Information Security Policy Statement

Capital Futures Group (hereinafter referred to as "the Group") adheres to the principle of safeguarding the information security of its operational environment. The Group is committed to the comprehensive protection and prevention of data stored or transmitted by the company to eliminate incidents such as damage, theft, leakage, alteration, abuse, and infringement. The Group will regularly revise its information security policies and implement them to continuously enhance the confidentiality, integrity, and availability of all information service systems. The Group's information security policy is as follows:

• The Group’s information security measures must comply with legal regulations and the requirements of the Group's information security policy. All development, modification, and implementation of information security controls or procedures must conform to and follow the mechanisms of the information security management system.
• All personnel of the Group (including employees, contractors, vendors, and consultants) who use the Group's information for providing information services or executing project work have a responsibility and obligation to protect the information assets they obtain or use from unauthorized access, alteration, destruction, or improper disclosure. Access and use of all information assets should be formally authorized, controlled, and identified through appropriate procedures.
• Customer data of the Group, including transaction data and basic information, is the highest business secret of the company and is strictly prohibited from unauthorized access and disclosure. Systems and hosts handling customer data should have dedicated and isolated network segments and computer environments.
• All information assets of the Group are owned by the company. All information processed, stored, or transmitted on company-owned information equipment and network resources belongs to the company. The company has the right to view, copy, or access this information.
• Information asset managers in each department of the Group must establish monitoring procedures for the usage of the information assets under their responsibility to identify potential risks of misuse and enhance the confidentiality, availability, and integrity of the data.
• The Group should establish a business continuity plan based on business needs and regularly test it to maintain its applicability.
• Work assignments should consider the separation of duties, and roles and responsibilities should be clearly distinguished to avoid unauthorized modifications or misuse of information or services.
• All personnel should remain vigilant for potential security incidents, vulnerabilities, and violations of security policies and procedures and report them according to procedures.
• The installation, use, or downloading of illegal or unauthorized software on the company’s internal network is strictly prohibited.
• All personnel who use information systems without authorization or violate this information security policy and related security regulations will be subject to legal liability based on the circumstances. Employees and contracted personnel will be dealt with in accordance with the Group's personnel regulations.
• This policy should be communicated to all employees and vendors providing information services via written, electronic, or other means, and must be adhered to.
• The issuance of this statement clearly declares the importance of maintaining information security. All departments should clearly understand the information security policy and follow relevant control procedures to maintain the information security and sustainable operation of all the Group's businesses.