hokan Inc. Obtains "SOC2 Type2 Attestation Report" for its Cloud System Specialized in the Insurance Industry

hokan Inc. (Headquarters: Chuo-ku, Tokyo; Representative Director and President: Izuru Yokotsuka; hereinafter: "the Company"), which provides "hokan®︎," a cloud-based insurance agency system that realizes "appropriate sales activities" and "a robust audit system for organizations," is pleased to announce that on April 24, 2026, it obtained the "SOC2 Type2 Attestation Report" (Note 1), following the "SOC2 Type1 Attestation Report" obtained in November 2025.

While the "SOC2 Type1 Attestation Report" evaluates the suitability of the design of internal controls at a specific point in time, the "SOC2 Type2 Attestation Report" obtained this time assesses and certifies that internal controls have been continuously and effectively operated over a certain period by an independent auditing body. This objectively confirms that the controls related to "security" and "privacy" in the system provided by the Company are continuously functioning based on international standards.

With this acquisition, insurance companies and agencies can confirm through a third-party evaluation that the Company's system's security framework is not only "appropriately designed at a certain point in time" but also "continuously and effectively operated." This will enable further efficiency in internal control evaluation work for internal and external audits.

Moving forward, the Company will continue to build a system that promotes the utilization of systems in a secure environment for the sustainable development of the insurance industry.

(Note 1) What is an SOC2 (System Organization Control 2) Attestation Report: Based on the Trust Services Criteria (TSC) and Description Criteria for a Description of a Service Organization’s System (DC200) established by the American Institute of Certified Public Accountants (AICPA), it is a report that an independent auditor verifies the status of design and operation of internal controls of a service organization and the content of its description, and reports the results. Among the five categories: "Security," "Availability," "Processing Integrity," "Confidentiality," and "Privacy," an independent auditing body evaluates whether internal controls are appropriately designed and operated for the criteria items related to the services provided. There are two types of this report: "Type1 Report," which evaluates the suitability of the design of internal controls at a specific point in time, and "Type2 Report," which evaluates the effectiveness of the operation of internal controls over a specific period.

Background: From Type1 to Type2 — From proving "design" to proving "continuous effectiveness of operation"

In November 2025, the Company obtained the SOC2 Type1 Attestation Report as a cloud system specialized for the insurance industry, receiving a third-party evaluation that its internal controls were appropriately "designed."

However, in the financial and insurance industries, it is required not only that internal controls are appropriately "designed" but also that they are "continuously and effectively operated" in daily operations. Particularly in recent years, with the sophistication and complexity of cyber threats targeting supply chain attacks and cloud services, the importance of objectively demonstrating the actual operating status of internal controls of service providers has increased more than ever.

Against this background, the Company promptly started initiatives to acquire Type2 after obtaining Type1, and has undergone continuous evaluation by an independent auditing body regarding the operating status of internal controls throughout the evaluation period. As a result, we have now obtained the "SOC2 Type2 Attestation Report."

Overview of "SOC2 Type2 Attestation Report" and "hokan®︎"'s Strengths

Target Services "hokan®︎ CRM," "hokan®︎ CRM+ Intent Comprehension," "hokan®︎ CRM+ Case Management," "hokan®︎ CRM+ Report," "hokan®︎ CRM+ Treasury"

Evaluation Criteria Security, Privacy

Report Type SOC2 Type2

Evaluation Period October 1, 2025 - March 31, 2026

This "SOC2 Type2 Attestation Report" verifies the effectiveness of the operation of internal controls during the above evaluation period by an independent audit firm, based on the international Trust Services Criteria (TSC) established by the AICPA. While Type1 evaluates "design at a certain point," Type2 evaluates "effectiveness of operation over a period," providing a higher level of reliability.

The target services include not only the customer and contract management system (hokan®︎ CRM) but also related products such as intent comprehension, case management, reports, and treasury, confirming that a consistent high level of security is continuously maintained across all services provided by the Company.