Information Security Policy

Phil Company, Inc. (hereinafter referred to as "the Company") operates its business with the purpose of "Filling the 'SUKIMA' in the town with 'creation'" The information assets, including customer information, handled in the Company's business are essential assets underpinning the Company’s management and operations. Recognizing the importance of protecting information assets from risks such as leakage, damage, or loss, all individuals who handle information assets, including officers and employees, shall comply with this Policy. They shall implement activities to maintain information security—specifically the confidentiality, integrity, and availability of information assets—thereby ensuring alignment with the Company’s business operations. This Policy is communicated and enforced across all employees and applies to all of the Company's businesses.

1. The Company shall establish an Information Security Policy and related regulations to protect information assets, conduct operations in accordance with these, and comply with information security-related applicable laws and regulations, and contractual obligations with customers.
2. The Company shall establish an Information Security Management System (ISMS) that sets goals for achieving the Basic Philosophy, execute it, and continuously review and improve it.
3. The Company shall regularly analyze and evaluate the risks of leakage, damage, or loss existing for information assets, thereby implementing risk assessments. Furthermore, necessary and appropriate security measures shall be implemented based on the results.
4. The Company shall establish an information security framework centered on a designated executive officer responsible for information security and clearly define the authority and responsibilities regarding information security. Additionally, the Company shall regularly conduct education, training, and awareness activities to ensure that all employees recognize the importance of information security and properly handle information assets.
5. The Company shall regularly inspect and audit compliance with the Information Security Policy and the handling of information assets. Any identified deficiencies or opportunities for improvement shall be addressed through appropriate corrective actions.
6. The Company shall take appropriate action against the occurrence of information security incidents. Furthermore, in the event of such an occurrence, the Company shall establish response procedures to minimize damage in advance, respond promptly in the event of an emergency, and take appropriate corrective actions. Specifically, the framework for managing incidents that may cause business interruption shall be established and regularly reviewed, thereby ensuring the Company's business continuity.