Information Security Protection

#Security Protection #ISMS Certificate #Data Protection

Protection of Personal Information and Privacy

As the largest one-person media platform service in Korea, AfreecaTV is dedicated to safeguarding the personal information of its users. To comply with relevant laws and regulations, we have established policies to protect personal information and privacy throughout the entire lifecycle of our services, from planning to termination. We analyze the potential impact of collecting and using users' personal information at every stage of the service and implement preventive measures and post-control actions accordingly. Our aim is to ensure that users can trust AfreecaTV with their personal information and use our services with confidence.

Information Security System

AfreecaTV has established an Information Protection Committee to prevent leaks of customers' personal information and create a secure business environment. The committee operates information protection systems and security monitoring systems. It oversees the overall information protection management system, led by the Chief Information Security Officer (CISO), Chief Privacy Officer (CPO), and Chief Technology Officer (CTO), who are responsible for information security in various aspects. All information security-related issues and significant matters are deliberated, reviewed, and decided upon by the committee, ensuring comprehensive management throughout the organization. Since December 2021, a dedicated information security organization has been formed under the supervision of the Chief Information Security Officer to carry out systematic information security activities and safeguard the organization's information assets.

Organizational chart for data security

Personal Information Management

AfreecaTV takes full responsibility for the protection and safety of users' personal information. To achieve this, we annually formulate internal plans for personal information management and disclose them to all employees. Efforts are made to ensure that all staff members are aware of their responsibilities and obligations regarding personal information protection. Moreover, AfreecaTV has established thorough measures to prepare for potential personal information breaches and established response processes. In the event of a data breach, we actively respond by notifying relevant individuals and organizations in accordance with applicable laws, identifying the cause of the breach, and implementing appropriate measures and improvements at every stage of the response process. Dedicated response teams are designated for each stage to assist affected parties and minimize damages. Through these sustained efforts, AfreecaTV is fully committed to fulfilling its responsibility for the protection and safety of users' personal information.

Privacy Protection Principles
  • 01 AfreecaTV complies with all laws and international standards on the protection of personal information.
  • 02 AfreecaTV always discloses the processing of the users' personal information transparently.
  • 03 AfreecaTV respects the right of users to make decisions about their personal information.
  • 04 AfreecaTV collects the minimum personal information needed to meet the objectives and manages this information responsibly.
  • 05 AfreecaTV prioritizes the protection of user privacy.

Personal Information Protection System

AfreecaTV conducts pre-checks on the sensitivity of personal information collected and used in all services to ensure compliance with personal information protection laws and internal management regulations. We conduct ongoing assessments of the impact of personal information and operate a comprehensive management system to manage the authority and usage status of personal information handlers who handle users' personal information. Annual inspections of the actual status of personal information are performed to ensure compliance with procedures related to the collection, use, provision, protection, disposal, and user rights of personal information, minimizing risks to personal information protection. Regular checks on personal information protection status are carried out for personal information subcontractors (all entities entrusted with processing AfreecaTV's personal information) to maintain the level of personal information protection. Furthermore, we have established self-inspection lists for each subcontractor to request improvements in cases of violations or deficiencies. If improvements are not made continuously or if the level of personal information protection is deemed inadequate, on-site inspections are conducted to expedite necessary improvements and actions. These post-control measures are continuously managed by AfreecaTV's Chief Privacy Officer (CPO) to identify areas that require further enhancement, maintaining the level of personal information protection and preventing leaks. We remain committed to consistent efforts in maintaining personal information protection and preventing data breaches.

Personal information impact assessment

Management of the Personal Information Processing System

AfreecaTV designates the handling of various personal information related to the services provided to users as 'Personal Information Processing System'. It controls the access, menus, queries, modifications, extractions, and other activities related to the Personal Information Processing System by defining systematic authorization criteria and operating procedures to ensure the secure processing of users' personal information. To access the system, we employ secure authentication methods recommended to prevent unauthorized access by third parties. Furthermore, encryption of access paths is implemented to counter external threats. Each menu in the system is associated with various authorization groups, ensuring that only authorized personnel with the necessary roles can access and view the required personal information. The management of these authorizations involves a process of application and approval by privacy and information protection officers to ensure appropriateness. Logs of all actions performed by personal information processors, such as access, creation, modification, and deletion of data in the Personal Information Processing System, are stored for a specific period. Regular reviews of the appropriateness of authorizations are conducted to revoke unnecessary access privileges. We follow a structured approach to maintain the security and confidentiality of personal information and ensure that access to the Personal Information Processing System is strictly controlled and monitored.

Security Management System

AfreecaTV classifies assets subject to information protection management in order of service importance and conducts regular and ad-hoc risk analyses. The importance assessment and risk analysis are carried out based on predefined items within the information protection management system and criteria defined by the company. The results are used to determine risk levels, review priority and action plans for improvements, and establish plans for implementation. AfreecaTV ensures that all assets undergo annual periodic risk analyses and improvements to check for vulnerabilities. This effort is made to provide users with a safe environment, ensuring peace of mind when using the services. The information security system is strictly controlled to allow access only to authorized employees through relevant personnel or approval processes. We carefully assess the appropriate level of access based on the scope of each employee's duties and grant only necessary permissions. Every action, including access history and configuration changes, as well as unauthorized access attempts, is monitored. AfreecaTV also collaborates with specialized security system companies to detect and respond to external hacker attack attempts or anomalies 24/7, 365 days a year, in an effort to prevent security incidents in advance.

Advancing Data Security Technology

AfreecaTV provides various services in the global market, and due to its nature, it faces the possibility of numerous Distributed Denial of Service (DDoS) attacks. DDoS attacks involve multiple systems collaborating to target and overwhelm a single system, rendering its website or network resources inoperable. AfreecaTV strives to enhance its information security technology to protect its services from such external attacks. Through collaboration with network operators, AfreecaTV actively defends against DDoS attack attempts. Furthermore, measures are implemented to block DDoS attacks using separate equipment, and advanced security management is performed through monitoring. From the development stage of its services, AfreecaTV applies encryption for sensitive information and communication channels to establish a systematic security management system.

Incident handling procedure

  • 01 Initial response

    • Record timeline-based incident circumstances
    • Operate an emergency contact network per risk level
  • 02 Root cause investigation

    • Identify the cause of the incident
    • If action cannot be taken internally, report the matter to higher-level staff
  • 03 Action

    • Internal action
    • Action through related departments or external contractors
  • 04 Action delayed

    • If action is delayed, escalate the risk level
    • Report the matter to the highest-level staff
  • 05 Notification

    • Notify actions taken for each risk level
  • 06 Root cause analysis

    • Collect and analyze data
    • Determine the details of the incident
    • Draft an accurate report so that the situation is easily understood
  • 07 Recurrence prevention

    • Decide how to prevent incidents from spreading or recurring
  • 08 Completion

    • Draw up security policies to identify and prevent similar attacks
    • Change procedures, record information about the incident, draw up long-term security policies, draft plans to modify technology

Privacy Policy

AfreecaTV protects the privacy and data of our users throughout the lifecycle of a service from planning to end. We conduct an internal privacy inspection to ensure that all our services are built upon privacy protection. For example, we examine the compliance with relevant laws, regulations and internal regulations, analyze the level of sensitivity of the users and manage risks. To maintain the level of protection, we do not renew the contract with a counterparty that has no possibility of improving. On top of that, we conduct an inspection on the compliance with safety measures for unique information for teams that handle unique identification information, such as social security numbers, as well as a regular inspection on privacy protection for the HR team and the finance team.

Data Security Investment Recognized

In June 2023, AfreecaTV transparently disclosed its information security status on the KISA Information Protection Public Disclosure Portal and was selected as an exemplary company for information security investments. The portal provides information on AfreecaTV's information security initiatives and activities, including detailed investment status in information security. As of December 2022, AfreecaTV invested approximately 48.5 billion won in the information technology sector and 0.86 billion won in the information security sector, which was utilized for the introduction of network security equipment and security solutions. We also conducted two self-assessments of personal information handling and six information security education sessions for all employees, among various other information security initiatives.

Data Protection Training

AfreecaTV carries out various activities to strengthen awareness of personal information protection and handling among its employees. All employees participate in an information security pledge process, and regular personal information protection education is conducted twice a year. In addition to regular education, AfreecaTV offers ad hoc personal information protection training through its in-house education system.

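Data protection training

| Year | Data protection training: minutes of training | Data protection training: completion rate (%) | Personal information leak (no. of cases) |
|------|-----------------------------------------------|-----------------------------------------------|------------------------------------------|
| 2020 | 60                                            | 100                                           | 0                                        |
| 2021 | 90                                            | 100                                           | 0                                        |
| 2022 | 130                                           | 100                                           | 0                                        |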

Information Security Management System Certificate

AfreecaTV gained confidence in data security by obtaining the ISMS certification from the Korea Internet & Security Agency (KISA) in 2014. We have maintained the certification since then. We plan to strengthen our security capacity by advancing the management system based on the certification.

ISMS certificate