We Endeavor to Embrace Incremental Changes

ESG

NHN is dedicated to creating meaningful change in society through inclusion, responsibility, and shared growth.

Information Protection

Information Protection Policy

NHN has implemented an information protection policy framework tailored to each employee's role. We conduct assessments on a regular basis, at least once a year, to ensure compliance with the policy, evaluate its effectiveness and make necessary improvements. This comprehensive framework comprises a top-level policy statement, supplemented by guidelines for different roles and responsibilities. Additionally, detailed guidelines are also prepared to provide precise instructions for implementing the higher-level guidelines, offering stringent security measures to prevent any information leakage.

Information Protection Policy Statement

Information Security Governance

NHN has appointed a Chief Information Security Officer (CISO) and a Chief Privacy Officer (CPO) as executives of its dedicated information security organization, granting them clear authority and responsibility over data security and privacy protection. Additionally, NHN operates an Information Security Committee comprised of key executives, including the CISO and CPO, to discuss and make decisions on major changes in information security governance. In order to strengthen information security and data protection, NHN maintains a dedicated information security organization while separating IT security and information protection policy entities for enhanced expertise and specialization.

Information Security Certification

NHN has obtained certifications for information security system and service stability from domestic and foreign reputable certification organizations. We spare no effort to check, manage, and operate internal systems, such as receiving verification on the personal information and information security systems from specialized national agencies.

ISMS-P

The highest level of authoritative domestic certification system of information security and personal information security in South Korea
ISMS-P (Information Security and Personal Information Security Management System) is a certification system that awards a company who achieves a certain degree of performance in the systematic and persistent activities in terms of information security and personal information security. NHN has been annually audited for its system of information security and personal information security subject to the certification of ISMS (Information Security Management System) and PIMS (Personal Information Security Management System), which were obtained in September 2013, and the recently integrated certification of ISMS-P as of November 2019.
Certified Service
ISMS-P
NHN : Operation of external online services (game, content, IoT, e-commerce)
NHN Cloud : NHN Cloud services
NHN Dooray! : Collaboration service, groupware, ERP(Enterprise resource planning), digital tax invoice services
NHN PAYCO : PAYCO Life, Financial services
ISMS
NHN Cloud : NHN Cloud Center (IDC)
NHN PAYCO : Franchise and Partnership / Outsourcing Services
Valid Period
NHN : 2023.12.06 ~ 2026.12.05
NHN Cloud : (ISMS-P) 2023.12.06 ~ 2026.12.05 (ISMS) 2022.11.16 ~ 2025.11.15
NHN Dooray! : 2023.12.06 ~ 2026.12.05
NHN PAYCO : (ISMS-P) 2024.01.18 ~ 2027.01.17 (ISMS) 2024.01.18 ~ 2027.01.17

ISO/IEC 27001, 27701, 29100

International Standard for Information Security and Privacy Management System and Privacy Framework
NHN has acquired the international standard certificate ISO/IEC 27001, which is for the information security management system published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and the international standard certificate ISO/IEC 27701 for the global privacy information management system. It meets global privacy requirements such as the EU GDPR. NHN has also acquired ISO/IEC 29100, which is the international standard certificate required for establishing and operating a global privacy framework.
Certified Service
NHN : The provision of entertainment, e-commerce, content service and IoT (Internet of Things) services.
NHN Cloud : The provision of NHN cloud services for public, finance, governmental and medical business services.
NHN Dooray! : The provision of collaboration service, groupware, ERP(Enterprise resource planning), digital tax invoice services.
Valid Period
2024.06.17 ~ 2027.06.16

ISO/IEC 27017, 27018, 27799

International Standard for Cloud Service Information Security and Privacy, Health Information Security
NHN has acquired the international standard certificates ISO/IEC 27017 and ISO/IEC 27018, which are for information security and privacy security specialized for cloud services, and ISO/IEC 27799, which is the international standard certificate for health information security of cloud services.
Certified Service
NHN Cloud : The provision of NHN cloud services for public, finance, governmental and medical business services.
NHN Dooray! : The provision of collaboration service, groupware, ERP (Enterprise resource planning), digital tax invoice services.
Valid Period
2024.06.17 ~ 2027.06.16

ISO/IEC 22301

International Standard for Business continuity management system
ISO/IEC 22301 is the international standard certificate for Business continuity management system. NHN Cloud has acquired ISO/IEC 22301, and audited for its business continuity management for IaaS Services of NHN Cloud, which were obtained in July 2022.
Certified Service
NHN Cloud : The provision of NHN cloud services for public, finance, governmental and medical business services.
Valid Period
2022.07.14 ~ 2025.07.13

CSAP(Cloud Security Assurance Program) Certification [IaaS, SaaS]

Information security management system evaluation and certification for providing safe cloud services to governmental
The Cloud Security Assurance Program is a program that reviews whether a service provided by a cloud service provider complies with the information security standards under Article 23 Paragraph 2 of the Cloud Computing Development and User Protection Act of Korea and grants certifications to companies that satisfy certain minimum standards. NHN Cloud Corporation acquired the certification for IaaS in December 2017, SaaS in December 2019, DaaS in September 2023 and has its cloud service security systems regularly certified through strict verification procedures every year.
IaaS Certification No.
CSAP-2017-003
IaaS Certification Scope
NHN Cloud (for public institutions) (IaaS)
IaaS Valid Period
2022.12.13 ~ 2027.12.12
SaaS Certification No.
CSAP-2019-010
SaaS Certification Scope
Dooray! (Public email, collaboration tools, messenger, electronic approval, video conferencing, AI) (SaaS Standard Grade)
SaaS Valid Period
2024.12.18 ~ 2029.12.17
DaaS Certification No.
CSAP-2023-028
DaaS Certification Scope
NHN Cloud Virtual Desktop Service (DaaS)
DaaS Valid Period
2023.09.19 ~ 2028.09.18

CSA STAR

International Cloud Service Information Security Certification by CSA (Cloud Security Alliance)
CSA STAR certification is an international cloud service information security certification hosted by the US Cloud Security Alliance (CSA). It assesses the effectiveness and maturity of security controls through the Cloud Control Matrix and grants a certification called STAR (Security, Trust & Assurance, Registry). NHN Cloud has obtained the CSA STAR Certification for IaaS, PaaS, and SaaS of NHN Cloud service and is certified for maintaining the maturity of Gold Level.
Certified Service
NHN Cloud : The provision of NHN cloud services for public, finance, governmental and medical business services.
NHN Dooray! : The provision of collaboration service, groupware, ERP(Enterprise resource planning).
Valid Period
2022.07.12 ~ 2025.07.11

Guaranteeing the Right to Control Personal Information

User Personal Information Management

NHN provides guidance on user and legal guardian rights and how to exercise them through the Hangame Privacy Policy. Users and legal guardians can view or rectify their personal information or that of a child under the age of 14 at any time. If users do not consent to NHN’s processing of personal data, they have the right to refuse consent or request withdrawal of membership (withdrawal of consent or deletion of personal information). Users can rectify or review their information by selecting “Edit Member Information” on Hangame’s My Page and can withdraw their membership by clicking “Withdraw Membership” upon completing the identity verification process.

Collection and Disposal of Personal Information

NHN collects only the minimum necessary personal data in accordance with legal procedures and retains it for the duration agreed upon by the data subject or as required by applicable laws. When the processing purpose is fulfilled such as membership withdrawal, the collected data is deleted without delay. Any personal data that is no longer needed is securely disposed of. If NHN receives personal information from a third party, it only collects and processes the data within the scope agreed upon. Additionally, in accordance with the Personal Information Protection Act, NHN provides data subjects with a ‘Personal Information Collection Source Notification,’ which includes details on the source of collection, the purpose of processing, and the data subject’s right to request suspension of processing.

Provision of Personal Information to Third Parties

NHN lawfully collects Hangame users’ personal information and does not use or share it beyond the agreed scope without acquiring prior user consent. However, exceptions apply when users have explicitly consented to third-party data sharing. Such cases include when participating in channeling game services, promotional events, or giveaways. Even in such cases, NHN transparently informs users about the recipient, the purpose of data sharing, the specific data provided, and the recipient’s retention and usage period. Users must provide explicit and individual consent before any information is shared. NHN strictly prohibits providing, renting, or selling personal information to third parties for any purpose other than its intended business operations.

Personal Information Management System

Information Protection Monitoring System

NHN has implemented Secumon, an integrated security log analysis system based on open-source technology, to raise its level of data security. This system monitors all potential pathways where information is processed, including VPN access, server and database access, device activity logs, administrator actions on critical information systems, and external collaboration platform access. Secumon leverages machine learning technology to set predictive thresholds and detect abnormal activities in real time. NHN swiftly identifies potential security vulnerabilities and threats through daily monitoring and takes immediate action to reinforce personal information protection. NHN is committed to establishing a differentiated personal information protection system through its specialized security technology, while enhancing the security of its entire data processing environment.

Inspection of Personal Information Processing Contractors

NHN regularly inspects and oversees the personal information protection practices of its data processing contractors for compliance with privacy regulations. NHN conducts semi-annual inspections in the first and second half of the year to assess the status of data protection and identifies areas for improvement, requesting correction as needed. NHN also carries out follow-up inspections to verify the implementation of these improvements, ensuring a continuous management system. Additionally, NHN rigorously reviews the operational status and the handling of provided data according to outsourcing contracts. Upon contract termination, NHN requires contractors to submit a report confirming data destruction to guarantee the secure disposal of personal information.

※ 2024 Operational Performance: NHN conducted personal information protection inspections for 54 data processing contractors.

Information Security Training

NHN conducts information protection training to raise information security awareness among its employees and partners. New hires are required to take information security training as part of their employment process, and every year we provide training on personal information protection to all types of employees, including contractors and temporary workers. New hires in technical positions are also provided with developer security training so that information protection practices for safe service development and operation are properly shared. We provide information protection training materials tailored to the purpose of the service to not only employees but also partners, so that all employees and members have the ability to prevent and respond to security incidents based on their understanding of information protection.