Information Security Policy

This Information Security Policy serves as the foundation for ADAT Technology Co., Ltd. to implement and maintain an effective information security management system. It ensures the confidentiality, integrity, and availability of the information assets under our management and helps us comply with all relevant legal and regulatory requirements.

1. A structured framework has been established to define and promote our information security objectives. These goals are reviewed and monitored at least every six months to ensure that they are being met.


2. All information security measures are designed in compliance with relevant legal, regulatory, and contractual requirements, ensuring alignment with operational and business needs.


3. Specific information security standards have been defined for different domains to effectively protect company systems, infrastructure, and data.


4. Employees are required to comply with all internal information security rules to ensure the proper use of company resources and prevent misuse.


5. A well-defined incident reporting and response mechanism is in place to ensure timely detection and response to information security incidents. This helps maintain the continuity of business operations and protect critical systems.


6. Our ISMS is developed and maintained in alignment with the company’s overall strategic risk management framework to ensure a holistic approach to risk.


7. Company leadership is expected to actively participate in security management activities and demonstrate visible support and commitment to information security initiatives.


8. We have established criteria for assessing and managing information security risks across the organization.


9. When handling personal data, all processing activities must comply with the Personal Data Protection Act and related regulations. Employees must not collect or disclose business information without authorization, and such data may not be used for non-business purposes.


10. Only software with proper licensing may be used. Any use of unauthorized, pirated, or unverified software is strictly prohibited.


11. The use of mobile devices must comply with the company’s information asset management procedures to ensure proper control of data and systems.


12. External vendors and service providers must follow this policy and relevant procedures. They are not permitted to use or misuse the company’s information assets without authorization. When accessing restricted or sensitive information, vendors must sign a confidentiality agreement.


13. At least once a year, the company conducts simulations and drills for the Business Continuity Plan (BCP) and the information security incident reporting procedures. These exercises are reviewed and updated based on the results.


14. This policy is drafted by the Information Security Unit under the Information Security Management Committee, reviewed by the designated Security Representative, approved by the Chief Information Security Officer (CISO), and communicated to all employees and relevant external stakeholders through email, public announcements, or meetings.