TrustDecision Data Protection Policy
Index
I. Purpose
II. Scope of Application
III. Definitions
IV. Data Classification and Labeling
V. Data Lifecycle Management
VI. Data Security Protection Measures
VII. Data Security Incident Response
VIII. Compliance and Audit
IX. Policy Revision and Interpretation
I. Purpose
This policy is formulated to effectively protect the various data assets of TrustDecision
(hereinafter referred to as the "Company"), including customer data, trade secrets,
employee information, etc.; to prevent data leakage, loss, tampering, or abuse; to ensure
the confidentiality, integrity, and availability of data; to comply with the requirements of
relevant laws and regulations; and to safeguard the legitimate rights and interests of the
Company and its customers.
II. Scope of Application
This policy applies to all employees, partners, suppliers, and visitors of the Company, and
to any individual or entity that processes, stores, or transmits the Company's data. It
covers all data generated, collected, stored, used, transmitted, and destroyed by the
Company in the course of business operations, including electronic data (such as
databases, files, emails, etc.) and paper data.
III. Definitions
1. Data: Information in any form, including but not limited to text, numbers, images,
audio, video, etc.
2. Sensitive data: Data that may cause significant losses to the Company or
customers if leaked, lost, or tampered with, such as customers' ID card numbers,
bank account numbers, transaction records, the Company's business plans,
technical secrets, etc.
3. Data leakage: The situation where sensitive data is obtained, used, or disclosed
by unauthorized individuals or entities.
4. Data lifecycle: The entire process of data from generation, collection, storage,
use, transmission to destruction.
IV. Data Classification and Labeling
1. Data Classification
According to the sensitivity and importance of data, the Company's data is divided
into the following categories:
• Top-secret data: The Company's core trade secrets, major strategic plans, etc.,
whose leakage will cause catastrophic losses to the Company.
• Confidential data: Customers' sensitive information, important business data,
technical solutions, etc., whose leakage will cause significant losses to the
Company.
• Sensitive data: Employees' personal information, ordinary business records, etc.,
whose leakage will have a certain impact on the Company or related individuals.
• Public data: The Company's public publicity materials, product introductions, etc.,
which can be publicly disclosed.
2. Data Labeling
For different categories of data, corresponding labeling methods should be adopted
for identification. For example, words such as "Top-secret" and "Confidential" are
indicated in the file name or header/footer of electronic documents, and
corresponding seals are affixed on paper documents. Data labels should be clear
and explicit, facilitating identification and management.
V. Data Lifecycle Management
1. Data Generation and Collection
• The generation and collection of data shall comply with the requirements of
relevant laws and regulations to ensure the legality and accuracy of data.
• When collecting personal information, the person whose information is collected shall
be clearly informed of the purpose and scope of the collection, and their consent shall
be obtained.
• The collected data shall be classified and labeled in a timely manner.
2. Data Storage
• Different categories of data shall adopt different storage methods and security
measures. Top-secret data and confidential data shall be stored in storage
devices with high security levels, and measures such as encryption and access
control shall be taken.
• Data storage devices shall be regularly maintained and inspected to ensure their
normal operation and data integrity.
• Important data shall be backed up. Backup data shall be stored separately from
the original data, and recovery tests shall be conducted regularly to ensure the
effectiveness of the backup.
3. Data Use
• Employees shall use data in accordance with their job responsibilities and
authorized scope, and shall not use or abuse data beyond the authorized scope.
• It is prohibited to use sensitive data for purposes unrelated to work or provide
sensitive data to unauthorized individuals or entities.
• In the process of using data, necessary security measures shall be taken to
prevent data leakage, loss, or tampering.
4. Data Transmission
• When transmitting sensitive data, encryption methods shall be adopted, such as
encrypted emails, Virtual Private Network (VPN), etc.
• It is prohibited to transmit sensitive data through unencrypted network channels
(such as public wireless networks, instant messaging tools, etc.).
• When transmitting data to the outside, it shall be approved by relevant
departments, and a data transmission agreement shall be signed to clarify the
rights and obligations of both parties.
5. Data Destruction
When data is no longer needed, it shall be destroyed in accordance with the
provisions of the Electronic Data Destruction Policy and Physical Data Destruction
Policy to ensure that the data cannot be recovered.
VI. Data Security Protection Measures
1. Access Control
Strictly implement the provisions of the Access Management Policy to control data
access, ensuring that only authorized personnel can access the corresponding data.
2. Encryption Protection
Sensitive data shall be encrypted, both in storage and in transmission. The encryption
algorithm shall be a secure algorithm recognized by the state.
3. Security Technology Protection
Deploy security technical measures such as firewalls, intrusion detection systems,
and antivirus software to prevent data security incidents caused by external attacks
and malicious code infections.
4. Personnel Security Management
• Strengthen data security awareness training for employees to raise their awareness
of data protection and improve their operational skills.
• Sign confidentiality agreements with employees to clarify their responsibilities and
obligations in data protection.
• Conduct background checks on personnel in positions involving sensitive data.
5. Physical Security Protection
Strengthen the physical security protection of the places where data storage and
processing equipment are located, such as setting up access control systems and
monitoring equipment, to prevent equipment theft, damage, or illegal access.
VII. Data Security Incident Response
1. Incident Reporting
When an employee discovers a data security incident (such as data leakage, loss,
tampering, etc.), he/she shall immediately report it to the Information Security
Department and shall not conceal or delay it.
2. Incident Investigation and Handling
After receiving the report, the Information Security Department shall immediately
organize personnel to investigate the incident, determine the nature, scope of impact,
and cause of the incident, and take corresponding handling measures, such as
preventing further data leakage and recovering damaged data.
3. Incident Notification and Recording
According to the severity of the incident, promptly notify the Company's management
and relevant departments of the incident, and report to the regulatory authorities in
accordance with regulations. At the same time, detailed records of the handling
process and results of the incident shall be made for future reference.
VIII. Compliance and Audit
1. The Company shall regularly audit the implementation of the data protection
policy, and check whether the classification, labeling, storage, use, transmission,
and destruction of data comply with the requirements of this policy and relevant
laws and regulations.
2. Problems found during the audit shall be promptly notified to relevant departments
for rectification, and the rectification situation shall be tracked.
3. For violations of this policy, the relevant persons shall be punished according to
the severity of the circumstances, including but not limited to warning, fine,
demotion, termination of labor contract, etc.; if the Company suffers losses, they
shall also bear corresponding compensation liabilities; if the violation constitutes a
crime, it shall be transferred to the judicial organ for handling.
IX. Policy Revision and Interpretation
This policy shall be revised regularly according to the Company's business
development, changes in relevant laws and regulations, and the needs of data
security management. The revision process shall be the same as the formulation
process. This policy shall be interpreted by the Company's Information Security
Department.