Information Security Policy

Our company values the interests of our customers and investors. In response to emerging technologies, which may expose the company to external malicious threats and intrusions, potentially damaging our reputation and causing operational difficulties, we have implemented the ISO 27001 Information Security Management System. We have formulated information security policies and related specifications, communicated them to our colleagues, and strengthened internal information security governance and awareness.

We declare the following information security policy:

1. Information Security Objectives:
1.1 Ensure the confidentiality of the company's information assets by implementing data access controls, allowing information to be accessed only by authorized personnel.
1.2 Ensure the integrity of the company's information operations management, avoiding unauthorized modifications.
1.3 Ensure the continuous operation of the company's information operations.
1.4 Ensure that the company's information operations comply with relevant legal requirements and contractual obligations.
2. Information Security Control Measures:
2.1 Establish an information security management organization, led by the General Manager, to supervise the operation of the information security management system, identify internal and external issues related to information security, and assess the requirements and expectations of relevant stakeholders.
2.2 Management commits to maintaining information security, continuously improving the quality of information security, reducing the occurrence of information security incidents, and safeguarding the rights of customers.
2.3 Regularly review and timely update information security management system documents, maintaining clear management system records.
2.4 Regularly inventory and conduct impact analysis of information assets, perform risk assessment operations, identify risks that may harm the operation of the information security management system, and take appropriate measures to mitigate risks.
2.5 Regularly conduct information security awareness training for employees to enhance information security awareness and prevent information security incidents caused by negligence. All employees have a responsibility to protect the information assets they own, manage, or use.
2.6 Unit supervisors consider functional division in assigning tasks to employees, appropriately distinguishing job responsibilities to avoid unauthorized modifications or misuse of information, products, or services that may affect customer rights.
2.7 For vendors and their employees, temporary employees, visitors, etc., who have business dealings with the company and require access to the company's information assets, conduct necessary audits and require the signing of information security compliance declarations.
2.8 Consider business needs and potential events that may affect customer rights, establish a plan for the continuous operation of information operations, and regularly test and drill to ensure that, in the event of an incident, normal operations can be restored as quickly as possible.
2.9 To ensure the achievement of the company's information security objectives, establish information security indicators and measure them regularly to maintain the effectiveness of the information security management system and control procedures.
2.10 Ensure the security of controlled areas and office locations to prevent the theft or damage of information assets.
2.11 Continuously implement and strengthen network communication security management to reduce the risk of hackers, external attacks, malicious programs, and other events affecting the normal operation of the company.
2.12 System development, modification, and maintenance comply with and adhere to the control spirit of ISO 27001. After appropriate evaluation, discussion, analysis, and authorization, testing and confirmation are conducted before delivery.
2.13 In the event of information security incidents, vulnerabilities, and situations that may violate security policies and specifications, follow procedures for reporting, conduct impact range analysis and confirmation, and implement remedial measures to minimize losses.
2.14 Adhere to relevant internal and external legal requirements, establish necessary control procedures, regularly conduct information security audits, and maintain the ISO 27001 international certificate.
3. This policy is reviewed at least once a year and is amended and announced as necessary.