Privacy Policy
English Version
Robitech, Inc. (hereinafter referred to as "the Company") recognizes the importance of personal information and is committed to protecting it in compliance with the Act on the Protection of Personal Information and other applicable laws and regulations.
1. Collection of Personal Information
The Company collects personal information (name, email address, phone number, etc.) through fair and appropriate means to the extent necessary for our business operations.
2. Purpose of Use
We use the collected information for the following purposes:
- To provide and manage our services and products.
- To respond to inquiries and provide technical support.
- To perform identity verification and authentication.
- To distribute newsletters, event information, and promotional materials.
- To analyze website traffic and usage patterns to improve user experience.
3. Management and Security
We implement strict security measures to prevent unauthorized access, loss, destruction, alteration, or leakage of personal information. We also provide necessary training to our employees regarding the handling of data.
4. Provision to Third Parties
We will not provide personal information to third parties without the prior consent of the individual, except in the following cases:
- When required by law.
- When necessary to protect human life, body, or property.
- When outsourcing business operations to a trusted partner (subject to strict confidentiality agreements).
5. Cookies and Tracking Technologies
Our website may use "Cookies" to enhance your browsing experience. You have the option to disable cookies through your browser settings, though this may limit some functionality of our site.
6. Rights of the User (Disclosure and Correction)
If you wish to request the disclosure, correction, or deletion of your personal data, please contact us. We will respond promptly after verifying your identity.
7. Contact Information
For inquiries regarding this Privacy Policy, please contact:
Robitech, Inc. Privacy Desk
account(at)robitech.co.jp
Information Security Policy
Robitech, Inc.
October 12, 2025
1. Overview
Objective: The objective of this Information Security Policy (ISP) is to establish a comprehensive framework that ensures the confidentiality, integrity, and availability of organizational information systems. It aims to align security practices with business objectives, mitigate risks, and ensure compliance with applicable regulations.
Scope: This policy applies to all systems, data, and networks of the organization, including those accessed via Amazon’s Selling Partner API (SP-API).
2. Security Governance
Policy Management: Establish, maintain, and enforce security policies to ensure consistent governance across the organization.
Risk and Compliance Regulations Management: Identify and assess security risks, and ensure compliance with applicable laws, standards, and industry regulations.
Privacy Regulation Management: Ensure personal data is collected, processed, and protected in accordance with privacy laws and regulatory requirements.
Third Party Risk Management: Evaluate and monitor third-party partners to ensure they meet the organization’s security and compliance requirements.
Business Continuity: Establish and maintain business continuity and disaster recovery plans to ensure the organization can continue critical operations and recover from disruptions.
Acceptable Use Policy: Define acceptable and unacceptable use of organizational systems, networks, and data. Organizational resources must only be used for authorized business purposes. Unauthorized activities such as installing unapproved software, accessing inappropriate content, or using company resources for personal gain are prohibited. Users must protect organizational information, follow access controls, and comply with all security requirements.
3. Infrastructure Security
Data Storage: Store organizational data in approved environments with appropriate access controls and encryption. Maintain an inventory of all information assets and apply security controls to protect them throughout their lifecycle.
Device Access Policy: Personal or mobile devices (e.g., smartphones, tablets) are strictly prohibited from accessing the corporate network or Amazon data. Only company-managed and approved devices may connect through VPN with IPS restrictions. Endpoint security is enforced via centralized management (MDM), device encryption, and malware protection. Use of USB or removable media is disabled, and local admin rights are restricted to approved exceptions.
Asset Baseline Configuration: Implement standardized baseline configurations for systems and devices to minimize vulnerabilities and unauthorized changes.
Cloud Security: Continuously monitor cloud configurations for all in-scope assets against a defined security baseline such as CIS or AWS foundational benchmarks. Utilize a Cloud Security Posture Management (CSPM) tool to detect configuration drift and take risk-based corrective action. Generate and retain monitoring reports and alerts as audit evidence, reviewed by the IT Security Manager.
Asset Destruction: Ensure secure disposal or sanitization of data and assets when they are no longer required.
Anti-malware Controls: Deploy and maintain anti-malware solutions to detect, prevent, and remediate malicious software threats.
Physical Security Policy: All operations are conducted in a controlled remote environment. Access to organizational resources is managed through secure connections, ensuring that data remains protected and is not stored on local devices.
Restriction of Unauthorized Software: Only authorized and approved software may be installed or executed on organizational systems. Unauthorized software is strictly prohibited.
4. Data Protection
Encryption Protocols: Apply strong encryption standards to protect data at rest and in transit.
Management and Classification of Data: Classify data based on sensitivity and apply appropriate protection measures accordingly. Amazon data is stored separately with clear identifiers to ensure traceability and compliance with attribution requirements.
Data Retention and Back-up: Retain data only for the required period and ensure regular, secure backups are maintained.
Dark Web Review: Conduct periodic reviews of the dark web to identify potential data leaks or threats.
API Key Security: Securely manage API keys with strict access controls, rotation policies, and monitoring.
Removable Media Policy: Removable media must not be used to store or transfer Amazon data or organizational programs.
Data Loss Prevention (DLP) Controls: Implement technical and procedural controls to prevent unauthorized transfer or exposure of Amazon data. Deploy a Data Loss Prevention (DLP) solution or equivalent mechanisms to monitor and detect data exfiltration attempts. DLP coverage includes email, endpoints, and cloud storage containing Amazon data. The DLP system configuration and data definitions are reviewed and updated quarterly to ensure continued protection. All Amazon data stored on desktops and laptops is encrypted at rest to prevent unauthorized access or leakage; removable media is not a permitted storage location for Amazon data (see Removable Media Policy above).
AI/ML Usage Policy: This organization does not use Amazon or seller data for training AI/ML models, nor will it permit such use in the future.
5. Network Security and Vulnerability Management
Security Controls: Implement firewalls, VPNs, IDS/IPS, and SIEM monitoring to protect network traffic and detect threats. Access is restricted to fixed, approved devices only; mobile access is not permitted. A Web Application Firewall (WAF) is deployed to filter, monitor, and block malicious HTTP/S traffic to in-scope web applications and to help detect unauthorized data exfiltration over web channels, complementing the DLP controls in Section 4.
Vulnerability Management: Perform regular vulnerability scans and security assessments to identify weaknesses in the network.
Remediation of Vulnerabilities: Apply timely patches and configuration updates to remediate identified vulnerabilities.
Network Segregation: Enforce network segmentation by function and sensitivity to reduce exposure.
6. Application Security
Development Practices: Follow secure software development practices aligned with a documented Secure Software Development Life Cycle (SDLC). Ensure production data is never used in lower environments. Run static (SAST), dynamic (DAST), and open-source dependency scans on every code change and before any production release. Remediate critical-risk vulnerabilities within 7 days and high-risk vulnerabilities within 30 days. Perform penetration tests on in-scope applications annually and after any significant change, and document test results and corrective actions for review by the IT Security Manager.
Vulnerability Testing: Conduct regular internal and external vulnerability scans to identify and remediate security weaknesses across all in-scope systems and applications. Perform penetration testing of cloud and network services at least annually and after any significant system or infrastructure change. Document all scan results and remediation actions, ensuring that critical-risk vulnerabilities are remediated within 7 days and high-risk vulnerabilities within 30 days. Reports are reviewed and retained by the IT Security Manager for compliance verification.
Patch and Update Management: Ensure timely patching and updates of application components and dependencies.
Access and Authentication Controls: Implement strict access and authentication mechanisms for applications.
API Security: Secure APIs with authentication, authorization, and traffic monitoring controls.
7. Identity and Access Management
Access Provisioning and De-provisioning: Ensure timely provisioning and removal of user access based on role and employment status.
Access Control: Limit both physical and logical access to systems and data based on the principle of least privilege and need-to-know. Require Multi-Factor Authentication (MFA) for all remote, privileged, and cloud access. All access attempts—including successful and failed logins—are logged and monitored through the SIEM system. Access rights are reviewed quarterly to ensure continued appropriateness.
Privileged Access Management: Control and monitor privileged accounts to prevent misuse and unauthorized activities.
Remote Access: Secure remote connections with VPNs and multi-factor authentication.
Password Management: Enforce strong password policies and secure storage of credentials. Configure account lockout after five consecutive invalid login attempts and apply rate limiting to prevent automated or brute-force attacks. Monitor login activities to detect, alert, and respond to unauthorized or anomalous access attempts in coordination with the incident response process.
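The lockout and rate-limiting rule above, worked through in code. This is an added illustration and not Robitech's own implementation; the 15-minute lockout duration, the 20-attempts-per-minute per-source limit, the in-memory counters and the SHA-256 credential store are all assumptions made for the example (a production service would keep these counters in a shared store such as Redis and hash passwords with argon2 or bcrypt). The events list stands in for what would be forwarded to the SIEM.

```python
"""Account lockout after five consecutive failures plus per-source rate limiting.

Added illustrative example; not Robitech's code. The lockout duration,
rate-limit window, in-memory counters and SHA-256 credential store are
assumptions (a real service would use a shared store and argon2/bcrypt).
"""
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5     # policy: lock after five consecutive invalid attempts
LOCKOUT_SECONDS = 15 * 60   # assumption: the policy does not fix a duration
RATE_LIMIT_WINDOW = 60      # assumption: seconds
RATE_LIMIT_MAX = 20         # assumption: attempts per source IP per window


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Compared against for unknown users so lookups take the same time as real ones.
_DUMMY_DIGEST = _digest("unknown-user-placeholder")


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


@dataclass
class LoginGuard:
    credentials: dict                                    # username -> SHA-256 hex of password
    accounts: dict = field(default_factory=dict)         # username -> AccountState
    source_attempts: dict = field(default_factory=dict)  # source ip -> deque of timestamps
    events: list = field(default_factory=list)           # stands in for SIEM forwarding

    def _rate_limited(self, source_ip: str, now: float) -> bool:
        """Sliding window: allow at most RATE_LIMIT_MAX attempts per source per window."""
        window = self.source_attempts.setdefault(source_ip, deque())
        while window and now - window[0] >= RATE_LIMIT_WINDOW:
            window.popleft()
        if len(window) >= RATE_LIMIT_MAX:
            return True
        window.append(now)
        return False

    def attempt(self, username: str, password: str, source_ip: str, now: float) -> str:
        """Returns 'ok', 'invalid', 'locked' or 'rate_limited'."""
        # Rate limit first, so probing a locked account still costs the source its budget.
        if self._rate_limited(source_ip, now):
            self.events.append(("rate_limited", username, source_ip, now))
            return "rate_limited"
        state = self.accounts.setdefault(username, AccountState())
        if state.locked_until:
            if now < state.locked_until:
                # Reject without checking the password: a correct guess must not be revealed.
                self.events.append(("attempt_while_locked", username, source_ip, now))
                return "locked"
            state.locked_until = 0.0          # lockout expired: start a fresh count
            state.consecutive_failures = 0
        expected = self.credentials.get(username, _DUMMY_DIGEST)
        match = hmac.compare_digest(_digest(password), expected)   # constant-time compare
        if match and username in self.credentials:
            state.consecutive_failures = 0    # success resets the consecutive counter
            self.events.append(("login_ok", username, source_ip, now))
            return "ok"
        state.consecutive_failures += 1
        self.events.append(("login_failed", username, source_ip, now))
        if state.consecutive_failures >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            self.events.append(("account_locked", username, source_ip, now))
            return "locked"
        return "invalid"


def make_guard(plain_credentials: dict) -> LoginGuard:
    """Build a guard from plaintext test credentials (constructed sample data only)."""
    return LoginGuard(credentials={u: _digest(p) for u, p in plain_credentials.items()})
```

Two details matter for the stated policy: the rate limiter runs before the account lookup, so probing a locked account still consumes the source's budget, and a correct password submitted during the lockout window is rejected without revealing that it was correct. The "account_locked" and "rate_limited" events are the ones worth alerting on in the SIEM.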
8. Security Monitoring and Incident Response
Log Management: Collect and retain system and application logs for all production and cloud systems that store or process Amazon data. Logs are securely stored for at least 12 months, protected from unauthorized access and tampering, and sanitized to exclude Personally Identifiable Information (PII). Log retention and access settings are reviewed periodically by the IT Security Manager.
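One way to implement the PII sanitization that the Log Management control calls for, added here as an illustration rather than code from Robitech. It replaces email addresses and phone numbers with a keyed pseudonym (HMAC-SHA-256, truncated) so that a SIEM analyst can still correlate events about the same person without the identifier itself being retained. The regular expressions, the key and the sample log lines are constructed for the example; pattern-based redaction will miss PII in free-form text, so structured logging with field-level redaction at the source is the more reliable primary control.

```python
"""Pseudonymizing PII in log lines before they reach the SIEM.

Added illustrative example; not Robitech's code. The regexes, the key and
the sample log lines are constructed for the example.
"""
import hashlib
import hmac
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Hyphenated phone numbers, optionally with a country code, e.g. 090-1234-5678 or +1 415-555-0100.
# The lookarounds stop it matching inside longer tokens; ISO dates (2025-10-12) do not fit the digit groups.
PHONE_RE = re.compile(r"(?<![\w.])(?:\+\d{1,3}[-\s])?\d{2,4}-\d{3,4}-\d{4}(?![\w.])")


def pseudonym(kind: str, value: str, key: bytes) -> str:
    """Stable keyed token for an identifier: same person -> same token, not reversible
    without the key. Truncated to 12 hex characters to keep log lines readable."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]
    return f"<{kind}:{tag}>"


def sanitize_line(line: str, key: bytes) -> str:
    """Replace email addresses and phone numbers with pseudonyms, leaving the rest intact."""
    # Lower-case emails so Alice@Example.com and alice@example.com get the same token.
    line = EMAIL_RE.sub(lambda m: pseudonym("email", m.group(0).lower(), key), line)
    # Keep digits only so differently formatted copies of one number agree.
    line = PHONE_RE.sub(lambda m: pseudonym("phone", re.sub(r"\D", "", m.group(0)), key), line)
    return line


def sanitize_stream(lines, key: bytes):
    return [sanitize_line(line, key) for line in lines]


# Constructed sample log lines (not real logs).
SAMPLE_LOGS = [
    "2025-10-12T09:14:03Z INFO login ok user=alice@example.com ip=203.0.113.9",
    "2025-10-12T09:15:10Z WARN password reset requested for Alice@Example.com phone=090-1234-5678",
    "2025-10-12T09:16:22Z INFO order 1042 shipped, contact +1 415-555-0100",
]

if __name__ == "__main__":
    # The key must be kept out of the log pipeline's own storage and rotated like any secret.
    for out in sanitize_stream(SAMPLE_LOGS, b"rotate-me-in-production"):
        print(out)
```

Timestamps, IP addresses and order numbers survive untouched, which is what an investigation needs; only the direct identifiers are replaced. If the pseudonym key is ever disclosed, the tokens become linkable to the original values by anyone who can guess them, so it should be treated as a secret under the API Key Security control above.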
Log Monitoring: Implement a centralized Security Information and Event Management (SIEM) system to aggregate and analyze logs in real time. Critical alerts are reviewed immediately, with daily log analysis and bi-weekly security reviews performed to detect and respond to anomalies. All security events are investigated, documented, and retained as part of the incident management process.
Incident Management Plan: Define and maintain a documented process for detecting, reporting, and responding to security incidents.
9. Privacy
Privacy Regulation Requirements: Comply with applicable privacy regulations, including the Japanese Act on the Protection of Personal Information (APPI), and ensure lawful collection and processing of personal data.
Privacy Data Protection: Protect personal data with appropriate security controls, including encryption, access control, and secure disposal.
10. Data Handling and Management
Data Lifecycle: Manage data through its entire lifecycle, from collection to secure storage, controlled access, transfer, retention, and disposal.
11. Security Awareness and Training
Training Program: Provide regular security awareness training to all employees to reduce human-related risks.
Technical Training: Deliver specialized technical training for engineers and administrators to strengthen security skills.
Human Resource Security: Ensure that security requirements are applied throughout the employee lifecycle, including:
- Pre-employment background checks where applicable.
- Security clauses in employment and contractor agreements.
- Mandatory security onboarding and awareness training.
- Timely de-provisioning of accounts and access upon termination or role change.
12. Security Management Cycle
Maintain detailed documentation and logs for all security reviews, monitoring activities, and incident responses to ensure traceability and compliance.
- Daily: Monitor system alerts, review SIEM dashboards, and check for abnormal login attempts.
- Bi-Weekly: Perform the SIEM log review described in Section 8.
- Monthly: Conduct security checks and internal/external vulnerability scans; document results and remediation actions for review and retention.
- Quarterly: Review access rights, remove inactive or dormant accounts, and review the DLP configuration and data definitions.
- Annually: Review and update all organizational security policies to ensure they remain aligned with regulations, standards, and operational practices. Conduct comprehensive audits of systems, processes, and controls to validate compliance and identify areas for improvement. Perform penetration tests on critical systems and applications to identify and remediate vulnerabilities before they can be exploited. Conduct and document backup restoration testing to verify data recoverability; test results are reviewed and retained as evidence of control effectiveness.
- Release Cycle: For major changes, reviews and testing are conducted in accordance with the Secure Software Development Life Cycle (SDLC).
- Security Onboarding Procedures: Provide new employees and contractors with mandatory security onboarding and access training.