Information Security
Information Security Committee
The Information Security Committee was established in accordance with the information security policy to implement the Company's information security and strengthen information security management by each department.
I. Responsibilities:
1. Establish the information security policy and information security management mechanisms.
2. Supervise the implementation of the information security policy.
3. Corrective and preventive information security measures.
4. Emergency response and crisis management for information security incidents.
5. Plan information security education and training.
II. Organizational structure:
III. Responsibilities:
1. Information Security Committee: Responsible for making decisions related to the information security management system and reviewing management. Appoints an executive secretary for overall planning and implementation of the Company's information security.
2. Information Security Audit Section: Responsible for internal audits of the information security management system.
3. Information Security Control Section: Responsible for carrying out information security operations, emergency response and crisis management for information security incidents, and planning information security education and training.
4. Information Security Management Section: Responsible for supervising the implementation of the information security policy.
IV. Operations:
The committee is required to conduct annual management review meetings to ensure the effectiveness of corrective and preventive measures for information security. Related personnel may be invited to attend the meeting or provide data, and an information security consultant may be invited to attend the meeting when necessary.
Information Security Policy
Information security risk management:
The Company strives to improve the confidentiality, integrity, and availability of its information, and has established a strict internal control system, which specifies the division of functions and authority between information management departments, as well as implementation methods.
With regard to the management of IT room security, the Company established an environment monitoring system to monitor fire safety, flood prevention, and electricity. The system sends a notification for emergency response when an emergency occurs. The Company also installed access control and a surveillance system to strictly control access to the IT room. All personnel need to apply for access rights to enter the IT room.
Access to the Company's internal files and main operations systems is managed with accounts and passwords. Access rights settings are based on position and responsibilities. When the position of an employee changes, the IT Department immediately modifies the employee's access rights. Access rights are canceled when employees are terminated. As for password security, passwords need to be changed regularly and meet complexity requirements, and accounts are locked after a fixed number of failed attempts, in order to improve security management.
We have complete backups and remote backup mechanisms for main operations systems and files, and have established a complete system recovery plan. Post-disaster recovery drills are conducted for important operations systems to ensure the availability of backup data. We comply with laws and regulations on intellectual property rights, and only use legally authorized software. We also regularly inspect the licenses of our software. Anti-virus software is installed on all user devices, and access rights are set to prohibit software from being installed. Software installation requires approval from the department head and evaluation by the IT Department, which assists with software installation to ensure that the software is legal and secure.
In response to customers' information security requirements and to strictly abide by our contracts with customers and commitment to confidentiality, we use access rights management mechanisms for information, documents, and data related to customers and trade secrets, ensuring that transaction information will not be leaked. All new employees take information security courses to ensure that they understand the information security policy, related laws and regulations, and their confidentiality obligations, so that they will properly carry out operations to maintain information security and confidentiality.