Security Policy
1. Basic Policy
SPEQTRA Investment Research PTE. LTD. ("Company") recognizes that ensuring the security of our clients' information assets and managing them appropriately is our social responsibility. The Company complies with information security laws, regulations, and contractual requirements, and establishes, implements, maintains, and continuously improves our information security management system to provide an environment where clients can use our services with confidence.
2. Scope of Application
This Security Policy applies to all services and systems provided by the Company and all information assets handled by the Company. It also applies to all employees, contractors, temporary staff, and all parties who have access to the Company's information assets.
3. Information Security Framework
The Company establishes a framework with clear responsibilities and authorities for information security and continuously improves it.
- Appoint an information security officer to plan, implement, evaluate, and improve company-wide information security measures
- Regularly conduct information security education and training to improve security awareness and knowledge of all employees
- Establish response frameworks and procedures for information security incidents
4. Risk Management
The Company identifies and evaluates information security risks and implements appropriate risk response measures.
- Regularly conduct risk assessments to identify potential threats and vulnerabilities
- Select and implement appropriate response measures (avoidance, reduction, transfer, acceptance) for identified risks
- Regularly evaluate the effectiveness of risk response measures and revise as necessary
5. Asset Management
The Company appropriately classifies information assets and manages them according to their importance.
- Regularly conduct information asset inventories and maintain and update information asset registers
- Classify information assets based on confidentiality, integrity, and availability and establish appropriate handling procedures
- Follow appropriate procedures for data erasure and destruction when disposing of or returning information assets
6. Access Control
The Company implements appropriate access controls to prevent unauthorized access to information assets.
- Apply the "principle of least privilege" by granting only the minimum necessary permissions for business purposes
- Implement appropriate authentication mechanisms including password management and multi-factor authentication
- Regularly review access rights and promptly delete those that are unnecessary
- Implement strict management and monitoring of privileged accounts
7. Encryption
The Company uses appropriate encryption technologies to protect confidential information.
- Apply appropriate encryption to data at rest and data in transit
- Establish procedures for secure generation, storage, and destruction of encryption keys
- Use industry-standard encryption algorithms and protocols
8. System Development and Maintenance
The Company takes a security-conscious approach to design and implementation in system development and maintenance.
- Incorporate security requirements from the design stage based on security-by-design principles
- Separate development and production environments and implement appropriate access controls
- Regularly conduct security testing for early detection and correction of vulnerabilities
- Implement secure source code management and review
9. Incident Response
The Company establishes frameworks and procedures for rapid and effective response to information security incidents.
- Organize an incident response team with clear roles and responsibilities
- Establish procedures for incident detection, reporting, initial response, investigation, recovery, and prevention of recurrence
- Regularly conduct incident response training to improve response capabilities
- Document lessons learned from incidents and utilize them to improve security measures
10. Business Continuity Management
The Company establishes plans to continue important operations or recover them promptly even in the event of disasters or security incidents.
- Conduct business impact analysis to identify critical operations and recovery time objectives
- Take backups and regularly test restoration from them
- Develop disaster recovery plans and conduct regular training and reviews
11. Legal Compliance
The Company identifies and complies with information security-related laws, regulations, and contractual requirements.
- Comply with relevant laws such as personal data protection laws and unauthorized computer access laws
- Respect intellectual property rights and comply with license agreements
- Monitor changes in laws and regulations and respond as necessary
12. Audit and Evaluation
The Company regularly audits and evaluates the effectiveness of information security measures and continuously improves them.
- Regularly conduct internal audits to verify compliance with security policies
- Regularly conduct vulnerability assessments and penetration testing by external experts
- Develop and implement security improvement plans based on audit and evaluation results
Effective Date: June 1, 2025
This Security Policy will be regularly reviewed in response to changes in the information security environment and technological advances.