This page explains VoicePing’s security measures for information systems department personnel and security auditors.

Security Checklist

VoicePing publishes a detailed information security checklist: VoicePing Security Sheet.pdf

| Category | Evaluation Item | Description | Status |
|---|---|---|---|
| Security | Public Certification | ISMS, Privacy Mark, etc. | ISMS certification planned (in preparation) |
| Security | Third-party Evaluation | Measures against unauthorized intrusion, operation, data acquisition | - |
| Security | Data Handling Environment | Access restrictions to user data | Restricted to specific IP addresses via AWS Security Groups |
| Security | Communication Encryption Level | Encryption strength of communications | TLS 1.3 only |
| Security | Virus Protection | Virus scanning | Continuous detection of unauthorized activities via AWS GuardDuty |
| Data Protection | Backup Data | Encryption, storage location | AWS Tokyo Region |
| Data Protection | Data Separation Between Companies | Information isolation between companies | Logical separation via database |

Data Protection

Communication Encryption

  • Application and audio/video data use TLS 1.3 only
  • HTTPS communication enforced (configured via AWS ELB)

Backup

  • Backup Cycle: Monthly backups via AWS Database
  • Retention Period: Server access logs permanently stored in S3
  • BCP Measures: Remote storage across multiple regions on AWS Database

Data Access Restrictions

  • Database and server access restricted to specific IP addresses via AWS Security Groups
  • Data between companies is logically separated via database

Availability

Uptime

  • Service Hours: 24 hours, 365 days in principle
  • SLA: 99.9% or higher
  • Track Record: 99.99% or higher (no server downtime exceeding several tens of minutes since service launch)

Incident Response

  • Source code differential backups and DB backups available, enabling immediate rollback (recovery) at any time 24/7
  • All server processes and system states are visualized via AWS CloudWatch or our proprietary alert system
  • Alert notifications in case of any downtime

Planned Maintenance

  • Updates scheduled around 21:00 every Friday, with possible connection interruptions of a few seconds
  • Real-time notification via Email or text chat support (Intercom) if updates are required during business hours

Support System

Incident Notifications

  • Contact Method: Notification via Email and in-app text chat service (Intercom)

Emergency Contact

  • Support available via text chat service (Intercom) or Contact Form
  • Response within 5 minutes during business hours (9:00-18:00)

User Management

Account Management

  • One account per user
  • Users can physically delete accounts upon resignation or transfer

Password Management

  • Users can change passwords
  • Two-factor authentication via Email token available

Web Application Security

VoicePing implements the following security measures.

SQL Injection Prevention

  • Backend uses ORM middleware for database operations
  • All SQL statement construction uses placeholders
  • Appropriate permissions assigned to database accounts (accounts with only necessary READ/WRITE permissions)

OS Command Injection Prevention

  • Shell execution is generally not performed
  • When shell-level logic is required, it is executed only through verified safe libraries

Path Parameter/Directory Traversal Prevention

  • Data stored on external hosting or database
  • No direct file access functionality on web server
  • Random filenames used, making them unpredictable

Session Management

  • Session IDs use unpredictable, sufficiently long random strings
  • Session IDs stored in Cookies (not in URL parameters)
  • Cookies for HTTPS communication use Secure attribute
  • Pages requiring login are separated from publicly accessible pages

Cross-Site Scripting (XSS) Prevention

  • Using compatible frontend libraries
  • HTTPS enforced via AWS ELB
  • Character encoding (charset) specified in Content-Type field of HTTP response headers
  • HttpOnly attribute added to Cookies

CSRF Prevention

  • Backend-side access control via POST method
  • Referer verification
  • Automatic email notification to registered email address for important operations

HTTP Header Injection Prevention

  • Using header output API in backend middleware

Clickjacking Prevention

  • X-Frame-Options header field output
  • Execution not possible without valid session
  • Important operations designed so they cannot be executed using mouse alone
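
For auditors who want to check the header-level controls listed under Session Management, XSS Prevention and Clickjacking Prevention against a real response, the following is an added example, not VoicePing's own code. The cookie name `sid` and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: audit response headers against the controls listed above.
// Header names are lower-cased, as Node.js presents them; set-cookie is an array.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const flags = new Set(attrs.map((a) => a.split('=')[0].trim().toLowerCase()));
  return { name: eq === -1 ? pair : pair.slice(0, eq), flags };
}

function auditHeaders(headers, sessionCookieName) {
  const findings = [];
  const cookies = [].concat(headers['set-cookie'] || []).map(parseSetCookie);
  const session = cookies.find((c) => c.name === sessionCookieName);
  if (!session) {
    findings.push('session cookie not set in this response');
  } else {
    if (!session.flags.has('secure')) findings.push('session cookie lacks Secure');
    if (!session.flags.has('httponly')) findings.push('session cookie lacks HttpOnly');
  }
  // Session IDs must travel in cookies, never in URL parameters (e.g. a redirect).
  const loc = new URL(String(headers['location'] || ''), 'https://example.invalid');
  if (loc.searchParams.has(sessionCookieName)) {
    findings.push('session ID exposed in redirect URL');
  }
  const ctype = String(headers['content-type'] || '');
  if (/^text\/html/i.test(ctype) && !/;\s*charset=/i.test(ctype)) {
    findings.push('Content-Type has no charset');
  }
  const xfo = String(headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    findings.push('X-Frame-Options missing or not DENY/SAMEORIGIN');
  }
  return findings;
}

// Constructed sample responses (not captured from VoicePing).
const compliant = {
  'content-type': 'text/html; charset=utf-8',
  'x-frame-options': 'SAMEORIGIN',
  'set-cookie': ['sid=3f9c0a7e51b2; Path=/; Secure; HttpOnly; SameSite=Lax'],
};
const weak = {
  'content-type': 'text/html',
  'location': '/home?sid=3f9c0a7e51b2',
  'set-cookie': ['sid=3f9c0a7e51b2; Path=/; HttpOnly'],
};

console.log(auditHeaders(compliant, 'sid')); // []
console.log(auditHeaders(weak, 'sid'));
```
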

Buffer Overflow Prevention

  • Using Node.js, which does not allow direct memory access
  • Regular library checks via GitHub, with PRs raised for vulnerable libraries and timely updates

Access Control and Authorization

  • Two-factor Email token authentication available for manager privileges
  • Authorization control implemented in addition to authentication, preventing logged-in users from impersonating others
If you have any questions, please contact us via this form.