Passing Japanese enterprise ringi approval for Kintone plugins
Deploying Kintone plugins in Japanese enterprises requires passing through the "ringi" (稟議) approval process. The plugin must pass IT, procurement, legal, audit, and executive review. This post covers what documents you need, what vendor criteria typically pass, and how to accelerate the timeline.
The short version
Japanese enterprise ringi approval for a Kintone plugin requires 5 document sets: company profile, public pricing, security sheet, data processing agreement, business continuity plan. Vendors don't need to be publicly listed to pass — "contractually written commitments" often suffice. Typical approval timeline: 4-8 weeks. Plan your rollout accordingly.
Typical ringi process flow
In mid-size to large Japanese enterprises, IT procurement including Kintone plugins follows:
- Origin department drafts ringi document (1 week)
- IT security review (1-2 weeks)
- Legal contract review (1 week)
- Procurement negotiation and competing quotes (1-2 weeks)
- Executive approval (1 week)
- Contract signature and PO (few days)
Total: 4-8 weeks. Complex cases extend to 3+ months.
Five required document sets
1. Vendor company profile
Demonstrates vendor reliability as a legal entity:
- Company name, headquarters address, contact
- Representative, founding date
- Capital, employee count
- Business description, major customers
- Certifications/awards (Cybozu Partner, ISO certifications, etc.)
Ideal: TSE-listed with publicly filed financials. But unlisted startups are acceptable if they have 3+ years of operating history and a major-customer list (industry categories are sufficient).
2. Public pricing
Japanese ringi avoids "contact for quote" vendors. Published pricing lets procurement evaluate without asking for bids.
Check:
- Monthly / annual base price
- Additional fees for user count, app count, data volume
- Setup, option fees
- Tax-inclusive / tax-exclusive
- Payment terms (NET30, month-end-plus-one etc.)
- Qualified invoice issuer registration status
3. Security sheet
Required by IT security review:
- Data residency (region, data center)
- Encryption (in transit, at rest)
- Authentication (OAuth 2.0, SSO, MFA)
- Access logs and retention period
- SOC 2 / ISO 27001 status
- Incident response and SLA
- Subprocessors list
- Data subject rights (deletion, disclosure, correction)
Many large enterprises have their own security questionnaires (100+ questions). Prepare standard answers in advance and customize only company-specific items.
4. Data processing agreement (DPA)
Required for Japan's Personal Information Protection Act and GDPR compliance. Should specify:
- Data use purpose (contract fulfillment only, etc.)
- Third-party disclosure restrictions
- Data subject rights handling
- Breach notification obligation and timeframe
- Data deletion on contract termination
- Subprocessor usage restrictions
5. Business continuity plan (BCP)
What happens to customer data and operations if the vendor shuts down? Mandatory review point:
- Notice period before vendor service termination (6+ months etc.)
- Data export format and method at contract end
- Source code / specification escrow arrangements
- Successor vendor migration support scope and fees
- Open-source commitment (where applicable)
Vendor selection criteria that pass ringi
"Volume of public information" matters
Japanese ringi dislikes information asymmetry. Vendors with everything on the website beat "contact sales to find out" vendors, because ringi handlers can complete their review much faster.
- Prices published
- Security sheet downloadable
- Contract templates readable
- Terms and privacy policy clear
- Development company / operating company clearly listed
"Same-industry customer references" help
Case studies from same-industry, similar-scale customers dramatically improve persuasion. NDA may limit disclosure, but "industry + company size + deployment timing + usage scope" is often enough.
"Small size" is not always a negative
Large vendors often lack flexibility for custom work. Mid/small vendors can pass ringi if they meet:
- 3+ years of operating history
- Strong public information
- Written business continuity plan
- Concrete security posture
- Fast response (24-hour document delivery etc.)
Accelerating ringi timelines
Do an early "information gathering" phase
Before formal ringi drafting, share candidate vendor materials with IT and procurement for informal pre-review. Address issues before they enter the formal process.
Run multiple candidates in parallel
Single-vendor ringi becomes catastrophic if issues are found mid-way. Running 2-3 parallel candidates hedges risk. Vendor-side effort is real, so 3 is the practical ceiling.
Avoid fiscal period-ends
March, September, and December are clogged with other ringi and approvals delay. February, May, August, November tend to move faster.
kinplug's ringi readiness
All of the following are publicly accessible:
- Company profile and Specified Commercial Transactions Act disclosure
- Standard ¥9,800/mo, Enterprise ¥49,800/mo — published pricing
- Security overview page
- Privacy policy and terms of service
- Vendor-shutdown open-source commitment (contractually binding)
- Qualified invoice issuer registration (completing 2026)
Ringi-ready Japanese document set available within 24 hours on request. Company-specific security questionnaires also supported.
Related
Try kinplug free for 14 days
No credit card. Sign in with Google or Microsoft, enter your Kintone subdomain, and go live in 90 seconds.