Security
Build freely. Protect responsibly.
Cor. Inc. is building out its information security program to balance the speed of AI development with the responsibility of protecting our customers' valuable information. While maintaining a local-first environment where developers can be highly productive, we operate a combination of sensitivity-based access controls, approved AI tools, minimal security logging, and an incident response framework.
Information Security Basic Policy
The Japanese version is the authoritative text. This English translation is provided for convenience.
Cor. Inc. (hereinafter, “the Company”), under its management philosophy of “shaping the future and realizing a happy society through co-creation rather than competition,” engages in businesses including contracted AI development and AI adoption support, AI advisory and training, the provision of the AI evaluation platform “Grift,” and support for highly confidential AI operations using local LLMs.
The scope of this Basic Policy covers all operations related to the entirety of the Company's business at its head office (Fukuoka) — the planning, requirements definition, development, and operation of AI solutions, together with the associated accounting and finance work — as well as the information assets handled in those operations.
Because these businesses involve handling many information assets — including confidential information, source code, and training data entrusted to us by customers — the Company recognizes ensuring information security as a critical management issue. The Company believes that implementing appropriate safeguards for customer information collected through its operations and for the information assets it handles, and maintaining their confidentiality, integrity, and availability, forms the foundation of the trust it builds with customers and of the sustainable development of its business.
Through the establishment and operation of an information security management system (ISMS), the Company aims to prevent security incidents such as information leaks and tampering, and to that end establishes the following information security guidelines.
Guidelines
- The Company will identify information asset risks using defined procedures and implement appropriate risk treatment in order to establish and continually improve its information security management system.
- The Company will clearly define roles and responsibilities for information security and appropriately manage its information assets.
- The Company will conduct education and awareness activities for management, employees, and all related parties so that they recognize their responsibility to maintain information security.
- The Company will monitor and record the implementation of its information security management system, and will improve operational reliability and pursue continual improvement through the setting and achievement of information security objectives and through periodic internal audits and management reviews.
- In the unlikely event of an information security problem, the Company will immediately investigate the cause, minimize the damage, and strive to ensure business continuity.
- The Company will comply with laws and regulations, other social norms, and contracts with customers concerning information assets and their handling.
- The Company will consider climate change and other changes in the business environment as issues relevant to information security and business continuity.
July 1, 2026
Cor. Inc.
Representative Director Kosuke Terada
Established: July 1, 2026 / Version 1
Three Pillars
Local-First
We use high-spec, company-issued Macs as the baseline so developers can work comfortably in a local development environment. By combining device encryption, MDM, account management, and necessary security configurations, we aim to balance development speed with information management.
Minimal Security Logging, Detection, and Response
Rather than preventively prohibiting everything, we maintain security visibility to the extent needed for our work and build a framework that can quickly detect and respond when issues arise. The data we collect is limited to work-related security telemetry, and our policy is not to excessively collect private content.
Sensitivity Tiers
Depending on the sensitivity of the information handled, we selectively use company accounts, approved AI tools, access controls, and isolated environments when needed. For non-confidential verification we prioritize speed, while applying stricter handling when dealing with customer confidential data, personal information, source code, and the like.
Building Our Framework
- Since June 2026, in collaboration with our retained legal counsel, we have been building a legal review framework covering contracts, personal information, AI use, and information security operations.
- Cor. Inc. is advancing the operational readiness of its ISMS (Information Security Management System), targeting ISO/IEC 27001 certification.
AI Usage Policy
Cor. actively leverages AI tools for our work. At the same time, when handling customer confidential data, personal information, source code, training data, and the like, we use AI tools under contracts and configurations that prevent training use, company accounts, or approved environments. AI outputs are verified by people and used only after confirming rights, accuracy, and safety.
Initiatives
| Area | Initiative | Status |
|---|---|---|
| Legal Review | In collaboration with retained legal counsel, reviewing contracts, personal information, AI use, and ISMS operations | Building since June 2026 |
| ISMS | Targeting ISO/IEC 27001 certification, building risk management, training, policies, and audit framework | In progress |
| Device Management | Company-issued Macs, device encryption, MDM, and distribution of necessary configurations | Phased rollout |
| AI Use | Applying approved AI tools, company accounts, and no-training settings according to sensitivity | Operational readiness in progress |
| Local LLM | Supporting AI use that avoids unnecessarily exposing confidential information externally | Applied per engagement |
| Incident Response | Codifying reporting lines, initial response, and recurrence prevention into policy | Being built within ISMS operations |
About Privacy
For how we handle personal information, please see our Privacy Policy.