Information Security System Establishment and Management
Both Arcadyan headquarters and its Vietnam Manufacturing Center have been certified for ISO 27001 Information Security Management System and ISO 27005 Information Risk Management, demonstrating Arcadyan's commitment to institutionalizing information security and aligning with international standards. To further strengthen data leakage prevention, Arcadyan has implemented a Data Loss Prevention (DLP) mechanism, strictly regulating the use of high-risk channels such as communication software and external storage devices. Additionally, Arcadyan has enhanced its mobile device usage policies to comprehensively improve its resilience and response capabilities in information security, ensuring the protection of clients' confidentiality, personal data, and intellectual property.
ISO 27001 Information Security Policy
- Ensure the confidentiality of information related to the business of the Company to prevent breaches or losses of the Company's sensitive information and individual data.
- Ensure the completeness and availability of the Company's business information to perform the operation and various business of the Company correctly.
Information Security Management Framework
To enhance corporate information security governance, Arcadyan has established the Information Security Management Committee as Arcadyan's highest decision-making and management body for cybersecurity. This committee is responsible for formulating information security strategies and allocating resources accordingly. Led by senior management, the committee appoints an Information Security Management Representative (a designated specialist) to oversee daily operations and ensure effective implementation.
Under the committee, three dedicated working groups have been established: the Document Editing Team, the Risk Management and Evaluation Team, and the Internal Audit Team. These teams are respectively responsible for the development and maintenance of information security documentation, risk assessments and control measures, and internal audits with corrective action tracking, together forming a comprehensive governance mechanism. The Information Security Management Representative provides regular reports to the committee every six months, covering management performance, emerging issues, and strategic directions. This ensures that the overall information security system remains compliant, relevant, and effective on a continual basis.
Information Security Management Mechanism
To ensure the confidentiality, integrity, and availability of its information assets, Arcadyan has established internal control mechanisms and an information security documentation system in line with the ISO 27001 Information Security Management Systems. Arcadyan continually strengthens its risk response capabilities by conducting regular internal and external security audits. These audits include risk grading and vulnerability scanning of process-related databases, as well as regular updates to the information asset inventory. To enhance operational resilience, Arcadyan implements a range of control measures such as Business Impact Analysis (BIA), disaster recovery drills, account permission reviews, firewall configuration audits, cybersecurity training, penetration testing, management review meetings, and unannounced social engineering simulations. These efforts ensure the continuous improvement of Arcadyan's information security defense systems. Since 2020, Arcadyan has maintained cyber insurance coverage to mitigate the potential financial risks of information security incidents. In 2024, the insured amount reached USD 3 million, demonstrating Arcadyan's strong commitment and forward-looking approach to information security risk management.
Information Security Awareness and Training
Prevention of Unauthorized Third-Party Access or Disclosure of Information
To comprehensively safeguard Arcadyan's and clients' information assets and prevent the risk of unauthorized third-party access or data leakage, Arcadyan has established a multi-layered information security control mechanism. This mechanism extends from core account management to mobile device and network usage, reinforcing access control and minimizing the risk of unauthorized access. The key control measures are as follows:
Information Data Retention and Management
Arcadyan has established a comprehensive mechanism for information data retention and log management to ensure complete traceability of data access activities. All servers and database systems are equipped with logging functions and defined retention periods. System logs are retained for at least one year, while logs from firewalls and core switches are preserved for no less than three months. Depending on applicable laws and regulations, contractual obligations, and practical needs, relevant records may be retained for extended periods to support investigations and audits related to information security incidents.
All access records across Arcadyan's operations are strictly controlled to prevent unauthorized tampering, deletion, or leakage. To mitigate the risks of misuse from idle accounts, all critical systems are equipped with auto-logout functions, and user access rights are regularly reviewed and audited. Additionally, the effectiveness of Arcadyan's information security management system is continually assessed through both internal and external audits.
Regarding information asset management, Arcadyan conducts risk assessments and applies appropriate control measures based on asset sensitivity and risk characteristics. Retention periods for third-party data are also clearly defined to minimize the risk of data leakage or loss. These efforts enhance operational resilience and the overall level of information security protection. As of 2024, Arcadyan has reported zero incidents involving client privacy violations or other major security breaches across all global sites, demonstrating Arcadyan's strong commitment to data security and continuous improvement.
Handling, Sharing, and Retaining Confidential Information
Arcadyan places great importance on the protection and proper use of information assets. Through institutionalized management and ongoing awareness initiatives, Arcadyan ensures that all confidential information is handled, shared, and retained in full compliance with applicable laws and stakeholder expectations, while fulfilling its corporate responsibility for information confidentiality. Specific management practices include:
- Employee Confidentiality Obligations: All new employees are required to sign and comply with Arcadyan's written or implied confidentiality policies upon onboarding. During employment, employees are responsible for maintaining the confidentiality of information related to clients, suppliers, and other business partners, and must fulfill their information security responsibilities within the scope of their roles.
- Information Security and Data Protection: Employees must properly manage electronic files, printed documents, and communication records to prevent unauthorized access, leakage, or misuse. Through the implementation of information security policies, audit mechanisms, and training programs, Arcadyan strengthens employee awareness and actions to protect Arcadyan's and stakeholders' information assets.
- Website Privacy Policy Disclosure: Arcadyan clearly discloses its "Privacy Policy" at the bottom of its official website homepage, including a notice stating: "This website uses cookies to enhance your browsing experience. By using this website, you consent to our use of cookies." This ensures informed consent from visitors regarding personal data processing, in accordance with legal requirements and digital transparency principles.
Through these management practices and stakeholder communication mechanisms, Arcadyan continuously strengthens its security governance to ensure that the handling, storage, and sharing of all sensitive information is lawful, appropriate, and secure.
Data and Privacy Protection
In response to international data protection trends and relevant regulations in our operating regions, Arcadyan adheres to the European Union's General Data Protection Regulation (GDPR) and local privacy laws. We have established a privacy policy that serves as the highest guiding principle for protecting the personal data of both internal and external stakeholders. Arcadyan's Information Security Department oversees the collection, processing, and storage of personal data, ensuring all processes comply with applicable regulations and our corporate code of conduct.
Arcadyan has established privacy complaint and reporting channels. Stakeholders who discover data misuse or privacy violations may file complaints through designated channels (ethics@arcadyan.com). In 2024, Arcadyan received no privacy complaints or penalty records from external parties or regulatory authorities, nor experienced any incidents involving customer privacy infringement or data breaches. This demonstrates the effective implementation of our data protection management and internal control mechanisms, reflecting our commitment to safeguarding customer privacy.