Information Security Management Framework
Senior executives at Simplo regularly pay attention to information security issues, with the Information Department being the unit responsible for planning and implementing information security-related regulations. The head of the Information Department regularly participates in internal meetings related to information security and keeps abreast of relevant issues. Additionally, the Audit Office serves as the auditing unit for information security supervision and conducts annual audits on the internal control system—specifically the electronic computing cycle—to assess the effectiveness of the company's internal controls over information operations, reporting regularly to the Board of Directors. In 2023, in accordance with regulatory requirements, the company appointed a dedicated information security officer and a dedicated information security staff member.
Information Security Policy
To protect Simplo's information assets from intentional or accidental damage and to ensure sustainable corporate operation, this information security policy has been formulated to confirm the security of the Company's key information assets.
Information Security Management
The Information Department of Simplo formulates the information system management procedures, which apply to the use of the Company's computer information system and enterprise network resources. Through these procedures and their implementation by employees, the Information Department seeks to ensure the accuracy and security of the Company's information and data, provide management information, and assist the various units in processing data. The main controls of the management procedures include the following matters.
- Use and cancellation of computer system resources: The procedures regulate the control requirements for the computer system resources that employees need for their jobs, including applications for desktop/laptop use, computer software installation, control of internet access for public laptops used off-site, and cancellation of the computer resource authorizations and accounts of resigned personnel.
- Data backup and disaster recovery: The procedures set the control requirements for data backup operations. Server data files and database data are backed up to tapes or off-site hard disk cabinets according to the defined backup cycle and the schedule set in the backup software. The backup software sends a notification email when a backup succeeds or fails. Administrators must handle and resolve any irregular backup immediately to ensure that the backup is completed correctly. When a disaster occurs, data recovery operations are required. The duties of the relevant units are stipulated, and administrators are required to conduct disaster recovery tests on a regular basis (every six months, with no fixed date).
- Computer virus management: The Company's prevention practices for computer viruses are regulated, including the installation of Company-authorized anti-virus software on all computers and the regular update of virus definitions. Regular system and security updates are delivered through the Windows Update server, and internet behavior is controlled through a proxy and firewalls.
- Email management: The rules for the use of email are regulated, including limits on the number of recipients and the size of a single email, the management of sending and receiving private email, and the Company's emails sent and received externally.
- Internet access management: The regulations state that internet access must be applied for. Browsing websites unrelated to business purposes is prohibited, such as games, shopping, music and video, gambling, social networking sites, illegal or violent content, advertisements, adult information, free internet resources, controversial websites, websites without clear sources, and websites listed for special control.
- Remote access management: The Company mandates that employees who need to connect to internal services from a remote location due to business travel or other official duties must use a VPN to ensure security. VPN access rights must be applied for and are used in conjunction with personal mobile devices utilizing OTP (One-Time Password) two-factor authentication. Additionally, the IT department regularly reviews VPN usage and revokes unnecessary access rights after verification.
- Management of data centers: The regulations require access control for data centers and set control requirements for personnel without permission to access them. Daily management operations are also required, such as checking the temperature and humidity of the data centers and the uninterruptible power supply (UPS), and inspecting the data center environment and equipment operation status. The data center environmental control system monitors and records the environment and equipment status, automatically sending warnings of irregularities to notify the administrators for immediate handling.
- Information security meetings: We hold monthly information security meetings to verify and review the implementation status of our information security policies and address any information security issues.
New Simplo employees undergo basic information security education and training when onboarding. In addition, for existing staff, information security promotion is conducted from time to time through the Company's internal portal site or email, covering the security of email use, the security of internet use, and secure remote operations.
Passed the international certification for ISO 27001 Information Security Management System.
Simplo has long managed its information security based on its security policies to enhance protection and strengthen system operational capabilities, thereby reducing the impact of information security incidents. In response to the rapid development of diverse information systems, the company implemented the ISO 27001 Information Security Management System in 2023 and has recently passed the ISO international standard certification (SGS). The effective period of the certification is from December 9, 2023, to December 9, 2025, which signifies that Simplo is aligning its information security management practices with international standards to protect the interests of the company and its customers.
The scope of this certification includes the information service infrastructure and information management processes of Simplo. This certification not only upgrades our information security protection but also demonstrates that the Simplo Group has taken its information security management to a higher level. We understand that it is essential to continue implementing and executing these practices to ensure the fundamental work of information security.
Note: ISO/IEC 27001 Information Security Management System (ISMS) is an internationally recognized framework and set of standards for information security management. It clearly defines standards for information security management, enhances security protection, and safeguards information assets. It is currently the most widely adopted standard for information security management systems internationally.