Purpose
Tatung Medical & Healthcare Technologies Co., Ltd. (hereinafter referred to as the Company) specifically regulates this policy in order to ensure the confidentiality, integrity and availability of the Company’s information assets, to comply with the requirements of Cyber Security Management Act and sub-Acts, so as to protect it from internal and external intentional or unexpected threats. In addition, to implement the protection and management of personal information, and to comply with the requirements of Personal Information Protection Act.
Scope of application
- The related information systems and personal information handling operations of all units of the Company, outsourced suppliers, information users (including information custodians), visitors, etc.
- Information security management covers four themes: organizational, people, physical and technological. It aims to avoid the risks and hazards the Company could face from improper use, leakage, alteration or destruction of data caused by human negligence, intentional acts or natural disasters.
Objectives
Maintain the confidentiality, integrity and availability of the Company's information assets, and protect the privacy of user data. Through the joint efforts of all colleagues, the following goals are achieved:
- Establish a safe and reliable information operating environment that secures the Company's data, systems, equipment and networks, so as to ensure the sustainable operation of the Company's business.
- Protect the security of the Company's business services and ensure that only authorized personnel can access information to maintain its confidentiality.
- Protect the security of the Company's business services and avoid unauthorized modifications to ensure their accuracy and completeness.
- Establish the Company's business sustainability operation plan to ensure the continued operation of the Company's information business services.
- Ensure that the execution of the Company's various business services must comply with the Cyber Security Management Act and sub-Acts, relevant laws and regulations, and the contractual requirements of the partner.
- To protect the security of personal data related to the Company's business and avoid risks of theft, tampering, damage, loss or leakage due to external threats or improper management and use by internal personnel.
- Improve the protection and management capabilities of personal information, reduce operational risks, and create a trustworthy personal information protection and privacy environment.
- Regularly conduct risk assessments on personal information processes to identify the level of risks that can be tolerated.
Responsibility
- The Company should establish an "information security" and "personal data protection" organization to coordinate the promotion of related security matters.
- Management should actively participate in and support the "information security" and "personal information protection" management systems, and implement this policy through appropriate standards and procedures.
- All colleagues of the company, outsourced service providers, data users (including custodians) and visitors should abide by this policy.
- All colleagues of the Company, outsourced service providers and data users (including custodians) are responsible for reporting information security incidents or weaknesses through appropriate reporting mechanisms.
- Any behavior that endangers the security of financial institutions will be investigated for civil or criminal liability depending on the severity of the case, or will be handled and punished in accordance with the relevant regulations of the Company.
Management indicators
In order to evaluate the achievement of information security management objectives, the following information security management indicators are hereby determined:
◆ Identity indicators
- The requirements to ensure the availability of the Company's information services are as follows:
  ■ Key business system services reach more than 97% of the annual service time.
- The interruption of operating services due to system and host abnormalities caused by IT security incidents, abnormal events and other security incidents shall not exceed the following frequency per year:
  ■ The service interruption of key business systems shall not exceed once per quarter.
- The duration of any single interruption of operating services due to system and host abnormalities caused by IT security incidents, abnormal events and other security incidents shall not exceed the following requirement:
  ■ The service interruption of critical business systems shall not exceed 4 working hours at a time.
- Provide at least 3 hours of information security-related training every year according to employees' duties and responsibilities.
- The confidentiality and integrity of the company's information assets should be properly protected, and risk assessment and risk management must be conducted at least once a year.
- In order to ensure that the Company's information security and personal data protection measures or specifications comply with the requirements of current laws and regulations, audits are required at least once a year.
- The business continuity operation plan drill needs to be conducted at least once a year to ensure the continued operation of the company's information business services.
- Conduct personal information inventory at least once a year.
- Personal information risk assessment and risk management are implemented at least once a year.
◆ Identify indicators
- The responsibilities of the Company’s information security organization personnel should be reviewed in a timely manner to ensure the advancement of information security work.
- The confidentiality, integrity, and availability of the Company's information assets should be properly protected, and risk assessment and risk management must be conducted at least once a year.
- In order to ensure that the Company's information security measures or specifications comply with the requirements of current laws and regulations, internal audits are required at least once a year.
- The business continuity plan drill needs to be conducted at least once a year to ensure the continued operation of the Company's information business services.
- Access control should be strengthened to prevent unauthorized and improper access to ensure that the Company's information assets are properly protected.
- The Company's information system development should take security needs into consideration and coordinate with the system development cycle to audit security vulnerabilities.
- The Company should ensure that all information security incidents or suspected security weaknesses are reported upward through the appropriate reporting mechanism and are appropriately investigated and handled.
Protection of personal information
- The Company has established a personal information protection organization to clearly define the responsibilities and obligations of relevant personnel.
- The Company has established and implemented a Personal Information Management System (PIMS) to confirm the implementation of this policy; all employees and outsourced vendors should comply with the specifications and requirements of the PIMS.
- The Company adopts strict measures and policies to protect the personal information of the parties concerned, including but not limited to the following: all employees of the Company shall receive education and training related to personal information protection, privacy protection or information security. When outsourced vendors or partners cooperate with the Company, they all sign confidentiality contracts, so that they are fully aware of the importance of personal data protection and the legal responsibilities related to leaking personal information. If confidentiality obligations are violated, strict internal penalties will be imposed or compensation sought for serious breach of contract, and civil and criminal legal liability will be pursued.
- When the Company obtains or collects personal information required for operations, including but not limited to an individual's name, date of birth, national identity card unified number (passport number), characteristics, fingerprints, marriage, family, education, occupation and other personal information, it shall abide by the Republic of China's Personal Information Protection Act (hereinafter referred to as the Personal Information Act) and other laws, and collect and process personal information appropriately, fairly and legally. In addition, according to Article 5 of the Personal Information Act, the collection, processing or use of personal information shall respect the rights and interests of the parties concerned, be done honestly and in good faith, shall not exceed the scope necessary for the specific purpose, and shall be legitimate and reasonably connected with the purpose of collection.
- The personal information collected and processed by the Company shall comply with the Personal Information Act of the Republic of China and the Company's personal information management system; personal information may be used by Company colleagues only where required for the Company's operations or business.
- If personal information obtained by the Company must be transferred internationally, the transfer shall comply with Article 21 of the Personal Information Act and relevant regulations and shall not violate the vital interests of the country. Personal information shall not be transferred to, or used in, third countries by roundabout means. To maintain the security of personal information, the Company will not conduct international transfers where international treaties or agreements contain special provisions, or where the receiving country's personal information protection laws are inadequate, creating a risk of harm to the rights and interests of the parties concerned.
- When the Company receives a request for access to or change of personal information, it shall process the personal information of the data subject within the legal scope, in accordance with the Personal Information Act and the procedures established by the Company.
Management Review
This policy shall be reviewed at least once a year to reflect the latest developments in government laws, regulations, technology and business, etc., to ensure the Company's sustainable operation and information security practice capabilities.
Implementation
This Policy shall be implemented after review by the Information Security Management Committee, and the same shall apply when revised.