Information Security Policy Statement
Cyber Security Policy Statement
To ensure that our company's ISMS (Information Security Management System) is thoroughly implemented, effectively operated, supervised, and continuously maintained, we have issued a cyber security management policy to protect the confidentiality, integrity, and availability of our company's critical information systems.
This policy serves as a high-level guiding principle. All employees and outsourced vendors are obligated to actively participate in promoting the cyber security management policy to ensure the secure operation of all information systems. We expect everyone to understand, implement, and maintain this policy to achieve the goal of continuous information operation in line with our business objectives.
"Implement Cyber Security, Enhance Cyber Service Quality";
"Strengthen Cyber Security Training, Comply with Legal Requirements";
"Plan for Continuous Operation, Quickly Complete Disaster Recovery";
"Reasonable Use of Personal Data, Prevent Personal Data Leakage".
~Implement Cyber Security, Enhance Cyber Service Quality
Thoroughly implement the ISMS, ensuring that all information operation measures protect the confidentiality, integrity, and availability of data. Select appropriate protective measures to prevent risks such as leakage, destruction, or loss caused by information security threats. Reduce risks to an acceptable level through monitoring, reviewing, and auditing the information security management system to enhance service quality and improve service levels.
~Strengthen Cyber Security Training, Comply with Legal Requirements
Strengthen cyber security training, supervise all employees in implementing cyber security management, and continuously conduct appropriate cyber security education and training. Establish the concept of "Cyber Security is Everyone's Responsibility" to help employees understand the importance of complying with relevant cyber security laws and regulations. This will increase cyber security awareness and capabilities, reduce cyber security risks, and meet the requirements of the Cyber Security Management Act and the Personal Data Protection Act.
~Plan for Continuous Operation, Quickly Complete Disaster Recovery
Develop emergency response plans and disaster recovery plans for critical business core cyber systems. At least one emergency response drill must be conducted for each core cyber system every two years to ensure that, in the event of system failure or major disaster, the core cyber systems can quickly recover and continue to operate, ensuring the smooth execution of our company's main business.
~Reasonable Use of Personal Data, Prevent Personal Data Leakage
Classify and assess personal data to determine protection needs and measures. Establish access control mechanisms, use encryption and security measures for personal data transmission and sharing, regularly evaluate the compliance of entrusted parties, and sign contracts and agreements with outsourced vendors to ensure personal data security. Strengthen employee education and training to enhance personal data protection awareness. Establish monitoring and review mechanisms to continuously monitor the use, access, and transmission of personal data, and promptly detect and respond to abnormal activities or security incidents. Ensure that personal data can be securely and permanently deleted when no longer needed.