and provision of cloud services" that apply to the service applied for. If "yes," please provide an outline of the items and measures to prevent misconfigurations. | Required | None
No user-defined security settings
Network
69 | Center side network | Line | Dedicated line (including VPN), internet, etc. | Required | Internet connection
70 | Bandwidth | Data communication speed range, availability of bandwidth guarantee | Required | No bandwidth guarantee
71 | Safety features | Firewall | Are there measures to prevent unauthorized access, such as the installation of a firewall? | Required | We do not have a standalone firewall; we provide comprehensive support through Microsoft Defender for Cloud, etc.
72 | Intrusion detection | Whether or not unauthorized packets or unauthorized server intrusions have been detected, and if so, how to respond | Required | Yes
We implement comprehensive detection measures using Microsoft Defender for Cloud, DDoS Protection, etc.
74 | User authentication | Authentication methods for managing user access, methods for authenticating connections from specific locations and devices, etc. | Required | Source IP address restriction (IP filtering) is available as an option.
75 | Countermeasures against spoofing (business side) | Whether or not measures are in place to prevent third-party spoofing of websites, and if so, the authentication method | Required | Yes
Prevention by server certificate
76 | Encryption measures | Whether or not encryption measures (network) are supported, and if so, a summary of the measures | Required | Yes
All i-Reporter communications are encrypted using SSL (TLS 1.2).
78 | PC side network | Recommended line | Dedicated line (including VPN), internet, etc. | Required | General-purpose internet line
Scope of responsibility of ASP/SaaS providers regarding user connection lines | Required | The service is not responsible for the user's connection line.
79 | Recommended bandwidth | Whether or not there is a recommended bandwidth, and if so, the range of data communication speeds | Required | There is no recommended bandwidth. We recommend using a broadband connection.
Terminal
80 | PC etc. (operation terminal) | Recommended devices | Type of device (PC, smartphone, tablet, thin client, etc.), OS, etc. | Required | Please refer to the operating environment information
https://cimtops-support.com/i-Reporter/ir_manuals/jp/windows/iReporter_FunctionCorresponding_jp.pdf
The type of browser you use | Required | Google Chrome, Microsoft Edge, Safari, etc.
Housing (server installation location)
81 | Facility buildings | Building type | Is the building a dedicated data center? | Required | The data center is a dedicated building
82 | Location | Country name, or regional block name in the case of Japan (e.g. Kanto, Tohoku) | Required | Located in Eastern and Western Japan
83 | Earthquake-resistant and seismic isolation structure | Earthquake resistance figures | Required | Not disclosed
Presence or absence of seismic isolation or vibration control structures | Required | Combined use of earthquake-resistant and seismic isolation
84 | Emergency power equipment | Uninterruptible power supply | Whether or not you have an uninterruptible power supply (UPS) and, if so, the duration of power supply | Required | Yes
Power supply time is approximately 72 hours (varies depending on congestion conditions)
85 | Power supply route | Whether or not two or more power supply routes (systems) via different substations are secured (excluding private generators and UPS) | Required | The power receiving route is redundant.
86 | Emergency power supply | Whether or not there is an emergency power source (private generator) and, if so, the number of continuous operating hours | Required | Yes
Approximately 72 hours (varies depending on congestion)
87 | Fire extinguishing equipment | Fire extinguishing equipment in the server room | Whether or not there is an automatic fire extinguishing system, and if so, whether or not it is a gas-based system | Required | Yes
The type is not disclosed
88 | Fire detection and alarm systems | Fire detection system | Required | Yes
89 | Lightning protection equipment | Direct lightning strike protection | Presence or absence of measures against direct lightning strikes | Required | Yes
90 | Countermeasures against induced lightning | Presence or absence of countermeasures against induced lightning | Required | Yes
91 | Air conditioning equipment | Air conditioning equipment | Details of air conditioning equipment (floor-blowing air conditioning, individual air conditioning for computers, etc.) | Required | Yes
Packaged air conditioning for data centers and other uses
92 | Safety features | Entrance and exit management, etc. | Whether or not entry and exit records are available, and if so, how long they will be kept | Required | Yes
Retention period is not disclosed
Presence or absence of surveillance cameras | Required | Yes
Presence or absence of personal authentication system | Required | Yes
Service Support
95 | Service desk (complaints and inquiries) | Contact address | Contact information such as telephone/fax, web, and email | Required | Support is available from 9:30 to 18:00 (excluding weekends and holidays) via the support website, phone, or email.
Whether or not there is a contact for an agency, and if so, the name of the agency, the address and contact for the agency's head office | Required | See our published list of agencies
https://i-reporter.jp/agent/
96 | Business days and hours | Business days and business hours (reception hours) | Required | Support reception: 24 hours a day, 365 days a year (support website)
Other reception hours: 9:30 to 18:00, excluding weekends and holidays
97 | Support scope and means | Support methods (telephone, email replies, etc.) | Required | Support Web, phone, email
98 | Service notifications, reporting, and incident response | Advance notice of temporary service suspensions such as maintenance | Time of notification to users (describe in units of 1 month, 3 months, 6 months, 12 months, etc.) | Required | At least 2 weeks in advance
Announcement method | Required | Support web, email to customer administrator
99 | Notification in the event of a failure or disaster | Whether or not to notify users when a problem occurs, and if so, how and when to notify users | Required | Yes
Support web, email to customer administrator
100 | Security incident response | Response in the event of a security incident (notification, prevention of damage expansion, temporary response, full response, etc.) | Required | In the event of a security incident, we will take action according to the incident response plan as stated in the i-Reporter Cloud Service Terms of Use and notify the customer.
101 | Regular report | Whether or not regular reports are provided to users (monitoring results of applications, servers, platforms, and other devices, service availability rates, SLA implementation results, etc.) | Required | The server operating status is displayed in the ConMas Manager.

Note 1: "Required" indicates items for which information disclosure is required. "Optional" indicates items for which information disclosure is optional.

Note 2: For cloud services that have already disclosed information in accordance with the "Information Disclosure Guidelines for the Safety and Reliability of ASP/SaaS (Second Edition)" or "Information Disclosure Guidelines for the Safety and Reliability of IoT Cloud Services (ASP/SaaS Edition)" of the "Information Disclosure Guidelines for the Safety and Reliability of Cloud Services" (October 2018 Edition), it is acceptable to disclose only the differences from the "Information Disclosure Guidelines for the Safety and Reliability of Cloud Services Using AI Functions."
