1. Article 1 (Purpose) QBOX, in order to ensure the secure and stable operation of information and communication systems and to provide reliable information and communication services, hereby establishes the QBOX Information Security Policy (hereinafter referred to as "this Policy") as the highest guiding principle for information security management within the company. This policy aims to safeguard the confidentiality, integrity, and availability of information assets and facilitate the smooth operation of various business activities.

   Article 2 (Applicability) This policy applies to all employees of the company, as well as to vendors and visitors engaged in business transactions or interactions with the company.

   Article 3 (Information Security Objectives) The information security objectives of the company are as follows:

2. Ensure the confidentiality of the company's information assets, implement data access controls, and ensure that information can only be accessed by authorized personnel.

3. Ensure the correctness and integrity of the company's information processing methods.

4. Ensure the continuous operation of the company's information processes.

Article 5 (Review and Revision) This policy shall be reviewed and amended by the Information Security Management Organization as needed and implemented following approval.

Establishment of an Information Security and Personal Data Protection Management Committee and an Information Security Promotion Team to ensure the effectiveness of information security management operations.

Each department should create an inventory of information assets and specify owners. Risk assessments should be conducted based on the differences in information asset levels, and risk management should be performed for risks exceeding acceptable levels. Continual implementation of control measures is necessary.

Personnel recruitment should involve necessary assessments, and employees should sign relevant operational regulations. Employees should participate in information security education and training to enhance awareness of information security protection.

Strict access control and item removal rules should be implemented for entry into the company's buildings and information security-controlled areas.

Clear identification of information security for all products, services, processes, networks, and information technology infrastructure to ensure that risks are identified and appropriate protective measures are deployed.

Adequate backup or monitoring mechanisms should be established for important equipment to maintain their availability. Employees' personal computers should have antivirus software installed, and regular virus code updates should be confirmed. Unauthorized software usage should be prohibited.

Employees should be responsible for the proper safeguarding and usage of their personal accounts, passwords, and permissions. Managers should conduct regular annual checks. Regular data backups and off-site storage should be performed for critical system operation data.

Consideration of security control mechanisms should be made during the initial stages of system development. For outsourced development, control and contractual information security requirements should be strengthened. System development should be closely monitored to prevent delays and deviations from the schedule.

Proper procedures for responding to information security incidents and vulnerabilities should be designed, enabling immediate responses to information security incidents to prevent further damage.

A business continuity plan should be established, regularly practiced, and continuously adjusted and updated.

Daily operations of employees should incorporate verification and review mechanisms to maintain data accuracy. Supervisors should oversee the implementation of information security compliance systems, reinforce employee awareness of information security, and legal awareness.

Vendors and visitors engaged in business transactions or interactions with the company who require access to the company's information assets should undergo necessary reviews. These individuals bear the responsibility of protecting the company's information assets.

Article 4 (Information Security Control Measures) The company's information security control measures include but are not limited to: