
Information Security Policy

1. Purpose

This Information Security Basic Policy (hereinafter, the “Basic Policy”) stipulates the basic policy on information security for GMO Payment Gateway, Inc. (hereinafter, the “Company”). The purpose of the Basic Policy is to protect information assets including the personal information of the Company and the personal information of customers and business partners that is retained by the Company.

2. Scope

The scope of the Basic Policy consists of all information assets used in operations at the Company and equipment for the preservation of information assets, as well as the Company’s executives, employees, contract employees, part-time employees, and dispatched employees (hereinafter, “all employees”) who use these information assets.

3. Definition of terms

Information security

Protecting information from a wide range of threats in order to ensure the Company’s business continuity, minimize damage to the business, and maximize returns on investments.

Information security policy

Collective name of the Basic Policy and the information security measures policy prepared in accordance with the Basic Policy.

4. Declaration of intentions of the management team

The Company’s mission is to contribute to the achievement of payments that are safe and convenient for consumers and businesses, with the aim of becoming the payment process infrastructure for Japan. As we are engaged in corporate activities in accordance with this mission, the Company makes use of its own unique information assets and holds information assets including personal information from many stakeholders. We aim for even further growth as a company that creates added value in credit card payments and satisfies customers, and we endeavor to provide service based on the keywords of adaptation to the currents of the times, existence value, and sociality. To that end, we have established the Basic Policy and are engaged in information security measures, based on the awareness that protecting information assets from external threats is one of the most important management issues. Based on the Basic Policy, the Company establishes and manages information security and takes the necessary protection and appropriate security measures on the information assets of the Company and its stakeholders. All employees aim to provide high value to stakeholders and expand corporate value through compliance with the Basic Policy and secure business activities that eliminate information security risks.

5. Basic Policy

  1. Formulation of an Information Security Policy
    An Information Security Policy will be formulated in accordance with the declaration of intentions of the management team of the Company, and it will be released to all employees and related external parties. All employees will comply with this information security policy and implement information security measures.
  2. Establishment of an information security management system
    • An Information Security Administrator (hereinafter, the “Administrator”) who is responsible for information security overall will be established. The Administrator will be responsible for leading and managing an organization for the establishment and management of information security, including response to security incidents.
    • An Information Security Committee will be established in order to enable an accurate understanding of the status of information security on a company-wide level so that the necessary measures can be promptly implemented.
  3. Reviews
    The Basic Policy will be reviewed as necessary and ongoing improvements will be made in consideration of changes in the business environment, changes in the social environment and legal systems, the latest trends in information-related technologies, and newly discovered risks.
  4. Implementation of information system security measures
    In order to protect the Company’s information system assets, risk analysis will be conducted, based on which information system security measures including unauthorized access measures, antivirus measures, information leakage measures, and reliability measures will be implemented.
  5. Personal information protection
    Risk analysis will be conducted on personal information, based on which safety management measures for protecting personal information will be formulated and implemented.
  6. Security measures on outsourcing
    For the outsourcing of the Company’s operations, the Company will screen the eligibility of contractors, review the contents of contracts, and work to make improvements from the perspective of protecting corporate confidential information and personal information.
  7. Conformance with legal and contractual requirements
    In order to avoid violations of laws and regulations related to information security, contractual obligations, or security requirements by the Company, the Company will clarify these requirements, and formulate and implement measures for conforming with them.
  8. Education, training, and ensuring thorough awareness of information security
    The Company will conduct regular education and training on information security for all employees, and work to ensure thorough awareness of the importance, proper handling, and management of information security.
  9. Responding to security incidents and security accidents
    If a security incident occurs, the person who made the discovery will promptly report the details to the Administrator, who in turn will immediately report to the involved parties and take emergency measures as necessary. For security accidents, an analysis will be conducted on the cause and measures will be taken to prevent recurrence.
  10. Business continuity management
    The Company will ensure business continuity by working to avoid, as much as possible, the suspension of business due to factors such as accidental disasters, breakdowns, or negligence involving information assets, or intentional abuse, etc. of information assets.
  11. Measures in response to violations of the information security policy
    Employees who violate the Information Security Policy will be subject to disciplinary action.

January 10, 2006
Issei Ainoura