Data Security

I. Principles of Data Security

When conducting any data processing activities involving personal information, Jianbo Research adheres to the following principles:

1. Principle of Accountability: Implement management, technical, and other necessary measures to ensure the security of personal information and other data, and assume responsibility for any harm caused to the legitimate rights and interests of individuals as a result of their personal information processing activities.

2. Principle of Minimum Necessity: Only process the minimum types and amount of personal information required to fulfill the purpose for which the individual has provided consent. Once the purpose is achieved, personal information should be promptly deleted.

3. Security Assurance Principle: Ensure security capabilities that align with the risks encountered, and implement adequate management measures and technical solutions to safeguard the confidentiality, integrity, and availability of personal information.

II. Basic Requirements for Data Security

Jianbo Research takes necessary measures to ensure adequate security safeguards for data processing activities, in compliance with applicable data protection laws. These measures should take into account the current state of technology, implementation costs, as well as the nature, scope, context, and purpose of the processing—and the potential risks of harm to the rights and freedoms of individuals whose personal information is involved. This includes, but is not limited to:

1. Establish a personal information protection management department, along with corresponding workflows and security management systems, that comply with data protection legal requirements.

2. All equipment, technologies, and other related items involving cybersecurity comply with relevant national laws and regulations, industry standards, and national standards, and have already obtained the corresponding licenses or qualification certificates.

3. Implement the principles of minimizing both the number of individuals with access permissions and the amount of information they can access. Regularly review critical data operations (such as bulk data export, copying, or destruction) and enforce robust anti-leakage measures. Additionally, establish an internal approval process for all significant data activities, and ensure clear segregation of roles among security managers, data operators, and auditors.

4. Implement measures such as data classification, backup, and encryption to ensure the security, confidentiality, and integrity of data during both storage and transmission. Properly safeguard physical media—including paper, optical, and electromagnetic formats—used to store recorded data, and adopt appropriate secure storage practices. Additionally, de-identify personal information by separating identifiable data used for re-identification from the de-identified data itself, while strengthening access and usage authorization controls.

5. Implement measures to prevent unauthorized physical access to locations and devices storing personal information; take steps to ensure data is protected against accidental damage or loss.

6. Establish a security incident response mechanism and emergency preparedness plan. Regularly (at least once a year), organize internal personnel for emergency response training and drills, ensuring they are well-versed in their job responsibilities as well as emergency handling strategies and procedures. In the event either party becomes aware of potential security issues affecting relevant data—especially personal information security incidents—they must promptly notify the other party via email, fax, or other written communication channels. Once notified, both parties should immediately implement effective measures to contain the issue, prevent further escalation of the incident, and minimize any adverse impact as much as possible.

7. Recording and retaining data-sharing activities. Maintain records of data processing in accordance with data protection laws or your organization's internal management policies.

8. If requested by the partner, we will allow and assist the partner’s authorized representative or a designated third-party auditing entity in conducting an audit of the data provider, to verify whether the data provided and its use in data processing outcomes comply with applicable data protection laws. Should the audit or inspection activities involve trade secrets, we will adhere to our corresponding confidentiality obligations. However, disclosing necessary information to cooperate with regulatory investigations or to resolve any disputes between the parties—such as sharing details with judicial, law enforcement, or administrative authorities, or with professional advisory firms that have signed confidentiality agreements—will not be considered a breach of these confidentiality commitments.

9. Without the written consent of the partner, data or data processing results shall not be provided to countries and regions outside mainland China.

10. Unless confirmed in writing by the partner, no media publicity will be given to the matter of the collaboration.

11. Unless mutually agreed upon in writing by both parties, the rights, obligations, and/or responsibilities under this contract may not be transferred to any third party in any manner.

12. In accordance with relevant data protection laws, each party shall fulfill its obligations as a data processor for the personal information it processes individually, while also independently enjoying and exercising its legitimate rights and interests as a data processor. Additionally, each party shall provide a clear pathway for individuals to assert their rights, cooperate in responding to requests from data subjects, and furnish the necessary information to assist individuals in safeguarding their legitimate rights and interests.

13. If cooperation from the partner is required—such as in response to regulatory requests aimed at safeguarding data security—both parties shall collaborate closely to address the matter appropriately. Should the company receive inquiries, penalties, or claims from regulatory authorities or any third party, it must notify the other party in writing within 24 hours of receiving such notice, while simultaneously working together to minimize any resulting losses for both sides.

14. Other security measures taken to fulfill the data security obligations of the cooperating parties, particularly the security requirements jointly proposed for the collaborative project, as well as the information protection and security standards mandated by Chinese laws, regulations, and national standards.