Feversocial Information Security Policy


1. Purpose

Feversocial Limited (hereinafter referred to as "the Company"), the operator of the Feversocial platform service, has established this Information Security Policy (hereinafter referred to as "the Policy") to strengthen information security management. The Policy aims to ensure the confidentiality, integrity, and availability of the Company's information assets, providing the necessary information environment and infrastructure for the Company's continuous business operations. It also aims to comply with relevant regulations and avoid any intentional or accidental internal or external incidents. This Policy serves as the highest guiding principle for the Company's Information Security Management System (hereinafter referred to as "ISMS").

2. Objective

The Company's information security objective is to ensure the confidentiality, integrity, availability, and compliance of critical information and services. The Company defines and measures quantitative indicators of information security performance across different levels and functions to assess the implementation status of ISMS and whether it achieves its information security goals.

3. Scope

Considering internal and external issues, the needs and expectations of interested parties, and the interface and interdependence between the Company's activities and those of other organizations, the scope of this Policy and ISMS covers the software development, operations, and processes of the Open Customer Engagement Platform (OCEP) and all software products using the Ministry of Finance's electronic invoice API, as well as all value-added derivative works. This includes all related information business activities such as physical office areas, cloud systems, developers, software, operational data, system administration units, and related operational processes.

4. Target Audience and Responsibilities

  1. All internal personnel, service providers, and visitors within the applicable scope of the Company must comply with this Policy and ISMS procedures.
  2. Any actions that jeopardize information security will be subject to legal and administrative responsibility or internal disciplinary action based on the severity of the situation.

5. Coverage

To support and achieve the goals of this Policy, the Company has established specific regulations in the following areas, which will be implemented and regularly evaluated for effectiveness:

  1. Information Security Organization and Management Review Procedures
  2. Document and Record Management
  3. Information Security Objectives and Performance Measurement
  4. Risk Management
  5. Information Security Internal Audits
  6. Continuous Improvement
  7. Human Resource Security Management
  8. Asset Management
  9. Access Control Management
  10. Physical and Environmental Security Management
  11. Operational Security and Cryptography
  12. Communication Security Management
  13. System Acquisition, Development, and Maintenance Management
  14. Vendor Management
  15. Information Security Incident Management
  16. Business Continuity Management
  17. Compliance Management

6. Organization and Responsibilities

To ensure the effective operation of the ISMS, the information security organization and responsibilities must be clearly defined to promote and maintain the management, execution, and auditing of various tasks.

7. Implementation Principles

  1. The implementation of ISMS must follow the Plan-Do-Check-Act (PDCA) cycle, ensuring gradual and continuous improvement to maintain the effectiveness of the ISMS, its processes, and their interactions.
  2. Changes to the ISMS must be planned and executed accordingly.

8. Review and Evaluation

  1. This Policy should be reviewed and evaluated at least annually or whenever significant changes occur, ensuring it reflects the latest developments in relevant laws, regulations, technology, and business.
  2. Revisions to the Policy should be based on the results of the review and will only take effect after being signed and published by the Company's Information Security Management Committee chairperson.

9. Communication and Dissemination

When ISMS documents (including this Policy) are formulated or revised, they should be communicated or disseminated via website announcements, email, messaging software, document management systems, meetings, or other methods to inform or communicate with internal and external stakeholders, such as employees, customers, partners, and suppliers.

Last Updated: 2024/6/26 V1.0 
translated from https://info.feversocial.com/tw/info-security-policy-914