Your B2B Transaction Data,
Protected to the Same Standard as a Bank.

Your procurement and purchasing data is your competitive edge.
newji sets the bar at "a system that handles business-to-business money and information must meet the same quality standard as a bank,"
and addresses security from three directions: technology, organization, and operations.

newji Security: Three Pillars

Installing tools alone cannot protect corporate data.
We believe that effective security requires all three elements: systems, people, and operations.

Technical Measures

We ensure the safety of the system itself — from encrypted communications and unauthorized access prevention to application-layer robustness.

Organizational Measures

We use systematic controls to reduce risks from the "people" who handle data — through employee training, NDAs, and access management.

Quality & Operations

We have systems in place to maintain quality in day-to-day development and operations — including automated testing, error monitoring, and pre-release checks.

Technical Measures

We protect the safety of the system itself with multi-layered defenses, from infrastructure to the application layer.

Encrypted Data Storage

Customer data is encrypted at rest on the server side. Critical data such as supplier information and purchasing terms is protected even if the underlying storage is accessed directly.

Always-On TLS Encrypted Communication

All communication with the Service is encrypted in transit with TLS (the successor to SSL). This protects against eavesdropping, tampering in transit, and impersonation of the server.

Unauthorized Access Prevention

We employ DDoS protection, WAF, IDS, and firewalls to defend against unauthorized access and detect suspicious activity.

Vulnerability Management

We conduct regular vulnerability checks using both automated tools and manual review. We also plan to introduce vulnerability assessments by a third-party organization.

Email Spoofing Prevention

We have implemented DMARC, which lets receiving mail servers check SPF and DKIM alignment on mail claiming to come from our domain and act on messages that forge it. This reduces the risk that business partners receive email impersonating newji.
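The following is an added example, not newji's code or DNS data: it parses a DMARC TXT record (RFC 7489) and classifies whether the record only asks for reports or actually instructs receivers to quarantine or reject mail that fails SPF/DKIM alignment. The sample records are constructed for illustration; a real check would fetch the record with `dns.resolveTxt("_dmarc." + domain)`.

```typescript
// Added example (not newji's code): parse a DMARC TXT record (RFC 7489) and say
// whether it actually tells receivers to act on mail that fails SPF/DKIM alignment.
export type Policy = "none" | "quarantine" | "reject";
export interface DmarcRecord {
  policy: Policy;
  subdomainPolicy: Policy;
  pct: number;
  dkimAlignment: "r" | "s"; // relaxed or strict identifier alignment
  spfAlignment: "r" | "s";
  reportUris: string[];
}

const isPolicy = (v: string | undefined): v is Policy =>
  v === "none" || v === "quarantine" || v === "reject";

export function parseDmarc(txt: string): DmarcRecord {
  const tags = new Map<string, string>();
  for (const part of txt.split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    tags.set(part.slice(0, i).trim().toLowerCase(), part.slice(i + 1).trim());
  }
  if (tags.get("v") !== "DMARC1") throw new Error("not a DMARC1 record");
  const p = tags.get("p");
  if (!isPolicy(p)) throw new Error("missing or invalid p= tag");
  const sp = tags.get("sp");
  const pct = tags.has("pct") ? Number(tags.get("pct")) : 100;
  if (!Number.isInteger(pct) || pct < 0 || pct > 100) throw new Error("invalid pct= tag");
  const align = (v: string | undefined): "r" | "s" => (v === "s" ? "s" : "r");
  return {
    policy: p,
    subdomainPolicy: isPolicy(sp) ? sp : p, // sp= defaults to the organizational policy
    pct,
    dkimAlignment: align(tags.get("adkim")),
    spfAlignment: align(tags.get("aspf")),
    reportUris: (tags.get("rua") ?? "").split(",").map(u => u.trim()).filter(u => u.length > 0),
  };
}

// p=none only requests aggregate reports; pct<100 applies the policy to a sample of
// failing mail. Only quarantine/reject at pct=100 tells receivers to stop spoofed mail.
export function dmarcEnforcement(r: DmarcRecord): "monitoring" | "partial" | "enforcing" {
  if (r.policy === "none") return "monitoring";
  if (r.pct < 100) return "partial";
  return "enforcing";
}

// Constructed sample records (not newji's actual DNS data).
export const SAMPLE_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com";
export const SAMPLE_ENFORCING =
  "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com";
```

When evaluating a vendor's DMARC claim, the distinction the classifier draws is the one that matters: a record published with `p=none` proves the domain is being monitored, not that spoofed mail is being stopped.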

Operations on AWS Tokyo Region

Customer business data is stored on the AWS cloud infrastructure in the Tokyo Region (ap-northeast-1). We leverage the cloud provider's robust foundation, including physical security, redundancy, and multi-AZ architecture.
* Details will be published progressively once the production environment configuration is finalized.

Application Security

As a system handling B2B transactions, newji strictly enforces a design principle at the application layer
that makes it structurally impossible to access another company's data in the first place.

Two-Factor Authentication (2FA)

Two-factor authentication with time-based one-time passwords (TOTP) is supported, so a compromised password alone is not enough to sign in.
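As an added example (not newji's code), here is the server-side TOTP check from RFC 6238 built on Node's `node:crypto` module: HOTP over a time-step counter, a one-step drift window, and a constant-time comparison. The secret shown is the RFC's published test secret, used only so the output can be checked against the RFC's reference values; a production secret must be generated randomly per user.

```typescript
// Added example (not newji's code): TOTP (RFC 6238) generation and verification with
// Node's crypto module, the check a server performs after the password has been accepted.
import { createHmac, timingSafeEqual } from "node:crypto";

const DIGITS = 6;
const STEP_SECONDS = 30;

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
export function hotp(secret: Buffer, counter: number, digits: number = DIGITS): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) |
    (mac[offset + 1] << 16) |
    (mac[offset + 2] << 8) |
    mac[offset + 3];
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// TOTP: the counter is the number of 30-second steps since the Unix epoch.
export function totp(secret: Buffer, unixSeconds: number, step: number = STEP_SECONDS): string {
  return hotp(secret, Math.floor(unixSeconds / step));
}

// Accept the current step and one step either side to tolerate clock drift; compare in
// constant time so a wrong code leaks nothing about how many digits matched.
export function verifyTotp(secret: Buffer, code: string, unixSeconds: number, window: number = 1): boolean {
  if (code.length !== DIGITS || !/^\d+$/.test(code)) return false;
  const counter = Math.floor(unixSeconds / STEP_SECONDS);
  let matched = false;
  for (let c = counter - window; c <= counter + window; c++) {
    if (timingSafeEqual(Buffer.from(hotp(secret, c)), Buffer.from(code))) matched = true;
  }
  return matched;
}

// RFC 6238 Appendix B test secret (ASCII "12345678901234567890"). At time 59 the SHA-1
// reference value is 94287082, i.e. "287082" with six digits.
export const RFC6238_SECRET = Buffer.from("12345678901234567890", "ascii");
```

Two things the snippet leaves to the caller: store the last accepted counter per user and refuse it a second time, otherwise the drift window lets an intercepted code be replayed for up to a minute; and apply the login rate limit to TOTP submissions as well, since a six-digit code is brute-forceable without it.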

Complete Tenant Isolation by Company

All data reads and writes are scoped to the company ID (companyId), making it structurally impossible to access another company's data. The only exception is data a company intentionally shares (for example, item sharing).

Role-Based Access Control (RBAC)

Access permissions are configured according to roles such as procurement, sales, and administrator. Purchasing and sales permissions can be individually controlled, granting each person access only to the information they need.

Multi-Level Approval Workflow

Approval rules can be configured by amount and other conditions, so that unintended orders and operations are prevented at the organizational level rather than left to individual users.

Full Audit Trail for All Operations

All data changes — including items, orders, and quotations — are recorded in the change history. "When, who, and what was changed" can be traced, supporting audits and internal controls.

Rate Limiting

Limits are set per operation: up to 10 login attempts per 15 minutes, 100 API calls per hour, and 50 file uploads per hour. Brute-force attacks and abnormally high-volume access are automatically blocked.
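The following added example (not newji's code) shows a sliding-window limiter with the three limits quoted above, keyed by operation and subject. The class, the `Decision` shape and the choice of an in-memory store are assumptions; the point is that the limits are independent per operation and per subject, and that the response tells the client when to retry.

```typescript
// Added example (not newji's code): a sliding-window rate limiter keyed by operation
// and subject (account or client IP), using the limits stated on the page.
export type Operation = "login" | "api" | "upload";

interface Limit { max: number; windowMs: number }
export const LIMITS: Record<Operation, Limit> = {
  login:  { max: 10,  windowMs: 15 * 60_000 },
  api:    { max: 100, windowMs: 60 * 60_000 },
  upload: { max: 50,  windowMs: 60 * 60_000 },
};

export interface Decision { allowed: boolean; remaining: number; retryAfterMs: number }

export class RateLimiter {
  // Timestamps of recent events per (operation, subject). A multi-server deployment
  // would keep these in a shared store such as Redis so every node sees the same counts.
  private events = new Map<string, number[]>();

  constructor(private limits: Record<Operation, Limit> = LIMITS) {}

  // nowMs is passed in rather than read from Date.now() so the behaviour is testable.
  check(op: Operation, subject: string, nowMs: number): Decision {
    const { max, windowMs } = this.limits[op];
    const key = `${op}:${subject}`;
    // Drop events that have fallen out of the window; what remains is the live count.
    const recent = (this.events.get(key) ?? []).filter(t => t > nowMs - windowMs);
    if (recent.length >= max) {
      // The oldest event still in the window is the one whose expiry frees a slot.
      const retryAfterMs = recent[0] + windowMs - nowMs;
      this.events.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs };
    }
    recent.push(nowMs);
    this.events.set(key, recent);
    return { allowed: true, remaining: max - recent.length, retryAfterMs: 0 };
  }
}
```

For the login limit in particular, key on both the target account and the source IP: keying on the account alone lets an attacker lock out a legitimate user, while keying on the IP alone does nothing against password spraying spread across many source addresses.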

Login History Logging

All logins are recorded along with IP address, timestamp, and device information. Any signs of unauthorized access can be traced immediately.

Encrypted API Key Management

API keys used for integration with external AI providers (Claude, GPT, Gemini, etc.) are stored with encryption. They are isolated per company and cannot be accessed by other companies.

All AI Actions Require Human Approval

Critical operations in which the AI assistant creates or updates data are always executed only after human review and approval. The final decision always rests with a human, ensuring that unintended automated processing cannot disrupt business operations.

Full Data Bulk Export

With administrator privileges, business data — including items, suppliers, inventory, orders, quotations, and contracts — can be downloaded in bulk as CSV at any time. The principle of data portability — that your data always belongs to you — is guaranteed through implementation.

Data Transmission Policy for External AI

Even when using AI features (Claude / GPT / Gemini), we operate under commercial API contract terms to ensure that customer business data is not used to train AI models by providers. Passwords, API keys, 2FA secrets, and attachment content are never transmitted.
* It is also possible to disable all AI features on a per-company basis.

Data Deletion Policy Upon Contract Termination

Upon contract termination, data is retained for a set period to allow recovery from accidental operations and to honor recovery requests, after which it is physically deleted. Copies held in backups are removed at the next backup rotation.
* For details on the retention period and recovery process, please refer to the Terms of Service and Privacy Policy.

Disclosure of External AI Providers

When using AI features, the minimum necessary business data is transmitted to the following providers.
Under the commercial API contract terms of each provider, transmitted data is not used to train AI models.

| Provider                | Country       | Key third-party certifications | Use                                             |
|-------------------------|---------------|--------------------------------|-------------------------------------------------|
| Anthropic, PBC (Claude) | United States | SOC 2 Type II                  | Text generation, data extraction, summarization |
| OpenAI, LLC (GPT)       | United States | SOC 2 Type II                  | Text generation, data extraction, summarization |
| Google LLC (Gemini)     | United States | SOC 2 Type II / ISO/IEC 27001  | Text generation, data extraction, summarization |

Two Connection Methods

Provided by NEWJI INC.

Some AI features required for the basic operation of the Service call external AI provider APIs under contracts held by newji; those requests are made with newji's own API key.

Customer-Provided (BYOK)

The majority of AI features operate by registering API keys that you contract directly into the Service. Your API key is stored with encryption and cannot be accessed by other companies.

It is also possible to disable all AI features on a per-company basis. When disabled, no data is transmitted to external AI providers.

Organizational Measures

Systems are operated by people.
We use systematic controls to reduce risks from the perspectives of employee education, contracts, and the physical environment.

Security Monitoring Zone

A security monitoring zone has been established within the office, where logs are reviewed on a regular schedule and any anomalies are addressed immediately.

Secure Disposal of Confidential Documents

Confidential documents are disposed of in locked dissolution boxes, closing off information leakage from paper media.

Security Training

Security training is provided to all employees, with an ongoing commitment to improving security literacy.

Non-Disclosure Agreement (NDA)

Non-disclosure agreements are concluded with all employees both upon joining and leaving the company. The responsibility for handling customer information is clearly stated.

Least-Privilege Access for Administrative Accounts

Privileged accounts with administrative permissions are limited to the minimum number of personnel required for operations, and the set of account holders is reviewed regularly.

Device and Storage Media Management

Internal policies govern application installation on business devices and the use of portable storage media, limiting the exposure of those devices to malware and unauthorized data transfer.

Operational Quality Assurance

Security does not end with a one-time setup.
We have systems in place to maintain quality in day-to-day development and operations.

Error Monitoring and Operational Visibility

Server errors and anomalies are continuously monitored and detected in real time. Structured logs allow tracking of "which operation caused what," enabling swift responses to any issues.

Automated Testing and Type Checking

With every code change, automated tests, TypeScript type checks, and build validation are performed. We mechanically verify "whether permission checks are in place" and "whether data is leaking to other companies" before each release.

Pre-Release Full Checklist

With every PR (code change proposal), all items on the security and quality checklists are reviewed. Both automated and human verification are performed to check for gaps in business logic, authentication, and permissions.

Continuous Vulnerability Updates

Vulnerability information for the frameworks and libraries in use is continuously monitored, and security patches are applied promptly.

Incident Response

In the event of a security incident, we promptly notify affected customers and implement measures to identify the scope of impact, contain the incident, and prevent recurrence.

Continuous Review of Security Standards

We continuously review our standard — that "B2B transaction data requires quality equivalent to a bank" — and update it to keep pace with the latest threats and technology trends.

NOTE

The technical, application, and operational quality items listed on this page are all implemented in the current newji Platform.
For the certification status of our subcontractors and our own certification acquisition roadmap, please refer to the "Compliance & Roadmap" section below.

Certification Status and Roadmap

We disclose the third-party certification status of our subcontractors, while also preparing progressively for our own certification acquisition.

Certification Status of Key Subcontractors

| Category             | Subcontractor                             | Country              | Key third-party certifications                                      |
|----------------------|-------------------------------------------|----------------------|---------------------------------------------------------------------|
| Cloud infrastructure | Amazon Web Services Japan G.K. (AWS)      | Japan (Tokyo Region) | ISO/IEC 27001 / 27017 / 27018, SOC 1/2/3, PCI DSS                   |
| Email delivery       | Resend, Inc.                              | United States        | SOC 2 Type II                                                       |
| Error monitoring     | Functional Software, Inc. (Sentry)        | United States        | SOC 2 Type II, ISO/IEC 27001                                        |
| AI features          | Anthropic, PBC / OpenAI, LLC / Google LLC | United States        | SOC 2 Type II (and equivalent) under each provider's commercial API |

newji Certification Acquisition Roadmap

Phase 1 / At Launch

Establishing In-House Operating Standards and Disclosing Subcontractor Certifications

Development and operations are conducted under operating standards equivalent to bank-grade quality. The third-party certification status of key subcontractors is continuously disclosed as shown in the table above.

Phase 2 / In Preparation

Third-Party Vulnerability Assessment

After the production launch, we plan to conduct a vulnerability assessment by an external security firm. We will establish a cycle of addressing findings and conducting follow-up assessments.

Phase 3 / Mid-Term Plan

ISMS (ISO/IEC 27001) Certification

We will advance preparations for third-party certification of our Information Security Management System. This will establish a framework that meets the procurement standards of enterprise customers.

Phase 4 / Long-Term Plan

SOC 2 Type II Certification

We are planning to obtain international standard certifications such as SOC 2 Type II over the medium to long term, in order to serve customers in the United States and with global business partners.

NOTE

The timing for each phase of the roadmap will be flexibly adjusted based on the growth of Service usage, customer requests, and the progress of our internal organizational development.
For requests regarding individual security checklist responses, DPA (Data Processing Agreement) execution, and similar matters, please contact us via the inquiry form below.

Security Inquiries

Whether you have security questions as part of your evaluation, need a completed security checklist,
or have individual inquiries, please feel free to contact us.

Contact Us
