Information Security Policy Statement

We are committed to the security and privacy of information. This Information Security Policy Statement is designed to communicate our dedication and measures for protecting information security to our customers, partners, and the public.

Section 1: Objectives of Information Security Management

  1. Sitatech Information Services Co., Ltd. (hereinafter referred to as "the Company") implements an Information Security Management System (ISMS) which aims to meet the information security objectives as defined by the ISO 27001:2022 standards, relevant legislation, and international benchmarks.
  2. To safeguard the confidentiality, integrity, and availability of company information assets and to ensure the continuous operation of our information processes, we have established this Information Security Policy to achieve the goal of sustainable operations.


Section 2: Scope of Implementation

  1. The scope of this policy encompasses the Company, its affiliated units, related systems, employees, and suppliers, involving all forms of data and information processing facilities.
  2. Information security management covers the organizational, personnel, physical, and technical layers, implementing management and control measures to prevent improper use, leakage, tampering, or destruction of data caused by mismanagement, human error, deliberate acts, or natural disasters, thereby mitigating potential risks and harm to the Company.


Section 3: Corporate Information Security Responsibilities

  1. The management of the Company shall provide the necessary resources to establish, implement, operate, monitor, review, maintain, and improve the Information Security Management System.
  2. Information security managers are responsible for implementing this policy through appropriate standards and procedures.
  3. The Company's management shall establish and review this policy.
  4. All personnel and subcontractors must adhere to established procedures to maintain the information security management policy, ensuring that business operations meet company requirements as well as legal and contractual obligations.
  5. All personnel should report security incidents and any identified vulnerabilities.
  6. Any behaviour that jeopardizes information security will, depending on its severity, be subject to civil, criminal, or administrative liability, or be handled in accordance with the Company's relevant regulations.


Section 4: Information Security Management System

  1. Risk Management: The Company regularly conducts information security risk assessments and risk treatment to identify and manage risks.
  2. Asset Protection: The Company implements appropriate physical, technical, and organizational security controls to protect information assets.
  3. Protective Measures: These measures include, but are not limited to, data anonymization, access control, data encryption, network security, incident management, and business continuity planning.
  4. Education and Training: All employees and relevant stakeholders will receive ongoing information security awareness training and education to improve the identification and handling of security threats.
  5. Incident Response: The Company establishes and implements information security incident management procedures to respond to and mitigate security incidents and to quickly identify, assess, report, and handle any incidents that occur.
  6. Regulatory Compliance: The Company regularly conducts internal and external audits to ensure business operations comply with relevant laws, standards, and contractual requirements.
  7. Continuous Improvement: The Company continuously improves the Information Security Management System through management reviews, internal audits, and feedback.
  8. Policy Transparency: This policy is made available to all employees, partners, and the public to ensure transparency and corporate security accountability.


Section 5: Management Indicators

  1. Information Service Availability: The availability requirements for the Company's information services are as follows:
    1. General system services should achieve 95% annual availability during regular business hours.
    2. Data centre operation and maintenance services should achieve 98% annual availability during regular business hours.
    3. Core business system services should achieve 99.9% annual availability during regular business hours.
  2. The number of service interruptions caused by cybersecurity incidents, abnormal events, or other safety accidents affecting systems and hosts is limited as follows:
    1. General system services should not exceed 5 interruptions per quarter.
    2. Data centre operation and maintenance services should not exceed 5 interruptions per quarter.
    3. Core business system services should not exceed 3 interruptions per quarter.
  3. The maximum duration of a service interruption caused by cybersecurity incidents, abnormal events, or other safety accidents affecting systems and hosts is limited as follows:
    1. General system services should not exceed 8 working hours.
    2. Data centre operation and maintenance services should not exceed 8 working hours.
    3. Core business system services should not exceed 8 working hours.
  4. Information asset confidentiality and integrity should be appropriately protected, requiring at least one risk assessment and risk management exercise annually.
  5. To ensure the confidentiality of information, there should be no more than one incident of classified information leakage annually.
  6. To ensure the accuracy and integrity of customer data, there should be no incidents of unauthorized data modification annually.
  7. To ensure that information security measures and standards comply with current legislation, an audit should be conducted at least once every two years.
  8. Business continuity plans should be maintained and tested at least once every two years for core business functions to ensure continuous information business services.


Section 6: Review and Implementation

  1. This policy shall be promptly reassessed in the event of a relevant incident and reviewed at least once a year to reflect the latest developments in government legislation, technology, and business, and to ensure the Company's ability to sustain operations.
  2. This policy is implemented after approval by the Information Security Working Group.