Information Security Policy

BIONIME CORPORATION (hereafter referred to as “BIONIME”)upholds the information security concepts of maintaining the company’s operating environment and and enacts comprehensive protection of the data stored or transmitted by BIONIME to prevent damage, theft, leakage, tampering, abuse, infringement and other incidents, and continues to improve the confidentiality, integrity and availability of various information system services. This policy is hereby announced.

BIONIME’s information security policy statement is as follows:

(1) Establish an information security organization to maintain the daily operation of BIONIME’s information security management system maintenance.

(2) Establish an information asset monitoring and management mechanism. All personnel (including regular employees or outsourced personnel, such as stationed vendors, part-time personnel, etc.) have a responsibility and obligation to protect the relevant information assets for which they are responsible, and are to ensure the company’s important information assets are confidential, accurate and availabile.

(3) The job responsibilities of all personnel are divided into their appropriated divisions, and permissions are authorized only in accordance with the information necessary to complete the required job.

(4) Recruited personnel need to undertake necessary risk assessments and sign relevant guidelines and specifications; personnel are required to participate in information security awareness training, understand that it is the duty of each person to maintain and ensure information security, and implement this in their daily work.

(5) BIONIME’s offices or security controlled areas shall implement physical access and asset controls while executing the regulations thoroughly.

(6) Personnel are not allowed to connect to the internal network externally or by personal means, and are required to implement necessary security procedures so as to protect network security. Important equipment will be equipped with appropriate backup systems or monitoring mechanisms to maintain their availability. The computers of all personnel are installed with antivirus software which is updated regularly, while any unauthorized software installation is strictly prohibited.

(7) Accounts and passwords held by individuals must be properly kept and used, and reviewed regularly.

(8) At the beginning of each project and system development, security control procedures need to be considered so as to strengthen the security control requirements for service providers and to clearly describe the information security requirements in each service level agreement.

(9) All personnel should be kept alert at all times for any information security incidents, security vulnerabilities, or breaches of information security policies and procedures. If found, they should be notified immediately according to standard procedure.

(10) BIONIME has established a business continuous management mechanism and regularly conducts exercises and tests to maintain its applicability.

(11) The information security measures implemented by BIONIME will be committed to complying with the requirements of local laws and regulations.

Effective date of this policy: March 2021