Notice to Stakeholders Regarding the Information Security Policy
Dear Valued Partner:
Zhejiang Sunny Optical Technology Co., Ltd. places great importance on the security and protection of information assets, regarding information security as the cornerstone of business continuity and sustainable growth. To effectively manage information security risks and safeguard the interests of our company, our customers, and all our partners—including your organization—we have established and implemented stringent information security requirements.
I. Purpose of Notification
This notice is intended to:
1. Officially inform your company about the existence of our information security policy and its core requirements.
2. Clearly outline your company’s information security responsibilities and obligations as a business-related party of our company, particularly in the course of collaborating with us—specifically, when accessing, handling, or storing any of our information assets (including, but not limited to: business data, customer information, employee details, technical documents, trade secrets, system access permissions, and more).
3. Foster a collaborative effort between both parties to jointly build a secure, reliable, and trustworthy business environment.
II. Information Security Policy
Implement risk management, enhance security measures, ensure information security, and build customer trust.
Interpretation: By systematically identifying all information assets involved in the company’s business operations and customer service processes, we will conduct a scientific and effective classification, assess their associated risks, implement appropriate control measures to mitigate these risks, ensure the security of information assets, enhance customer trust, and maintain business continuity.
III. Core Information Security Requirements
Our company's information security policy includes, but is not limited to:
1. Confidentiality:
- Strictly protect the non-public information of our company, our customers, and our employees from unauthorized access, use, or disclosure.
- Any confidential information of our company that your company comes into contact with shall be used solely for the purpose of fulfilling the contractual obligations agreed upon by both parties.
2. Integrity:
- Ensure the accuracy and integrity of our company's information assets, and prevent unauthorized tampering, destruction, or loss.
- When handling our company's information, your company should take the necessary measures to ensure its integrity.
3. Availability:
- Ensure that authorized users can reliably access the information and systems they need, when required (within the scope of the contractual agreement).
- The services provided by your company (if applicable) shall meet the agreed-upon availability requirements.
4. Compliance:
- Comply with applicable information security laws and regulations, industry standards (such as the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, etc.), and contractual agreements.
5. Access Control:
- Strictly adhere to the "principle of least privilege," granting your company and its personnel only the minimum information access necessary to fulfill contractual obligations.
- Your company needs to strictly manage and supervise the actions of your personnel regarding access to our company's information assets.
6. Data Classification & Handling:
- Our company classifies its information assets based on sensitivity and importance (e.g., Secret 1, Secret 2, General). Your company is required to implement appropriate protective measures for different categories of information, as per our requirements or mutual agreements.
7. Physical & Environmental Security:
- If your company handles or stores our company's information assets at your premises, you must provide appropriate security measures (such as access control, surveillance, fire and theft protection, etc.).
8. Network Security:
- If your company needs to connect to our network or systems, you must use a secure connection method (such as VPN) and ensure the security of your own network to prevent it from being used as a stepping stone to attack our company.
9. Security Incident Reporting:
- Upon discovering or suspecting a security incident involving our company's information assets or systems (such as data breaches, loss, tampering, unauthorized access, cyberattacks, malware infections, etc.), your company is obligated to notify our designated contact person (see below) within 2 hours.
- Your company is also obligated to assist our company in investigating and handling the incident.
10. Personnel Security:
- Your company should ensure that personnel accessing our company's information assets possess the appropriate security awareness and skills, and have already signed confidentiality agreements.
- When personnel are transferred or leave the organization, promptly revoke their access permissions.
11. Business Continuity:
- Your company should have an appropriate business continuity plan in place to ensure timely recovery of the services provided to our company in the event of an interruption.
12. Audit & Monitoring:
- Our company reserves the right to inspect or audit your company's compliance with information security obligations upon reasonable notice (methods may include questionnaires, on-site inspections, review of third-party audit reports, etc.), and your company shall cooperate accordingly.
IV. Contact Us
If you have any questions or need to report a security incident, please contact our company’s Information Security Officer via the following methods:
Email: xjma@sunnyoptical.com