Data Security and Privacy Protection Policy

I. Purpose

Concord New Energy Group Limited (“the Group”) strictly follows all laws and regulations on information security and privacy protection in the jurisdictions where it operates. The purpose of this policy is to clarify the Group’s responsibilities and obligations in respect of information security and privacy protection, and to ensure that the Group values and safeguards information security and customer privacy while pursuing business development.

II. Applicability

The Policy is applicable to all employees of the Group (including regular employees, part-time employees, temporary workers, Senior Management and Directors of the Group and its affiliates). The Group encourages suppliers and business partners to jointly adhere to this Policy.

The Policy shall be read together with all other Group policies relevant to the topics specified herein, including the ” Code of Ethics & Conduct”, etc.

III. Policy Statement

1. Management Method

• The Group attaches great importance to information security and privacy protection matters and has established a comprehensive information management process, including but not limited to information storage, transmission, use and destruction, to strictly abide by the red line of information security and guard the rights and interests of customers.

• The Group closely monitors changes in laws and regulations and continuously assesses possible information security and privacy protection risks in business segments. The Group incorporates information security and privacy protection risk management into the Group’s risk management system, prioritizes them annually according to their impact level, and formulates targeted risk mitigation measures.

• The Group clearly identifies the person responsible for information security and privacy protection. IT professional departments at all levels are responsible for the overall security of the information system and ensure the implementation of the management system related to information security and privacy protection. The Chair of the ESG Committee assumes the highest management responsibility for the Group’s information security and privacy protection matters.

• The Group maintains a zero-tolerance attitude towards incidents of information leakage and infringement of customers’ privacy. Individuals who intentionally leak important, sensitive or other information of the Group that is subject to the information security protection requirements, as well as those who steal or maliciously infringe upon the privacy of customers and other information that will cause an actual impact on the Group will be punished in accordance with the severity of the incident, including, but not limited to, interviews, performance deduction, termination of employment contracts, and report to the authorities.

2. Requirements on Information Security Management

• Adopting technical measures to strengthen the security of networks and information systems to prevent hacker attacks, computer virus attack and other risks.

• The Group manages computing resources in public and private clouds in a unified manner, which clarifies responsibilities of personnel, grants and withdrawals permission timely during IT O&M.

• External audits of the information security management system are conducted regularly, and immediate steps are taken to repair and remediate if any information security vulnerabilities and risks are identified.

• Information security emergency response mechanisms and incident response procedures are tested annually to determine security and effectiveness.

3. Requirements on Privacy Protection Management

• For businesses that have access to customers’ personal data, the Group will clearly inform customers of the types of information that will be collected and used, how the Group will use such information, how long the information will be retained by the Group, and how the Group will protect such data prior to data collection.

• When customers use the products/services provided by the Group, the Group also provides customers with convenient data management options so that they can make appropriate choices and manage their personal data effectively. The data management options we provide to our customers include:

• Before using our products and services, the Group will ask customers whether they allow us to collect their personal data and obtain their authorized consent.

• Customers can choose to change the scope of their authorization or withdraw their authorization, as well as to cancel their account and related information.

• Customers could submit requests to the Group for the transfer, correction and erasure of their personal data.

• The Group handles customers data in a prudent manner in accordance with the principles of necessity and data minimization when cooperating with third parties and restricts third parties’ involvement in processing user data.

• When responding to requests from regulatory and law enforcement authorities to access customers’ personal data, The Group will ensure compliance with all applicable laws and regulations of the jurisdictions in which the products or services are offered.

• Internal audit on privacy protection is conducted annually to confirm the effectiveness of privacy policy and management system. Where necessary, the Group will engage an external third party to conduct an independent audit on the privacy management system.

4. Employee Engagement

• Promoting information security-related training continuously to improve employees’ awareness of information security.

• Employees should follow “Network and Information System Security Incident Response Plan”, once they notice suspicious activities.

• For specific positions (including but not limited to information technology-related positions), the Group includes information security and privacy protection as part of performance evaluation.

IV. Compliance with the Code

• This policy shall take effect from the date of publication and shall be strictly observed by the relevant departments of the Group.

• The Group shall set up a supervision department on information security to supervise and inspect the implementation of the policy.

V. Policy Review

• The Group will conduct necessary reviews of the Code at regular intervals.