1. Policy Purpose

    iHH Co., Ltd. (hereinafter referred to as the Company) has established this "Information Security and Privacy Protection Policy" (hereinafter referred to as this Policy) to promote the information security and privacy information management system, create a secure and reliable information operating environment, ensure the security of data, systems, equipment, and networks, and achieve the goals of information security, privacy protection, service quality enhancement, and sustainable operation.

  1. Scope: All employees, partners, or units of the Company are responsible for complying with this Policy.
  1. Information Security Policy and Objectives:

    3.1 To implement information security management, the requirements of ISO 27001 (Information Security Management System) must be followed.

    3.2 To implement personal identifiable information (PII) protection management, the provisions of the "Personal Data Protection Act" (hereinafter referred to as the "PDPA") and the requirements of ISO 27701 (Privacy Information Management System), as well as the privacy principles of ISO 29100 (Privacy Framework), must be followed.

    3.3 All Company employees must sign the Company's "Employee Employment Agreement," and external parties participating in the Company's projects must sign the "External Party Confidentiality Agreement" and comply with the relevant national laws and regulations such as the "Personal Data Protection Act," "Copyright Act," and "Information Security Management Act"; no leakage or illegal incidents shall occur.

    3.4 Access permissions must be set for the commissioning, joint cooperation, projects, or access or modification of sensitive data (PII personal data, confidential data, etc.), and sensitive information must be encrypted before transmission.

    3.5 The collection, processing, or use of personal data must respect the rights and interests of the parties involved, be conducted in an honest and trustworthy manner, not exceed the necessary scope for specific purposes, and be legitimately and reasonably related to the purposes of collection.

    3.6 Information Security Objectives and Measurements:

    3.6.1 Confidentiality objectives and measurement indicators: the number of incidents of sensitive data leakage detected annually must be zero.

    3.6.2 Integrity objectives and measurement indicators: the number of incidents of data tampering reported annually must be zero.

    3.6.3 Availability objectives and measurement indicators: the availability rate of the video collaboration system and platform must reach over 99% annually.

    3.6.4 Legality objectives and measurement indicators: the number of incidents of violations of the "Personal Data Protection Act," "Copyright Act," and other relevant national laws detected annually must be zero.

  1. Policy Review:

    4.1 This Policy should be evaluated and reviewed at least once a year to meet the requirements of relevant government regulations and reflect the latest developments in information technology, ensuring the effectiveness of information security and privacy information management operations.

    4.2 This Policy must be reviewed by the management committee or approved by the management representative, implemented on the date of announcement, and communicated in writing, electronically, or by other means to all employees and cooperating vendors or units for compliance. The same applies to any amendments.