SOOP ESG2021

Management of the Personal Information Handling System

To handle the personal information of users in a safe manner, AfreecaTV has established a personal information handling system covering the services provided, the database system, and the management system. We also defined standards for granting authorities and operational procedures for activities related to the personal information handling system, such as access, menus, views, editing, and extraction. We use a safe authentication system recommended by the company to block the access of third parties and respond to external threats by encrypting the access route. We also create authority categories and grant authorities to access and view necessary menus only to designated persons who handle personal information.

Approval for these authorities is granted by the persons responsible for personal information protection and information security following an application procedure for access. The log of access to the personal information handling system (e.g., authority given, access, creation, editing, deletion, etc.) by the persons who handle personal information and any activity after access are retained for a certain period, and authorities are reviewed periodically so that authorities can be removed from accounts that are not used.

Plan and Principles of the Internal Management of Personal Information

To systematically manage personal information and take protective and ex-post measures, AfreecaTV develops and updates its Personal Information Protection Management Plan annually.
We release revisions to the plan every year to all employees to remind them of their duties and responsibilities in handling and managing personal information, and we help them to collect and process the personal information of AfreecaTV’s users in a safe manner through our protection measures. To prepare for potential leakage of personal information that may occur despite stringent preventive and ex-post control efforts, we made all the steps – from reporting to the individual/institution in accordance with relevant laws to identifying the cause, taking measures, and making improvements – into a process and designated a team for each step to support the victims and minimize damage.

Cycle of personal information impact assessment

01

AfreecaTV complies with all laws and international standards on the protection of personal information.

02

AfreecaTV always discloses transparently the processing of users' personal information.

03

AfreecaTV respects the right of users to make decisions about their personal information.

04

AfreecaTV collects the minimum personal information possible to meet our objectives and manages this information responsibly.

05

AfreecaTV prioritizes the protection of user privacy.

Security Training

To raise awareness of information security within the company, AfreecaTV conducts information protection training for all employees. Specifically, new employees are required to complete security training to ensure compliance with information security regulations. The company periodically holds an E-Clean Day for employees. These events inform employees about security matters, such as phishing and other recent security threats. As remote working due to COVID-19 continues, we have provided training on security rules when working from home using actual cases of security issues.

Personal Information Protection Training

AfreecaTV engages in various activities to raise awareness of information security among those who handle or process personal information. All employees are required to sign the Information Security Agreement and receive training on information protection twice a year. There are also non-regular training programs on AfreecaTV‘s training system. We plan to achieve a 100% completion rate for the training provided to those who handle personal information. We take proactive measures to provide training on personal information protection to all employees.

ISMS (Information Security Management System)

We rank assets subject to the information security management system based on the importance of the service in our materiality assessment. We analyze risks regularly and nonregularly. Materiality assessments and risk analyses are conducted for the items defined in the ISMS and internal criteria. Risks receive a grade depending on the results, and this is the basis for prioritizing improvement measures and improvement methods. The weak points of all assets of AfreecaTV are analyzed regularly throughout the year and improvements are made to provide a safe environment and stable services to users.

The information security system is under strict control, and only relevant personnel and those who have been authorized in advance through an approval process can access it. The work scopes of employees are assessed through an appropriateness review for assigning necessary authorities. All activities, such as access, changing settings, and attempts to access by nonauthorized persons are monitored. AfreecaTV works with a security system company to detect and respond to external hacking attacks or abnormal activities 24/7, every day of the year. We strive to prevent security incidents in advance.

Advancement of Information Security Technology

AfreecaTV provides diverse services in the global market, which makes it vulnerable to DDoS (distributed denial of service) attacks due to the nature of the company. A DDoS attack refers to an attack that disables the operation of network resources or a website by attacking a single target system with multiple systems. We are striving to improve our information security technology to protect our services from external attacks.

We block DDoS attack attempts in cooperation with network providers, and also with separate equipment, and implemented a sophisticated security management system through monitoring. We encrypt material information and communication intervals from the stage of service development through our systematic security management system.

Incident (Attack) Response Procedures