Governance
Promoting High-quality Development
SF is committed to achieving business values and social values together. Keeping in mind the good vision of sustainable development of the industry, we actively explore the path for sustainable development of the enterprise.
Certified to ISO 37301、27001、27701
Management System
100%
Integrity Agreement Signing Rate (Cooperative Suppliers)
100%
Coverage Rate of New Employees in Risk Compliance Training
SF integrates ESG principles into its corporate development strategy, builds a scientific and professional ESG management system and a clear and transparent ESG governance structure, fully implements ESG-related strategies, and supports the sustainable development of the Company's business.
《2025 Sustainability Report》
Strengthening Risk Management
SF has established a sound internal control and risk management system to strengthen and standardize the Company's internal management, constantly improves the Company's risk prevention and control effects, and promotes the sustainable and healthy development of the Company.
Risk Management System
SF has established the Risk Management Committee of the Board of Directors, as a specialized risk management organization, which leads the Group’s risk control and compliance management direction and guides the Group’s risk control and compliance management work on behalf of the Board of Directors. The Risk Committee under the Risk Management Committee of the Board of Directors is a professional decision-making body for overall management and control of risk control and compliance of the Company. It is led by the Chief Financial Officer (CFO) of the Company and is mainly responsible for deliberating and making decisions on the construction, system, process, authorization, prevention and response of major risks of the Company. The Risk Committee reports to the Risk Management Committee of the Board of Directors on a quarterly and annual basis. The Risk Control and Compliance Office of the Company coordinates the management of risk control and compliance; while the leader of each functional department, BG (Business Group), BU (Business Unit) and region has the primary responsibility for the relevant risk control, responsible for the formulation of specific risk control measures and implementation rules, as well as the identification and assessment of daily risks and the implementation of control measures.
ESG Risk Management
SF regularly carries out the identification and sorting of risk information database, and fully integrates environmental, social and governance risks into the original level 1, 2 and 3 risk level databases. The ESG risk management structure is consistent with SF’s risk management organizational structure, with the Risk Management Committee of the Board of Directors as the highest risk management body responsible for the identification, prevention and control of ESG risks.
SF incorporates various ESG risks – including data compliance, trade compliance, intellectual property, anti-corruption, occupational health and safety, human rights and human resource management, and environmental risks – into its risk management framework, and regularly assesses and monitors them. These include climate-related transition risks, carbon target management risks, and energy use monitoring risks, among other environmental risks.
Integrity Management System
SF has established a multi-tiered integrity oversight framework that extends from the Board's Audit Committee and headquarters supervisory departments down to the business units and regional branches. Within these operational units, three additional lines of oversight have been implemented, creating a comprehensive integrity management system that permeates the entire organization and all roles. To enhance oversight effectiveness, the Company has also constituted two dedicated committees: the Executive Disciplinary Inspection Committee led by the Chief Executive Officer (CEO), the Chief Human Resources Officer (CHO), and the Chief Audit Executive (CAE); and the Employee Disciplinary Inspection Committee led by the Chief Audit Executive (CAE), the head of the Culture and Employee Relations Office, and the head of the Audit and Supervision Office. These committees are responsible for the integrity and disciplinary oversight of senior management and other employees, respectively, forming a top-down, comprehensive supervision mechanism.
Ensuring Information Security
SF strictly complies with national laws, regulations, and industry norms, maintaining constant high vigilance against information and network security risks while continuously enhancing its internal management system in these areas.
The Company has established a three-tier information security and privacy protection management structure consisting of the decision-making level, management level, and executive level. The Information Security and Privacy Protection Committee serves as the highest decision-making body, responsible for decisions, appointments, and directives concerning information security and privacy protection. The Group's Information Security and Privacy Protection Working Group operates under this Committee. Under the overall leadership of the Chief Information Security Officer (CISO), the Working Group supports the Company's information security and privacy protection governance and ensures the efficient operation of the management system. Its responsibilities include coordinating group-wide efforts and leading the development and day-to-day operation of the network security, data security, and privacy protection frameworks.
Information and Network Security
SF's information and network security management system holds ISO/IEC 27001 Information Security Management System (ISMS) and ISO/IEC 27701 Privacy Information Management System (PIMS) certifications, covering its core business operations. Furthermore, the SF Express App obtained the 2025 Classified Protection of Cybersecurity Level 3 certification and the CCRC Mobile Internet Application (App) Android/IOS Security Certification, providing comprehensive safeguards for user data security.
To continuously strengthen its security posture, the Company conducts regular data security audits. Based on the latest regulatory requirements, these audits facilitate a comprehensive assessment of internal and external data security risks, with findings used to continuously improve the information and network security management system. In parallel, the Company performs routine network vulnerability assessments and conducts practical cybersecurity simulation exercises, systematically enhancing its overall defensive capabilities and emergency response efficiency for security incidents.
Personal Information Protection
SF attaches great importance to the protection of customers’ personal information security. Based on laws, regulations and industry best practices, SF has built a comprehensive privacy protection management system, formulated and continuously improved a personal information security and compliance system covering the entire life cycle of data, and ensured personal privacy protection work is carried out in an orderly manner. In order to implement the protection of personal information, the Company has taken diversified measures covering the entire digital life cycle to effectively protect customers’ privacy and security with a responsible attitude. In 2025, there were no major personal information security incidents in SF.
Information and Network Security
SF's information and network security management system holds ISO/IEC 27001 Information Security Management System (ISMS) and ISO/IEC 27701 Privacy Information Management System (PIMS) certifications, covering its core business operations. Furthermore, the SF Express App obtained the 2025 Classified Protection of Cybersecurity Level 3 certification and the CCRC Mobile Internet Application (App) Android/IOS Security Certification, providing comprehensive safeguards for user data security.
To continuously strengthen its security posture, the Company conducts regular data security audits. Based on the latest regulatory requirements, these audits facilitate a comprehensive assessment of internal and external data security risks, with findings used to continuously improve the information and network security management system. In parallel, the Company performs routine network vulnerability assessments and conducts practical cybersecurity simulation exercises, systematically enhancing its overall defensive capabilities and emergency response efficiency for security incidents.
Personal Information Protection
SF attaches great importance to the protection of customers’ personal information security. Based on laws, regulations and industry best practices, SF has built a comprehensive privacy protection management system, formulated and continuously improved a personal information security and compliance system covering the entire life cycle of data, and ensured personal privacy protection work is carried out in an orderly manner. In order to implement the protection of personal information, the Company has taken diversified measures covering the entire digital life cycle to effectively protect customers’ privacy and security with a responsible attitude. In 2025, there were no major personal information security incidents in SF.
