Information Security Policy
Revised on August 25, 2023
1. Goal
QNAP SYSTEMS, INC. (QNAP) has developed this Information Security Policy to strengthen the security management of its information and cloud services and to protect personal data processed by those cloud services. The goal is to ensure the confidentiality, integrity, and availability of information assets owned by QNAP and to provide an information environment that supports business continuity. The policy also complies with relevant regulations while protecting against intentional and unintentional threats from internal and external sources. QNAP's top management formulated this policy to ensure effective operation of the management system, including continuous process improvement, to prevent non-compliance, and to achieve QNAP's information security goals.
2. Applicable Areas
- QNAP established its Information Security Management System (ISMS) taking into account the concerns of internal and external stakeholders and relevant government regulations. To ensure the confidentiality, integrity, and availability of information, the scope of the ISMS is defined as security management for data center operations and for the operation and maintenance of the ERP, MES, EDI, PLM, Software Store, Online Shop, Account Center, AMIZCloud, QuWAN, and License Manager systems. QNAP has comprehensive expertise in information operations and management processes and meets the applicable security requirements and expectations.
- The ISMS covers fourteen management domains to prevent data misuse, leakage, tampering, and destruction resulting from human error, deliberate disclosure, natural disasters, or other factors that could pose risks and hazards to QNAP. These domains correspond to Annex A of ISO/IEC 27001:2013, control areas A.5 through A.18, which the ISMS follows for compliance. The domains are:
- A5 Information Security Policies.
- A6 Organization of Information Security.
- A7 Human Resource Security.
- A8 Asset Management.
- A9 Access Control.
- A10 Cryptography.
- A11 Physical and Environmental Security.
- A12 Operations Security.
- A13 Communications Security.
- A14 System Acquisition, Development and Maintenance.
- A15 Supplier Relationships.
- A16 Information Security Incident Management.
- A17 Information Security Aspects of Business Continuity Management.
- A18 Compliance.
3. Definitions
- Information Assets: The hardware, software, services, documents, and personnel necessary to maintain the normal operation of QNAP's information-related business.
- Information Environment for Business Continuity: The computing and operating environment required to maintain the normal operation of QNAP's various business activities.
4. Objectives
Maintain the confidentiality, integrity, and availability of QNAP information assets, and protect the privacy of user data. All QNAP staff will work together to achieve the following objectives:
- Protect QNAP's business information from unauthorized access.
- Protect QNAP's business information from unauthorized modifications, and ensure the information is correct and complete.
- Establish an inter-departmental information security organization to develop, promote, implement, evaluate, and improve information security management, and to ensure that QNAP has an information environment for business continuity.
- Conduct information security education and training to promote employee awareness of information security and enhance their understanding of related responsibilities.
- Implement information security risk assessments to improve the effectiveness and timeliness of information security management.
- Implement an internal information security audit system to ensure effective information security management.
- Business activities of QNAP shall comply with the requirements of relevant laws or regulations.
5. Responsibilities
- QNAP management is responsible for preparing and reviewing this policy.
- QNAP information security administrators shall implement this policy through appropriate standards and procedures, in compliance with information security and personal data protection laws and other relevant regulations.
- All QNAP staff and outsourced service providers must follow the relevant security management procedures in compliance with this Information Security Policy.
- All staff and outsourced vendors are required to report information security incidents and any vulnerabilities they identify.
- Anyone whose actions jeopardize information security will be held accountable under applicable civil, criminal, or administrative law and/or the relevant QNAP regulations.
- Contracts with cloud service outsourcing vendors, and any other contracts related to cloud services, must clearly stipulate the responsibilities and obligations of both parties.
- Appropriate security maintenance mechanisms must be designed into the cloud service provisioning process to ensure the security of virtualized environments and image files.