This document is intended as a baseline guideline to be considered in the management of information during the normal execution of business activities. Therefore, it includes not only guidelines but also the position and commitment of the company’s top management regarding maintaining the confidentiality, integrity, and availability of the information assets of the Company, its suppliers, and customers who have shared information with MICROSYSLABS. This is a required activity to utilize the technological solutions contracted with MICROSYSLABS or for the development of business relationships.

Information Asset: Refers to any complete unit of data or information that has been identified as existing in the company, whether created within the company or received from third parties, and is part of the management processes that the Company must carry out in its daily operations. The assets are the resources of the Information Security System necessary for the Company to function and achieve the objectives set by top management.

Threat: An external factor that exploits a weakness in information assets and can have a negative impact on the organization. There is no single classification of threats; it is important to consider all of them when identifying them.

Antivirus: It is a type of software used to prevent, detect, and eliminate malware from a computer. Once installed, most antivirus software runs automatically in the background to provide real-time protection against malicious attacks. Additionally, they help safeguard files and hardware from malware execution, such as worms, trojans, and spyware.

Authentication: It is the process of verifying the identity of a user or resource/technological system when trying to access a processing resource or information system.

Authenticity: Property that guarantees that the identity of a subject or resource is as declared.
Chain of Custody: Detailed record of the treatment of evidence in the incident response process, including who transported, stored, and analyzed it, in order to prevent alterations or modifications that may compromise it.

Information Characteristics: The main characteristics are confidentiality, availability, and integrity.

CCTV: It stands for “closed-circuit television,” which consists of one or more surveillance cameras connected to one or more video monitors or televisions that display the images transmitted by the cameras.

Computer Center: It is a specific area designated by companies for the storage of multiple computer equipment for their IT processes. These equipment are interconnected through a data network. The computer center must comply with certain industry standards to guarantee basic conditions of security, availability, and continuity, including physical access controls, fire-retardant materials for walls, floors, and ceilings, main and alternate power supply, suitable environmental conditions, among others.

Cable Rooms: These are rooms in the company where communication devices can be installed, and electrical and/or data cables that cover the spaces of the company’s headquarters are connected. Like computer centers, cable rooms must meet requirements for physical access control, materials for walls, floors, and ceilings, power supply, and temperature and humidity conditions.

Cybersecurity: Set of elements, measures, and equipment aimed at controlling the information security of an entity or virtual space.

Encryption: The transformation of data using cryptography to produce unintelligible (encrypted) data and ensure its confidentiality. Encryption is a very useful technique to prevent information leakage, unauthorized monitoring, and unauthorized access to information repositories, such as worms, trojans, and spy programs.

Management Commitment: It is the attitude and obligation assumed by top management regarding the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the ISMS.

Reliability: Defined as the probability that a product will perform its intended function without incidents for a specified period of time and under specified conditions.

Confidentiality: The level of access granted to information so that it is only accessed by authorized individuals.

Containment: Action formulated or implemented to prevent the incident from causing further damage.

Access Control: The ability to allow or deny the use of a particular resource to a particular entity.

Control: Any activity or process aimed at mitigating or preventing a risk. It includes policies, procedures, guidelines, organizational structures, and best practices, which can be administrative, technical, physical, or legal in nature.

Cryptography: The discipline that encompasses the principles, means, and methods for transforming data in order to hide the content of information, establish its authenticity, prevent undetected modification, prevent repudiation, and/or prevent unauthorized use.

Custodian of Information Asset: A designated part of the entity, a position, process, or working group responsible for administering and enforcing the security controls defined by the information owner, such as backup copies, allocation of access privileges, modification, and deletion.

Availability: The assurance that authorized users have access to information and associated assets when required.

Computer Equipment: An electronic device capable of receiving a set of instructions and executing them by performing calculations on numerical data or compiling and correlating other types of information.

Eradication: Removing the cause of the incident and any trace of damage.

Information Security Incident: An unwanted or unexpected event or series of events related to information security that has a significant probability of compromising the organization’s operations and threatening information security.

Integrity: The protection of the accuracy and complete state of assets.

Logs: Records of information systems that verify the tasks or activities performed by a specific user or system.

Malware: A general term for any type of malicious software designed to infiltrate a device without the user’s prior knowledge. There are many types of malware, and each one has its own objectives and methods. However, they all share two defining traits: they operate covertly and actively work against the interests of the targeted person, entity, or device.

Removable Media: Any removable hardware component used for information storage. Removable media includes tapes, removable hard drives, CDs, DVDs, and USB storage devices, among others.

Best Practice: A specific security rule or platform that is widely accepted within the industry as providing the most effective approach to a particular security implementation. Best practices are established to ensure that the security features of regularly used systems are configured and managed uniformly, guaranteeing a consistent level of security across the organization.

Partner: A legal or natural person with whom Microsyslabs has established an agreement to offer, sell, and maintain the portfolio of wolkvox solutions.

Phishing: A type of crime classified within the realm of scams. It uses techniques like social engineering, pretending to be a trusted person or company in an apparent electronic communication, with the aim of fraudulently acquiring confidential information.

Business Continuity Plan: A plan aimed at enabling the continuity of the organization’s operational functions in the event of an unforeseen incident that jeopardizes them.

Information Security and Continuity Risk Management Procedure: A management document that defines actions to reduce, prevent, transfer, or assume unacceptable information security risks and implement the necessary controls to protect it.

Policy: A high-level statement that describes the Company’s position on a specific topic.

Security Policy: A document that establishes the management’s commitment and approach to information security within the organization.

Clean Desk Policy: It is a policy that instructs employees, clients, suppliers, and other collaborators to clear their desk of any potentially misusable information at the end of their working day.

Procedure: Procedures specifically define how policies, standards, best practices, and guidelines will be implemented in a given situation. Procedures are technology or process-independent and refer to specific platforms, applications, or processes. They are used to outline the steps that a department must follow to implement security related to that specific process or system. Procedures are generally developed, implemented, and supervised by the process or system owner. Procedures will adhere to the Company’s policies, standards, best practices, and guidelines as closely as possible, and they will also conform to the procedural or technical requirements established within the department where they apply.

Information Owner: The organizational unit or process where information assets are created and maintained, with the ownership to modify, delete, or share them.

Recovery: Returning the affected environment to its natural state.

Information Asset Owner: The person or group of people designated by the owners to ensure the confidentiality, integrity, and availability of the information assets and decide how to use, identify, classify, and protect those assets under their responsibility.

Risk: The possibility that a specific threat may exploit a vulnerability to cause a loss or damage to an information asset.

Residual Risk: According to [ISO/IEC Guide 73:2002], it is the risk that remains after the risk treatment.

Segregation of Duties: Separating sensitive tasks among different employees, clients, suppliers, or other parties with contractual relationships with the Company to reduce the risk of misuse, whether intentional or due to negligence, of systems and information.

Information System: An organized set of data, operations, and transactions that interact to store and process information. A system of information requires the interaction of one or more information assets to perform its tasks. A system of information is any software component, whether internally developed by the company or externally acquired as a standard market product or developed for its specific needs.

Spamming: The act of sending unsolicited messages, typically of an advertising nature, in large quantities (even massive), which harm the recipient in one or several ways. The act of sending such messages is called spamming. The most common medium is email.

Sniffer: Software that captures packets traveling on a network to obtain network or user information.

Spoofing: Forging the origin identity in a session. The identity can be an IP address or a MAC address.

ISMS: Information Security Management System.

Risk Treatment: According to [ISO/IEC Guide 73:2002], it is the process of selecting and implementing measures to modify the risk.

Validation: Ensuring that the collected evidence is the same as presented to the authorities.

Virus: Hereafter, we refer to it as “malware.” See the definition of malware in this glossary.

Vulnerability: A condition that could allow a threat to exploit a vulnerability to occur more frequently, with greater impact, or both. A vulnerability can be the absence or weakness of administrative, technical, and/or physical controls.

PCI-DSS: The Payment Card Industry Data Security Standard (PCI DSS) was developed by a committee composed of the major card companies (debit and credit), known as the PCI SSC (Payment Card Industry Security Standards Council). It serves as a guide to help organizations that process, store, and/or transmit cardholder data ensure the security of such data and prevent fraud involving debit and credit payment cards.

CHD: Acronym for “Cardholder Data.” As a minimum requirement, cardholder data includes the primary account number (PAN) and may also include the expiration date and the cardholder’s name. The PAN is found on the front of the card and is encoded in the magnetic stripe of the card or the chip embedded within it. It is also known as cardholder data. Additionally, refer to Sensitive Authentication Data for other data elements that may be part of a payment transaction but should not be stored after the transaction is authorized.

PAN: Acronym for “Primary Account Number.” A unique number for debit and credit cards that identifies the cardholder’s account.

SAD: Acronym for “Sensitive Authentication Data,” which includes magnetic stripe data, PIN or PIN block, and the Card-not-present Authorization Value, commonly referred to as CVV2 but can take any of the following acronyms: CAV2/CVC2/CVV2/CID.

SPT: Acronym for “Store, Process, or Transmit,” meaning that a system or process comes into contact with CHD and/or SAD and is therefore automatically within scope (Processes, People, Technology).

CDE: Acronym for “Cardholder Data Environment,” which basically refers to what we are trying to protect, beginning with systems that SPT CHD or SAD but are not limited to them.

This policy applies to the entire Company, its employees, contractors, partners, and third parties associated with MICROSYSLABS.

All individuals covered by the scope and applicability must fully comply with the policy.

Non-compliance with the Information Security policy will result in legal and disciplinary consequences in accordance with the company’s regulations, including provisions established by national and territorial government authorities regarding Information Security.

Exceptions to this document may be granted, subject to approval by the General Management or the Security and Continuity Executive Committee.

The management of MICROSYSLABS, recognizing the importance of proper information management, is committed to implementing an information security management system to establish a framework of trust in carrying out its duties with third parties (customers, employees, partners, suppliers, and others) who may be interested in the company’s business activities. This commitment is in strict compliance with the laws in Colombia and in line with the Company’s mission and vision resulting from organizational planning and strategy review exercises carried out by the Company.

For MICROSYSLABS, information protection aims to reduce the impact on its assets from systematically identified risks in order to maintain an acceptable level of exposure that ensures the integrity, confidentiality, and availability of information according to the needs of different identified stakeholders. Accordingly, this policy applies to the Company as defined in its scope, including employees (including apprentices and interns), suppliers, partners, third parties, and the general public. The principles underlying the development of actions or decision-making within an Information Security Management System (ISMS) are determined by the following premises:

▪ Minimize risk in the development of the Company’s most important functions, including but not limited to project management, information technology management, physical and financial resource management, and human resource management.

▪ Comply with information security principles based on best practices.

▪ Comply with administrative function principles.

▪ Comply with national and international legislative frameworks where the organization chooses to have a presence.

▪ Maintain the trust of customers, partners, and employees.

▪ Support technological innovation.

▪ Protect information assets.

▪ Protect payment card data in accordance with the PCI-DSS standard.

▪ Establish policies, procedures, and instructions related to information security in line with best practices.

▪ Strengthen the culture of information security among employees, third parties, apprentices, interns, and customers of the Company.

▪ Continually improve information security management.

▪ Ensure business continuity in the face of incidents.

▪ Review and adjust policies at least once a year or whenever required due to a change.

Here are the 13 specific security policies that support MICROSYSLABS’ ISMS:

6.1. MICROSYSLABS has decided to define, implement, operate, and continuously improve an Information Security Management System (ISMS) based on clear guidelines aligned with business needs, best practices, and current regulatory requirements.

6.2. MICROSYSLABS is committed to complying with laws, standards, and regulations related to or relevant to Information Security in Colombia and in countries where customers consume the offered technologies. If any gaps or unfulfilled conditions are identified, the ISMS management will seek to address the need for adjustment and compliance.

6.3. Responsibilities for information security will be defined, shared, published, and accepted by each employee, contractor, or third party, considering the principles of segregation of duties to prevent these roles from accessing information assets unrelated to their assigned tasks or functions, reducing the possibility of unauthorized or unintentional modification, or misuse of information assets.

6.4. MICROSYSLABS will protect the information generated, processed, or stored by its business processes and the information assets involved in these processes.

6.5. MICROSYSLABS will protect the information created, processed, transmitted, or stored by its business processes to minimize financial, operational, or legal impacts due to misuse. This requires the application of controls according to the classification of the information owned or under its custody.

6.6. MICROSYSLABS will protect its information from threats originating from internal personnel, considering different moments or stages of employees during their contractual relationship with the Company and after the termination of such relationship.

6.7. MICROSYSLABS will protect processing facilities and the technological infrastructure that supports its critical processes.

6.8. MICROSYSLABS will control the operation of its business processes, ensuring the security of technological resources and data networks that support its operations.

6.9. MICROSYSLABS will implement access control to information, systems, and network resources, considering the principles of segregation of duties for employees, contractors, or third parties. Conflicting duties and areas of responsibility should be identified and resolved to reduce the possibilities of unauthorized or unintentional modification of the Company’s information or misuse of organizational assets.

6.10. MICROSYSLABS will ensure that security is an integral part of the life cycle of information systems.

6.11. MICROSYSLABS will ensure proper management of security incidents and events, as well as weaknesses associated with information systems, in order to effectively improve its security model.

6.12. MICROSYSLABS will ensure the availability of its business processes and the continuity of its operations based on the impact that events can generate.

6.13. MICROSYSLABS will ensure compliance with legal, regulatory, and contractual obligations established with third parties in Colombian territory and will respect and seek compliance with such obligations with third parties that contract its services in countries other than Colombia.

Non-compliance with the Information Security and Privacy Policy will result in legal consequences in accordance with the Company’s regulations, including provisions from national and territorial government regulations in Colombia and the regulations of countries where customers consume the offered technologies, in relation to Information Security and Privacy.

The specific policies for implementing the required controls in the Company’s ISMS management are listed below.

7.1. Information Security Organization

The Information Security and Continuity Steering Committee, composed of the CEO (or delegate), IT Operations Director, Software Engineering and Infrastructure Director, Risk Leader in Information Security and Continuity, Administration Director, Global Sales and Marketing Director, and Human Resources Director, is defined as the top governing body responsible for achieving the formulated purpose.

This committee will be responsible for reviewing and updating this Policy document, leading internal communications within the Company to promote an information security culture, ensuring compliance with the PCI-DSS standard for the determined environments, supervising the results of the information security management system and requesting adjustments or improvements when necessary.

The committee will be responsible for managing communications with third parties when information security and business continuity incidents occur. It will ensure proper handling and management of information security incidents that may arise. It will identify and ensure the necessary connections between the ISMS and the Occupational Health and Safety Management System (OHSMS) of the Company to maintain a unified view in managing risks that may affect information security and occupational safety.

The committee should hold meetings at a frequency determined on its own, seeking to ensure the timely execution of the aforementioned functions.

7.2. Asset Management

The guidelines for identifying, using, managing, and taking responsibility for information assets are established. The following are proposed:

Asset identification: An inventory of the Company’s information assets, whether owned or third-party, should be conducted. This inventory should include the identification of the owner or responsible party for each information asset and specify the support tools to be used for the task. The Risk Leader in Information Security and Continuity will be responsible for creating this inventory, which should be reviewed and updated as changes are made (updates, additions, removals).

Classification of information assets: The Company must classify information assets according to their criticality, sensitivity, and confidentiality. These definitions should be established in a management procedure defined by the Risk Leader in Information Security and Continuity. Third parties who have provided information assets to be stored and safeguarded by the Company will be invited to participate in this review to ensure their involvement in the assurance of these assets.

Labeling of information assets: All information assets should be labeled following criteria that allow for their quick identification, purpose, and assigned classification. These definitions should be documented in a procedure defined by the Risk Leader in Information Security and Continuity.

Return/Transportation/Disposal of Assets: The Risk Leader in Information Security and Continuity is responsible for defining the instruments and mechanisms for returning, transporting, and/or disposing of Information Assets when defined by third parties at the start of business relationships. They will also establish mechanisms and controls to ensure that employees deliver physical assets and information once their employment, agreement, or contract with the Company has ended. The possibility of eliminating assets should be considered as the first control action, documenting the executed activity and the possible scope. The IT Services Manager and the Software Engineering and Infrastructure department will be in charge of deploying and controlling this task.

Removable Media Management: The use of removable media is prohibited in the Company. Removable media refers to electronic devices that store information and can be disconnected from computers. Ongoing information campaigns and precautions will be implemented to prevent risks that could affect the availability, confidentiality, and integrity of the Company’s information assets through these devices. Exceptions may be considered, but they must be identified, properly justified, and approved by the Risk Leader in Information Security and Continuity and/or the respective director.

Asset Disposition/Information Backups: The Company must establish mechanisms for the proper custody and disposal of identified and classified information assets. These mechanisms will be described in a procedure that outlines how the final disposal, removal, transfer, or reuse of assets will be securely and properly executed when they are no longer needed.

Additionally, it is the responsibility of the Software Engineering and Infrastructure department, led by the IT Infrastructure Lead, to perform backups of information assets provided as products to customers. The IT Infrastructure Lead will establish guidelines and procedures for storing information assets, ensuring that backups are performed according to the organization’s strategy and technologies.

Regarding employee information in the course of their duties, storing information directly in cloud storage using the approved collaborative tool for use in the Company is permitted.

Authorized Software: The Company must define and keep an updated list of authorized third-party software products to be implemented in its technological infrastructure. Software control will be exercised after conducting an inventory of the software between the IT Operations and Software Engineering and Infrastructure departments, consolidating the inventory as an information asset of the Company. The control procedures defined by the Risk Leader in Information Security and Continuity must be verified. Any employee requiring software not listed in the authorized software inventory must submit a corresponding request following the defined procedures of the responsible departments.

Networks, Mobile and Personal Computing Devices: Employees in the Company may access wireless networks from their laptops, with minimum access from their workstations. Access to the Company’s wireless networks from mobile phones, tablets, or other personal devices is not permitted. Employees, through the Company’s data networks and internet links, may only access the Company’s email accounts and, for authorized roles, the internet-based production platform for each granted environment.

Visitors to the Company’s premises may access a visitor wireless network configured for this purpose only with authorization from the Software Engineering and Infrastructure Director or their delegate, using personal computing devices. They must not access the main data network of the Company. Access to components of the wolkvox platform from external locations other than the office is prohibited for all employees except the CEO, IT Infrastructure Lead, and their team. Valid IP addresses from which access to the platform will be allowed must be registered for these roles. However, in emergency situations preventing employees from attending the Company’s physical premises, the restriction on employee access to the wolkvox platform will be lifted for the duration of the emergency. The IT Infrastructure Lead, along with the IT Services Manager, must define and implement the necessary procedures to implement the defined requirements.

Collaborative Tools: Recognizing that the Company has established one or more collaborative platforms (such as Google Workspace and Microsoft Teams) as fundamental communication and asset management tools, it is important to ensure employees’ use of these tools adheres to the guidelines of these policies, particularly regarding access control. It is emphasized that assets not classified as Public should not be shared through collaborative channels (personal or company-provided) available on employees’ personal and company devices. Non-compliance with this rule will be considered a violation of the information security policies. The use of authorized collaborative tools on employees’ mobile devices is permitted.

Regarding remote work and telecommuting: Based on the guidelines established by Colombian regulations differentiating between these two remote work modalities for Company employees, the general risks associated with this work modality should be identified, and procedures and/or recommendations should be developed to enable secure remote work for employees and the benefit of the Company and its stakeholders. The Risk Leader in Information Security and Continuity, with support from the Human Resources department, will conduct this risk assessment.

Antivirus Tools: The Company must evaluate, define, and implement the necessary tools to mitigate or address potential risks arising from the intensive use of network-connected computer systems, including the internet. These risks include viruses or malware that could jeopardize the availability, confidentiality, and integrity of the Company’s information assets. The IT Services Manager will establish procedures to ensure the full implementation of the defined solution on employees’ computer systems, including maintenance (including periodic automatic updates) and active and continuous use. Furthermore, in

conjunction with the Risk Leader in Information Security and Continuity and the IT Infrastructure Lead, the relevance and risk level of using these tools (antimalware) on the information assets supporting the Company’s products and services provided and located in the cloud should be evaluated.

Clean Desk and Clear Screen: In order to ensure proper information security, employees who have access to information assets at the Company must adopt good practices for handling and managing physical and electronic information under their responsibility at their workstations to prevent unauthorized access. When computer systems are left unattended, employees should lock the session to prevent unauthorized access. The IT Operations department is responsible for implementing session locking controls. When printing confidential, restricted, or internal use information, the documents should be immediately removed to prevent unauthorized disclosure. Assets containing confidential, restricted, or internal use information should be stored in the Company’s designated storage tool, using routes that prevent third-party access, avoiding downloading to the computer. Physical and/or magnetic documentation should be stored in drawers, cabinets, or secure locations when employees are away from their workstations, keeping them free of physical documentation and electronic storage media.

7.3. Access Control

The following guidelines establish the protection mechanisms, limits, and procedures for administering and taking responsibility for information access, whether electronic or physical, in the Company:

User and password access control: The Software Engineering and Infrastructure Director and the IT Services Manager are responsible for defining the procedures for creating, modifying, suspending, or deleting users and passwords for the platforms under their responsibility. These procedures will be implemented by the Technical Support Leader and/or the IT Infrastructure Lead. Any user of the Company’s technology services, whether an employee, contractor, or third party, with an account and access to the Company’s platforms, must ensure the proper management of the provided user and password, understanding that they are personal and non-transferable and should not be shared. Therefore, the Company must create and provide each employee and user with a user and password for access according to the limitations set for information assets. A baseline for managing access to the Company’s information systems will be established. Additionally, every user should verify that the access granted to information assets corresponds to those granted based on their duties and tasks. Employees should avoid accessing information assets that are not relevant to their functions and tasks, reporting any unauthorized access they identify to their immediate supervisor and the Risk Leader in Information Security and Continuity.

Access control provision: The procedures for assigning, modifying, reviewing, or revoking rights and privileges for each user will be defined by the IT Operations and Software Engineering and Infrastructure departments, under the responsibility of the Technical Support Leader (for personal computing devices) and the IT Infrastructure Lead (for the wolkvox platform and network infrastructure). These procedures should include handling special cases, such as users with higher privileges used for administering the Company’s infrastructure, applications, and information systems. The scope of access granted to the platforms should be specified, and in no case is it authorized for users to delete, correct, or alter their usage records or alter data captured during the normal operation of information systems or platforms supporting the Company’s operations without the approval of the information security and continuity steering committee. The responsible departments should document the procedures.

Password Management: Passwords, as the basic mechanism for authenticating users’ access to the Company’s network, applications, and information systems, must meet certain requirements. Passwords should have a minimum length of 8 characters and include at least one special character, one number, and a combination of uppercase and lowercase letters. It is a general requirement to configure passwords with a maximum validity period of three months. Changing the password once it has been assigned by an internal system administrator is mandatory. The Risk Leader in Information Security and Continuity, along with the IT Infrastructure Lead, should identify components of the platform where these password requirements cannot be applied and inform the information security and continuity steering committee to evaluate the risk and determine possible actions.

Security Perimeters: Restricted access areas for employees, contractors, or third parties include the location where LAN and internet telecommunications equipment are located in the Company’s administrative premises. Any addition or modification to the condition of these physical security areas must be considered by the information security and continuity steering committee and documented by the Software Engineering and Infrastructure department, specifying which employee roles, contractors, or third parties will have access to these security areas. Additionally, access to these areas by unauthorized individuals must be requested from the designated person responsible for authorizing access under specified conditions. Therefore, a procedure must be documented by the Infrastructure team.

7.4. Secure Software Development

The Company, aware of the importance of offering secure software products to the market, must establish the ways, means, and competencies to achieve secure software artifacts in accordance with good practices for secure software development. It will incorporate methodologies that allow for cost-effective development of secure software according to industry guidelines. Additionally, the Company will establish controls to validate the strength of third-party software products in relation to security premises and manage them with the vendor to evolve the product towards the Company’s definition of secure software.

7.5. Confidentiality

For the Company, the management of information asset confidentiality is a relevant task. Therefore, any document regulating the Company’s relationships with employees, contractors, or others must contain confidentiality clauses that establish conditions for the delivery, custody, and handling of information assets that may be exchanged between the parties as a result of the employment or commercial relationship. The consequences of inappropriate handling of information assets by any party will also be stipulated.

7.6. Integrity

For the Company, all verbal, physical, or electronic information must be adopted, processed, and delivered or transmitted integrally, coherently, exclusively to the corresponding individuals, and through the specified means, without modifications or alterations unless authorized and/or responsible individuals determine otherwise. In the case of contractual relationships, the commitment to the integral and comprehensive administration and handling of internal and external information will be part of the clauses in the respective contract, under the name of the Information Integrity Clause.

7.7. Service and Information Availability

The Company must have a business continuity plan to ensure the availability recovery or restoration of the processes supporting the Information Security Management System and the Company’s mission-critical processes in the event of an information security incident.

The Company has established availability objectives for the services associated with the wolkvox platform, committing to levels of availability equal to or greater than 99.6% of the time per month.

To achieve this availability commitment, the Company, under the responsibility of the IT Operations Director, must design and implement management procedures in accordance with industry best practices to manage risks that may affect the achievement of the established availability objective.

Likewise, the Company, under the responsibility of the Software Engineering and Infrastructure Director, must define guidelines to achieve segregation of environments that minimize the risks associated with the implementation of changes and new developments in order to reduce the impact of service unavailability during the development, testing, and production phases. Change Management guidelines should also be incorporated to minimize the impact on availability and ensure changes are made under controlled conditions.

7.8. Information Security Incident Management

The Company, under the responsibility of the senior management, is committed to the proper management of information security events, incidents, and vulnerabilities. This management must be based on best practices and encompass all users who have authorized access to any information system.

It is the responsibility of the Risk Leader in Information Security and Continuity, as well as the IT Services Manager, to define the procedure for registering, addressing, and resolving incidents related to the impact on information assets owned by the Company or those under the custody of third parties. Best practices for managing the chain of custody of elements that may be subject to analysis to identify causes and those responsible for the events should be considered and documented.

The Risk Leader in Information Security and Continuity is responsible for presenting a monthly report to the security and continuity executive committee on the registered events, the actions taken, and the risk management measures being formulated to mitigate such risks.

7.9. Information Security Training and Awareness

The achievement of a culture that understands and promotes the benefits of information security is fundamental for the Company, as it will help reduce vulnerabilities and threats related to individuals. Therefore:

• The senior management is committed to allocating sufficient resources to develop training programs for employees and third parties, as well as to maintain the information security management system.
• An employee training program on the information security management system, conducted by the Human Resources department, must be established.
• All employees of the organization will receive training, and contractors and third parties related to the Company will be informed of the system’s guidelines and the responsibilities they have as a fundamental part of their commitment to information security.
• Employees will be monitored for attendance at training events related to the information security management system conducted by the Company, and this activity will be considered an integral part of employee performance.
• Periodic reviews of training results should be conducted to improve the processes.

7.10. Use of Cryptographic Controls and Key Management

Cryptographic Controls: The IT Operations, Software Engineering and Infrastructure, and Risk Leader in Information Security and Continuity will be responsible for defining the most appropriate information encryption mechanisms based on the Company’s needs, considering the risk analysis in information security and continuity. These mechanisms should consider authenticity, confidentiality, and integrity criteria, as well as non-repudiation in communications or information processing.

The following industry-recommended encryption standards should be applied to the different information assets and systems belonging to Microsyslabs where it is pertinent to use cryptographic controls: AES, 3DES with a dimension of 256 bits or higher, and RSA with a dimension of 2048 bits or higher. Additionally, relevant Colombian regulations regarding data protection, applicable standards, and existing technology should be considered.

Key Management: The IT Operations, Software Engineering and Infrastructure, and Risk Leader in Information Security and Continuity will be responsible for defining the guidelines for encryption key management. The Company must protect encryption keys from modification and/or destruction, and secret and private keys must be protected against unauthorized distribution. Techniques to ensure the integrity of the information should be used. Physical and logical protection controls should be implemented to safeguard the equipment and/or system used for key generation, storage, and custody.

Those responsible for encryption systems and cryptographic keys should establish controls to ensure the security of the system and keys, based on the risk analysis conducted by the Risk Leader in Information Security and Continuity, and grant access only to authorized individuals.

These systems or tools should be included in the list of authorized software, and the use of encryption tools or systems other than those authorized will not be allowed.

7.11. Operation of Technologies Subject to PCIDSS Compliance

In line with its strategic commitment to align with and comply with PCI-DSS standards, the Company must implement and maintain all current requirements of these standards, ensuring full compliance. The implementation and maintenance will be the responsibility of the team that supports the Company’s Information Security Management System, led by the IT Operations Director and the Risk Leader in Information Security and Continuity. It is established as a fundamental principle that the Company will never store payment card data in its IT components.

7.12. Relationship with Suppliers

The Company must establish control mechanisms in its relationships with suppliers that provide goods or services that configure or constitute the technological platforms forming the basis of the Company’s product and service offerings, as well as those involved in the collection and custody of personal data from wolkvox and its clients. The objective is to ensure that the information accessed or services provided by suppliers comply with the Company’s information security and data protection policies, standards, and procedures. The Administrative Department must establish procedures that ensure proper supplier management, where each interested party explicitly expresses adherence to industry standards for information security or compliance with good practices established by Microsyslabs.

Any access to the Company’s information assets by a supplier must have undergone adequate risk management by the Risk Leader in Information Security and Continuity and obtained the respective authorizations from the information owners.

When ending relationships with a supplier that handles Company information, the supplier must securely destroy the information or, if applicable, return the information. This process must be included in the contract with the supplier

.

7.13. Secure Information Erasure

The Company must establish guidelines and procedures for secure information erasure, considering customer operations and their data, with the premise of maintaining it for a certain period of time according to commercial definitions.

This policy document must be reviewed at least once a year by the Information Security Management Committee, or earlier when it becomes evident that the defined policies need to be reviewed and/or adjusted to ensure the confidentiality, integrity, and availability of the company’s information assets.

This document has been created by Microsyslabs S.A.S. (hereinafter referred to as MICROSYSLABS or the Company), considering the guidelines established by the Ministry of ICT in Colombia in its Guide No. 2 – Elaboration of the General Information Policy. The referenced document is based on good practices and international industry standards, and therefore, it provides comprehensive coverage to meet the needs of our customers regarding the guidelines followed by the Company in relation to Information Security.