Tingyi (Cayman Islands) Holding Corp.

Information Security and Privacy Protection Policy

Preface

Tingyi (Cayman Islands) Holding Corp. (hereinafter referred to as “Master Kong”, “the Company” or “We”) strictly adheres to all laws and regulations regarding information security and privacy protection in the jurisdictions where it operates. This policy aims to delineate the Company's responsibilities and obligations in the areas of information security and privacy protection, ensuring that while pursuing business growth, the Company places full emphasis on safeguarding information security and customer privacy.

Scope of Application

This policy applies to all employees of the Company (including permanent, part-time, and temporary employees, as well as senior management and directors of the Company and its subsidiaries). The Company encourages suppliers to jointly comply with the requirements outlined in this policy.

Information Security Management Requirements

• All collection, storage, processing, and transmission of data must comply with laws, regulations, and internal standards to prevent data leakage, tampering, or destruction.
• Continuously invest in the latest information security technologies, equipment, and solutions—such as firewalls, intrusion detection systems, data encryption technologies, and security audit systems—to strengthen the protection of network and information systems and guard against security risks including hacker attacks and virus intrusions.
• Regularly evaluate the effectiveness of investments in information security protection and roll out adjustments and optimizations as needed.
• Clearly define the permissions of IT operation and maintenance personnel and promptly revoke relevant access rights upon completion of maintenance tasks.
• Timely update software and hardware facilities of information systems, upgrade protective measures, and regularly engage third parties to conduct external audits of the information security management system to ensure its effectiveness.
• Continuously monitor the Company’s information and network security status, conduct regular vulnerability scans, and take measures to promptly repair and remediate any identified information security vulnerabilities and risks.
• Develop information security contingency plans and regularly test emergency mechanisms and incident response procedures.
• For suppliers, conduct thorough reviews of their information and network system security to ensure the integrity and confidentiality of company information is not compromised due to supplier-related issues.

Privacy Protection Management Requirements

• Implement systematic and process-oriented management of the information, set an access limit to customer information and strictly adhere to the principle of confidentiality of customer information.
• Sign confidentiality agreements with staff and third-party companies involved in user information and oversee the implantation of such agreements, to ensure the information security of the Company and users.
• In terms of capturing and recording customer information, each business formulates the Customer Complaint Information Management Operational Approach, records only the basic information about the customer and cleans up the important and sensitive information on a regular basis.
• In terms of information access, we endeavor to ensure data security in our internal systems and implement account login permission management to restrict the access scenarios and conditions of use of consumer and customer information by our internal staff to ensure information security of our consumers and customers to the greatest extent.

Employee Participation

• Clearly define the information security responsibilities of each employee, such as complying with information security operating procedures and consciously protecting internal data and customer information.
• Continuously promote information security-related training and publicity efforts to enhance employees' awareness of information security.
• When potential information security threats are identified, employees should follow the information security risk reporting procedures to escalate the matter.
• For specific positions (including but not limited to information security positions), the Company incorporates information security and privacy protection as part of employee performance evaluation.

Disciplinary Actions??

The Company implements a zero-tolerance policy towards any behavior that discloses user privacy information and will take disciplinary measures against violations of this policy, including but not limited to warnings, fines, and termination of employment.

Review and Revision??

Master Kong regularly reviews this policy and revises it based on the latest regulations, regulatory developments, business conditions, and other factors. Employees should stay informed of policy updates to ensure that their actions remain aligned with the requirements of this policy.

Source: