INFORMATION SECURITY ON THE IGUIDE.AI E-COMMERCE PLATFORM
1. Objectives
iGuide.ai employs technical and organizational measures to:
- Ensure the safety, integrity, and security of User and Service Provider (SPP) data on the iGuide.ai e-commerce platform;
- Prevent and minimize the risk of unauthorized access, misuse, unauthorized disclosure, loss, misplacement, alteration, or destruction of data;
- Comply with Vietnamese laws and regulations regarding information security, cybersecurity, and personal data protection.
2. Security Principles
Information security on the iGuide.ai platform is implemented according to the following principles:
- Minimize data: Data will only be collected and stored to the extent necessary to provide services, fulfill contractual obligations, and comply with legal regulations;
- Restrict access and ensure use is for its intended purpose: Personal data and transaction data are only accessed by authorized individuals/departments for purposes that have been disclosed and/or required by law;
- Protection through appropriate technical and organizational measures: Apply a combination of technical, operational, and internal governance measures to protect information throughout the data processing lifecycle;
- Regular review and improvement: Regularly assess, review, and upgrade security measures as needed to meet changes in technology, operating models, and legal requirements.
3. Technical measures for information protection
3.1. Security during data transmission and storage
- All data transmission between the User/Service Provider device and the iGuide.ai system is carried out via a secure protocol (HTTPS/TLS) to encrypt the content exchanged during transmission;
- User and vendor account passwords are encrypted/hashed using appropriate algorithms before being stored in the system;
- Depending on the nature of the data, iGuide.ai applies encryption, anonymization, or pseudonymization measures to minimize the risk of data leakage in the event of an incident;
- iGuide.ai does not store Users' bank card or credit card details. All payment transactions are conducted through licensed intermediary payment gateways that apply encryption and security mechanisms meeting applicable standards (including PCI DSS or equivalent, as prescribed by law and industry standards).
3.2. Access control and system infrastructure
- The database system and application servers are deployed in a data center environment located in Vietnam, meeting appropriate operational safety standards (e.g., Level I or higher), with physical access control and security monitoring;
- Restrict direct access to the database; only authorized technical accounts are permitted to operate it, based on strict role-based access control and the "need-to-know/need-to-use" principle.
- Implement infrastructure-level protection measures such as firewalls, network separation, secure configuration of operating systems and server software, and security patch updates when necessary;
- Internal system login is controlled through a mechanism of employee account authentication, functional authorization, and recording of transaction history on the administration system.
3.3. Security logging, monitoring, and alerts
- The iGuide.ai system stores access logs, system logs, and application logs only as much as necessary for monitoring, reconciliation, and investigation purposes when anomalies are detected.
- Implement security monitoring mechanisms and alert systems for unusual access, exceeding thresholds for failed login attempts, and detecting suspicious activity such as attacks or vulnerability exploitation.
- System logs are retained for a reasonable period, in accordance with legal requirements and operational needs, and then deleted, cold-stored, or anonymized when no longer needed.
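The alerting rule this section mentions, a threshold on failed login attempts, is illustrated below with an added example that is not iGuide.ai's own code. It parses constructed authentication log lines (the line format, the five-failure threshold and the ten-minute window are all assumptions for the example), keeps a sliding window of failures per account and per source address, and raises one alert the first time either key crosses the threshold. Keying on the source address as well as the account is what lets the rule notice a burst that spreads one failure across many accounts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed log line format for this example: "<ISO-8601 UTC> auth OK|FAIL user=<name> ip=<addr>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Assumed detection parameters.
THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_failed_login_bursts(lines, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> List[dict]:
    """Return one alert per account or source address whose failed logins
    within `window` reach `threshold`. Lines are assumed to be in time order."""
    windows = defaultdict(deque)  # (kind, value) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        for key in (("user", ev["user"]), ("ip", ev["ip"])):
            dq = windows[key]
            dq.append(ev["ts"])
            # drop failures that fell out of the sliding window
            while dq and ev["ts"] - dq[0] > window:
                dq.popleft()
            if len(dq) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append(
                    {"kind": key[0], "value": key[1], "count": len(dq),
                     "first": dq[0], "last": ev["ts"]}
                )
    return alerts


# Constructed sample log: one account failing repeatedly from one address,
# then one address failing once against each of several accounts.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z auth FAIL user=alice ip=203.0.113.5",
    "2024-05-01T10:00:09Z auth FAIL user=alice ip=203.0.113.5",
    "2024-05-01T10:00:15Z auth OK user=bob ip=198.51.100.7",
    "2024-05-01T10:00:20Z auth FAIL user=alice ip=203.0.113.5",
    "2024-05-01T10:00:31Z auth FAIL user=alice ip=203.0.113.5",
    "2024-05-01T10:00:45Z auth FAIL user=alice ip=203.0.113.5",
    "2024-05-01T10:01:00Z auth FAIL user=bob ip=198.51.100.7",
    "2024-05-01T10:01:02Z auth FAIL user=carol ip=198.51.100.7",
    "2024-05-01T10:01:04Z auth FAIL user=dave ip=198.51.100.7",
    "2024-05-01T10:01:06Z auth FAIL user=erin ip=198.51.100.7",
    "2024-05-01T10:01:08Z auth FAIL user=frank ip=198.51.100.7",
    "this line is malformed and is skipped",
]


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_LOG):
        print(f"ALERT {alert['kind']}={alert['value']} failures={alert['count']} "
              f"between {alert['first'].isoformat()} and {alert['last'].isoformat()}")
```

In production the same logic would read from the log pipeline rather than a list, and the alert record would carry enough context (account, address, window) for the on-call engineer to decide between a lockout, a rate limit, or a false positive.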
3.4. Data backup, recovery, and service continuity
- Perform automatic/periodic data backups for critical system components (databases, system configurations, source code as needed) to ensure recovery in case of failure;
- Backup data is stored securely, with controlled access, and undergoes regular recovery testing according to internal procedures.
- Develop contingency plans and disaster recovery plans (DRP/BCP) appropriate to the scale and nature of the platform's operations to minimize service downtime in the event of an incident.
3.5. Payment and Financial Information
- Online payment transactions are conducted through authorized payment gateways licensed by competent authorities;
- Sensitive payment information (card number, CVV code, PIN, etc.) is not stored on iGuide.ai's system; payment partners are responsible for applying card information security standards as prescribed (e.g., PCI DSS) and relevant legal regulations;
- iGuide.ai only retains essential transaction information (e.g., transaction code, status, payment method, order value) for reconciliation, accounting, and legal purposes.
4. Organizational and management measures for security
4.1. Internal confidentiality regulations and delegation of responsibilities
- iGuide.ai issues, maintains, and updates internal regulations and procedures regarding information security, personal data protection, system access management, and security incident management;
- Clearly define the responsibilities and authority of the relevant departments (technical, operations, customer service, legal, etc.) in receiving, processing, and protecting information;
- All personnel with access to User/Service Provider data must adhere to a confidentiality agreement and must not disclose or misuse the data for any purpose outside the scope of their assigned duties.
4.2. Training and raising awareness on information security
- Regularly organize or integrate training and guidance on information security, personal data protection, and recognizing phishing attacks (phishing, social engineering, etc.) for internal staff;
- Timely updating and dissemination of new legal regulations, standards, and recommendations on information security related to e-commerce platform operations.
4.3. Managing infrastructure service providers, partners, and suppliers
- iGuide.ai includes binding obligations regarding data security and the protection of User and Supplier information in its contracts/partnerships with:
  - Partners providing technical infrastructure (data centers, cloud computing, etc.);
  - Partners providing payment services, technical support, or operational services related to data processing;
  - Travel and related service providers (NCCs) that may access User data transferred by iGuide.ai for the purpose of providing services.
- Require third parties to adhere to appropriate security standards and only process data for the purposes and scope permitted by iGuide.ai or as required by law.
5. Handling information security incidents
5.1. Incident reception and assessment
Upon detecting or suspecting a data leak, loss, unauthorized access, or cyberattack related to data on the iGuide.ai platform, we will:
- Gather initial information from monitoring systems, user/supplier feedback, or partner reports;
- Assess the level of impact and scope of influence (data type, number of records, related parties).
5.2. Isolation and troubleshooting
Based on initial assessments, iGuide.ai will proceed urgently:
- Implement necessary technical measures to isolate the source of the incident, preventing further unauthorized access or spread of the attack;
- Collaborate with infrastructure partners, payment partners, and stakeholders to investigate the root cause and restore the system to a safe state;
- Fix, patch, adjust configurations, or implement additional security measures (if necessary) to limit the likelihood of recurrence.
5.3. Notifying Users and competent government agencies
- Where required by law or deemed necessary to protect the legitimate rights of Users/Suppliers, iGuide.ai will notify relevant parties about the security incident, its impact, and recommend self-protection measures (e.g., changing passwords, reviewing transactions, etc.);
- Notification and reporting to competent state authorities (if mandatory) will be carried out in accordance with the procedures, formalities, and deadlines stipulated by current law.
5.4. Review and prevent recurrence
After the issue is resolved, iGuide.ai will:
- Review and reassess the relevant internal technical systems and processes;
- Record and summarize lessons learned, update policies/procedures, and strengthen technical and organizational measures to prevent similar incidents in the future.
This policy is part of the iGuide.ai e-commerce platform's operating regulations and may be reviewed and updated periodically to comply with legal requirements and operational realities. Any modifications or additions (if any) will be publicly announced on the iGuide.ai system as per regulations.