This document has been created by Microsyslabs S.A.S. (hereinafter referred to as wolkvox or the Company), taking into account the guidelines established from ISO/IEC 27.001:2013 standard and documents from the Colombian government, which, considering the same regulations, provide the guidelines and directives in this regard.

This document is intended as a basic guideline to be considered in the management of information during the execution of information transfer procedures among wolkvox collaborators, whether in digital or physical form, automatic or scheduled, to and from wolkvox technologies with third parties or third-party technological components. The objective is to maintain the confidentiality, integrity, and availability of the information assets of the Company, its providers, and clients who have shared information with wolkvox. This is a necessary activity to carry out the use of the technological solutions contracted with wolkvox or for the development of business relationships.

Refer to the glossary available in the Information Security Policies document:
https://drive.google.com/file/d/1EbLj9OrURIy-9odM0h_vA1B-87Ua1HYB/view?usp=sharing

4.1. Channels for transferring information between wolkvox and external parties must be secured. This information should have been previously classified, assessed, and labeled as defined in the Procedure for the Classification and Registration of Information Assets. Therefore, the classification should be taken into account to establish the most suitable information transfer mechanism.

4.2. The exchange of information (electronic or physical) categorized as Restricted or For Internal Use, belonging to wolkvox, with third parties, may be conducted under the prior establishment of an agreement (convention or contract), including a confidentiality and non-disclosure clause for the provided information.

The request for information exchange may be due to requirements from wolkvox or a third party, which, due to legal provisions, government guidelines, or those associated with an ongoing business relationship, necessitate such interoperability.

The exchange of electronic information classified as Restricted or For Internal Use must be carried out through encrypted channels that guarantee the protection of information confidentiality and comply with the cryptographic controls policy (Refer to Information Security Policy, section 6.10). This must be documented in the agreements or information exchange agreements signed by the parties.

The exchange of Restricted or For Internal Use information belonging to Wolkvox, which is in physical formats, must be properly labeled. The exchange should take place in a sealed envelope when sending it to third parties.

For the transportation of physical media containing sensitive information, a log of the delivery and receipt of these media must be generated. These media should be transported in a container that protects the asset from environmental threats.

4.3. The exchange of information (electronic or physical) classified as Public, belonging to wolkvox, with third parties, may be carried out without any restrictions, except for the minimum conditions established for information exchange via email and physical means, i.e., ensuring recipients and the proper availability of means or channels for information exchange.

4.4. The exchange of information (electronic or physical) classified as Confidential, belonging to wolkvox, with third parties, may only be conducted if and only if the CEO of wolkvox authorizes its delivery (in writing), and always under the previous establishment of an agreement (agreement or contract), including a confidentiality and non-disclosure clause of the provided information.

The exchange of electronic information classified as Confidential must be carried out through encrypted channels to guarantee the protection of the information’s confidentiality and comply with the cryptographic controls policy (See Information Security Policy, section 6.10). This should be recorded in the agreements or exchange of information agreements signed by the parties.

The exchange of Confidential information belonging to wolkvox in physical formats must be properly labeled. The exchange should be carried out in a sealed envelope when sending it to third parties.

For the transportation of physical media containing sensitive information, a delivery and receipt log must be generated. These media should be transported in a container that protects the asset from environmental threats.

4.5. Information exchange via email from the Company. All information sent from wolkvox through email must include the following disclaimer in its footer:

“This email message is intended solely for the use of the intended recipient(s) and may contain confidential, restricted, or internal use information of wolkvox. As the recipient, you are not allowed to independently share this information with others. You must obtain prior authorization from the information sender before sharing. If you are not the intended recipient, any disclosure, dissemination, distribution, copying, or action taken based on the information herein is prohibited. Emails are not secure by default, and we cannot guarantee they are free from errors, as they may be intercepted, altered, or contain viruses. Anyone communicating with Microsyslabs via email is deemed to have accepted these risks. If you have received this message in error, please notify the sender and delete it immediately. Any retention, dissemination, distribution, or copying of this message by someone other than the intended recipient is prohibited and may be subject to legal action.”

4.6. Exchange of information via chat (web, WhatsApp and others). Any exchange of electronic information through the channels mentioned herein shall consider the definitions already established in 4.1 to 4.4. Therefore, the directors of these areas shall identify and ensure the classification guidelines of the information assets that may be exchanged through these channels, after which the measures to ensure the confidentiality and integrity of such information assets established in these Policies shall be followed. Access credentials to wolkvox applications may not be transferred through these channels. In case this exchange is required, the e-mail channel or direct call will be used.

4.7. Secure processes for sending information associated with customer data collected in wolkvox solutions must be provided, and the customer must express the need to maintain a copy of such data in their own storage systems or third-party contracted systems. The permitted mechanisms for information transfer will be Rsync (remote synchronization) and AWS S3 (Amazon Web Services). The Infrastructure department must document these procedures, ensuring security principles in client authentication and data transport over the internet to the configured destination, with encryption in accordance with the policies established in section 6.10 of the Information Security Policies.

4.8. The processes of uploading databases to wolkvox solutions by our customers and obtaining reports on interactions managed through wolkvox solutions must always be carried out following Security Policy section 6.3, as well as the procedures for access management and secure data transport to and from the Manager component (section 6.10 of the Information Security Policies).

4.9. Review. This policy document must be reviewed at least once a year by the Information Security Steering Committee, or earlier when it becomes evident that the defined policies need to be reviewed and/or adjusted to ensure the confidentiality, integrity, and availability of the company’s information assets.

Non-compliance with the Information Transfer Policy will result in legal consequences as per the regulations of the Company, including those established in the laws of the national and territorial Government of Colombia, and the countries where customers consuming the offered technologies are located, regarding Information Security and Privacy.