July 1, 2011
i3 Systems, Inc.
Tsutomu Sasaki, President

As a software platform vendor engaging in the development and provision of services based on information technology, i3 Systems has a strong awareness that personal information is each individual's personal property. To properly acquire, utilize, and provide such personal information in compliance with laws and regulations, we have developed a Personal Information Protection Management System to prevent the leakage of personal information, correct leakage if it occurs and continuously improve the System. We will properly acquire, utilize, and provide personal information. When acquiring information, we specify the purpose of use wherever possible, take measures to prohibit the handling of personal information beyond the scope necessary for the achievement of the purpose of use, and in principle do not provide personal data to any third party without the relevant individual's consent.

• The prevention and correction of personal data leakage: We prevent leakage, loss, or damage of personal data through a reasonable safety management system according to the importance of personal data. If data leaks, we will make corrections in consideration of internal and external opinions and suggestions.
• Compliance with personal information-related laws, regulations, and other norms: We will carefully adhere to laws, regulations, national guidelines, and other norms such as the "Act on the Protection of Personal Information" as well as new legislation and revisions.
• Continuous improvement of the Personal Information Protection Management System: We will continue to review and improve our Personal Information Protection Management System through the appointment of a Personal Information Protection Supervisor with the responsibility and authority to implement and operate the Personal Information Protection Management System and the appointment of a Personal Information Protection Auditor.
• Contact: We properly respond to personal information-related inquiries and complaints. For inquiries regarding our personal information handling and Personal Information Protection Management System, please use the email address at the bottom of this page.
• If i3 Systems provides personal information to a third party based on the consent of the customer in 4 above and outsources its business processing, it enters into a contract with the third party or outsourcee to prevent leakage or the re-provision of the customer's personal information and has such third party or outsourcee conduct proper management.

Code as of July 1, 2011
i3 Systems, Inc.
Tsutomu Sasaki, President

Chapter 1 General Provisions

Article 1.Purpose

This code defines how i3 Systems handles personal data.

Article 2.Limitation of Handlers

• The Personal Data Administrator appointed by the General Manager of each Division shall define the role and responsibility of the personal data handler at the Division and publicize it in-house.
• The Personal Data Administrator appointed by the General Manager of each Division shall limit the personal data handlers at the Division to those who need to handle such data in the course of business only.

Article 3.Restriction of Handling of Sensitive Information

Among the personal information, the personal data handler must not handle the information regarding political opinion, religion (this refers to religion, thought, and creed), labor union membership, race/ethnicity, family lineage/permanent address, health/medical/sexual matters, and criminal record ("sensitive information"), except when:

• Ordered by law
• Acquiring, utilizing, providing, and storing the family register or other identification document containing sensitive information in order to identify the individual
• Handling information based on the individual's consent to ensure proper business operation
• It is necessary to protect human life, limb, or property
• It is especially necessary to enhance public health or promote the sound growth of children
• It is necessary to cooperate with any State organ or local government or its delegatee for the purpose of conducting legally-prescribed clerical work

Article 4.Method of Acquiring the Consent of Individuals in the Handling of Sensitive Information

• Consent of the individual in the preceding article (3) shall basically be obtained in writing.
• Even when handling sensitive information with the individual's consent based on preceding article (3), the personal data handler shall obtain information within the minimum scope necessary for conducting business.
• If personal data obtained by mail or other means contains sensitive information, the personal data handler basically shall immediately return the information to the individual by the method specified by the individual or discard of it, unless the individual's consent is obtained. However, if other pieces of information in the document are necessary in the course of business, the personal data handler shall obtain such information with the sensitive information made illegible.

Article 5.Limitation of Personal Data Handled

The Personal Data Administrator shall limit the personal data handled to the minimum required for business.

Article 6.Procedure for Device and Recording Medium Management

• The Personal Data Administrator shall designate the location for the installation of the devices and recording media that save the personal data handled, set the administrative classification and privilege, and change them as needed.
• The personal data handler shall properly store the devices and recording media that save personal data according to the designation and setting in the preceding paragraph.
• The Personal Information Protection Supervisor shall inspect the personal data management status accordingly and make a regular report to the Personal Information Protection Manager.

Article 7.Personal Data Access Control

In order to control access to the personal data handled, the Personal Data Administrator shall take the following measures regarding the personal data storage devices and media.

• Provide a personal data access authority feature.
• Maintain strict control over IDs and passwords used to handle personal data.
• Restrict access to the the space where the devices and recording media that save personal data are kept.
• Properly manage personal data on incoming mail and facsimile.

Article 8.Personal Data Access Log and Analysis

If necessary, the Personal Data Administrator shall acquire access and other system operational status records in personal data handling, store such records for the necessary period, and analyze them to prevent personal data leakage.

Article 9.Measures on Taking Personal Data Out of the Controlled Area

• The Personal Information Protection Supervisor shall define handlers' roles and responsibilities regarding the taking of personal data out of the controlled area (predesignated in consideration of the sphere of business) and publicize it within the organization.
• The Personal Data Administrator shall limit handlers taking personal data out of the controlled area to the minimum required.
• The Personal Data Administrator shall limit the personal data allowed to be taken out of the controlled area to the minimum required for business.
• The personal data handler intending to take personal data out of the controlled area shall apply to the Personal Data Administrator for prior approval.
• The Personal Data Administrator shall confirm that the persons taking out personal data are limited to the personal data handlers in the second paragraph. The Personal Data Administrator shall also confirm that the personal data to be taken out is within the scope of limitation in the third paragraph.
• When taking personal data out of the controlled area, the amount of such personal data shall be limited as separately specified, and the personal data handler shall properly manage each device and medium that contains such personal data at all times.
• When taking personal data out of the controlled area, the personal data handler shall properly report to the Personal Data Administrator and record the status of the personal data taken out, according to the data type and form, as needed.
• In order to prevent personal data leakage, the Personal Data Administrator shall check the status reported and recorded, if necessary.

Article 10.Procedure for Application and Approval regarding Irregular Handling

When handling personal data other than specified in this code, the personal data handler shall apply to the Personal Information Protection Supervisor via the Personal Data Administrator for prior approval from the Personal Information Protection Supervisor.

Chapter 2 Acquisition and Input Phase

Article 1.Definition

• "Acquisition" refers to obtaining personal information from an individual or a third party by physical and electronic means.
• "Input" refers to physically and electronically entering acquired personal data into a database or other information system.

Article 2.Recording and Analysis of Acquisition and Input Status

• When acquiring and inputting personal information, the personal data handler shall record the status of acquisition and input properly as needed, according to the information type and form.
• In order to prevent personal information leakage, the Personal Data Administrator checks the recorded status as needed.

Article 3.Cross-Check and Verification Procedure at Acquisition and Input

• When acquiring personal information, the personal data handler shall identify the information provider and check the authority.
• When creating personal data, the personal data handler shall confirm the accuracy of the input data.

Chapter 3 Utilization and Processing Phase

Article 1.Definition

• "Utilization" refers to the handling of personal data within the scope of utilization purpose.
• "Processing" refers to the updating of personal data or the creation of a new database utilizing personal data.

Article 2.Recording and Analysis of Utilization and Processing Status

• When utilizing and processing personal information, the personal data handler shall record the status of utilization and processing properly as needed, according to the information type and form.
• In order to prevent personal information leakage, the Personal Data Administrator checks the recorded status as needed.

Article 3.Cross-Check and Verification Procedure at Utilization and Processing

• The personal data handler shall check if the personal data to be utilized is the correct target data.
• The personal data handler shall make a check against the original data to see if the personal data utilized have been processed correctly.

Chapter 4 Transfer and Transmission Phase

Article 1.Definition

• "Transfer" refers to the moving of personal data to a different location or person by physical means.
• "Transmission" refers to the moving of personal data to a different location or person by electronic means.

Article 2.Recording and Analysis of Storage and Saving Status

• When transferring or transmitting personal data, the personal data handler shall record the status of transfer and transmission properly as needed, according to the data type and form.
• In order to prevent personal data leakage, the Personal Data Administrator checks the record in the preceding paragraph as needed.

Article 3.Cross-Check and Verification Procedure at Transfer and Transmission

When transferring or transmitting personal data, the personal data handler shall cross-check and verify the transfer or transmission destination for correctness.

Chapter 5 Storage and Saving Phase

Article 1.Definition

• "Storage" refers to the managing of personal data by physical means.
• "Saving" refers to the managing of personal data by electronic means.

Article 2.Recording and Analysis of Storage and Saving Status

• When storing and saving personal data, the personal data handler shall record the status of storage and saving properly as needed, according to the data type and form.
• In order to prevent personal data leakage, the Personal Data Administrator checks the record in the preceding paragraph as needed.

Article 3.Recording and Analysis of Storage and Saving Status

• "Erasure" refers to the deleting of personal data on the medium saving the personal data by electronic and other means.
• "Disposal" refers to the physical disposal of the medium that saves personal data.

Article 4.Recording and Analysis of Erasure and Disposal Status

• When erasing and disposing personal data, the personal data handler shall record the status of erasure and disposal properly as needed, according to the data type and form.
• In order to prevent personal data leakage, the Personal Data Administrator checks the record in the preceding paragraph as needed.

Article 5. Cross-Check and Verification Procedure at Erasure and Disposal

• Before erasing or disposing of personal data, the personal data handler shall cross-check the retention period or confirm the reason for erasure/disposal based on the personal data control ledger.
• The personal data handler shall erase or dispose of personal data by a method appropriate for the device and recording medium on which the data are saved.

Code as of July 1, 2011