Handling of Pseudonymized Information

1. Use of Pseudonymized Information

   • Classification: Scientific research (technology development)

   • Purpose of processing: Development and analysis of credit rating models

   • Items processed: App activity information collected through the Tomoarrow service and summary information processed from account and card transaction information, etc.

     • Service usage information

     • Account information

     • Card information

     • Integrated spending information

     • Remittance information

     • App usage information

   • Retention period: Until the purpose is fulfilled after receiving the combined information (1 year)

2. Provision of pseudonymized information to third parties

• To whom: (to be disclosed after finalizing the financial institution)

• Purpose of provision: (to be disclosed after finalization)

• Items to be processed: Personal credit information and alternative information

• Retention period: Until the purpose is fulfilled or the contract is terminated

3. Measures to secure the safety of pseudonymized information

1. Administrative measures

   • Establish and implement an internal management plan for pseudonymized information

   • Periodic training of pseudonymized information handlers

2. Technical measures

   • Manage access rights to the personal information processing system

   • Installation and operation of intrusion prevention system and intrusion detection system

   • Blocking external internet networks (network separation)

   • Secure password management (setting and operating standards such as password creation method and change cycle)

   • Manage access log records

   • Encrypt and securely store and transmit pseudonym information

   • Installing antivirus software and periodically updating and checking it

3. Physical measures

   • Implementing access control for computer rooms, archives, etc.