Safe and Stable Operations

Operational safety and stability represent one of our core value objectives. With comprehensive security strategies and advanced technical measures, the Group spares no effort to ensure business continuity and data security.

Operation Safety and Business Continuity

VNET has always adhered to delivering high-quality and sustainable internet infrastructure services. It pays close attention to and effectively manages the internal and external risks faced in business operations to ensure the security, stability, and continuity of business operations.

In terms of safety operations, we first prioritize site selection of data centers in regions that are far from significant natural and geographical risks to minimize the impact of natural disasters on operations. Data center designs strictly adhere to Level A standards outlined in the Code for Design of Data Centers (GB 50174-2017) and meet the physical environment security requirements of Level 3 Cybersecurity Protection Standards. A rigorous physical access control system has been established, including security personnel, smart turnstiles, and access authorization systems at data center and office entrances to strictly manage entry permissions according to access authorizations. Comprehensive surveillance systems cover all internal and perimeter areas of data centers, ensuring no security blind spots.

The Group has established and effectively operated a business continuity management system. We have formulated and continuously evaluated the Business Continuity Management Strategy, Business Impact Analysis, and Business Continuity Plan with timely updates based on actual needs to ensure that the control measures of the strategies and procedures remain appropriate, sufficient, and effective. Comprehensive business impact analysis and risk assessments are conducted for data centers to ensure key businesses can operate continuously, or that they recover to acceptable service levels within predefined timelines during major security incidents, disasters, or operational disruptions. Additionally, the Group has established a dual supervision mechanism combining annual internal audits and unannounced inspections to assess the operation and maintenance quality of data centers nationwide, ensuring safe operations and business continuity of data centers.

Meanwhile, each business unit has developed Emergency Response Plans tailored to their operational activities and risk scenarios, conducts regular drills, and refines emergency procedures through post-event reviews to enhance emergency management capabilities. Currently, multiple sites involved in the main business have been certified with the Business Continuity Management System (ISO 22301). In 2025, Building A of VNET’s Taicang data center was awarded the Uptime Institute Management & Operations (M&O) certification, fully demonstrating our professional capabilities in data center operation management and resilience.

Cybersecurity and Privacy Protection

Leveraging its extensive security management expertise, VNET continuously enhances operational capabilities for data centers and cloud service platforms through a robust cybersecurity management framework, rigorous data protection protocols, and advanced risk management procedures. Operational management capabilities of data centers and cloud service platforms are strengthened to provide solid safeguards for cybersecurity and privacy protection. In April 2025, VNET became one of the first enterprises to join the “IDC Customer Data Security Protection Initiative”.

· Management Structure and System

VNET strictly adheres to cybersecurity and privacy protection laws and regulations in the regions where we operate and continuously strengthens the management system construction and implementation. We have formulated and implemented policies such as the Network and Information System Management Regulations, Information Security Management Requirements, and Information Security Risk Management Procedures. These policies define cybersecurity management responsibilities across all business processes and provide clear, standardized guidance for daily operations. Meanwhile, we have established a group-wide Privacy Statement, which clarifies the type and nature of the information that may be collected, usage methods and purposes, consent mechanisms, information retention, storage, and protection, to comprehensively safeguard customer privacy security.

The Group has established a sound information security governance structure to oversee and execute information security (including data and privacy protection). The Audit Committee of the Board of Directors is responsible for ensuring that management establishes corresponding processes to identify and assess cybersecurity risks faced by the Company and formulate relevant response measures, while supervising the disclosure of cybersecurity matters in the periodic reports of the Group. The Group’s information security program is coordinated and overseen by the Chief Information Security Officer (CISO), with collaboration across businesses and functions and input from both management and the Board of Directors. The CISO is responsible for developing and executing the Group’s information security strategy, with the primary goal of safeguarding the Group’s information and technical assets. This includes monitoring, reporting, managing and remediating cyber threats.

The Group actively engages in certification efforts related to information security and privacy protection to consolidate and enhance its information security protection capabilities. At present, the Group has obtained the Information Technology Service Management System (ISO/IEC 20000) and the Information Security Management System (ISO/IEC 27001) certifications across all business types1. Furthermore, the online services operated by VNET have obtained the Code of practice for protection of personally identifiable information in public clouds (ISO/IEC 27018) certification.

Guided by our information security policies and objectives, the Group conducts regular internal audits focused on management compliance reviews, covering operational management, service delivery, information security, business continuity, etc. Additionally, the Group annually employs external professional institutions to perform third-party security audits, providing objective evaluations of data center operational management, identifying and eliminating security risks, and continuously advancing business management toward greater standardization and security. For validating the security and availability of internet data center services, we engage independent third parties to conduct SOC 2 Type II audit. 21Vianet Blue Cloud has obtained 9 Trusted Cloud certifications from the China Academy of Information and Communications Technology and passed SOC 1 Type II, SOC 2 Type II, and SOC 3 audits by independent third parties.

· Guarantee Measures

◇ Cybersecurity

VNET primarily offers data center colocation services, which involve leasing IT equipment hosting space, internet access bandwidth, and network links to clients, along with providing data center O&M support. Customers retain full management authority over their servers, and the Group does not directly or indirectly access data or information stored within their servers. Physical security protection capabilities are further strengthened to provide a reliable physical environment for stable operation of customer IT equipment, effectively safeguarding both physical integrity and operational reliability.

Regarding cybersecurity and network perimeter defense, we strictly adhere to the Group’s cybersecurity management and data protection policies to ensure that all kinds of risks are timely and effectively controlled, thereby protecting the security of the Group’s networks and data assets.

◇ Privacy Protection

To more precisely identify sensitive information and prevent privacy leaks, we have implemented data classification and grading management for corporate data and information. In 2025, a data security risk assessment report was completed, and targeted measures were created for data of varying risk levels and identified issues.

VNET has integrated privacy protection measures into the development of products and services. We conduct privacy impact assessments and, by deploying a private cloud and implementing data encryption, access control, backup and disaster recovery and other measures, this fosters a highly secure and controllable data storage and processing environment for products and services development.

We have set the Personal Information Collection Notice applicable to all visitors, which clarifies that the Group only collects the personal information necessary for visitor management and keeps the information collected and used strictly confidential. We uphold our responsibility in not disclosing, tampering with, selling, or illegally providing information to third parties. The relevant information is deleted proactively and securely handled after visitors leave. For confidential or sensitive data such as information on customer projects and personal identifiable information, we enforce stringent access control management to strengthen the security of data access. To prevent data leakage, the Group enables hard disk encryption and installs data loss prevention software on office computers. Third-party vendors operating on-site must use laptops provided by the Group with designated internally managed accounts that adhere to the principle of least privilege for system access. In addition, the Group collaborates with qualified data destruction service providers to ensure that end-of-life IT equipment undergoes rigorous degaussing, secure erasure, and physical destruction of storage media, thereby eliminating residual data exposure risks.

· Capability and Culture Building

To strengthen employees’ awareness and capabilities in cybersecurity and privacy protection, we offer targeted training that encompasses various aspects such as information security laws and regulations, systems, concepts, and technologies. The training is tailored to the diverse data security risks associated with different positions. All new employees are required to complete the specialized information security training and pass the examination. The Group regularly issues phishing alert notifications and organizes company-wide phishing simulation drills, aimed at elevating the organization’s collective ability to identify and mitigate cybersecurity threats. As of the reporting period end, 100% of employees have received cybersecurity training.

The Group has established an internal information security reporting mechanism, allowing employees to report security incidents, system vulnerabilities, or suspicious activities via internal messaging platforms, email, or phone calls to the cybersecurity and information system security working group. The working group reviews submissions, verifies sources, and takes appropriate actions.

VNET has set up a compliance and information security excellence award fund to recognize and reward teams and individuals demonstrating outstanding contributions in these aspects. Conversely, those who delay, falsify, conceal, or omit reporting security incidents, or engage in dereliction of duty, will face disciplinary actions in accordance with the Regulation on Assessment and Accountability of Cybersecurity and Information System Security. Criminal offenses will be prosecuted under relevant laws.

Responsible AI Application

VNET continuously explores the application of AI technologies in business operations and daily office work to enhance quality, efficiency, and optimize decision-making. We consistently uphold a responsible approach, ensuring compliant AI deployment and mitigating associated risks through robust management systems, institutional frameworks, and safeguard measures.

◇ Adhere to the “legality, minimization, and necessity” principle: Collect and use data only when legally required for business purposes; avoid non-essential mandatory AI usage and sensitive capabilities such as facial recognition,while enforcing tiered access control mechanisms.

◇ Identify and mitigate model bias: Ensure that AI models treat all users fairly and without discrimination regardless of race, gender, age, or other background.

◇ Safeguard the user right to information: Clearly label all AI-generated content, including text, images, and audios to ensure transparency.

◇ Establish a “responsibility chain mechanism”: Ensure all AI system designs retain human final oversight and decision-making authority.Embed human-in-the-loop review checkpoints and maintain comprehensive operation logs to guarantee traceability and human intervention capability for automated decisions.

◇ Establish a clear AI decision appeal mechanism: Provide accessible channels for users to challenge AI-generated outcomes—such as customer service channels, a dedicated email address, or in-system reporting tools. Ensure human review of cases, with material incidents incorporated into ongoing model optimization.

◇ Continuously improve performance: Leverage backend monitoring logs, scheduled automated testing, and performance alerting mechanisms to drive continuous improvement and ensure stable model performance.

◇ Empower through training: Provide organization-wide training on responsible AI use and ethics to align employee behavior with corporate values. Deliver specialized AI security development training for R&D personnel covering data privacy, cybersecurity, and incident response to embed compliance and risk prevention capabilities at source.

DYXnet, a wholly owned subsidiary of VNET, has formulated the AI Ethics Statement. The statement is centered on core ethical principles including fairness and inclusion, transparency and accountability, governance and compliance, and education and awareness. DYXnet is committed to developing and deploying AI systems that meet the highest ethical standards. In 2025, DYXnet has obtained ISO/IEC 42001:2023 certification for its Artificial Intelligence Management System (AIMS).