LoiLoNote School

Security Whitepaper

Efforts for Personal Information Protection and Security

Last Revised: September 25, 2023

Personal Information Protection Policy

Our company recognizes that protecting the personal information of our customers and employees in our software development, operation, and maintenance of business is a serious social responsibility. We have a philosophy of "Information protection is the foundation of service" and have built a personal information protection management system to implement and maintain the policies shown below. We declare that our entire company will work on continuous improvement.

  • Our company will acquire, use, and provide appropriate personal information limited to the necessary scope for software development, operation, maintenance of business, as well as the employment and personnel management of employees. In addition, we will not handle personal information beyond the scope necessary to achieve the specified purpose of use (use outside the purpose) and will take measures to achieve this.
  • Our company will comply with laws and regulations, guidelines set by the government, and other norms regarding the handling of personal information.
  • Our company will strive to prevent and correct unauthorized access to personal information, leakage, loss, or damage of personal information.
  • Our company will respond appropriately and promptly to complaints and consultations regarding personal information.
  • Our company will continuously improve the personal information protection management system.
Data Usage Policy

Personal information will not be provided to third parties unless there are special circumstances, such as those required by law.
Also, we strive to keep the acquisition of personal information to a minimum necessary for its use.
For more details, please refer to the Privacy Policy.

https://n.loilo.tv/ja/privacy
https://n.loilo.tv/en/privacy

Privacy Mark JIS Q 15001 and Initiatives on Personal Information Protection

Our company obtained the Privacy Mark on April 18, 2019.

PrivacyMark System is a system set up to assess private enterprises that take appropriate measures to protect personal information. Such private enterprises are granted the right to display "PrivacyMark" in the course of their business activities. The System is in compliance with Japan Industrial Standards (JIS Q 15001: [Personal Information Protection Management System - Requirements]).

Based on our Personal Information Protection Policy, we conduct identification, risk analysis, and countermeasures of personal information, provide education to our employees, and regularly inspect and evaluate the operational status to implement improvements on identified issues, thereby maintaining an appropriate personal information protection framework

GDPR and U.S. Privacy Laws (FERPA/ COPPA/ SOPIPA)
  • The EU, based on Article 45 of the GDPR (General Data Protection Regulation), conducts adequacy decisions on our country. Additionally, as mentioned later, the data center of Loilo Note School (Amazon Web Services) is compliant with GDPR, thereby enabling the appropriate transfer of data from the EEA.
  • For compliance with U.S. Privacy laws such as FERPA, COPPA, and SOPIPA, please refer to the Privacy Policy for U.S. Users.
    https://n.loilo.tv/en/privacy
Data Center

LoiLoNote School uses Amazon Web Service (hereinafter referred to as AWS) as its data center in compliance with Japanese laws.

Data Center Security and Compliance

Our data center provider, AWS, complies with ISO 27001, ISO 27017, and ISO 27018 certifications. ISO 27001 is a security management standard that defines best practices for security management and comprehensive security controls. ISO 27017 focuses on cloud security specific to cloud service providers. ISO 27018 is an international code of practice that focuses on the protection of personal data in the cloud.

Additionally, AWS is compliant with the General Data Protection Regulation (GDPR). Therefore, data can be transferred from the EEA to non-EEA countries, including the United States, that have not received an adequacy decision from the European Commission in accordance with the GDPR.
https://aws.amazon.com/compliance/gdpr-center/

For more details on AWS's security and compliance, including other aspects, please see below
https://aws.amazon.com/compliance/programs/

ISMAP Security Evaluation System for Government Information Systems

Amazon Web Services, the data center for LoiLoNote School, has received the ISMAP (Information system Security Management and Assessment Program) certification, a security evaluation system for Japanese government information systems that began in 2020.
https://www.ismap.go.jp/csm?id=cloud_service_list

The Security Evaluation System for Government Information Systems is a system designed to ensure the security level of cloud service procurement by the government by evaluating and registering cloud services that meet the security requirements demanded by the government in advance, and thereby contributing to the smooth introduction of cloud services.
https://www.ismap.go.jp/csm?id=kb_article_view&sysparm_article=KB0010301&sys_kb_id=5370ef9bdbb1a1506e6cb915f396192c&spa=1

Data Center Security

According to the "Security Reference for Government Agencies Using AWS Cloud," compiled in collaboration by Accenture Japan Ltd., NTT DATA Corporation, PwC Arata LLC, and Fujisoft Incorporated, AWS has a highly reliable data center that can comply with the "Unified Standards for Information Security Measures for Government Agencies and Others (Fiscal Year 2018 Edition)" issued by the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and can be used without any issues in Japanese government agencies and other institutions.

Please download the detailed materials from the links below:

"Security Reference for Government Agencies Using AWS Cloud" (PwC Arata LLC)
https://www.ismap.go.jp/csm?id=cloud_service_list

"Unified Standards for Information Security Measures for Government Agencies and Others (Fiscal Year 2018 Edition)"
https://www.nisc.go.jp/eng/index.html#sec3

For information on the security certifications obtained by AWS, please visit this page as well:
https://aws.amazon.com/compliance/programs/

For AWS security whitepapers, please refer to the following link:
https://docs.aws.amazon.com/whitepapers/latest/aws-risk-and-compliance/welcome.html

Encryption of Communication

All communication used in LoiLoNote School is encrypted. This ensures safety even if data is intercepted during transmission.

Provision of Stable Servicen

In order to continuously provide a stable service, we publish the real-time service status.
https://status.loilonote.app/en

For the period from January to March 2019, we achieved a service uptime of 100% and an availability of 99.9897%.

Backup

LoiLo Note School's data is backed up in multiple remote locations to ensure recovery even in the event of a large-scale disaster, such as the Great East Japan Earthquake.

Software Vulnerability Countermeasures

If a security patch deemed urgent is issued for the software in use, we will apply it within at least one week. For non-urgent patches, we will apply them during server software updates (approximately once a month). In addition, for the software we develop, we follow the "Web Application Security Implementation Checklist" published by the Information-Technology Promotion Agency (IPA) and implement continuous countermeasures.

Current Customers

Our services are being utilized by numerous municipalities and schools across the globe including in Japan, Taiwan, and the United States.

Schools adopted: About 12,000 schools
Municipalities adopted: About 700 municipalities
(As of September 2023)