Basic Policy on Information Security (Security Policy)

Money Forward Vietnam Co., Ltd. (hereinafter referred to as the “Company”) acknowledges that appropriate management of information is a top-priority matter, and thus handles users’ information rigorously while taking appropriate precautions against risks such as information leakage, and thereby strives to earn users’ trust. The Company stipulates the Basic Policy on Information Security (Security Policy) below as a guideline for the Company’s security-related initiatives, and shall comply with this Basic Policy on Information Security (Security Policy) and the Personal Information Protection Policy (Privacy Policy).

1. Purpose

The purpose of this policy is to provide guidelines for establishing and implementing information security management systems to protect the information assets of users and of Money Forward Vietnam Co., Ltd. (hereinafter referred to as the “Company”) from all threats, whether internal or external, accidental or intentional, and thereby help ensure the continuity of the Company’s business activities.

2. Scope

All information assets that the Company handles in its business activities shall be subject to this basic policy. Information assets refer to the information, data, information systems, networks, and equipment that the Company possesses or operates and manages, as well as all items—both tangible and intangible—that the Company deems necessary for conducting its businesses.

3. Building an information security system

The Company shall organize an information security management system centered around its management team, and engage in efforts to maintain and enhance its information security. The Company shall also regularly audit such efforts and organize a system to facilitate enhancements.

4. Protecting information assets

The Company shall acknowledge the importance of all information assets it possesses from the perspectives of confidentiality, integrity and availability, conduct risk assessments, and thereby strive to appropriately protect information assets based on the information security system.

5. Raising information security literacy

The Company shall strive to raise information security literacy among all of its employees, and conduct education and training on a continuous basis to ensure the appropriate management of its information assets.

6. Responding to security-related incidents and accidents

In cases where a security-related incident or accident occurs, or seems likely to occur, the Company shall promptly respond and take the necessary measures.

7. Complying with laws and ordinances, regulations, and agreements

The Company shall ascertain and comply with any laws and ordinances, regulations, or agreements that apply to the promotion of its businesses on a case-by-case basis.

8. Managing business continuity

The Company shall strive to avoid any business interruptions caused by factors such as incidental disasters, malfunctions or negligence of its information systems, or intentional abuse of its information assets, and thereby ensure business continuity.

9. Measures against violations of the basic policy

The Company’s employees shall act in accordance with this basic policy, and in cases where a violation occurs, the individual shall be subject to the disciplinary punishment stipulated in the employment regulations.

10. Implementing continuous improvements

The Company shall regularly evaluate and revise the aforementioned initiatives, and thereby continuously improve its information security management.