Corporate Social Responsibility

Adhere To The Principle Of Sustainable Development To Create A Better Life

Corporate Governance


We consistently comply with applicable laws, regulations, and regulatory requirements, and continuously enhance our governance standards to ensure the lawful and compliant operation of our business.

Compliance Management


Joincare adheres to a path of compliance and prudent operations, actively contributing to the creation of social value. We are committed to building a robust compliance management system to ensure high-quality and standardized operations. In addition, the Group conducts comprehensive audits of all subsidiaries on an annual basis, with audit coverage spanning all areas of operation. In 2025, the Risk Management Department conducted comprehensive audits of all the Group's subsidiaries in strict accordance with the annual plan, covering all business segments. Joincare Haibin has obtained ISO 37301 Compliance Management System certification, which remains valid as of 2025.

 

The compliance management performance in 2025 is as follows:

0 cases of embezzlement and bribery;

0 cases of fraud;

0 cases of money laundering;

0 conflicts of interest;

0 cases of discrimination and harassment;

0 cases of customer privacy data breaches.

Risk Management


The Group has established a well-developed risk management system. It has formulated and implemented the Comprehensive Risk Management System, and established and improved the "Three Lines of Defense" framework for risk management and internal control to regulate the risk assessment and management process. We also set overall risk management goals to improve overall risk prevention and control. The Board of Directors, as the highest decision-making body in comprehensive risk management, supervises risk management practices. The Strategy and Risk Management Committee reviews the effectiveness of overall risk identification, assessment, internal management and monitoring procedures. The management, as the execution body, is responsible to the Board of Directors for the effectiveness of comprehensive risk management. All functional departments support the implementation of risk management procedures. The Risk Management Department, as the leading management department of comprehensive risk management, conducts risk management under the guidance of the Strategy and Risk Management Committee.

 

We have formulated effective risk management processes and are committed to minimizing the impact of adverse factors and ensuring the Group's stable and high-quality development. We continuously collect information, identify the company's internal and external risks, formulate comprehensive risk management strategies, implement risk response measures, and monitor and warn against risks. We regularly report on risks, supervise and evaluate the implementation and effectiveness of risk management, and remediate identified issues. Annually, we review the company's risk exposures, conduct internal control evaluations for financial and non-financial risks in the company's main businesses and high-risk areas, and, when necessary, engage independent third-party institutions to conduct external risk audits. Risk management implementation and audit results will be incorporated into the performance appraisals of managers and employees at all levels.

Information Security


Joincare has established a comprehensive information security management system and formulated group-wide information security management policies and standards, including the Information Security and Privacy Protection Policy, the Management System for the Security of Computer Information System, the Management Requirements for IDC Data Center Operation and Maintenance, the Backup System and the Process of Reporting Suspicious Affairs of Information Security. We have established a Group information security management organizational structure, with the CEO serving as the highest responsible person for information security management. We have also appointed a Chief Information Officer (CIO) to comprehensively oversee information security management, data governance, and IT construction work. The CIO has extensive experience in the field of information security strategy, ensuring the efficient and stable operation of the Group's information security system. Our information security and technology team members also hold certifications including Microsoft Certified Systems Engineer (MCSE), Microsoft Certified IT Professional (MCITP) and Cisco Certified Network Associate (CCNA). Drawing on their deep expertise in large-scale enterprise-level network architecture design, secure communications, and system stability operations and maintenance, the team has built a multi-dimensional defense system, providing security, stability, and reliability for the Group's information assets and network environment.

 

To rigorously safeguard customer data security, the Group continuously monitors the use of customer data for secondary purposes—defined as any application of customer data beyond its initially intended scope. This includes utilizing data for targeted advertising, enhancing corporate products or services, and transferring data or information to third parties through selling, renting, or sharing. In 2025, the Group did not use any customer data for secondary purposes.

 

Information Security-Related Business Continuity Plans

To effectively respond to unexpected disaster events, the Group has formulated and implemented the Network Server System Emergency Plan and Information System Disaster Recovery Plan. These plans clearly define the response mechanisms, handling procedures, and mitigation measures in the event of an emergency. Regular emergency drills are conducted to test the feasibility and completeness of these plans, thereby strengthening our information security defenses and ensuring business continuity. We also conduct annual tests on backup appliances and carry out data disaster recovery drills to verify the effectiveness of related contingency plans.

 

Annual Information Security Vulnerability Analysis

As part of our daily operations, the Group has deployed Endpoint Detection and Response (EDR) systems to defend against malware attacks on endpoint devices. We have implemented next-generation firewalls and conducted network penetration testing to assess system security in depth, alongside regular security assessments, vulnerability scanning, and analysis. In addition, we have established an Intrusion Prevention System (IPS) centered on intrusion detection, leveraging multi-layered defense technologies to accurately identify security threats in real time and promptly halt intrusion activities.


Information Security Audits

The Group is committed to continuously enhancing its information security management. Each year, we engage independent third-party institutions to conduct audits of our information systems and related security policies. In parallel, we carry out internal audits covering the information security management system, IT infrastructure, and operational environments to ensure the effective functioning of our information security framework. We protect the identity, disease, biological sample, and other information of trial subjects from disclosure through measures such as anonymization, coding, and dedicated management. During the year, the Group had no information security or privacy breach incidents.

 

Escalation Process for Employees to Report Incidents, Vulnerabilities or Suspicious Activities

Joincare has established a structured procedure for employees to report information security incidents, vulnerabilities, or suspicious activities. This process covers detection, internal reporting, incident assessment, response, feedback, and communication, with detailed guidelines provided for each stage. Employees who identify any suspicious activities, vulnerabilities, threats, or violations related to information security are required to promptly document the relevant details—such as time, location, individuals involved, and a description of the incident—and report them to the Information Security Team via email, the internal reporting system, or other designated channels. The Information Security Team will then assess and investigate the reported incident and take appropriate actions, which may include patching vulnerabilities, enhancing security measures, activating the incident response plan, initiating legal procedures, or other necessary steps. Timely updates and feedback will be provided to the reporting employee throughout the process.

 

Information Security and Privacy Protection Training

We require all Group employees to participate in information security and privacy protection training. We regularly organize information security training courses and incorporate them into the new employee onboarding training system. We also use online training formats to teach employees about information security, covering major information security risks, defensive measures, and key security precautions in daily work. During the National Cybersecurity Awareness Week, we share information security prevention knowledge through the Feishu platform as part of our commitment to improving all employees' information security awareness and risk prevention capabilities. In 2025, data security and privacy protection training covered all employees.