Information Security Policy

INTRODUCTORY PROVISIONS

This document summarises the Company's overarching security policy and the security controls and procedures that ensure information security. It is intended for the Company's business partners.

The summary is made available to the Company's business partners via the Company's website. The Company reserves the right to change the content of this document in accordance with its business needs and information security standards.

This Executive Summary is publicly available on the Company's website; the Company does not separately notify its business partners of changes to it.

PURPOSE AND OBJECTIVES

The Company recognises that secure and reliable information and information assets are critical to the success of the Company’s business. To this end, the Company determines how to protect information assets through organisational regulations and work instructions.

The purpose of the Security Policy is to identify the relevance of information to the Company’s business and to protect it appropriately in terms of ensuring confidentiality, integrity and availability (CIA).

The objective of information security is to prevent or minimise the consequences of security incidents and to ensure business continuity.

SCOPE OF THE SECURITY POLICY

The Company’s information security policy, instructions and procedures govern all business processes for the provision of the Company’s information services.

In particular, the following shall be taken into account in the development of security policies, rules, instructions, statements and procedures:

▪ applicable national and EU legislation
▪ the ISO/IEC 27001:2022 standard
▪ information security practices that comply with that legislation

The main and sectoral policies that form part of the ISMS include information security procedures, which are presented under the four control themes of Annex A to ISO/IEC 27001:2022 and are consistent with the information security objectives:

▪ Organisational controls
▪ People controls
▪ Physical controls
▪ Technological controls

CLASSIFICATION OF INFORMATION

The Company has classified information according to its importance and nature and has defined a management approach for each level of information classification.


BUSINESS COOPERATION

The Company protects information and personal data by concluding Trade Secret and Personal Data Protection Agreements with all entities it works with (customers, suppliers, partners and employees).

Entry to the Company’s premises

External parties who have arranged a meeting with us are received at the entrance to the Company's premises and accompanied to the meeting room where all meetings with external parties are held.

Once the meeting is over, we escort the visitor to the exit.

Business secrecy

Information which is a trade secret of the Company must also be protected by persons outside the Company if they knew or ought reasonably to have known, in view of the nature of the information, that it was a trade secret. It is prohibited for persons outside the Company to attempt to obtain information which is a trade secret of the Company contrary to the law and the will of the Company.

Outside persons who cooperate in any way with the Company and who, as a result of that cooperation, may become aware of information classified as a trade secret must undertake to protect the confidentiality of the information. To this end, each external contractor must sign a Confidentiality Statement before being made aware of information classified as a trade secret.


Protection of personal data

The Company applies data leakage prevention measures to systems, networks and any other devices that process, store or transmit sensitive information, in order to detect and prevent the unauthorised disclosure or extraction of information by individuals or systems.

These measures include a wide range of technical, organisational and legal measures designed to prevent unauthorised access, use, disclosure, alteration or destruction of data.

RISK MANAGEMENT

In order to avoid or mitigate potential consequences, we have identified risks and determined the potential threats that could lead to a loss of confidentiality, integrity or availability of information assets.

The Company has a process in place for selecting security controls to mitigate the identified vulnerabilities.

RESPONSIBILITIES AND AUTHORITIES

The Company's management is responsible for implementing the information security management system, for monitoring and reviewing the effectiveness of security measures and procedures, for the overall implementation of the security policy, and for providing the necessary financial and human resources. All employees are responsible for complying with and implementing the individual security measures and procedures.

All employees are involved in the continuous improvement of the security of information and information assets. The designated responsible person ensures that employees are properly informed of security requirements and controls and trained in the safe use of information, information assets and information technology devices.

MAINTENANCE OF THE SECURITY POLICY

In the event of changes in legislation, the emergence of new threats, new security incidents, or changes in the organisational or technical infrastructure that affect the protection of information and information systems, the Company adapts its information security system by introducing new security measures and procedures and supplementing existing ones.

SECURITY INCIDENT MANAGEMENT

The Company has established security mechanisms through its Incident Management Policy to eliminate or reduce the undesirable consequences of incidents in the conduct of its business. The Company has defined in the Incident Management Policy that incidents will be handled according to the criticality of each incident and in accordance with the adopted information security and business continuity policies and legislation.

The Company has designated an Information Security Management System Administrator (ISMS Administrator) to whom all employees and contractors are required to report perceived security events and incidents.

In accordance with the adopted acts and its powers, the ISMS Administrator is required to record all information on reported events and incidents, to keep a register of incidents and, together with employees and contractors, to carry out activities to remedy or mitigate the consequences of incidents.

COMMUNICATION

We use a variety of communication facilities to share information, ranging from email and transfers over the Internet to telephones and various data carriers.

When sharing information, we ensure that information is protected from interception, copying, modification, misdirection and destruction, and that it is protected from malicious code.

We use cryptographic techniques where appropriate to protect the confidentiality and integrity of confidential information.

ACCESS CONTROL

Physical access to secure areas where data, documents and information and communication equipment are located is restricted by measures that ensure adequate protection of the Company's information and assets.

Third-party users are required to return all Company assets in their possession, which may include software, hardware, documents and other assets received, upon termination of the contract or agreement.

The access rights of third-party users are revoked at the end of the engagement. If a contractor or third-party user has used passwords for accounts that remain active, we change those passwords.

We may also reduce or withdraw access rights before the formal end of the cooperation.

BUSINESS CONTINUITY

In order to properly manage business continuity, the Company has established business continuity strategies that define procedures in the event of incidents.

The Company ensures regular testing and review of its business continuity policy. Business continuity testing ensures that all members of the Crisis Response Team and, where appropriate, other staff of the Company are aware of the policy and of their responsibilities under it.

MONITORING LEGISLATION

The Company regularly monitors sector-specific legislation as well as legislation governing the protection of personal data, professional secrecy and information security. We keep all employees and, where appropriate, partners regularly informed of changes.

PUBLICATION AND VALIDITY OF THE DOCUMENT

This document is published on the Company’s website and is valid from the date of publication.

Date of publication: 7. 3. 2025

EBA d.o.o. CEO