- INTRODUCTION
Simetrik INC. and all its present and/or future affiliates and/or subsidiaries (hereinafter, “The Company”), understanding the importance of proper information management, has committed to implementing an information security and cybersecurity management system, seeking to establish a framework of trust in the exercise of its duties with its collaborators and third parties, all framed in strict compliance with laws, international standards and in accordance with the mission and vision of The Company.
The Security, Cybersecurity, and Information Privacy Policy is the general statement that represents the position of The Company’s management regarding the protection of all assets, Collaborators (employees – contractors), and third parties that support The Company’s processes. It also supports the implementation of the Information Security and Cybersecurity Management System through the generation and publication of its policies, procedures, and other documents, as well as the assignment of general and specific responsibilities for the management of information security and cybersecurity.
Roles are required within the organization to provide clear and defined responsibilities, as well as an understanding of how information is to be protected; these roles are thoroughly detailed in their respective job profile documents.
- OBJECTIVE
With this policy, The Company aims primarily to reduce the impact on its assets by systematically identifying risks, in order to maintain a level of exposure that preserves the integrity, confidentiality, and availability of those assets, according to the needs of the different identified interest groups.
The specific objectives of this policy are:
- Establish general guidelines related to information security and cybersecurity.
- Minimize the risk in the most important functions of The Company.
- Maintain the trust of The Company towards its customers, investors, and collaborators (employees – contractors).
- Support technological innovation safely and as an added value to the product.
- Protect technological assets.
- Strengthen the culture of information security and cybersecurity among collaborators (employees – contractors), third parties and clients of The Company.
- SCOPE
This policy applies to the entire company, its employees (both direct and contracted) and third parties.
- INFORMATION SECURITY OBJECTIVES
The Company defines the following objectives:
- Manage information security and cybersecurity risks to keep them at acceptable levels, ensuring that the strategy, policies, standards, solutions, and resources are aligned with business objectives and consistent with laws, regulations, and contracts.
- Minimize extreme and high risks of information security and cybersecurity.
- Manage vulnerabilities that arise in the technology platform.
- Control and prevent information security and cybersecurity incidents.
- Build a culture of information security and cybersecurity within The Company.
- Maintain continuous improvement of the ISMS through timely and effective management of internal controls and follow-up of action plans.
- ROLES AND RESPONSIBILITIES
The responsibilities associated with each role identified in the Information Security and Cybersecurity Management System are defined in the SI-PLT-002 Information Security, Cybersecurity and Privacy Roles and Responsibilities Policy.
- POLICY
Through this general policy, as well as the SI-MA-003 Information Security and Privacy Policy Manual or any other policy, The Company is committed to complying with the following guidelines:
- Define, implement, operate, maintain and continuously improve the Information Security and Cybersecurity Management System, supported by clear guidelines, adjusted to business needs, and regulatory requirements that apply to its nature.
- Measure compliance with defined Security and Cybersecurity Objectives.
- Ensure compliance with established legal, regulatory, and contractual obligations.
- Verify that responsibilities for Information Security and Cybersecurity are defined, shared, published, and accepted by each of the employees, contractors, or third parties.
- Protect the information created, processed, transmitted, or stored by its business processes, in order to minimize financial, operational, or legal impacts due to misuse. This requires the application of controls according to the classification of the information owned or in custody.
- Protect The Company’s information against threats originating from collaborators (employees – contractors) and third parties.
- Control the operation of its business processes, ensuring the security of technological resources and data networks.
- Implement access control to information, systems, and network resources.
- Ensure that security is an integral part of the life cycle of information systems.
- Ensure adequate management of security and cybersecurity events and weaknesses associated with information systems to improve the effectiveness of the security and cybersecurity model.
- Ensure the availability of its business processes and the continuity of its operation based on the impact that events can generate.
This policy, as well as the other policies defined for the ISMS, must be subject to annual review and updating or when deemed necessary in response to an internal, external, or regulatory requirement.
- CHANGE MANAGEMENT
When the ISMS receives any relevant modification, whether in any of its processes, policies, manuals, matrices or guides, the following must be complied with:
- The leader of the ISMS will inform the entire company of the change (and the reason for it), through the official internal communication channel.
- Each document related to the ISMS must contain a table that allows control and monitoring of the changes made, which must include the date on which the change was made, the person who authorized it, and a brief description of the points that were modified. At the time of making a change to the content of each document, a record must be left in the change control.
- If applicable, the responsibilities that affect a specific role in their respective job profile must be modified so that it reflects the updated responsibilities within the ISMS.
- In the event that the change has a significant impact on a process within The Company, training or re-induction must be carried out for that process to ensure its understanding and compliance. Such training or re-induction will be carried out on an ad hoc basis, within a period not exceeding 2 weeks from the publication of the change, and will be managed as an additional session in addition to those established in the ISMS Training Schedule, without affecting compliance with the sessions established therein.
- As a final step, each change that is significant enough, or that modifies something referenced in the SI-MA-003 Information Security and Privacy Policy Manual, must also be updated in this document, in order to keep it completely up to date.
- PROJECT SECURITY
All projects developed within the framework of The Company’s process objectives must have an information security component, which must be accompanied and advised by the Information Security Leader or their delegate. Information security risks and objectives must be taken into account in such projects.