Cybersecurity Risk Management Strategy

Cybersecurity risk management is an integral part of our overall risk management program. Currently, we have implemented a comprehensive risk management process to identify, oversee, assess, and manage material risks related to cybersecurity threats. We have also devised corresponding management measures to prevent, oversee, mitigate, and rectify material cybersecurity incidents.

We have established a comprehensive cybersecurity defense system to effectively mitigate both internal and external cybersecurity risks. We employ various methods to manage cybersecurity risks and safeguard information security. These methods include, implementing technical safeguard measures, establishing and adhering to compliance procedures, implementing vulnerability discovery and reward mechanisms, conducting real-time monitoring of our network, evaluating cybersecurity measures of third-party suppliers, maintaining a robust response mechanism for cybersecurity incidents, providing quarterly cybersecurity training for employees, and participating in cybersecurity drills organized by the local administrative department. In particular, our IT department regularly monitors the performance of our platforms, applications and infrastructure, which enables us to swiftly respond to any potential cybersecurity vulnerabilities and mitigate associated threats.

Cybersecurity Risk Management Practice

In 2025, we have not experienced any cybersecurity incidents or cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. Additionally, we obtained a Level 3 certification for Information System Security Protection in 2017 in accordance with the standards promulagated by the Chinese Ministry of Public Security, a Level 3 certification for Communication Network Security Protection in 2022 in accordance with the standards promulagated by Chinese Ministry of Industry and Information Technology, and successfully completed annual assessments for the relevant security certifications in the subsequent years.

However, despite our abovementioned efforts, as the complexity of cybersecurity threats continues to evolve, there may still persist vulnerabilities in the cybersecurity risk prevention and network information system protection measures. Even with a meticulously crafted and implemented prevention mechanism, we may not be able to completely eliminate all risks from cybersecurity threats, including those risks caused by improper use of artificial intelligence technology by third-parties. Moreover, we may not be able to predict new type of cybersecurity threats amidst rapid technological advancements, which could result in our inability to timely implement effective preventive measures. Consequently, these potential cybersecurity incidents could introduce new risks to our business operations in the future. For more information about these risks, please see “Item 3. Key Information—3.D. Risk Factors—Risk Related to Our Business and Industry— We rely significantly on information technology and any failure, inadequacy, interruption or security lapse of that technology, including any cybersecurity incidents, could harm our ability to operate our business effectively.” on page 56 of this annual report.

Cybersecurity risk management is an integral part of our overall risk management program. Currently, we have implemented a comprehensive risk management process to identify, oversee, assess, and manage material risks related to cybersecurity threats. We have also devised corresponding management measures to prevent, oversee, mitigate, and rectify material cybersecurity incidents.

We have established a comprehensive cybersecurity defense system to effectively mitigate both internal and external cybersecurity risks. We employ various methods to manage cybersecurity risks and safeguard information security. These methods include, implementing technical safeguard measures, establishing and adhering to compliance procedures, implementing vulnerability discovery and reward mechanisms, conducting real-time monitoring of our network, evaluating cybersecurity measures of third-party suppliers, maintaining a robust response mechanism for cybersecurity incidents, providing quarterly cybersecurity training for employees, and participating in cybersecurity drills organized by the local administrative department. In particular, our IT department regularly monitors the performance of our platforms, applications and infrastructure, which enables us to swiftly respond to any potential cybersecurity vulnerabilities and mitigate associated threats.

Our board of directors has overall oversight responsibility for our risk assessment and management of crises resulting from material risk events. Our audit committee is delegated to oversee our cybersecurity-related management. Supported by our internal audit and internal control departments, the audit committee receives reports concerning cybersecurity from our internal audit and internal control departments at least once a year.