Information Security Policy

Vision

To become a competent partner in business integration within the Group and a key enabler in achieving business objectives.

Purpose

Taiflex Scientific Co., Ltd. (hereinafter referred to as the “Company”) has established this Information Security Policy to strengthen information security management and ensure the confidentiality, integrity, and availability of the Company's information and information assets. This policy aims to maintain a secure information environment that supports the continuous operation of the Company's information systems, achieve business continuity objectives, comply with relevant regulations, and protect assets from intentional or accidental internal and external threats.

Scope

The Company's information security management covers 4 categories of control measures, encompassing 93 specific management items. It aims to mitigate potential risks and harms to the Company by preventing the improper use, leakage, tampering, or destruction of information caused by human error, deliberate acts, natural disasters, or other factors. The management items are categorized as follows:

  • Organizational Controls
    Covering 37 control measures, including information security policies, asset management, supplier security, incident management, business continuity, regulatory compliance, threat intelligence, and ICT supply chain security.
  • People Controls
    Covering 8 control measures, including personnel recruitment, roles and responsibilities, education and training, awareness enhancement, offboarding management, and remote work.
  • Physical Controls
    Covering 14 control measures for physical and environmental security, including facility access control, equipment protection, media management, environmental threat prevention, and secure work areas.
  • Technological Controls
    Covering 34 control measures for technical security requirements, including operational security, network security, encryption, identity and access management, secure development and system maintenance, data masking, data erasure, endpoint device security, and activity monitoring.

Objectives

In accordance with the Company's Information Security Policy, and taking into account applicable information security requirements as well as the results of risk assessment and risk treatment, the following information security objectives have been established:

  • Protect the Company's critical business information from unauthorized access.
  • Maintain the continuous operation of core information systems to ensure the Company has an information environment that supports business continuity.
  • Provide information security education and training to enhance employee awareness and understanding of related responsibilities.
  • Conduct internal and external audits to verify system effectiveness and applicability, strengthen risk control and information security maturity, and ensure the information environment continuously supports business operations.

Certification

The Company's information security management is based on the Trade Secret Management Policy formulated by the Intangible Assets Security Committee established in 2015, and is implemented in accordance with the quality system requirements of the international information security management framework ISO/IEC 27001 to consistently enhance information security governance. Through ongoing improvement under the Plan-Do-Check-Act (PDCA) cycle, the Company conducts regular reviews, inspections, and tracking to fulfill information security risk management and ensure the confidentiality, integrity, and availability of its information assets.

The Company has maintained ISO/IEC 27001 certification for ten consecutive years, with the certification valid through November 23, 2028, thereby enhancing its information security governance and risk management capabilities.

Furthermore, on October 29, 2025, the Company reported its information security management measures, including its risk management framework, Information Security Policy, and specific management plans, to the Board of Directors, demonstrating its strong emphasis on and ongoing commitment to information security.