We are committed to rigorously regulating information security assurance in all aspects of our operations, adhering to relevant regulations in our operational locations, and continuously improving our systems and taking multiple measures to mitigate information security risks and establish a safe and orderly operational environment.

We attach great importance to data protection and have formulated the "Archives Confidentiality Management Measures" and the "Information System Management Measures" to stipulate data management and password usage policies, providing clear guidelines for information security operations involved in daily office operations.

We also conducted disaster recovery testing for the information security system and formulated an off-site backup management plan, which specifically includes:

• To cope with various natural disasters, man-made disasters, catastrophes, crises, and unexpected anomalies, the company's operational system and critical data are configured with an updated off-site backup mode. In the event that the primary operational system fails to operate normally, the backup operational system can be activated remotely;

• The operational system employs the SQL mobile synchronization mechanism in off-site backup, adopting the hot standby method with the highest level of system data recovery. In the event of any party's failure, the other party can immediately take over all applications and ensure data integrity. Other critical systems and data utilize off-site backup data backup methods to ensure the integrity of data preservation in the event of data updates and corruption. Additionally, computer-related equipment such as air conditioning and power supplies should have appropriate backup measures in place;

• To ensure the recovery of the main archive, the contents of the main archive should be regularly copied and backed up, and stored in a relatively safe location outside the company. Important files and inventories should be copied and backed up in a secure location. Relevant configuration files for system software and hardware need to be properly archived and stored;

• The network management team regularly tests the availability of backup data, formulates the "Off-site Backup Drill Plan" every year, and organizes data recovery drills.

In addition, the company conducts vulnerability scanning on systems that have been put into operation and for which a security system has been established at least quarterly, in order to promptly identify security vulnerabilities in the system. It organizes annual reviews of the adaptability, adequacy, and effectiveness of information security strategies, and organizes revisions when necessary to ensure the security of information systems. The company has a total of three information security professionals and held four information security-related meetings in 2025.

As of the end of the reporting period, the Hefu Hospital Management Platform System has obtained Level 3 verification for information security classification protection.

Level 3 verification of information security classified protection

Our company places great emphasis on the protection of "customer privacy rights". We adhere to relevant laws and regulations such as the "Personal Data Protection Act", have established a "Personal Data Protection Policy", and implemented rigorous privacy security management and protection measures for personal data. Additionally, we have established a data governance system, put in place data access permission controls, and a review mechanism for data owners, ensuring that data access, sharing, availability, integrity, and confidentiality are properly governed and protected.

To strengthen the confidentiality management of trade secrets and customer information, the company has clearly stipulated the confidentiality management system in the Employee Handbook and included confidentiality clauses in the labor contract, explicitly prohibiting the disclosure of confidential data, customer information, or other confidential matters. All employees have signed confidentiality agreements, and information security education and training are implemented for new employees upon their entry to enhance confidentiality awareness and legal compliance concepts. In 2025, We conducted the training in the form of online courses, with 100% employee participation, totaling 96 hours. In addition, to reduce the risk of collecting and storing customer personal information, we only collect necessary information required for business purposes and adopt a targeted storage mechanism. For example, the data collected by medical institutions is only stored in the local information system of the hospital, and our company does not extract or store related data, ensuring clear information ownership and enhancing customer trust.

This policy applies to all branches, operational sites, subsidiaries, customers, and suppliers of our company. During the reporting period, no illegal incidents related to information security or personal data protection occurred. We remain committed to safeguarding the security and privacy rights of customer data.