Information and Communication Security Policy
2024.04 Version
This Information and Communication Security Policy (hereinafter referred to as “the Policy”) is specially designed to serve as the highest guiding principle for internal information security management. It is intended to provide reliable information and communication services for Quilter International Enterprise Co., LTD. (hereinafter referred to as “Quilter” or “the Company”) and for the mobile device application (hereinafter referred to as “QCASH app”) created by the Company to provide remittance services for migrant workers. The Policy aims to maintain the confidentiality, integrity, and availability of information assets, and it also intends to facilitate the smooth conduct of various business activities.
1. Scope
The Policy applies to all employees of the Company, as well as suppliers and visitors who conduct business or interact with the Company.
2. Information Security Objectives
The objectives of the Company’s information security are as follows:
- Ensure the confidentiality of the Company’s information assets and implement information access controls to ensure that information can only be accessed by authorized personnel.
- Ensure the accuracy and completeness of the Company’s information processing methods.
- Ensure the continuous operation of the Company’s information processes.
3. Information Security Control Measures
The Company’s information security control measures include but are not limited to:
- Establish an information security and personal data protection management committee and an information security promotion group to ensure the effectiveness of information security management operations.
- Establish a list of information assets and designate owners in each department. Each department should also conduct risk assessments based on the differing levels of information assets. Where the risk exceeds the acceptable level, risk management should be carried out and control measures should be implemented.
- Conduct necessary assessments for personnel recruitment. Employees should sign relevant operating procedures and participate in information security education and training to enhance their awareness of information security protection.
- Implement strict rules regarding access control and items being brought in and out of the Company’s buildings and information security control areas.
- Identify the information security of all products, services, processes, networks, and information technology infrastructure to ensure that risks are identified and appropriate protective measures are deployed.
- Establish appropriate backup or monitoring mechanisms for important equipment to maintain availability. Anti-virus software should be installed on employees’ personal computers, virus definition updates should be checked regularly, and the use of unauthorized software is prohibited.
- Employees should properly protect and use personal accounts, passwords, and permissions. Management should conduct regular annual inspections. Back up key system operating data regularly and store it off-site.
- Security control mechanisms should be considered in the initial stage of system development; for outsourced development, the security requirements in controls and contracts should be strengthened. System development should be closely monitored to prevent delays and deviations from the schedule.
- Design appropriate response programs for information security incidents and vulnerabilities in order to respond immediately to information security incidents and prevent further damage.
- Develop business continuity operation plans, conduct regular drills, and continuously adjust and update the content.
- Incorporate verification and review mechanisms into employees’ daily operations to maintain data accuracy. Supervisors should supervise the implementation of the information security system to strengthen employees’ information security awareness and legal concepts.
- Require vendors and visitors who have business or interactions with the Company to undergo the necessary review when they need to access the Company’s information assets. These personnel are also responsible for protecting the Company’s information assets.
4. Review and Revision
In response to changes in laws, business needs, technological developments, etc., the Company will revise and publish the Policy from time to time without further prior notice to you. The Policy is written in Chinese. If there are any versions in other languages and there is any inconsistency in the content, the Chinese version shall prevail. If you have any questions about the Policy, please contact the Company through the channels published on the Website.