Information Security Policy

TIMEWELL Inc. (hereinafter "the Company") aims to create an enriching community space where people can freely take on challenges, through our Challenge Infrastructure business that supports challengers. Under the leadership of management, the Company hereby declares its commitment to ensuring and enhancing the confidentiality, integrity, and availability of all information assets in its possession (including customer information, service-related data, systems, networks, etc.), complying with applicable laws and regulations, and systematically and continuously improving information security. Furthermore, the Company shall appropriately comply with domestic and international standards, including JIS Q 27001 (Information Security Management Systems) and JIS Q 15001 (Personal Information Protection Management Systems), and shall maintain rigorous information security management practices.

The Company shall comply with domestic and international laws and regulations relating to information security, the government's cybersecurity strategies and related guidelines, and various standards, regulations, and industry best practices, including JIS Q 27001 and JIS Q 15001. Rules and procedures reflecting these requirements shall be clearly defined in internal regulations and shall be reliably executed and maintained.

The Company shall appoint an Information Security Manager and establish an organizational structure for information security in order to properly and safely manage its information assets. Through these measures, the Company shall implement the following:

• ・Development, maintenance, and review of security policies and operational procedures
• ・Establishment of a rapid incident response framework (including emergency response manuals and incident handling procedures)
• ・Execution of technical and organizational measures, including classification of information assets, protection level settings, access control, authentication and authorization, and log monitoring

The Company shall ensure that all personnel (including full-time employees, temporary staff, and outsourced contractors) deeply understand the importance of information security and are able to put it into practice, through the following measures:

• ・Regular security education, training, and awareness activities
• ・Practical training such as anti-phishing exercises
• ・Enhancement of organization-wide security literacy through sharing of the latest threat trends and technical information

The Company shall identify and assess potential threats and vulnerabilities that may affect its information assets using risk assessment methodologies. Based on the results, the Company shall plan and implement necessary controls and verify the effectiveness of countermeasures. The Company shall also continue regular reviews and improvements to address the increasing sophistication of cyberattack methods and technological advancements.

The Company shall establish and operate an ISMS based on relevant standards, including JIS Q 27001 and JIS Q 15001. Through internal and external audits and certification, the Company shall verify and evaluate that the ISMS is functioning effectively and efficiently, and shall sustain continuous improvement of information security levels through the PDCA cycle.

The Company shall appropriately collaborate with stakeholders, including regulatory authorities, industry associations, security firms, partner companies, and customers, to share the latest cyber threat intelligence and countermeasure expertise. Through these efforts, the Company shall also contribute to resolving societal challenges related to information security and enhancing trust.

In the event of legal violations, contractual breaches, or incidents related to information security, the Company shall respond appropriately and work to prevent recurrence.

This policy applies to all information assets handled by the Company and all personnel associated with the Company. Each individual is responsible for understanding and complying with this policy and related regulations. Appropriate disciplinary action shall be taken against violations, and measures to prevent recurrence shall be implemented.