Your B2B Transaction Data,
Protected to the Same Standard as a Bank.
Your procurement and purchasing data is your competitive edge.
newji sets the bar at "a system that handles business-to-business money and information must meet the same quality standard as a bank,"
and addresses security from three directions: technology, organization, and operations.
This is a reference English translation. The Japanese-language version of this document is the sole legally binding text. In the event of any discrepancy or inconsistency between the Japanese and English versions, the Japanese version shall prevail. View the Japanese original.
newji Security: Three Pillars
Installing tools alone cannot protect corporate data.
We believe that effective security requires all three elements: systems, people, and operations.
Technical Measures
We ensure the safety of the system itself — from encrypted communications and unauthorized access prevention to application-layer robustness.
Organizational Measures
We use systematic controls to reduce risks from the "people" who handle data — through employee training, NDAs, and access management.
Quality & Operations
We have systems in place to maintain quality in day-to-day development and operations — including automated testing, error monitoring, and pre-release checks.
Technical Measures
We protect the safety of the system itself with multi-layered defenses, from infrastructure to the application layer.
Encrypted Data Storage
Customer data is encrypted and stored at the server level. Critical data such as supplier information and purchasing terms is protected.
Always-On SSL/TLS Encrypted Communication
All communications are encrypted with SSL/TLS. This prevents data tampering, spoofing, and interception of communication content.
Unauthorized Access Prevention
We employ DDoS protection, WAF, IDS, and firewalls to defend against unauthorized access and detect suspicious activity.
Vulnerability Management
We conduct regular vulnerability checks using both automated tools and manual review. We also plan to introduce vulnerability assessments by a third-party organization.
Email Spoofing Prevention
We have implemented DMARC to prevent sender spoofing. This ensures the integrity of email communications with business partners.
Operations on AWS Tokyo Region
Customer business data is stored on the AWS cloud infrastructure in the Tokyo Region (ap-northeast-1). We leverage the cloud provider's robust foundation, including physical security, redundancy, and multi-AZ architecture.
* Details will be published progressively once the production environment configuration is finalized.
Application Security
As a system handling B2B transactions, newji strictly enforces a design principle at the application layer that makes it structurally impossible to access another company's data in the first place.
Two-Factor Authentication (2FA)
newji supports two-factor authentication (TOTP-based 2FA), so sign-in cannot be completed with a password alone.
Complete Tenant Isolation by Company
All data reads and writes strictly enforce the company ID (companyId) scope, making it structurally impossible to access another company's data. Only intentional sharing (e.g., item sharing) is treated as an exception.
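An added example (not newji's own code) of what "every read and write carries the companyId scope, with sharing as the only exception" looks like when enforced in a data-access layer: the tenant is fixed at construction from the session, and sharing grants reads but never writes. The record shape, in-memory store and company ids are constructed for illustration.

```typescript
// Added example (not newji's code): a repository bound to one companyId, so
// cross-tenant access is rejected by construction rather than per query.
// Record shape, store contents and company ids are constructed for illustration.

interface Item {
  id: string;
  companyId: string;     // owning tenant
  name: string;
  sharedWith?: string[]; // intentional sharing: read-only for listed companies
}

// Constructed sample data standing in for the database table.
const ITEMS: Item[] = [
  { id: "i-1", companyId: "co-A", name: "M6 bolt" },
  { id: "i-2", companyId: "co-B", name: "Bearing 6203" },
  { id: "i-3", companyId: "co-B", name: "Gasket", sharedWith: ["co-A"] },
];

class TenantViolation extends Error {
  name = "TenantViolation";
}

// The tenant comes from the authenticated session, never from request input,
// so a caller cannot choose which company's rows the repository is scoped to.
class ItemRepository {
  constructor(private readonly companyId: string) {}

  private canRead(item: Item): boolean {
    return item.companyId === this.companyId || (item.sharedWith ?? []).includes(this.companyId);
  }

  private canWrite(item: Item): boolean {
    return item.companyId === this.companyId; // sharing never grants writes
  }

  list(): Item[] {
    return ITEMS.filter((i) => this.canRead(i));
  }

  get(id: string): Item {
    const item = ITEMS.find((i) => i.id === id);
    if (!item || !this.canRead(item)) throw new TenantViolation(`item ${id} not visible to ${this.companyId}`);
    return item;
  }

  update(id: string, patch: Partial<Pick<Item, "name">>): Item {
    const item = ITEMS.find((i) => i.id === id);
    if (!item || !this.canWrite(item)) throw new TenantViolation(`item ${id} not writable by ${this.companyId}`);
    Object.assign(item, patch);
    return item;
  }
}

// Outcome of an operation, the kind of check a cross-tenant regression test would assert on.
function attempt(fn: () => unknown): "ok" | "denied" {
  try { fn(); return "ok"; } catch (e) { if ((e as Error).name === "TenantViolation") return "denied"; throw e; }
}
```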
Role-Based Access Control (RBAC)
Access permissions are configured according to roles such as procurement, sales, and administrator. Purchasing and sales permissions can be individually controlled, granting each person access only to the information they need.
Multi-Level Approval Workflow
Approval rules can be configured based on amount and other conditions, preventing unintended orders and operations at the organizational level.
Full Audit Trail for All Operations
All data changes — including items, orders, and quotations — are recorded in the change history. "When, who, and what was changed" can be traced, supporting audits and internal controls.
Rate Limiting
Limits are set per operation: up to 10 login attempts per 15 minutes, 100 API calls per hour, and 50 file uploads per hour. Brute-force attacks and abnormally high-volume access are automatically blocked.
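An added example (not newji's own code) showing how per-operation limits like those above can be enforced with a sliding window keyed by operation and subject; the clock is injected so the behaviour is deterministic, and the subject key and the sample source address are assumptions.

```typescript
// Added example (not newji's code): sliding-window limiter using the limits
// stated on the page. Subject key and sample address are constructed.

type Operation = "login" | "api" | "upload";

const LIMITS: Record<Operation, { max: number; windowMs: number }> = {
  login: { max: 10, windowMs: 15 * 60_000 },   // 10 attempts per 15 minutes
  api: { max: 100, windowMs: 60 * 60_000 },    // 100 calls per hour
  upload: { max: 50, windowMs: 60 * 60_000 },  // 50 uploads per hour
};

class RateLimiter {
  // key = `${op}:${subject}` -> timestamps of accepted requests still in the window
  private readonly hits = new Map<string, number[]>();

  constructor(private readonly now: () => number = Date.now) {}

  // Returns whether the request is allowed (recording it if so) and how many
  // further requests the current window still permits.
  check(op: Operation, subject: string): { allowed: boolean; remaining: number } {
    const { max, windowMs } = LIMITS[op];
    const key = `${op}:${subject}`;
    const t = this.now();
    // Drop entries that have aged out of the window before counting.
    const recent = (this.hits.get(key) ?? []).filter((ts) => t - ts < windowMs);
    if (recent.length >= max) {
      this.hits.set(key, recent);
      return { allowed: false, remaining: 0 };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: max - recent.length };
  }
}

// Twelve login attempts from one source, five seconds apart: the 11th and 12th
// are blocked, and once the 15-minute window has passed attempts are accepted again.
function simulateLoginBurst(): { blockedAt: number[]; allowedAfterWindow: boolean } {
  let clock = 0;
  const limiter = new RateLimiter(() => clock);
  const blockedAt: number[] = [];
  for (let n = 1; n <= 12; n++) {
    clock += 5_000;
    if (!limiter.check("login", "203.0.113.7").allowed) blockedAt.push(n);
  }
  clock += 15 * 60_000;
  return { blockedAt, allowedAfterWindow: limiter.check("login", "203.0.113.7").allowed };
}
```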
Login History Logging
All logins are recorded along with IP address, timestamp, and device information. Any signs of unauthorized access can be traced immediately.
Encrypted API Key Management
API keys used for integration with external AI providers (Claude, GPT, Gemini, etc.) are stored with encryption. They are isolated per company and cannot be accessed by other companies.
All AI Actions Require Human Approval
Critical operations in which the AI assistant creates or updates data are always executed only after human review and approval. The final decision always rests with a human, ensuring that unintended automated processing cannot disrupt business operations.
Full Data Bulk Export
With administrator privileges, business data — including items, suppliers, inventory, orders, quotations, and contracts — can be downloaded in bulk as CSV at any time. The principle of data portability — that your data always belongs to you — is guaranteed through implementation.
Data Transmission Policy for External AI
Even when using AI features (Claude / GPT / Gemini), we operate under commercial API contract terms to ensure that customer business data is not used to train AI models by providers. Passwords, API keys, 2FA secrets, and attachment content are never transmitted.
* It is also possible to disable all AI features on a per-company basis.
Data Deletion Policy Upon Contract Termination
Upon contract termination, data is retained for a certain period to accommodate accidental operations and recovery requests, after which it is physically deleted. Erasure from backups is completed at the next rotation cycle.
* For details on the retention period and recovery process, please refer to the Terms of Service and Privacy Policy.
Disclosure of External AI Providers
When using AI features, the minimum necessary business data is transmitted to the following providers.
Under the commercial API contract terms of each provider, transmitted data is not used to train AI models.
| Provider | Country | Key Third-Party Certifications | Use |
|---|---|---|---|
| Anthropic, PBC (Claude) | United States | SOC 2 Type II | Text generation, data extraction, summarization |
| OpenAI, LLC (GPT) | United States | SOC 2 Type II | Text generation, data extraction, summarization |
| Google LLC (Gemini) | United States | SOC 2 Type II / ISO/IEC 27001 | Text generation, data extraction, summarization |
Two Connection Methods
Some AI features required for the basic operation of the Service use external AI provider APIs contracted by newji. Data is transmitted via our API key.
The majority of AI features operate by registering API keys that you contract directly into the Service. Your API key is stored with encryption and cannot be accessed by other companies.
It is also possible to disable all AI features on a per-company basis. When disabled, no data is transmitted to external AI providers.
Organizational Measures
Systems are operated by people.
We use systematic controls to reduce risks from the perspectives of employee education, contracts, and the physical environment.
Security Monitoring Zone
A security monitoring zone has been established within the office, with regular log monitoring conducted. Any anomalies are addressed immediately.
Secure Disposal of Confidential Documents
Confidential documents are disposed of using locked dissolution boxes. This eliminates the risk of information leakage from paper media.
Security Training
Security training is provided to all employees, with an ongoing commitment to improving security literacy.
Non-Disclosure Agreement (NDA)
Non-disclosure agreements are concluded with all employees both upon joining and leaving the company. The responsibility for handling customer information is clearly stated.
Least-Privilege Access for Administrative Accounts
Privileged accounts with administrative permissions are restricted to the minimum number of personnel required for business operations, and user accounts are managed on a regular basis.
Device and Storage Media Management
Internal policies have been established for application installation on business devices and the use of portable storage media, reducing the risk of threats introduced through devices and removable media.
Operational Quality Assurance
Security does not end with a one-time setup.
We have systems in place to maintain quality in day-to-day development and operations.
Error Monitoring and Operational Visibility
Server errors and anomalies are continuously monitored and detected in real time. Structured logs allow tracking of "which operation caused what," enabling swift responses to any issues.
Automated Testing and Type Checking
With every code change, automated tests, TypeScript type checks, and build validation are performed. We mechanically verify "whether permission checks are in place" and "whether data is leaking to other companies" before each release.
Pre-Release Full Checklist
With every PR (code change proposal), all items on the security and quality checklists are reviewed. Both automated and human verification are performed to check for gaps in business logic, authentication, and permissions.
Continuous Vulnerability Updates
Vulnerability information for the frameworks and libraries in use is continuously monitored, and security patches are applied promptly.
Incident Response
In the event of a security incident, we promptly notify affected customers and implement measures to identify the scope of impact, contain the incident, and prevent recurrence.
Continuous Review of Security Standards
We continuously review our standard — that "B2B transaction data requires quality equivalent to a bank" — and update it to keep pace with the latest threats and technology trends.
The technical, application, and operational quality items listed on this page are all implemented in the current newji Platform.
For the certification status of our subcontractors and our own certification acquisition roadmap, please refer to the "Compliance & Roadmap" section below.
Certification Status and Roadmap
We disclose the third-party certification status of our subcontractors, while also preparing progressively for our own certification acquisition.
Certification Status of Key Subcontractors
| Category | Subcontractor | Country | Key Third-Party Certifications |
|---|---|---|---|
| Cloud Infrastructure | Amazon Web Services Japan G.K. (AWS) | Japan (Tokyo Region) | ISO/IEC 27001 / 27017 / 27018, SOC 1/2/3, PCI DSS |
| Email Delivery | Resend, Inc. | United States | SOC 2 Type II |
| Error Monitoring | Functional Software, Inc. (Sentry) | United States | SOC 2 Type II, ISO/IEC 27001 |
| AI Features | Anthropic, PBC / OpenAI, LLC / Google LLC | United States | SOC 2 Type II (and equivalent) under each provider's commercial API |
newji Certification Acquisition Roadmap
Establishing In-House Operating Standards and Disclosing Subcontractor Certifications
Development and operations are conducted under operating standards equivalent to bank-grade quality. The third-party certification status of key subcontractors is continuously disclosed as shown in the table above.
Third-Party Vulnerability Assessment
After the production launch, we plan to conduct a vulnerability assessment by an external security firm. We will establish a cycle of addressing findings and conducting follow-up assessments.
ISMS (ISO/IEC 27001) Certification
We will advance preparations for third-party certification of our Information Security Management System. This will establish a framework that meets the procurement standards of enterprise customers.
SOC 2 Type II Certification
We are planning to obtain international standard certifications such as SOC 2 Type II over the medium to long term, in order to serve customers in the United States and with global business partners.
The timing for each phase of the roadmap will be flexibly adjusted based on the growth of Service usage, customer requests, and the progress of our internal organizational development.
For requests regarding individual security checklist responses, DPA (Data Processing Agreement) execution, and similar matters, please contact us via the inquiry form below.
Security Inquiries
Whether you have security questions as part of your evaluation, need a completed security checklist, or have individual inquiries, please feel free to contact us.