1. This policy applies to information assets related to our group's business, namely information, business premises and associated infrastructure, personnel, hardware, software, and services used and provided. In our group's business, entrusted information is treated as confidential, and information specifically designated by customers is treated as the most important information. Other information is evaluated for confidentiality, availability, and completeness, and handled according to its importance.

2. Top management will establish an organizational structure for implementing this policy, clarify roles, responsibilities and authority, and procure the necessary resources.

3. Based on appropriate risk assessment, we will implement human, organizational, and technical measures to prevent unauthorized access to, and leakage, falsification, loss, destruction, and interference with the use of, information assets, and will manage and operate them safely and appropriately.

4. We will comply with laws and regulations regarding information security, contracts with customers, and our group's procedures as separately determined.

5. Personal information will be managed appropriately in accordance with our group's regulations that comply with the Personal Information Protection Act and the My Number Act.

6. We will provide education to those who use our group's information assets and ensure that they are fully aware of the importance of information security under this policy.

7.In order to ensure the safe and proper management and operation of information assets, we will establish a management system that includes risk evaluation criteria and risk assessments, and will review it regularly and improve it as necessary.

8. We set information security objectives and strive to achieve them through regular reviews and continuous improvement.

9. We will take firm action, including legal action, against any actions that violate this basic policy regarding information security.