Security
Last updated: April 16, 2026
SterriaR LLC (合同会社SterriaR) operates with the security posture below to protect customer data and operational information. This page is a summary of our internal baseline; the details for each engagement are agreed in contract.
1. Data residency
Customer data and personal information that we receive under service contracts and SaaS operations are, in principle, stored in data centers located within Japan. This site and our internal AI assistant system are hosted in Tencent Cloud International's Tokyo region; we do not transfer data across borders.
For client-specific systems, we deploy to the customer's preferred cloud (AWS / GCP / Azure / on-premises, etc.) by default and agree on data location, encryption methods, and backup policies in the contract.
2. Compliance baseline
- Japan's Act on the Protection of Personal Information (APPI) and related guidelines
- Healthcare engagements: Design and operations aligned with the Ministry guidelines on safe management of medical information systems (so-called “3-Ministry / 2-Guideline”) when applicable
- Financial engagements: Design aligned with FISC safety standards / financial-sector guidelines when applicable
- EU resident data handling: GDPR readiness (DPA / SCC / subprocessor management)
- Registered as a Japan Qualified Invoice issuer (T0100030449670); compliance with the Electronic Books Preservation Act
3. Certification roadmap
We currently do not hold third-party certifications (P-mark / ISMS / SOC 2). In line with growing enterprise and public-sector demand, the following roadmap is in preparation:
- P-mark (Privacy Mark): Internal governance, appointment of a Personal Information Protection Manager, and policy documentation are being prepared; application under consideration
- ISMS (ISO/IEC 27001): Considered as the next stage after P-mark
- Government Cloud (Japan): For public-sector engagements, we offer migration from Tencent Cloud to one of the certified Government Cloud environments (AWS / Azure / GCP / Sakura / Oracle) as an option
Note: certification timing is balanced against demand and cost. If you have specific requirements or deadlines, please discuss with us at contract time.
4. Access control & encryption
- All network communication encrypted with HTTPS / TLS 1.2+
- Production access restricted to SSH key authentication from fixed IP addresses
- API keys, passwords, and other secrets managed via environment variables; a thorough .gitignore plus periodic gitleaks scanning to prevent accidental commits
- Server access logs reviewed periodically; suspicious activity is blocked immediately
- OS and library vulnerabilities (CVEs) are reviewed and patched on a regular cadence
- Least-privilege principle: access rights are limited to what is required for the role
5. Incident response
Response flow when a security incident (data leak, unauthorized access, service outage, etc.) is detected:
- Detection (T+0): via log monitoring, Discord notifications, or user reports
- Initial response (within T+1h): scope identification and containment (block access, revoke keys, etc.)
- Notification (within T+24h): notification to affected customers and authorities (when reportable under APPI)
- Recovery (case-by-case): root-cause analysis, permanent fix, and service restoration
- Post-incident report (within T+7d): customer-facing incident report and documentation of preventive measures
Note: SLAs are defined per contract. The above is our internal baseline.
6. Vulnerability reporting
If you discover a vulnerability in our site or services, please follow responsible disclosure. Reporting channels:
- Email: security@sterriar.com
- security.txt (RFC 9116 format): publishes our latest contact details and disclosure policy
Reports are handled appropriately internally and will not be disclosed without the reporter's consent. We do not currently run a Bug Bounty program, but we will acknowledge reporters with our thanks.
Engagement-specific security or certification requirements
For public-sector, healthcare, financial, or enterprise engagements with certification requirements (P-mark / ISMS / SOC 2 / ISMAP / Government Cloud, etc.) or other specific security needs, please reach out to discuss a setup that meets your requirements. We can also collaborate with certified partner firms via our network.