Data Security and Privacy
#Data Security and Privacy #Information Security Process #Response Manual #ITGC #Information Security Disclosure #Personal Information Processing #Security Controls System #ISMS Certification
SOOP recognizes data security and privacy to be core responsibilities given the nature of our platform, where user activity data and personal information are collected and processed in real time. We aim to strengthen user trust and enhance the sustainability of our platform by increasing our investment in data protection and transparently disclosing our security status.
Strategy & Policy
Considering data security and privacy as core values, SOOP operates an integrated data protection system based on ISMS certification. We have established a governance framework that includes personal information impact assessments, internal audits and the operation of cyber threat response teams. In addition, we have established various comprehensive internal guidelines, including the Data Protection Regulations and guidelines for users, servers and personal security, to define clear expectations and performance standards required of employees and partners. We also regularly conduct prevention-centered security activities such as data protection training, malware drills, sharing the latest security trends and system security updates to raise company-wide security awareness and create an environment that can proactively respond to changing cyber threats.
- Information Protection Regulation: A comprehensive regulation on the protection of all company information assets (documents, databases, systems, networks, etc.), including personal information.
- Privacy Policy: Outlines the basic principles and procedures on the protection of data subjects’ rights and prevention of misuse of personal information throughout the entire process, from collection to destruction.
- User-Friendly Privacy Policy: To make our privacy policies more accessible to children and teenagers, we provide simplified summaries and video explanations.
Internal Management Plan for Privacy
An internal plan is established and distributed annually to ensure all employees fully understand and perform their roles and responsibilities in protecting privacy. Violations of these roles and responsibilities under the Information Protection Regulations are subject to disciplinary measures based on intent, degree of violation and damage caused to the company, and may affect performance evaluations.
Privacy Protection Principles
- 01. SOOP complies with all applicable personal information protection laws and international standards in its service regions.
- 02. SOOP maintains transparency in how it processes users’ personal information.
- 03. SOOP respects users’ rights to make decisions about their personal information.
- 04. SOOP collects only the minimum personal information needed to meet its objectives and manages this information responsibly.
- 05. SOOP prioritizes the protection of user privacy.
Management
| Board of Directors / Data Security Committee |
|---|
| CISO |
| CPO |
| Security Team |
| User Communication Division (User Insights Team) |
2024 Key Performance
- Investment in information technology sector in 2024: KRW 59.14 billion
- Investment in information protection sector in 2024: KRW 1.57 billion
- Information technology sector workforce: 302 people
- Inspection of personal information entrusted companies: 2 cases
- Dedicated data protection sector personnel: 5 people
- Privacy self-inspection: 2 cases
- Preparation of privacy guideline document for employees: 12 cases
- Number of personal information leakages: 0 cases
- Privacy training
  - Company-wide mock training against malware email
  - 2 data protection trainings
- Selected as one of the best companies in information protection investment in 2024
Data Security
Stronger Security Controls
SOOP classifies the key information assets that make up the platform, such as servers, databases and user management systems, based on their importance to the service, and regularly assesses their risks. This allows us to identify the vulnerabilities in each system in advance and quickly establish and implement necessary measures to maintain a stable service environment. All information assets undergo risk analysis at least once a year, and based on the assessment results, we assign risk levels and prioritize those that require immediate response. We also operate a strict access control system to ensure that only pre-authorized personnel can access information security systems, and we monitor all access-related activities in real time, including access history, configuration change history and unauthorized access attempts, to minimize security risks. Recently, threats from malicious traffic have become ever more sophisticated, and in response, SOOP has adopted the Clean Zone service to strengthen the protection of platform servers and subscribed to services offered by telecommunication companies to enhance safety across the entire service. We also respond proactively to various cyber threats by establishing a 24/7 real-time monitoring system. Our goal is to continuously strengthen security levels to create a safe platform environment that both users and streamers can trust and use.
Information Breach Response Framework
SOOP has established a Breach Response Guideline to promptly and systematically respond to personal information leakage incidents. If a breach occurs, we immediately notify the affected individuals and relevant organizations, and minimize damage through a systematic process of analyzing the cause, taking action, and establishing measures to prevent recurrence. We also conduct mock drills simulating personal information leakage scenarios twice a year to strengthen employees’ response capabilities. We review and improve our response strategies based on various breach scenarios, and in 2024, maintained a 100% participation rate in the drills, ensuring that all employees are fully trained to follow response procedures.
Breach Response Manual
- 01 Initial Response
  - Log the incident with a detailed timeline of events
  - Activate the emergency contact network according to the risk level
- 02 Root Cause Investigation
  - Identify the cause of the incident
  - Escalate to senior personnel if action cannot be taken internally
- 03 Action
  - Internal action
  - Take measures through relevant departments or external partners
- 04 Delay in Action
  - If action is delayed, escalate the risk level
  - Report the situation to the highest-level person in charge
- 05 Notifications
  - Notify actions taken for each risk level
- 06 Root Cause Analysis
  - Collect and analyze data
  - Determine the detailed background and circumstances of the incident
  - Draft an accurate report and increase understandability
- 07 Prevention of Recurrence
  - Define measures to prevent incidents from spreading or recurring
- 08 Completion
  - Establish security policies to identify and prevent similar attacks
  - Update procedures, record the incident, revise long-term security policies, plan for necessary technical modifications

- 2 simulation trainings completed
- 100% participation rate
Operation of the Information Technology General Controls (ITGC)
In 2023, SOOP established an external audit response system for its internal accounting management framework pursuant to the Act on External Audit of Stock Companies and overhauled its IT control activities based on Information Technology General Controls (ITGC). ITGC is a basic control system that ensures the reliability and stability of IT systems, covering areas such as data integrity, system access security, program development and change management, as well as backup and disaster response management. In 2024, we continued with regular inspections and improvements on key IT control components, including major data changes, system access controls and program development and operations management. This ensures the reliability of financial information and data integrity, as well as the maintenance of a stable internal control system.
Raising Information Security Awareness
SOOP raises information protection awareness through various activities targeting employees and users. The Security Team shares updates on domestic and international security issues, as well as internal information security trends, with all employees every month, helping prevent security incidents and increasing security sensitivity. In addition, our Personal Information Protection Campaign guides users on self-protection practices such as stronger passwords, two-factor authentication and blocking overseas logins, fostering a safer service environment.
Information Security Training and Pledge
SOOP mandates annual security training for all employees and offers customized training via online platforms to raise privacy awareness. Additionally, employees of SOOP and its affiliates are required to sign an Information Protection Pledge when they join the company, strengthening our information security systems.
Information Security Training in 2024
- Company-wide security training (All employees): Twice a year (first and second half), completed by 697 employees
- New hires: Twice a year (first and second half), completed by 90 employees
Privacy Protection
Security Control of Personal Information Processing
SOOP designates and systematically manages all business systems, databases and management systems that handle personal information necessary to provide user services as “personal information processing systems.” We have established clear authorization criteria and operating procedures for access, inquiry, modification, extraction, etc. related to the processing of personal information, and control such processes to ensure that personal information is safely protected. We apply secure authentication methods to prevent access by third parties, and encrypt access paths to protect against external threats. In addition, we grant only the minimum necessary permissions for each system menu to ensure that personal information processors access only the information required for their work. Authorization must be obtained from both the personal information protection officer and the information security officer, each through a separate authorization process. Even after authorization is granted, we regularly review and revoke unnecessary authorizations. All actions such as access, creation, modification and deletion are recorded (logged) and kept for a specified period of time to maintain the safety and reliability of the personal information processing system.
Preventive Measures and Post-Monitoring
SOOP has various prevention and inspection systems in place to prevent and systematically manage personal information leakages. First, we identify risk factors in advance through personal information impact assessments, and strengthen internal controls by integrating and managing the authorization and usage status of personal information handlers. We also ensure the safety of outsourced personal information processing by adopting a framework that requires self-inspections by outsourcing companies and prompt correction requests. Further, we conduct annual inspections, including personal information status checks, and systematically carry out follow-up measures by regularly monitoring access and change logs, and through a final confirmation by the CPO. If an outsourcing company fails to take the required improvement measures, we conduct on-site inspections and take additional measures to ensure effective management. By linking these preventive actions with post-monitoring, we continuously enhance our company-wide personal information protection capabilities.
- Preventive Measures
  - Personal information impact assessments
  - Comprehensive control of authorizations and usage by personal information processors
  - Self-inspections conducted by outsourcing companies and immediate correction requests
- Post-Monitoring and Improvements
  - Privacy audits covering all stages from collection to destruction
  - Regular monitoring of granted authorizations, access logs and modification records
  - On-site inspections and additional measures against non-compliant outsourcing companies
  - Final confirmation by the CPO and management of shortcomings












