ESG-Corporate Governance

CHANGING Information Technology Inc. Code of Integrity Management

Article 1: Purpose and Scope

This Code of Integrity (hereinafter referred to as the "Code") is established to strengthen the Company's ethical business culture and provide a reference framework for sound business operations.

This Code applies to subsidiaries, foundations in which the Company directly or indirectly contributes more than 50%, and other entities or organizations under substantial control within the Group.

Article 2: Prohibition of Unethical Behavior

Directors, managers, employees, mandataries, or persons with substantial control (hereinafter "Substantial Controllers") shall not, in conducting business, directly or indirectly provide, promise, request, or receive any improper benefit, or engage in other acts of dishonesty, illegality, or breach of duty to gain or maintain advantage ("Unethical Acts").

The scope of the above includes public officials, political candidates, political parties or party personnel, as well as any public or private enterprises or institutions and their directors, supervisors, managers, employees, Substantial Controllers, or other stakeholders.

Article 3: Forms of Benefits

"Benefits" refer to any valuable item, including money, gifts, commissions, positions, services, privileges, or rebates of any form or name. Normal social courtesies that are occasional and do not affect specific rights or obligations are excluded.

Article 4: Compliance with Laws

The Company shall comply with Company Law, Securities and Exchange Act, Accounting Act, Political Donations Act, Anti-Corruption Act, Government Procurement Act, Intellectual Property Laws, Public Officials Conflicts of Interest Act, listing regulations, and other relevant laws as the basis for implementing ethical management.

Article 5: Policies

Based on integrity, transparency, and responsibility, the Company establishes policies founded on ethics, approved by the Board of Directors, creating effective corporate governance and risk control mechanisms to ensure a sustainable business environment.

Article 6: Prevention Programs

The Company's integrity policies shall clearly define specific practices and prevention programs (hereinafter "Prevention Programs") to prevent unethical acts, including operating procedures, conduct guidelines, and education/training.

Prevention Programs shall comply with laws of the country or region where the Company and its Group entities operate.

In developing Prevention Programs, the Company should consult with employees or their representatives and with key business partners or other stakeholders.

Article 7: Scope of Prevention Programs

The Company shall establish mechanisms to assess risks of unethical acts, regularly analyze business activities with high risk, and develop and review Prevention Programs for adequacy and effectiveness.

Prevention Programs shall cover measures for: (1) bribery and acceptance of bribes; (2) illegal political donations; (3) improper charitable donations or sponsorships; (4) provision or acceptance of unreasonable gifts, entertainment, or other improper benefits; (5) infringement of trade secrets, trademarks, patents, copyrights, or other intellectual property; (6) unfair competition; (7) products and services that, during R&D, procurement, manufacturing, provision, or sales, directly or indirectly harm the rights, health, or safety of consumers or other stakeholders.

Article 8: Commitment and Implementation

The Company shall require directors and senior management to declare adherence to integrity policies and include compliance in employment agreements for employees.

Integrity policies shall be disclosed in regulations, external documents, and the Company website, and actively implemented in internal management and business activities.

Documentation of policies, declarations, commitments, and implementation shall be properly stored.

Article 9: Ethical Business Activities

The Company shall conduct business fairly and transparently in accordance with ethical principles.

Prior to transactions, the Company shall assess the legality and integrity of agents, suppliers, customers, or other business partners, avoiding dealings with parties involved in unethical acts.

Contracts shall include provisions to comply with integrity policies and allow termination if the counterparty engages in unethical behavior.

Article 10: Prohibition of Bribery and Acceptance of Bribes

Directors, managers, employees, mandataries, and Substantial Controllers shall not, in performing duties, provide, promise, request, or receive any improper benefit from customers, agents, contractors, suppliers, public officials, or other stakeholders.

Article 11: Prohibition of Illegal Political Donations

Directors, managers, employees, mandataries, and Substantial Controllers shall comply with Political Donations Act and internal procedures when providing donations to political parties or individuals, and shall not use them for commercial advantage.

Article 12: Prohibition of Improper Charitable Donations or Sponsorships

Donations or sponsorships must comply with relevant laws and internal procedures, and shall not be used as disguised bribery.

Article 13: Prohibition of Unreasonable Gifts, Services, Entertainment, or Other Improper Benefits

Directors, managers, employees, mandataries, and Substantial Controllers shall not directly or indirectly provide or accept unreasonable gifts, entertainment, or other improper benefits to influence business transactions.

Article 14: Prohibition of Intellectual Property Infringement

The Company and its personnel shall comply with intellectual property laws, internal procedures, and contract terms. Without the owner’s consent, they shall not use, disclose, dispose, destroy, or infringe upon intellectual property.

Article 15: Prohibition of Unfair Competition

The Company shall comply with competition laws and shall not fix prices, manipulate bids, limit production, allocate customers or suppliers, or divide markets.

Article 16: Prevention of Product or Service Harm to Stakeholders

Directors, managers, employees, mandataries, and Substantial Controllers shall follow regulations and international standards in R&D, procurement, manufacturing, provision, or sales, ensuring transparency and safety, protecting consumer and stakeholder rights, and recalling or stopping products/services when safety or health risks are identified.

Article 17: Organization and Responsibility

Directors, managers, employees, mandataries, and Substantial Controllers shall exercise due care, supervise prevention of unethical acts, review implementation, and continuously improve integrity management.

The Company's General Management Office shall be responsible for developing and supervising integrity policies and Prevention Programs, including:

Integrating ethics into business strategy and establishing anti-fraud measures in compliance with laws.
Regularly analyzing business risks and setting standards for operating procedures and conduct guidelines.
Planning internal organization and assigning checks and balances for high-risk activities.
Promoting integrity training and awareness.
Planning and managing whistleblowing systems.
Assisting the Board and management in auditing and evaluating preventive measures and reporting compliance.

Article 18: Compliance in Business Execution

Personnel shall comply with laws and Prevention Programs when performing business activities.

Article 19: Director and Manager Conflict of Interest

The Company shall prevent conflicts of interest and provide channels for directors, managers, and stakeholders to declare potential conflicts. Those with conflicts shall abstain from discussion and voting on related matters.

Personnel shall not use their position to gain improper benefits for themselves, family, or others.

Article 20: Accounting and Internal Control

For high-risk activities, the Company shall maintain effective accounting and internal control systems, perform audits, and report results to management and the Board.

Article 21: Operating Procedures and Guidelines

Operating procedures and guidelines define attention points for directors, managers, employees, and Substantial Controllers, including: recognition of improper benefits, handling political donations, charitable donations, conflicts of interest, confidentiality, supplier/customer management, violation handling, and disciplinary measures.

Article 22: Education, Training, and Assessment

The Chairman, CEO, or senior management shall regularly communicate the importance of integrity and provide training to personnel and stakeholders, integrating policies into performance evaluation.

Article 23: Reporting and Whistleblower System

The Company shall establish reporting channels, assign responsible personnel, investigate cases, maintain confidentiality, protect whistleblowers, and reward reporting as appropriate. Significant findings shall be immediately reported to independent directors.

Article 24: Information Disclosure

The Company shall disclose integrity policy implementation on the Company website, annual reports, and public documents.

Article 25: Review and Amendment

The Company shall monitor domestic and international developments, encourage suggestions, and revise policies to enhance effectiveness.

Article 26: Enforcement

This Code is approved by the Board of Directors and reported to the Shareholders’ Meeting, and the same applies to amendments.

This Code was established on July 27, 2023 (ROC Year 112).

CHANGING Information Technology Inc.Procedures & Guidelines for Ethical Management

Article 1

Based on the principles of fairness, honesty, integrity, and transparency, the Company conducts business activities. To implement the integrity management policy and actively prevent dishonest conduct, and pursuant to the "Ethical Corporate Management Best Practice Principles for TWSE/TPEx Listed Companies" and the laws and regulations of the jurisdictions where the Company and its group enterprises and organizations operate, this Operating Procedure and Code of Conduct is established to specify matters Company personnel should observe when performing duties. The scope of this Procedure and Code of Conduct applies to the Company’s subsidiaries, foundations to which the Company directly or indirectly contributes more than fifty percent of funds, and other group enterprises or organizations with substantial control.

Article 2

“Company personnel” as used in this Procedure and Code of Conduct refers to the directors, supervisors, managers, employees, appointees, and persons with substantial control of the Company and its group enterprises and organizations.

If Company personnel obtain, promise, request, or accept any improper benefit through a third party, such conduct shall be presumed to have been carried out by the Company personnel.

Article 3

“Dishonest conduct” as used in this Procedure and Code of Conduct refers to circumstances where Company personnel, in the course of performing business, in order to obtain or retain benefits, directly or indirectly provide, accept, promise, or request any improper benefits, or engage in other conduct that violates integrity, the law, or fiduciary duties.

The targets of the preceding paragraph include public officials, political candidates, political parties or party officials, as well as any public or private enterprises or organizations and their directors, supervisors, managers, employees, persons with substantial control, or other stakeholders.

Article 4

“Benefits” as used in this Procedure and Code of Conduct refer to money, gifts, presents, commissions, positions, services, preferential treatment, rebates, facilitation payments, hospitality, entertainment, or any other items of value in any form or under any designation.

Article 5

The Company designates the Office of the General Manager as the responsible unit (hereinafter the "Responsible Unit") to handle revision, execution, interpretation, advisory services, reporting, filing, and supervision related to this Procedure and Code of Conduct. The Responsible Unit shall be primarily responsible for the following matters and shall report to the Board of Directors regularly:

Assist in integrating integrity and ethical values into the Company’s business strategy and, in coordination with laws and regulations, establish anti-fraud measures to ensure integrity management.
Regularly analyze and assess risks of dishonest conduct within the business scope, establish prevention programs accordingly, and set related standard operating procedures and conduct guidelines within each program.
Plan internal organization, staffing, and responsibilities, and establish mutual oversight and checks-and-balances mechanisms for business activities with higher risks of dishonest conduct.
Promote and coordinate integrity policy education and training.
Plan a whistleblowing system to ensure its effectiveness.
Assist the Board and management in auditing and evaluating whether the preventive measures established for integrity management operate effectively, and regularly evaluate compliance of relevant business processes and produce reports.
Prepare and properly preserve documentation related to integrity management policies, declarations of compliance, commitments, and records of implementation.

Article 6

When Company personnel directly or indirectly provide, accept, promise, or request benefits as defined in Article 4, except under the following circumstances, such actions shall comply with the "Ethical Corporate Management Best Practice Principles for TWSE/TPEx Listed Companies" and this Procedure and Code of Conduct and must be handled according to relevant procedures prior to execution:

Actions taken for business needs during domestic or overseas visits, guest reception, business promotion, or communication and coordination, carried out in accordance with local courtesies, practices, or customs.
Participation in or invitation to normal social events held for social custom, business purposes, or relationship-building.
Invitations of clients or being invited to specific business events, factory tours, etc., where the cost allocation method, number of participants, accommodation level, and duration are clearly specified.
Participation in publicly held folk festival activities open to the general public.
Rewards, relief, condolences, or tokens of appreciation from supervisors.
Provision or acceptance of money, property, or other benefits from persons who are not relatives or frequent acquaintances, or gifts given to a majority of Company personnel, provided they conform to general social norms or customary practices.
Acceptance of gifts in connection with engagement, marriage, childbirth, relocation, taking office, promotion, retirement, resignation, departure from service, or illness/injury/death of oneself, spouse, or immediate family, provided they conform to general social norms or customary practices.
Other circumstances that conform to Company regulations.

Article 7

When Company personnel are offered or promised benefits as defined in Article 4 by others, except for circumstances listed in the preceding article, they shall handle the matter according to the following procedures:

If the offeror or promisor has no official interest relation with the recipient, the recipient shall report to their direct supervisor within three days of receipt, and notify the Responsible Unit if necessary.
If the offeror or promisor has an official interest relation with the recipient, the recipient shall return or refuse the offer and report to their direct supervisor and notify the Responsible Unit; if returning is not possible, the recipient shall, within three days of receipt, hand the item to the Responsible Unit for handling.

The "official interest relation" referred to in the preceding paragraph means any of the following:

Having a commercial relationship, supervisory/command relationship, or relation involving expense subsidies (or rewards).
Seeking, negotiating, or having entered into contracting, purchasing, or other contractual relations.
Other circumstances where decisions, execution, or non-execution of Company business would result in favorable or unfavorable impact.

The Responsible Unit shall, based on the nature and value of the benefit in the first paragraph, propose actions such as returning, paying to receive, turning over to the Company, donating to charity, or other appropriate suggestions, and execute upon approval by the General Manager.

Article 8

The Company shall not provide or promise any facilitation payments.

If Company personnel provide or promise facilitation payments due to threats or coercion, they shall record the process, report to their direct supervisor, and notify the Responsible Unit.

Upon receiving such notice, the Responsible Unit shall immediately handle the matter and review related circumstances to reduce the risk of recurrence. If unlawful conduct is found, the Responsible Unit shall immediately notify judicial authorities.

Article 9

The Company may make political donations only after reporting to and obtaining approval from the General Manager and notifying the Responsible Unit, and shall handle such donations in accordance with the following provisions:

Confirm compliance with the political donation laws and regulations of the recipient's country, including limits and acceptable forms of donations.
Decisions shall be recorded in writing.
Political donations shall be accounted for in accordance with applicable laws and accounting procedures.
When providing political donations, avoid engaging in business dealings, permit applications, or other matters involving Company interests with government-related agencies.

Article 10

The Company may provide charitable donations or sponsorships only after reporting to and obtaining approval from the General Manager and notifying the Responsible Unit, and shall handle them in accordance with the following:

Comply with laws and regulations of the place of operation.
Decisions shall be recorded in writing.
Recipients of charitable donations shall be charitable organizations and not used as a disguised means of bribery.
Any return or benefit obtained from the sponsorship shall be clear and reasonable and shall not be an entity with business dealings with the Company or persons related to Company personnel.
After donations or sponsorships, confirm that the flow of funds is consistent with the donation purpose.

Article 11

If a director, manager, or other stakeholder attending or present at a Board meeting has a material interest in a matter before the Board that affects the director or the legal person they represent, the director shall state the important content of the interest at that Board meeting; if such interest may harm the Company’s interests, the director shall not participate in discussion or voting, shall recuse from discussion and voting, and shall not represent other directors to exercise voting rights. Directors shall also self-regulate and not improperly support one another.

If the director’s spouse, relatives within the second degree by blood, or a company controlled or subordinated to the director has an interest in the matter in the preceding paragraph, such interest shall be deemed the director’s personal interest in that matter.

If Company personnel discover an actual or potential conflict of interest between themselves (or the legal person they represent) and matters involving the Company, or potential situations where themselves, spouse, parents, children, or related stakeholders may obtain improper benefits, they shall report such matters to their direct supervisor and the Responsible Unit simultaneously, and the direct supervisor shall provide appropriate guidance.

Company personnel shall not use Company resources for commercial activities outside the Company, nor allow participation in external commercial activities to affect their job performance.

Article 12

The Company shall establish a dedicated unit to formulate and implement management, preservation, and confidentiality procedures for trade secrets, trademarks, patents, copyrights and other intellectual property, and shall regularly review implementation results to ensure the continued effectiveness of such procedures.

Company personnel shall strictly comply with the intellectual property procedures mentioned above, shall not disclose Company trade secrets, trademarks, patents, copyrights or other intellectual property to others, and shall not inquire into or collect Company trade secrets, trademarks, patents, copyrights or other intellectual property unrelated to their duties.

Article 13

In conducting business activities, the Company shall comply with the Fair Trade Act and related competition laws and regulations, and shall not fix prices, manipulate bids, restrict production or quotas, or share or divide markets by allocating customers, suppliers, operating areas, or types of business.

Article 14

The Company shall collect and understand laws, regulations, and international standards applicable to the products and services it provides, compile matters that require attention, and publish them so that Company personnel ensure information transparency and safety in the research, procurement, manufacturing, provision, or sale of products and services.

The Company shall establish and publish on its website a policy for protecting the rights and interests of consumers or other stakeholders to prevent products or services from directly or indirectly harming stakeholders’ rights, health, or safety. If media reports or facts indicate that the Company’s products or services may endanger consumer or stakeholder safety or health, the Company shall, in principle, recall the batch of products or suspend the service, investigate the facts, and propose corrective measures.

The Responsible Unit shall report such incidents, the handling approach, and subsequent corrective measures to the Board of Directors.

Article 15

Company personnel shall comply with securities regulations, shall not use material nonpublic information to engage in insider trading, and shall not disclose such information to others to prevent others from engaging in insider trading.

Other institutions or persons involved in the Company’s mergers, divisions, acquisitions, share transfers, major memoranda, strategic alliances, other business cooperation plans, or important contracts shall sign confidentiality agreements with the Company, undertake not to disclose Company trade secrets or other material information learned to others, and shall not use such information without Company consent.

Article 16

The Company shall require directors and senior management to issue declarations of compliance with integrity management policies and require employees to comply with integrity management policies as a condition of employment.

The Company shall disclose its integrity management policies in internal regulations, annual reports, the corporate website, or other publications, and shall declare such policies at product launches, investor briefings, and other external events so that suppliers, customers, and other business-related organizations and personnel can clearly understand the Company’s integrity management principles and rules.

Article 17

Before establishing commercial relationships with others, the Company shall evaluate the legality, integrity management policies, and any records of dishonest conduct of agents, suppliers, customers, or other counterparties to ensure their business practices are fair, transparent, and do not request, provide, or accept bribes.

In carrying out the foregoing evaluation, the Company may perform appropriate due diligence procedures to review the following items to understand the counterparty’s integrity status:

The enterprise’s country, place of operation, organizational structure, management policies, and payment locations.
Whether the enterprise has adopted integrity management policies and the state of their implementation.
Whether the enterprise’s place of operation is in a country with high corruption risk.
Whether the enterprise’s business is in an industry with high bribery risk.
The enterprise’s long-term operating status and reputation.
Consult opinions of the enterprise’s business partners about that enterprise.
Whether the enterprise has records of bribery or illegal political donations or other dishonest conduct.

Article 18

When engaging in business activities, Company personnel shall inform counterparties of the Company’s integrity management policies and related rules and shall explicitly refuse to directly or indirectly provide, promise, request, or accept any form or designation of improper benefits.

Article 19

Company personnel shall avoid conducting business transactions with agents, suppliers, customers, or other counterparties involved in dishonest conduct. Upon discovering that a business partner or collaborator has engaged in dishonest conduct, the Company shall immediately cease business dealings with such party and list them as a refused counterparty to implement the Company’s integrity management policy.

Article 20

When the Company enters into contracts with others, it shall fully understand the counterparty’s integrity status and include compliance with the Company’s integrity management policy as a contractual clause. At minimum, contracts should specify the following:

If either party becomes aware that personnel have violated contractual clauses prohibiting receipt of commissions, kickbacks, or other improper benefits, that party shall immediately inform the other party of such personnel’s identity, the manner of provision, promise, request, or receipt, the amount, or other improper benefits, provide relevant evidence, and cooperate with investigations. If a party suffers damage as a result, it may claim damages from the other party and deduct the amount from contract payments due.
If either party is involved in dishonest conduct during business activities, the other party may unconditionally terminate or rescind the contract at any time.
Establish clear and reasonable payment terms, including payment location, method, and compliance with applicable tax regulations.

Article 21

The Company encourages internal and external persons to report dishonest or improper conduct and, depending on the severity of the report, may provide rewards or discretionary bonuses. Internal personnel who make false reports or malicious allegations shall be subject to disciplinary action, and in severe cases, dismissal.

Personnel handling reports shall issue written declarations to keep the reporter’s identity and report content confidential, and the Company commits to protecting reporters from improper treatment due to reporting.

The Responsible Unit shall handle reports according to the following procedures:

Reports involving general employees shall be submitted to the department head; reports involving directors or senior management shall be submitted to the independent directors.
The Responsible Unit and the relevant supervisor or personnel receiving the report shall promptly ascertain the facts, and regulatory compliance or other related departments shall provide assistance when necessary.
If the accused is found to have violated applicable laws, Company integrity policies, or rules, the accused shall be immediately required to cease the related conduct and appropriate measures shall be taken; if necessary, the matter shall be reported to competent authorities, referred to judicial authorities for investigation, or legal action shall be taken to claim damages to protect the Company’s reputation and rights.
Records of report acceptance, investigation process, and results shall be kept in writing and preserved for five years, which may be retained electronically. If litigation related to the report arises before the retention period expires, relevant materials shall be retained until the litigation concludes.
For substantiated reports, the responsible Company units shall review related internal control systems and operating procedures and propose corrective measures to prevent recurrence.
The Responsible Unit shall report the report details, handling approach, and subsequent corrective measures to the Board of Directors.

Article 22

If Company personnel discover others engaging in dishonest conduct against the Company and such conduct involves unlawful matters, the Company shall notify judicial or prosecutorial authorities; if the conduct involves government agencies or public servants, the Company shall also notify governmental anti-corruption agencies.

Article 23

The Responsible Unit shall hold internal promotional activities from time to time and arrange for the Chairman, General Manager, or senior management to communicate the importance of integrity to directors, employees, and appointees.

If Company personnel commit serious violations of integrity, the Company shall dismiss or remove them in accordance with applicable laws or Company personnel rules.

Article 24

This Procedure and Code of Conduct shall be adopted by the Board of Directors and submitted to the Shareholders’ Meeting for report; the same applies to amendments.

When this Procedure and Code of Conduct is submitted to the Board for discussion, the views of each independent director shall be fully considered, and any dissenting or reserved opinions of independent directors shall be recorded in the minutes of the Board; if an independent director cannot attend the Board meeting to express dissent or reservation in person, except for justified reasons, they shall provide a written opinion in advance to be recorded in the minutes.

This Procedure and Code of Conduct was adopted on July 27, 2023 (ROC Year 112).

Ethical Business Practices

1. Ethical Business Practices

The Company conducts its business based on the principles of fairness, honesty, and transparency. To implement its ethical business policy, prevent misconduct, eliminate corruption and bribery, and ensure legal compliance, the Company has established the “Code of Ethical Business Conduct,” “Operational Procedures and Guidelines for Ethical Business Conduct,” “Code of Ethics for Directors and Managers,” and the “Employee Code of Ethics,” all approved by the Board of Directors.

2. Responsible Unit

The Company has designated the Corporate Governance Task Force as the responsible unit for ethical business practices, with the following duties:

Formulate and revise regulations related to ethical business conduct.
Develop programs to prevent misconduct, including relevant standard operating procedures and guidelines.
Monitor implementation and promote ethical business measures.
Report the implementation status to the Board of Directors annually.

The implementation of ethical business practices in 2025 was reported to the Audit Committee and the Board of Directors on November 10, 2025.

Implementation of Ethical Business Practices

Assessment Item	Operational Status			Differences and Reasons Compared to Integrity Management Guidelines for Listed Companies
Assessment Item	Yes	No	Summary
1. Establishment of Integrity Management Policies and Programs
(a) Has the Company established an integrity management policy approved by the Board of Directors, clearly stating the policy and practices in internal regulations and external documents, and demonstrating commitment from the Board and senior management to actively implement the policy?			The Company has approved the "Integrity Management Procedures and Code of Conduct," specifying principles and procedures for integrity management as the Company's policy and guidance, and implements it accordingly.	No significant differences.
(b) Has the Company established a risk assessment mechanism for unethical behavior, regularly analyzing and evaluating business activities with higher risk, and developing prevention programs covering the measures listed in Article 7, Paragraph 2 of the "Integrity Management Guidelines for Listed Companies"?			The Company has established the "Integrity Management Procedures and Code of Conduct," "Code of Ethics," and "Insider Trading Prevention and Major Internal Information Handling Procedures," clearly regulating how personnel prevent unethical behavior and the handling process for violations.	No significant differences.
(c) Does the Company define operational procedures, conduct guidelines, disciplinary and appeal mechanisms in the prevention programs, implement them, and regularly review and revise the programs?			The Company has clearly defined operational procedures, conduct guidelines, disciplinary and appeal mechanisms in the "Integrity Management Procedures and Code of Conduct." Employees are encouraged to report any behavior violating laws or ethical guidelines. For personnel involved in higher-risk activities, the Company regularly provides guidance to prevent unethical behavior.	No significant differences.
2. Implementation of Integrity Management
(a) Does the Company assess the integrity record of business partners and include integrity clauses in contracts?			The Company has established the "Integrity Management Guidelines" and "Integrity Management Procedures and Code of Conduct" to properly assess the integrity records of business partners. Most partners are financial institutions or government agencies with reliable integrity.	No significant differences.
(b) Has the Company set up a dedicated unit under the Board to promote integrity management and report at least annually on policy implementation, prevention programs, and supervision?			The Company Governance Group is designated as the responsible unit to revise and supervise the procedures and code of conduct. The "Integrity Management Guidelines" were approved by the Board on July 27, 2023, and future implementation will be regularly reported to the Board.	Implementation will be reported to the Board as needed.
(c) Has the Company established conflict-of-interest policies, provided appropriate disclosure channels, and implemented them?			The Company specifies in the "Board Meeting Rules" that directors must declare significant interests with matters discussed, abstain from discussion and voting if interests conflict with the Company's, and cannot represent other directors to vote. The "Integrity Management Guidelines" prohibit unethical behavior, prevent conflicts of interest, and require related units to implement the rules.	No significant differences.
(d) Has the Company established effective accounting and internal control systems, and conducted audits according to risk assessment to ensure compliance with integrity programs?			To ensure effective integrity management, the Company has established accounting and internal control systems. The audit unit regularly conducts audits according to laws and annual audit plans and reports findings to the Audit Committee. Accounting firms also audit the internal control system annually.	No significant differences.
(e) Does the Company regularly provide internal and external training on integrity management?			The Company conducts periodic training for directors, managers, and employees on the "Integrity Management Guidelines" and "Procedures and Code of Conduct" to ensure understanding of the Company's commitment, policies, prevention programs, and consequences for violations.	No significant differences.
3. Operation of the Whistleblowing System
(a) Has the Company established a specific whistleblowing and reward system, convenient channels, and assigned responsible personnel for reported subjects?			The Company has the "Integrity Management Guidelines" and "Integrity Management Procedures and Code of Conduct." Employees may report any integrity violations to supervisors or the responsible unit at any time. The Company also provides independent channels on the website, such as phone, web portal, and dedicated email. Employees, suppliers, or other stakeholders can report suspected violations anonymously.	No significant differences.
(b) Has the Company established investigation SOPs, follow-up measures, and confidentiality mechanisms for handling reports?			Standard process for handling complaints: Receive → Investigate → Handle → Improve → Report. After receiving an issue, the responsible unit follows the standard process and regularly reports progress to the complainant or inquirer. Follow-up measures and confidentiality mechanisms are implemented after investigation.	No significant differences.
(c) Has the Company taken measures to protect whistleblowers from retaliation?			The personnel handling reports maintain confidentiality. The Company ensures whistleblowers are protected from any unfair treatment due to their report.	No significant differences.
4. Enhancing Information Disclosure
Does the Company disclose its integrity management guidelines and implementation results on its website and public information observatory?			The Company discloses the "Integrity Management Guidelines" on its website and public information observatory for investor reference, and updates it in real time.	No significant differences.
5. If the Company has established its own integrity management guidelines according to the "Integrity Management Guidelines for Listed Companies," please describe any operational differences: The Company has established the "Integrity Management Guidelines" and "Integrity Management Procedures and Code of Conduct" based on the "Integrity Management Guidelines for Listed Companies." Currently, there are no significant differences between operations and the established guidelines. The Company will continue to actively implement integrity management policies in accordance with these regulations.
6. Other important information helpful for understanding the Company’s integrity management operations (e.g., reviewing or revising the established guidelines): To foster a corporate culture of integrity, healthy development, and a sound business operation model, the Board has approved the "Integrity Management Procedures and Code of Conduct." It specifies that directors, managers, employees, or those with substantial control must not directly or indirectly offer, promise, request, or accept any improper benefits, or engage in other unethical, illegal, or fiduciary-breaching actions to gain or maintain benefits during business activities.

2025 Integrity Management Implementation Status	Download
2025 Integrity Management Declaration	Download

Risk Management

On March 13, 2025, during the 11th meeting of the 11th Board of Directors, the Company approved the "Risk Management Policy and Procedures" as the highest guiding principle for implementing risk management. The Company conducts annual risk assessments, considering all risks that may affect the achievement of corporate objectives, formulates corresponding risk management policies, and ensures their implementation. Through systematic identification, measurement, and control mechanisms, the Company effectively manages risks arising from business activities, keeping them within acceptable levels and enhancing operational stability and corporate resilience.

The key risk management priorities and implementation status for 2025 were reported to the Board of Directors on November 10, 2025.

Risk Management Organizational Structure and Responsibilities

Board of Directors: The Board of Directors serves as the highest supervisory body for the Company’s sustainable development and risk management. It is responsible for overseeing the establishment and promotion of the Company’s sustainability policies, objectives, and risk management framework. The Board also regularly reviews reports on implementation progress to ensure that the Company’s operational strategies incorporate both sustainable development and effective risk control.
Audit Committee: The Audit Committee assists the Board of Directors in overseeing the operation of the Company’s internal control and risk management systems. It also reviews the effectiveness of relevant management mechanisms to strengthen corporate governance and risk control.
Corporate Governance Task Force: The Company’s sustainability-related affairs are currently coordinated and promoted by the Corporate Governance Task Force. Its primary responsibilities include planning and advancing policies and systems related to Environmental, Social, and Governance (ESG) matters; consolidating implementation results from various departments; conducting stakeholder communication and materiality analysis; and managing sustainability disclosures and corporate social responsibility initiatives. The Task Force regularly reports progress to the Board of Directors.
Internal Audit: The Internal Audit unit reports directly to the Board of Directors and is responsible for reviewing the implementation of the Company’s internal control systems and related management mechanisms. It also provides recommendations for improvement regarding the implementation of risk management and sustainability frameworks to help enhance corporate governance and management effectiveness.
Operating Units: Each operating unit implements sustainability initiatives and risk management measures in accordance with the Company’s sustainability policies and related management systems. They also collaborate with the Corporate Governance Task Force to advance related initiatives and jointly achieve the Company’s sustainable development objectives.

Risk Management Implementation

Risk Dimension	Risk Factor	Response Measures
Information Security Risk	Information Security	Obtain ISO27001 certification, conduct regular information security training, perform security drills, regularly review external security risks, and update internal systems. Implement security technologies and promote security awareness training in accordance with the company's management and IT policies.
Financial Risk	Credit Risk	CRM system overdue section: Built-in accounts receivable overdue section allows sales personnel to track overdue customers and amounts in real time, enhancing risk monitoring and early warning capabilities. Regular aging analysis reports: The finance department compiles monthly aging reports and proactively provides them to sales and management for collection and risk response planning. Overdue reporting in sales meetings: Weekly sales meetings include overdue account tracking; sales staff report collection progress and overdue handling to supervisors and develop timely response measures.
	Market Risk	Monitor domestic and international economic trends, pay attention to exchange rate and interest rate fluctuations, and respond promptly. Offer foreign clients stricter credit conditions to shorten collection periods and reduce exposure to exchange rate fluctuations. The finance department primarily invests in short-term or easily convertible financial instruments; when international interest rate policies are unfavorable, adjust fund allocation quickly while maintaining good relationships with banks to enhance liquidity and risk response capability.
	Tax Risk	Monitor tax law revisions and draft bills regularly for proactive tax planning. For major company decisions, consult professional tax advisors to address uncertain tax risks. All transactions comply with applicable tax laws and legislative intent. Utilize legal and transparent tax incentives; do not exploit laws for improper tax benefits. Tax planning is not conducted for the purpose of tax avoidance. Financial information is transparent; tax disclosures in financial reports comply with regulations and are audited by certified accountants. Maintain honest tax practices and good communication with tax authorities.
Operational Risk	Operational Risk	Establish teams for R&D, technical services, project services, quality assurance, and sales, with clear division of responsibilities. Emphasize training for new and current employees to continuously improve professional capabilities. Implement internal controls for R&D, production, and sales; conduct regular audits and reviews to reduce operational risks.
	Brand Reputation	Establish marketing audit processes, promote responsible marketing principles, and conduct regular brand reputation monitoring.
	Regulatory Compliance	Participate in compliance training courses and establish a marketing content review mechanism.
	Customer Satisfaction	Provide diverse and real-time customer service channels, including dedicated email and Line accounts, to respond quickly to inquiries; regularly conduct customer satisfaction surveys to continuously improve service processes and quality.
	Market Trend	Enhance green product marketing strategies, adjust product mix, and proactively educate the market and customers.

Risk Management Policies and Procedures	Download
2025 Risk Management Operation Status	Download

Supplier Sustainability Management

CHANGING refers to internationally recognized standards, including the UN Guiding Principles on Business and Human Rights, the International Labour Organization’s Declaration on Fundamental Principles and Rights at Work, and the UN Universal Declaration of Human Rights, to formulate its Supplier Code of Conduct. This ensures that CHANGING Information Technology Inc.'s supply chain upholds the principles of corporate governance, social responsibility, sustainable operations, and integrity in business.

Supplier Types and Proportions

CHANGING Information Technology Inc. collaborates with partners across various industries, while its upstream supply chain mainly consists of domestic and international hardware/software suppliers, distributors, and outsourced project vendors. In 2024, CHANGING procured from nearly 80 supplier partners, which can be categorized into three types: Original Manufacturers, Distributors, and Outsourced Vendors.

Local Procurement Expenditure Ratio

In 2024, CHANGING Information Technology Inc.'s local procurement amounted to NT$73 million, with domestic procurement making up the majority of total purchases. CHANGING will continue to promote local sourcing, reducing carbon footprint and demonstrating its commitment to sustainable development.

Supplier Selection and Management

CHANGING is committed to establishing a responsible and sustainable supply chain management mechanism. According to the Procurement Management Procedures, we conduct comprehensive evaluations for new suppliers, covering financial stability, technical capabilities, and quality management, ensuring suppliers maintain consistent quality and service standards. Through the annual CHANGING Supplier Satisfaction Survey, we continuously monitor and assess the performance, technical support, and service quality of both new and long-term suppliers.

To further strengthen sustainable governance across the supply chain, CHANGING will gradually implement more comprehensive supplier sustainability management systems. Corporate social responsibility, integrity in business, and sustainable development principles will be integrated into the Procurement Management Procedures, Supplier Management Procedures, and the Annual Supplier Performance Evaluation Form, serving as key references for supplier selection and management. Through these institutionalized measures, we jointly advance the practice of social and environmental responsibility.

We recognize that pursuing business growth and economic benefits must be balanced with awareness of the potential impacts on society, the environment, and local communities. Therefore, CHANGING commits to sustainable operations in its business activities, promoting responsible supply chain governance, and achieving mutual prosperity with stakeholders.

Supplier Types and Proportions

In 2024, 13 suppliers completed their annual audits covering quality, technology, and service. The audit results showed 11 suppliers passed, 1 supplier failed but improved after notification, and 1 supplier failed and is no longer engaged.

Intellectual Property Management Plan

1. Intellectual Property Management Implementation Status

The Company has established an Intellectual Property (IP) Management Plan, which is promoted and implemented by the responsible departments. The implementation status of the IP Management Plan is reported to the Board of Directors on a regular basis (at least once a year), enabling the Board to oversee the Company’s IP management and protection practices and supervise the continuous improvement of related mechanisms. The 2025 IP Management Plan and its implementation status were reported to the Board of Directors on August 11, 2025.

2. Purpose

The Company has established an Intellectual Property Management Plan to ensure effective protection and proper utilization of trademarks, patents, copyrights, and trade secrets. This strengthens corporate governance and board oversight, safeguards business interests and competitive advantage, and demonstrates our governance philosophy and core values.

To reduce the risk of intellectual property infringement, the company implements a systematic management mechanism that covers the entire lifecycle from creation, protection, management, to utilization. Regular training and internal awareness programs are conducted to enhance employees' understanding and management of intellectual property, thereby ensuring effective implementation of IP management and supporting sustainable growth and continuous innovation.

3. Strategy

Trademark Registration: Strategically name products and services and register trademarks to enhance market competitiveness and prevent infringement.
Enhance IP Awareness: Conduct periodic training and internal campaigns to improve employees' understanding and appreciation of intellectual property, developing their ability to identify, use, manage, and protect company IP.
Systematic Trade Secret Management: Protect core technologies that cannot be covered by patents or other registrations (e.g., algorithms, business models, customer data processing) as trade secrets, using documentation, labeling, access control, and other systematic measures for risk management.
Strengthen Information and Confidential Data Protection: Establish clear confidentiality policies, implement data classification and access control mechanisms to reduce the risk of leaks. The company has formulated a Confidential Information Management Procedure to manage sensitive files and guide internal departments in handling confidential data.

4. Implementation

Trademarks and Patents:
1. Registered 17 trademarks including FastSIGN, IDExpert, inSAFE, and obtained trademark certificates in Taiwan. Filed 4 patent applications. All trademark certificates and expiration dates are systematically managed with regular renewal tracking.
2. To strengthen employees' IP protection awareness, the company continuously conducts IP-related training covering trademarks, patents, and software copyrights, effectively improving overall patent and R&D management efficiency.

Trade Secrets:
1. Established comprehensive information security mechanisms and internal access controls. Using version control, access logs, authentication, and encryption technologies to prevent confidential information leaks, with regular risk assessments and audits to ensure continued effectiveness.
2. All new employees sign a Confidentiality Agreement on their first day to enforce trade secret management, increase awareness of trade secret protection, and reduce the risk of leaks.

CorporateGovernance

CHANGING Information Technology Inc. Code of Integrity Management

Article 1: Purpose and Scope

Article 2: Prohibition of Unethical Behavior

Article 3: Forms of Benefits

Article 4: Compliance with Laws

Article 5: Policies

Article 6: Prevention Programs

Article 7: Scope of Prevention Programs

Article 8: Commitment and Implementation

Article 9: Ethical Business Activities

Article 10: Prohibition of Bribery and Acceptance of Bribes

Article 11: Prohibition of Illegal Political Donations

Article 12: Prohibition of Improper Charitable Donations or Sponsorships

Article 13: Prohibition of Unreasonable Gifts, Services, Entertainment, or Other Improper Benefits

Article 14: Prohibition of Intellectual Property Infringement

Article 15: Prohibition of Unfair Competition

Article 16: Prevention of Product or Service Harm to Stakeholders

Article 17: Organization and Responsibility

Article 18: Compliance in Business Execution

Article 19: Director and Manager Conflict of Interest

Article 20: Accounting and Internal Control

Article 21: Operating Procedures and Guidelines

Article 22: Education, Training, and Assessment

Article 23: Reporting and Whistleblower System

Article 24: Information Disclosure

Article 25: Review and Amendment

Article 26: Enforcement

CHANGING Information Technology Inc.Procedures & Guidelines for Ethical Management

Article 1

Article 2

Article 3

Article 4

Article 5

Article 6

Article 7

Article 8

Article 9

Article 10

Article 11

Article 12

Article 13

Article 14

Article 15

Article 16

Article 17

Article 18

Article 19

Article 20

Article 21

Article 22

Article 23

Article 24

Ethical Business Practices

1. Ethical Business Practices

2. Responsible Unit

Implementation of Ethical Business Practices

Risk Management

Risk Management Organizational Structure and Responsibilities

Risk Management Implementation

Supplier Sustainability Management

Supplier Types and Proportions

Local Procurement Expenditure Ratio

Supplier Selection and Management

Supplier Types and Proportions

Intellectual Property Management Plan

1. Intellectual Property Management Implementation Status

2. Purpose

3. Strategy

4. Implementation

Corporate
Governance