Information Security
Information & Communications Security Policy
Cheng Huan Industrial Co., Ltd. (hereinafter referred to as "the Company") formulates this policy to ensure the confidentiality, integrity, and availability of its information assets. With reference to the spirit of the Cyber Security Management Act, its relevant subordinate regulations, and related laws, the Company establishes and promotes an information security management mechanism to reduce the risks that intentional or accidental internal or external threats may pose to information assets.
- This policy applies to all employees of the Company, outsourced service providers, data users (including custodians), and visitors.
- The scope of information and communications security management includes four major control domains: organization, personnel, physical, and technical controls. The Company implements these controls to prevent incidents such as improper use, leakage, tampering, or destruction of data caused by human error, malicious acts, or natural disasters, and to avoid potential information and communications security risks that could harm the Company.
The Company's information and communications security policy is: "Effectively utilize resources to ensure the confidentiality, integrity, and availability of information assets." Through the implementation of this policy, the following objectives are to be achieved:
- Establish a secure and reliable digital operating environment to ensure the security of the Company's data, systems, equipment, and networks, thereby safeguarding business continuity.
- Protect the security of the Company's business services by ensuring that information is accessible only by authorized personnel, so as to maintain confidentiality.
- Protect the security of the Company's business services by preventing unauthorized modification, so as to ensure accuracy and integrity.
- Establish the Company's business continuity plan to ensure continuous operation of the Company's information-related business services.
- Ensure that the execution of all business services complies with the requirements of the Cyber Security Management Act, its subordinate regulations, and relevant laws and regulations.
- Protect data related to the Company's business and services from risks such as theft, tampering, damage, loss, or leakage caused by external threats or improper internal management and usage.
- Enhance the capability to protect and manage personal data, reduce operational risks, and create a trustworthy environment for personal data and privacy protection.
- The Company shall establish an Information and Communications Security Management Committee to coordinate and promote information and communications security matters.
- Management shall support the information and communications security management system and provide relevant resources to ensure effective implementation of this policy.
- All employees, outsourced service providers, data users (including custodians), and visitors shall comply with this policy.
- All employees, outsourced service providers, and data users (including custodians) are responsible for reporting information and communications security incidents or vulnerabilities through appropriate reporting mechanisms.
- Any act that endangers information and communications security will, depending on severity, be subject to civil and criminal liabilities, or will be handled in accordance with the Company's relevant regulations.
- To evaluate the achievement of information and communications security management objectives, the Company shall establish relevant management metrics and regularly monitor, assess, and improve them.
- The Company shall periodically review the organizational structure and duties of information and communications security personnel to ensure the effective promotion of information and communications security work.
- In accordance with competent authority requirements, the Company shall provide appropriate information and communications security training based on employees' roles and responsibilities.
- The Company shall strengthen the environmental security of information assets and adopt appropriate protection and access control mechanisms.
- The Company shall ensure that information is not disclosed to unauthorized third parties.
- The Company shall strengthen access control to prevent unauthorized access and to ensure that the Company's information assets are properly protected.
- The Company's information system development shall meet security requirements, and technical testing and patching shall be performed regularly.
- The Company shall ensure that all information and communications security incidents or suspicious vulnerability intelligence are escalated via appropriate reporting mechanisms and are properly investigated and handled.
This policy shall undergo at least one management review annually to reflect government laws and regulations, information and communications security standards, technologies, competent authority requirements, and the actual operational needs of the Company's management system, so as to ensure business continuity. In addition, if stakeholders such as competent authorities (or as required by laws and regulations), customers, experts, or scholars provide information and communications security-related feedback, such feedback shall be included as discussion topics in the management review meeting.
This policy shall be implemented after being reviewed and approved by the Company's Information and Communications Security Management Committee. The same procedure shall apply to any revisions.
Issue Date: October 1, 2025