Information Security Policy

This policy aims to protect information assets held and handled by Solvere, and to clarify our security responsibilities and basic stance to customers, partners, and internal stakeholders.

Additionally, we maintain a consistent organizational approach to security, including development structures involving contractors.

• Covered Personnel:All persons accessing Solvere's information assets, including officers, employees, contractors, and temporary staff
• Covered Assets:Customer-received data, production data, logs, source code, design information, authentication credentials, secrets, configurations, backups, etc.
• Covered Systems:IdP, major SaaS, cloud environments, development/production environments, audit log infrastructure, etc.

Solvere protects information assets based on the following principles.

• Data-Centric Security:Prioritizing the protection of confidential data, emphasizing access path control and data exfiltration prevention
• Zero Trust:Verifying all access without relying on assumed trust in devices, networks, or locations
• Least Privilege:Granting minimum necessary privileges and continuously removing unnecessary privileges
• Blast Radius Reduction:Designing and operating to contain the impact of breaches to localized areas
• Defense in Depth:Adopting multi-layered defense without relying on single controls

Solvere prioritizes the following in protecting information assets.

1. Protection of customer-received data and production data
2. Protection of production secrets and authentication credentials
3. Protection of source code and design information (managing residual risks with mitigation measures)

Solvere classifies information assets and provides protection according to classification.

• Restricted:Significant impact on business continuity if leaked
• Confidential:Disclosure outside the company is restricted
• Internal:Assumed to be shared within the company
• Public:Can be disclosed externally

Specific examples for each classification and requirements per classification are defined in subordinate documents.

• Security Owner:Maintaining this policy, making critical decisions (final approval of exceptions, oversight of major incidents)
• IT Administrator:Managing authentication infrastructure, device controls, and major SaaS configurations
• Repo/System Administrator:Permission management, audit log activation, invitation/deletion, protection settings operation
• Tech Lead / SRE:Environment separation, secret management, operational access management
• All Users:Compliance with this policy and subordinate documents, reporting of concerns and incident signs

When exceptions to this policy are necessary, approval must be obtained after satisfying the following.

• Clearly state the reason, scope, duration, and alternative controls for the exception
• Exceptions are time-limited and re-evaluated upon expiration

Operational details such as application methods and recording methods are defined in subordinate documents.

• Covered personnel confirm and comply with the key points of this policy and subordinate documents during onboarding
• Violations or concerns must be promptly reported through designated channels

This policy is reviewed at least once a year, or when significant changes or major incidents occur.