Tatung Medical & Healthcare Technologies Co., Ltd. (hereinafter referred to as the Company) specifically regulates this policy in order to strengthen information security management, ensure the confidentiality, integrity and availability of its information assets, provide an information environment for the continuous operation of the Company's information business, and comply with the requirements of relevant laws and regulations, so as to protect it from internal and external intentional or unexpected threats.

1. All units of the Company.
2. Information security management covers 11 management items of ISO27001:2013, and the Company's internal personnel, outsourcing service providers and customers shall comply with this policy. We will avoid various possible risks and hazards to the Company in the future due to improper use, leakage, alteration, destruction, etc. of data due to human negligence, intentional or natural disasters.

Maintain the confidentiality, integrity and availability of the Company's information assets, and protect the privacy of user data. Through the joint efforts of all colleagues, the following goals are achieved:

1. Protect the Company's business activity information, avoid unauthorized access, and ensure its confidentiality.
2. Protect the Company's business activity information, avoid unauthorized modification, and ensure its accuracy and integrity.
3. Establish a cross-departmental information security organization, formulate, promote, implement and evaluate information security management matters to ensure that the Company has an information environment for business continuity.
4. Handle information security education and training, promote employees' awareness of information security and strengthen their awareness of relevant responsibilities.
5. Implement information security risk assessment mechanism to enhance the effectiveness and timeliness of information security management.
6. Implement the information security internal audit system to ensure the implementation of information security management.
7.  The execution of the Company's business activities shall comply with the requirements of relevant laws and regulations.

1. The Company's Information Security Management Committee establishes and reviews this policy.
2. Members of the Information Security Organization adopt appropriate standards and procedures to implement this policy.
3. All personnel of the Company and outsourcing service providers must maintain this policy in accordance with relevant safety management procedures.
4. All personnel are responsible for reporting information security incidents and any identified vulnerabilities.
5. Any behavior that endangers information security will be investigated for civil, criminal and administrative liabilities or punished in accordance with the relevant regulations of the Company, depending on the seriousness of the circumstances.

In order to evaluate the achievement of information security management objectives, the following information security management indicators are hereby determined:

1. All confidential business information or personal data of the Company shall be leaked to zero throughout the year to ensure the confidentiality of the Company's related business.
2. The completeness of all relevant information related to the Company's business must reach 100% to ensure the integrity of the Company's related business.
3. The requirements for ensuring the availability of the Company's information services are as follows:
   1. ■ The maintenance service of the computer room reaches more than 95% of the annual business hours.
   2. ■ More than 95% of the key business system services were launched throughout the year.
4. In order to ensure that the Company's information security measures or specifications comply with the requirements of current laws and regulations, it is necessary to perform at least one internal audit every year and at least one internal validity check every quarter, and shall not violate the requirements of laws and regulations to ensure the legality of the Company's related business.

This policy shall be reviewed at least once a year to reflect the latest developments in government laws, regulations, technology and business, etc., to ensure the Company's sustainable operation and information security practice capabilities.

1. This policy is reviewed in conjunction with the management review meeting of the Company.
2. This Policy shall be implemented after review by the Information Security Management Committee, and the same shall apply when revised.