Information Security Policy
Public version
Effective Date: 01 July 2025
Owner: Chief Information Security Officer (CISO)
Applies To: All employees, contractors, and systems of Advntg.AI
ISO 27001 & SOC 2 Mapping
ISO 27001 Annex A Controls
- A.5 – Information Security Policies
  - Establishing and maintaining policies to provide management direction and support for information security.
- A.6 – Organization of Information Security
  - Defining and assigning information security roles and responsibilities (e.g., CISO, Cybersecurity Team, HR, Department Heads).
- A.7 – Human Resource Security
  - Addressing security requirements during employee onboarding, employment, and termination.
- A.8 – Asset Management
  - Maintaining inventories of information assets and assigning ownership and handling rules.
- A.9 – Access Control
  - Enforcing the principle of least privilege, authentication standards, MFA, and access reviews.
- A.12 – Operations Security
  - Implementing operational procedures, malware protection, logging, and monitoring.
- A.13 – Communications Security
  - Protecting information in networks and during transfer, including encryption in transit and at rest.
- A.15 – Supplier Relationships
  - Defining and monitoring security requirements for vendors and third parties.
- A.16 – Information Security Incident Management
  - Establishing processes for incident reporting, escalation, and resolution.
- A.18 – Compliance
  - Ensuring adherence to relevant legal, regulatory, and contractual obligations.
SOC 2 Trust Services Criteria (TSC)
- Security (CC1.x, CC6.x, CC7.x)
  - Establishing governance, risk management, and logical access controls; detecting and responding to incidents.
- Availability (A1.x)
  - Maintaining systems and processes to meet availability commitments.
- Confidentiality (C1.x)
  - Protecting confidential and proprietary information from unauthorized access and disclosure.
- Processing Integrity (PI1.x) (if applicable)
  - Ensuring system processing is complete, valid, accurate, timely, and authorized.
- Privacy (P1.x) (if applicable)
  - Collecting, using, retaining, disclosing, and disposing of personal information in accordance with commitments.
Table of Contents
1. Purpose
2. Scope
3. Information Security Objectives
4. Roles and Responsibilities
4.1. Information Security Team: Risk Function and Information Technology Security (ISO) Function
4.2. Functional Responsibilities beyond Information Security Team
4.2.1. Cybersecurity Team
4.2.2. Other Technical Teams
4.2.3. Other Employees, Contractors, Consultants and Third-Party Vendors
4.3. Segregation of Duties
4.4. Executive Governance and C-Level Roles in Information Security
5. Risk Management
6. Technology Asset Management
7. Acceptable Use of Information Technology
8. Information Classification & Handling
9. Access Control
10. Security
10.1. Security in general
10.2. Employees’ Security
10.3. Systems Security
10.4. Encryption
10.5. AI Training Security
10.6. Operations Security
10.7. Vulnerability Management
11. Incident Response and Disaster Recovery
12. Compliance & Audits
13. Enforcement
| Version | Date | Made By | Approved By | Comments |
|---------|------|---------|-------------|----------|
| 1.0 | 01 July 2025 | CISO | CEO | n/a |
1. Purpose
The purpose of this Advntg.AI (hereinafter – the “Company”) policy is to establish security requirements and responsibilities to protect the confidentiality, integrity, and availability of advntg.ai’s systems, services, data, and customer information, including data processed by our AI and advertising technologies.
The Company may, based on its individual business needs and specific legal requirements, exceed the security requirements put forth in this document, but must, at a minimum, achieve the security levels required by this policy.
This Policy acts as an umbrella document to all other security policies and associated standards. This policy defines the responsibility to:
- protect and maintain the confidentiality, integrity and availability of information and related infrastructure assets;
- manage the risk of security exposure or compromise;
- assure a secure and stable information technology (IT) environment;
- identify and respond to events involving information asset misuse, loss, or unauthorized disclosure;
- monitor systems for anomalies that might indicate compromise; and
- promote and increase the awareness of information security.
This policy shall define a framework that will assure appropriate measures are in place to protect the confidentiality, integrity, and availability of data; and assure staff and all other affiliates understand their role and responsibilities, have adequate knowledge of security policy, procedures and practices and know how to protect information.
2. Scope
This Policy applies to all the Company’s computer systems and facilities, including those managed on the Company’s behalf by third parties. In particular, this Policy applies to:
- All employees, contractors, and third-party vendors
- All information systems, devices, and applications managed by the Company
- All data handled by the Company, including personal data, client data, and proprietary information.
The information systems, devices, and applications and the data handled by the Company shall be referred to collectively as the Technology Assets. More specifically, the Technology Assets may include, but are not limited to:
- Bluetooth
- Cameras
- Data
- Email
- External drives
- Freeware/Shareware
- Cloud Infrastructure, including Websites
- Cloud storage
- Internal Network
- Message boards and blogs
- Passwords
- Password cracking software
- Personal Information
- Phones
- Physical security elements
- Printers
- Remote access fixtures
- Scanners
- Social networks instances
- USB drives
- Wireless devices.
Violations of this Policy may be subject to disciplinary action up to and including termination of employment. In addition, when circumstances warrant, breaches of security and failure to comply with this Policy will be referred to external law enforcement when appropriate. Users who discover a violation of this Policy must promptly notify their manager, Human Resources or the Help Desk. Business partners and managed service providers should report any violation of this Policy to their designated point of contact.
3. Information Security Objectives
The Company is committed to maintaining a mature, risk-driven information security program that supports its mission, operations, and client trust. To achieve this, the Company will pursue the following objectives:
- Protection of Information Assets
Protect all data, whether customer, employee, or proprietary, against unauthorized access, alteration, destruction, loss, or disclosure through a layered defense strategy, including encryption, access controls, monitoring, and physical safeguards.
- Assurance of Integrity, Confidentiality, and Availability (CIA)
Ensure that systems, networks, and information remain accurate, reliable, and available to authorized users, even in the face of security incidents, system failures, or disasters.
- Regulatory and Contractual Compliance
Adhere to all applicable laws, regulations, and industry standards, including but not limited to GDPR, CCPA, CPRA, and other global privacy and security frameworks, while also honoring all contractual security obligations to clients and partners.
- Risk Management and Continuous Improvement
Identify, assess, and mitigate risks to the Company's information assets and systems on a continual basis, integrating risk management into strategic and operational decision-making and fostering a culture of ongoing improvement.
- Responsible AI and Data Ethics
Implement artificial intelligence and machine learning solutions in a manner that safeguards privacy, minimizes bias, and incorporates appropriate security and ethical controls, ensuring all automated processing supports fairness, transparency, and accountability.
- Incident Preparedness and Resilience
Maintain documented and tested incident response and business continuity plans to ensure swift detection, containment, and recovery from security events, minimizing impact to operations and clients.
- Security Awareness and Culture
Promote a culture of security through mandatory training, awareness campaigns, and leadership support, ensuring that all employees and contractors understand their roles in protecting the Company's information and systems.
4. Roles and Responsibilities
4.1. Information Security Team: Risk Function and Information Technology Security (ISO) Function
Information security requires (i) an information risk management function and (ii) an information technology security function.
Depending on the Company’s structure, such functions may be performed separately by different individuals or groups, or performed jointly by the same individual or group. These functions must be performed by a high-level executive or a group that includes high-level executives.
Therefore, first, the Company shall appoint a Chief Risk Officer to be responsible for the risk management function, assuring that:
- risk-related considerations for information assets and individual information systems, including authorization decisions, are viewed from an enterprise-wide perspective with regard to the overall strategic goals and objectives of carrying out its core missions and business functions;
- the management of information assets and information system-related security risks is consistent, reflects the risk tolerance, and is considered along with other types of risks, to ensure mission/business success;
- any relevant risks are promptly and properly identified, registered in relevant risk registers and assessments, and the relevant mitigation measures are identified and managed;
- additionally, the Chief Risk Officer shall advise the Company on security risks and compliance obligations, participate in security audits and oversee the vendor and third-party assessments.
And, second, the Company shall appoint a Chief Information Security Officer to be responsible for evaluating and advising on information security risks, assuring that:
- Security controls (technical, administrative, and physical) are effectively implemented to protect the confidentiality, integrity, and availability of Company systems, applications, and data, including AI and advertising systems;
- Information security risks identified by the Risk Management Function are analyzed, prioritized, and addressed through appropriate safeguards, monitoring, and mitigation strategies;
- The Company maintains a comprehensive security program aligned with recognized standards (ISO 27001, SOC 2) and complies with applicable laws and regulations (e.g., GDPR, CCPA);
- Security monitoring and incident response capabilities are established, tested, and regularly reviewed to detect, respond to, and recover from threats;
- Security awareness and training programs are developed and delivered to all employees and contractors to ensure proper understanding of responsibilities; and
- The CISO provides regular reporting to the executive team and board on the Company’s security posture, incidents, and emerging risks.
The Chief Risk Officer’s team and the CISO’s team are collectively referred to as the Information Security Team.
4.2. Functional Responsibilities beyond Information Security Team
This chapter relates to the responsibilities of the groups outside the Information Security Team. This includes:
- Cybersecurity Team;
- Other Technical Teams of the Company;
- Other Employees, Contractors, Consultants and Third-Party Vendors of the Company.
4.2.1. Cybersecurity Team
Cybersecurity Team is responsible for:
- providing in-house expertise as security consultants as needed;
- developing the security program and strategy, including measures of effectiveness;
- establishing and maintaining enterprise information security policy and standards;
- assessing compliance with security policies and standards;
- advising on secure system engineering;
- providing incident response coordination and expertise;
- monitoring infrastructures for anomalies;
- monitoring external sources for indications of data breaches, defacements, etc.;
- maintaining ongoing contact with security groups/associations and relevant authorities;
- providing timely notification of current threats and vulnerabilities;
- providing awareness materials and training resources;
- maintaining familiarity with business functions and requirements;
- maintaining an adequate level of current knowledge and proficiency in information security through annual Continuing Professional Education (CPE) credits directly related to information security;
- assessing compliance with information security policies and legal and regulatory information security requirements;
- evaluating and understanding information security risks and how to appropriately manage those risks;
- representing and assuring security architecture considerations are addressed;
- advising on security issues related to procurement of products and services;
- escalating security concerns that are not being adequately addressed according to the applicable reporting and escalation procedures;
- disseminating threat information to appropriate parties;
- participating in the response to potential security incidents;
- participating in the development of enterprise policies and standards that considers the Company’s needs; and
- promoting information security awareness.
4.2.2. Other Technical Teams
Other Technical Teams of the Company are responsible for:
- supporting security by providing clear direction and consideration of security controls in the data processing infrastructure and computing network(s) which support the information owners;
- providing resources needed to maintain a level of information security control consistent with this policy;
- identifying and implementing all processes, policies and controls relative to security requirements defined by the business and this policy;
- implementing the proper controls for information owned based on the classification designations;
- providing training to appropriate technical staff on secure operations (e.g., secure coding, secure configuration);
- fostering the participation of information security and technical staff in protecting information assets, and in identifying, selecting and implementing appropriate and cost-effective security controls and procedures; and
- implementing business continuity and disaster recovery plans.
4.2.3. Other Employees, Contractors, Consultants and Third-Party Vendors
Other Employees, Contractors, Consultants and Third-Party Vendors of the Company are responsible for:
- keeping up to date with this policy and related procedures and standards, understanding the baseline information security controls necessary to protect the confidentiality, integrity and availability of information entrusted;
- protecting information and resources from unauthorized use or disclosure;
- protecting personal, private, sensitive information from unauthorized use or disclosure;
- abiding by Acceptable Use of Information requirements and this Policy and related procedures and standards, and reporting suspected information security events, incidents or weaknesses to the relevant manager and CISO;
- in the case of employees occupying a strategic and/or executive position at the Company:
  - ensuring compliance with this policy by their subordinates;
  - evaluating and accepting risk on behalf of the Company;
  - identifying information security responsibilities and goals and integrating them into relevant processes;
  - supporting the consistent implementation of information security policies and standards;
  - supporting security through clear direction and demonstrated commitment of appropriate resources;
  - promoting awareness of information security best practices through the regular dissemination of materials provided by the ISO/designated information security representative;
  - implementing the process for determining information classification and categorization, based on industry recommended practices, organization directives, and legal and regulatory requirements, to determine the appropriate levels of protection for that information;
  - implementing the process for information asset identification, handling, use, transmission, and disposal based on information classification and categorization;
  - determining who will be assigned and serve as information owners while maintaining ultimate responsibility for the confidentiality, integrity, and availability of the data;
  - participating in the response to security incidents;
  - complying with notification requirements in the event of a breach of private information;
  - adhering to specific legal and regulatory requirements related to information security;
  - communicating legal and regulatory requirements to the ISO/designated security representative; and
  - communicating requirements of this policy and the associated standards, including the consequences of non-compliance, to the employees and third parties, and addressing adherence in third party agreements.
4.3. Segregation of Duties
- To reduce the risk of accidental or deliberate system misuse, separation of duties and areas of responsibility must be implemented where appropriate.
- Whenever separation of duties is not technically feasible, other compensatory controls must be implemented, such as monitoring of activities, audit trails and management supervision.
- The audit and approval of security controls must always remain independent and segregated from the implementation of security controls.
4.4. Executive Governance and C-Level Roles in Information Security
Information Security requires direct involvement and oversight from multiple C-level executives to ensure comprehensive risk management, compliance, and alignment with business objectives. The following executives are designated with specific roles and responsibilities:
1. Chief Executive Officer (CEO)
- Provides overall sponsorship and ensures information security aligns with corporate strategy and objectives.
- Approves the Information Security Policy and allocates sufficient resources to support security initiatives.
2. Chief Information Security Officer (CISO)
- Owns and maintains the Information Security Policy.
- Leads the Information Technology Security Function, ensuring effective implementation of technical, administrative, and physical security controls.
- Oversees incident response, security monitoring, and compliance with standards (ISO 27001, SOC 2, GDPR, CCPA).
3. Chief Risk Officer (CRO)
- Leads the Information Risk Management Function to ensure information security risks are identified, documented, prioritized, and managed alongside other enterprise risks.
- Maintains the Risk Register and reports findings and recommendations to the executive team and board.
- Carries out regular security risk assessments.
4. Chief Technology Officer (CTO)
- Ensures security is embedded into all technology architectures and product development processes.
- Oversees secure software development lifecycle (SSDLC) practices across engineering and development teams.
- Manages all technical teams, including Cybersecurity Team.
5. Chief Legal Officer (CLO), acting also as Chief Compliance Officer
- Ensures the Information Security Policy meets all relevant legal and regulatory requirements (GDPR, CCPA, CPRA, HIPAA, etc.).
- Advises on breach notification obligations and oversees reporting to regulators and affected stakeholders.
6. Chief Financial Officer (CFO)
- Approves budgets for cybersecurity initiatives, tools, audits, and insurance coverage.
- Assesses financial risks associated with cybersecurity incidents and risk transfer strategies.
7. Data Privacy Officer (DPO)
- Oversees data governance and privacy functions, ensuring personal and sensitive data is handled lawfully and ethically.
- Works with the CISO to implement robust data protection measures and privacy controls.
These executives collectively form the Information Security Steering Committee, meeting at least quarterly to review risk assessments, audit findings, major incidents, and the Company’s strategic security roadmap.
5. Risk Management
The Company must ensure that risk management processes are managed in alignment with the Company’s strategy, observing regulatory, legal, environmental, technological, and operational requirements. For that it shall:
- Consider vulnerabilities, threat sources, and security controls that are planned or in place, to ensure proper information security risk management.
- Develop, document, and maintain risk management processes and regularly review them to ensure they remain effective and relevant and that all stakeholders are aware of their responsibilities and the steps to be taken to protect the organization's information and assets.
- Make sure that the risk management process remains iterative and is followed throughout a system’s or process’s life cycle.
- Monitor the effectiveness of its risk response measures, by verifying that the controls put in place are implemented correctly and operating as intended. This must occur annually, at a minimum.
- Ensure that any system or process that supports business functions is managed for information risk and undergoes information risk assessments, at a minimum annually, as part of its life cycle.
- Require Information security risk assessments for any new projects, implementations of new technologies, significant changes to the operating environment, or in response to the discovery of a significant vulnerability.
- Select the risk assessment approach it will use based on its needs, applicable laws and regulations as well as applicable policies.
- Document all risk assessment results, and the decisions made based on these results to support further reviews and other related actions.
In order to identify, assess and mitigate Vendor Risks, i.e. the risks that may arise from the use of external third parties such as suppliers, contractors and service providers, the Company must protect its assets, reputation and compliance posture by ensuring that third parties comply with the organization's policies and standards, as well as relevant laws and regulations. To do so, it must:
- Identify third parties that pose a potential risk to the organization.
- Evaluate the risks associated with each third party, taking into account factors such as the sensitivity of the data processed, the nature of the services provided and the geographic location of the third party.
- Perform due diligence on third parties and suppliers before entering into a relationship with them, in order to identify potential risks, including assessing information security maturity, and allow the organization to mitigate them.
- Include specific provisions related to information security, privacy of personal data and other protection mechanisms in contracts with third parties and suppliers, in order to manage the risks associated with the relationship with the Company. Where applicable, service contracts shall require the third party or vendor to maintain insurance coverage.
- Monitor the performance of third parties to ensure they are in compliance with the organization's policies and standards, identify potential risks and allow the Company to take timely measures to mitigate them.
- Establish clear lines of communication and procedures to escalate issues to stakeholders to ensure risks are identified and addressed in a timely manner.
- Include contract clauses that allow the Company to immediately terminate the relationship with a third party or supplier in the event of a breach or other event related to information security.
6. Technology Asset Management
The Company must ensure that Technology Assets are inventoried and configured in compliance with this Information Security Policy and other standards and procedures. To this end it shall:
- Develop, document, and maintain under configuration control, a current baseline configuration of information systems.
- Review and update the baseline configuration of the information system when required and as an integral part of information system component installations and upgrades. Periodic review must occur annually, at a minimum.
- Develop, document, and maintain a configuration change control process to determine the types of changes to the information system that are configuration-controlled.
- Develop, document, and maintain a security impact analysis process to analyze changes to the information system to determine potential security impacts prior to change implementation.
- Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.
- Establish and document configuration settings for information technology products employed within the information system that reflect the most restrictive mode consistent with operational requirements.
- Monitor and control changes to the configuration settings in accordance with policies and procedures.
- Configure the information system to provide only essential capabilities.
- Review the information system periodically to identify unnecessary and/or unsecure functions, ports, protocols and services.
- Review and update the list of unauthorized software programs annually.
- Develop and document an inventory of information system components that:
  - Reflects the current information system accurately.
  - Includes all components within the authorization boundary of the information system.
  - Is at the level of granularity deemed necessary for tracking and reporting.
  - Includes information deemed necessary to achieve effective information system component accountability.
- Review and update the information system component inventory when necessary and/or periodically. Periodic review must occur every 2 years, at a minimum.
- Update the inventory of information system components as an integral part of component installations, removals, and information system updates.
- Employ automated mechanisms, including regular scanning, to detect the presence of unauthorized hardware, software, and firmware components within the information system.
- Dispose of IT assets properly when they are no longer needed or when they have reached the end of their useful life, so that information belonging to the Company is not discarded together with said assets.
7. Acceptable Use of Information Technology
The Company notes that the appropriate organizational use of information and its Technology Assets and the effective security of these assets requires the participation and support of all Company’s employees, contractors, consultants and third-party vendors. Improper use exposes the organization to potential risks, including virus attacks, compromised systems and network services, and legal issues.
All uses of information and Technology Assets must comply with Company’s policies, standards, procedures, and guidelines, as well as any applicable laws and regulations.
Consistent with the foregoing, the acceptable use of information and Technology Assets encompasses the following duties:
- Understanding the baseline information security controls necessary to protect the confidentiality, integrity, and availability of information;
- Protecting organizational information and resources from unauthorized use or disclosure;
- Protecting personal, private, sensitive, or confidential information from unauthorized use or disclosure;
- Observing authorized levels of access and utilizing only approved Technology Assets; and
- Immediately reporting suspected information security incidents or weaknesses to the appropriate manager and the Chief Information Security Officer (CISO).
Reinforcing the commitment to the proper use of Company’s Technology Assets, the following is considered unacceptable use:
- Unauthorized use or disclosure of personal, private, sensitive, and/or confidential information;
- Unauthorized use or disclosure of Company’s information and resources;
- Distributing, transmitting, posting, or storing any electronic communications, material or correspondence that is threatening, obscene, harassing, pornographic, offensive, defamatory, discriminatory, inflammatory, illegal, or intentionally false or inaccurate;
- Attempting to represent the organization in matters unrelated to official authorized job duties or responsibilities;
- Connecting and using personally owned or unapproved devices on the organization’s network or any Technology Asset;
- Connecting organizational Technology Assets to unauthorized networks;
- In case of using remote access:
  - Connecting to any wireless network while physically connected to the organization’s wired network;
- Installing, downloading, or running software that has not been approved following appropriate security, legal, and/or IT review in accordance with organizational policies;
- Using an organization’s Technology Assets to circulate unauthorized solicitations or advertisements for non-organizational purposes including religious, political, or not-for-profit entities;
- Providing unauthorized third parties, including family and friends, access to the Company’s Technology Assets, information, resources or facilities;
- Using organization Technology Assets for commercial or personal purposes, linked with "for-profit" activities or supporting outside business activity (e.g., consulting for pay, business transactions);
- Propagating chain letters, fraudulent mass mailings, spam, or other types of undesirable and unwanted email content using organizational Technology Assets; and
- Tampering with, disengaging, or otherwise circumventing any Company’s or third party’s information technology security controls.
Other actions should be considered to ensure security and compliance regarding the use of Company’s resources, such as:
- Individual accountability.
Everyone is responsible for protecting against unauthorized activities performed under their user ID. This includes locking your computer screen when you walk away from your system, and protecting your credentials (e.g., passwords, tokens or similar technology) from unauthorized disclosure. Credentials must be treated as confidential information and must not be disclosed or shared.
- Limitation of the use of third-party and personal technology assets.
Users must not transmit restricted organization, non-public, personal, private, sensitive, or confidential information to or from personal email accounts (e.g., Gmail, Hotmail, Yahoo) or use a personal email account to conduct the organization’s business unless explicitly authorized. Users must only store restricted organizational, non-public, personal, private, sensitive, or confidential information on an organizational issued device, or with a third-party file storage service that has been approved for such storage by the organization.
- Physical security.
Devices that contain the Company’s information must always be attended or physically secured and must not be left without physical security or surveillance, for example when provided to third parties, stored with third parties, or checked in with a transportation carrier’s luggage system.
- Immediate return of equipment upon termination.
Users are routinely assigned or given access to IT equipment in connection with their official duties. This equipment belongs to the organization and must be immediately returned upon request or at the time an employee is separated from the organization. Users may be financially responsible for the value of equipment assigned to their care if it is not returned to the organization. Should IT equipment be lost, stolen or destroyed, users are required to provide a written report of the circumstances surrounding the incident. Users may be subject to disciplinary action which may include repayment of the replacement value of the equipment. The organization has the discretion to not issue or re-issue IT devices and equipment to users who repeatedly lose or damage IT equipment.
- Responsible use of social media.
In instances where users access social media sites on their own time utilizing personal technology assets, they must remain sensitive to expectations that they will conduct themselves in a responsible, professional, and secure manner regarding references to the Company and its staff.
- Privacy.
Users should respect the privacy of all the Company’s employees and must not post any identifying information about any staff member without permission (including, but not limited to, names, addresses, photos, videos, email addresses, and phone numbers). Users may be held liable for comments posted on social media sites.
- Password security.
Users are strongly discouraged from using the same passwords in their personal use of social media sites as those used on the Company’s devices and Technology Assets, to prevent unauthorized access to resources if the password is compromised.
- Security of the Company’s social media accounts.
For cases where there is use of social media within the scope of official duties, the accounts used to manage the Company’s presence on social media are privileged accounts and must be treated as such. These accounts are for official use only and should not be used for personal use. Privileged account passwords must follow information security standards, be unique on each site, and must not be the same as passwords used to access other Technology Assets.
8. Information Classification & Handling
To ensure the proper protection of Company’s information, it is necessary that the information be immediately classified according to the importance and potential impact it represents for the Company’s business. The Company uses the following categories:
Public - Public information is information that is defined as public by force of law, or that has been duly authorized for external disclosure. In general, this is information available to the public or accessible through public consultation, such as press releases, announcements of events and lectures, and advertising materials. The disclosure of this type of information does not cause harm to the Company, to the holders of personal data, or to customers, suppliers or other third parties involved with the Company. Public information may only be changed by Collaborators when authorized by the relevant Information Manager.
Internal - Information for internal use is information that concerns matters relevant exclusively to the internal sphere of the Company and is used exclusively by internal Employees or duly authorized third parties and partners. Misuse of this information may cause damage or medium-level institutional impacts to the Company. It includes documents produced in the Company’s daily operations, such as lists of suppliers, sales information and invoices. Information for internal use may only be disclosed to third parties in strictly necessary and previously authorized situations, such as to comply with legal or contractual obligations.
Restricted – Restricted information is information that, due to its nature, must be limited to specific and previously authorized Employees. Such information, if disclosed internally or externally, has the potential to cause serious harm to the holders of personal data or to customers, suppliers or other third parties involved with the Company. In general, this is information related to the Company’s business secrets (including budgets, new products, strategic projects and customer lists), sensitive personal data of Employees, internal sanctions applied to Employees, or judicial or administrative proceedings. Such information must be kept internally and disclosed to other Collaborators or third parties only in strictly necessary situations, and only where those individuals are part of the previously authorized group of people.
Highly confidential – Use of highly confidential information is restricted to a limited number of previously authorized Employees in senior management positions at the Company, for the purpose of carrying out their relevant duties. It includes long-term business strategies, ongoing critical business negotiations and the results of internal audits, among others. The disclosure of this type of information can cause the most serious damage and harm to the holders of personal data or to customers, suppliers or other third parties involved with the Company, such as loss of competitive advantage, damage to image, loss of business and customers, administrative sanctions and judicial proceedings. Such information must be maintained internally and restricted only to authorized employees.
Based on the three principles of security, 1) confidentiality, 2) integrity and 3) availability, information can be classified under each principle as low, moderate or high impact. The corresponding levels of adverse effect are defined as limited, serious, and severe or catastrophic.
| Category | Impact | Definition |
| --- | --- | --- |
| Public / Internal use | Low | The potential impact is low if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals. |
| Restricted | Moderate | The potential impact is moderate if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries. |
| Highly confidential | High | The potential impact is high if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries. |
By unifying the three principles of security with the categories and potential impacts, we obtain the Information Asset Classification Matrix:
| | LOW | MODERATE | HIGH |
| --- | --- | --- | --- |
| CONFIDENTIALITY (consider the impact of unauthorized disclosure) | The unauthorized disclosure of information could be expected to have limited or no impact on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious impact on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic impact on organizational operations, organizational assets, or individuals. |
| INTEGRITY (consider the impact of unauthorized modification or destruction) | The unauthorized modification or destruction of information could be expected to have limited or no impact on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious impact on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a severe or catastrophic impact on organizational operations, organizational assets, or individuals. |
| AVAILABILITY (consider the impact of untimely or unreliable access to information) | The disruption of access to or use of information or an Information System could be expected to have limited or no impact on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an Information System could be expected to have a serious impact on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an Information System could be expected to have a severe or catastrophic impact on organizational operations, organizational assets, or individuals. |
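As an added example (not part of the policy text), the matrix can be applied mechanically to an asset inventory. The code below rates each asset under each principle and takes the highest rating as the asset's overall level, then maps that level to the category names used above. The high-water-mark rule, the `Asset` fields and the sample inventory are assumptions made for illustration; the policy itself states only the per-principle ratings.

```python
"""Derive an asset's handling category from its CIA impact ratings.

Added example, not part of the Company's policy. The high-water-mark rule
(an asset is rated at the highest of its three impact levels) is an
assumption; the policy's matrix gives the per-principle ratings only.
"""
from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Impact levels from the matrix, ordered so max() picks the worst case."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Impact level -> category, as in the category table above.
CATEGORY_FOR_IMPACT = {
    Impact.LOW: "Public / Internal use",
    Impact.MODERATE: "Restricted",
    Impact.HIGH: "Highly confidential",
}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str            # information owner determined by management
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def overall_impact(asset: Asset) -> Impact:
    """High-water mark: the worst of the three principle ratings (assumption)."""
    return max(asset.confidentiality, asset.integrity, asset.availability)


def classify(asset: Asset) -> str:
    """Map the overall impact level to the policy category."""
    return CATEGORY_FOR_IMPACT[overall_impact(asset)]


def driving_principles(asset: Asset) -> list:
    """Which principle(s) set the overall rating; this tells you which controls matter."""
    worst = overall_impact(asset)
    return [p for p in ("confidentiality", "integrity", "availability")
            if getattr(asset, p) == worst]


def group_by_category(assets: list) -> dict:
    """Group asset names by category so controls can be applied per group."""
    groups = defaultdict(list)
    for asset in assets:
        groups[classify(asset)].append(asset.name)
    return dict(groups)


# Constructed sample inventory (not real Company assets).
INVENTORY = [
    Asset("cafeteria-menu", "Facilities", Impact.LOW, Impact.LOW, Impact.LOW),
    Asset("press-releases", "Communications", Impact.LOW, Impact.MODERATE, Impact.LOW),
    Asset("supplier-list", "Procurement", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    Asset("customer-db", "Sales", Impact.HIGH, Impact.HIGH, Impact.MODERATE),
    Asset("public-website", "Marketing", Impact.LOW, Impact.HIGH, Impact.HIGH),
]

if __name__ == "__main__":
    for asset in INVENTORY:
        print(f"{asset.name:16s} {classify(asset):22s} driven by {driving_principles(asset)}")
```

Note what the matrix does to public data: press releases carry no confidentiality impact, but a moderate integrity impact (a tampered release) puts them in the Restricted row, and a public website whose integrity and availability impact is high lands in the High row. The row expresses the level of protection the asset needs, not how secret it is, which is why `driving_principles` is worth reporting alongside the category.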
The information classification process must include the following:
- Identification of information assets;
- Classification of information assets by category, considering confidentiality, integrity, and availability (“CIA”); and
- Determining controls based upon the classification.
All information assets must be identified and, when possible, appropriately grouped for a more efficient application of security controls.
An information owner must be determined by a higher level of management. The information owner is responsible for determining the information’s classification, how and by whom the information will be used.
9. Access Control
- All employee account creation requests are to be submitted via a Help Desk ticket. The request must contain the employee’s full name, company/division, department, job title, manager, and any special authorizations, such as access to certain applications. If the request requires any application or special group access, the Help Desk will forward the ticket to the appropriate Business Administrator. The Business Administrator will approve the request.
- All third-party account creation requests are to be submitted via a Help Desk ticket from the manager of the department that owns this third-party relationship. This request must have (i) the request type, (ii) third party’s name, (iii) the reason for the requested access, (iv) specific resources needed, and (v) contact information.
- If the new account is related to a new Company’s employee, the IT department will designate a computer system that must fit the work-related processes.
- Any user changes and/or termination requests must be submitted via a Help Desk ticket.
- A member of the Help Desk department will modify, remove or disable access as appropriate.
- All accounts must have an individual employee or group assigned to be responsible for account management. This may be a combination of the business unit and information technology (IT).
- Access to the Company’s systems and network resources must be through individually assigned unique identifiers, known as user IDs.
- An authentication token (e.g., password, key fob, biometric) is associated with each user ID, which must be used to authenticate the identity of the person or system requesting access.
- Automated techniques and controls must be implemented to lock a session and require authentication or re-authentication after a period of inactivity for any system where authentication is required. Information on the screen must be replaced with publicly viewable information (e.g., screen saver, blank screen, clock) during the session lock.
- Automated techniques and controls must be implemented to terminate a session after specific conditions are met.
- Passwords used to authenticate a person or process must be treated as confidential and protected appropriately.
- Multi-factor authentication (MFA) is required for all admin and cloud accounts.
- Passwords must not be stored on paper, or in an electronic file, hand-held device or browser, unless they can be stored securely and the method of storing (e.g., password vault) has been approved by the CISO.
- Information owners are responsible for determining who should have access to protected resources within their jurisdiction, and what those access privileges should be (read, update, etc.).
- Access privileges will be granted in accordance with the user’s job responsibilities and will be limited only to those necessary to accomplish assigned tasks in accordance with the Company’s missions and business functions (least privilege).
- Users of privileged accounts must use a separate, non-privileged account when performing normal business transactions.
- Advance approval for any remote access connection must be granted by the Company. An assessment must be performed and documented to determine the scope and method of access, the technical and business risks involved and the contractual, process and technical controls required for such connection to take place.
- All remote connections must be made through managed points-of-entry reviewed by the CISO.
- Upon termination of any user, all accesses shall be revoked within 24 hours.
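The 24-hour revocation requirement is one that can be checked continuously rather than only at audit time. The following is an added example, not the Company's tooling: it joins a constructed HR offboarding feed against constructed identity-provider audit events and reports every user whose access outlived the window. The event formats, field names and the `account_disabled` action name are assumptions; a real check would read the HR system and the identity provider's audit log.

```python
"""Detect terminated users whose access was not revoked within 24 hours.

Added example, not the Company's tooling. Feeds and field names are
constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

REVOCATION_SLA = timedelta(hours=24)   # policy: revoke all access within 24 hours

# Constructed HR offboarding feed: (user_id, termination timestamp in UTC).
TERMINATIONS = [
    ("jdoe",   "2025-07-01T09:00:00Z"),
    ("asmith", "2025-07-01T17:30:00Z"),
    ("bwong",  "2025-07-02T08:00:00Z"),
]

# Constructed identity-provider audit events: (timestamp, user_id, action).
IAM_EVENTS = [
    ("2025-07-01T10:15:00Z", "jdoe",   "account_disabled"),   # 1.25 h: within SLA
    ("2025-07-03T09:00:00Z", "asmith", "account_disabled"),   # 39.5 h: late
    ("2025-07-02T09:00:00Z", "bwong",  "password_reset"),     # never disabled
]


def parse_ts(value: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used by the sample feeds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def first_disable_time(iam_events) -> dict:
    """Map user -> earliest 'account_disabled' event time."""
    disabled = {}
    for ts, user, action in iam_events:
        if action != "account_disabled":
            continue
        t = parse_ts(ts)
        if user not in disabled or t < disabled[user]:
            disabled[user] = t
    return disabled


def find_revocation_breaches(terminations, iam_events, now, sla=REVOCATION_SLA) -> list:
    """Return one finding per user whose access outlived the SLA.

    status 'late'        : account disabled, but after the deadline
    status 'not_revoked' : no disable event and the deadline has already passed
    A user still inside the window is not reported; there is nothing to act on yet.
    """
    disabled = first_disable_time(iam_events)
    findings = []
    for user, term_ts in terminations:
        term_t = parse_ts(term_ts)
        deadline = term_t + sla
        if user in disabled:
            if disabled[user] > deadline:
                delay = disabled[user] - term_t
                findings.append({"user": user, "status": "late",
                                 "delay_hours": delay.total_seconds() / 3600})
        elif now > deadline:
            delay = now - term_t
            findings.append({"user": user, "status": "not_revoked",
                             "delay_hours": delay.total_seconds() / 3600})
    return findings


if __name__ == "__main__":
    now = parse_ts("2025-07-04T00:00:00Z")
    for f in find_revocation_breaches(TERMINATIONS, IAM_EVENTS, now):
        print(f"{f['user']}: {f['status']} ({f['delay_hours']:.1f} h after termination)")
```

Run this on a schedule with `now` set to the current time: a `late` finding is evidence for the access-review record, and a `not_revoked` finding is an open exposure that should page the Help Desk. Users whose deadline has not yet passed are deliberately left out so the report only lists actionable items.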
10. Security
10.1. Security in general
- Information processing and storage facilities must have a defined security perimeter and appropriate security barriers and access controls.
- All employees and consultants are required to present their identification badge when entering the Company’s buildings and offices. Once inside the building, their ID badge must be visibly worn.
- A periodic risk assessment must be performed for information processing and storage facilities to determine whether existing controls are operating correctly and if additional physical security measures are necessary. These measures must be implemented to mitigate the risks.
- Information technology equipment must be physically protected from security threats and environmental hazards. Special controls may also be necessary to protect supporting infrastructure and facilities such as electrical supply and cabling infrastructure.
- All information technology equipment and information media must be secured to prevent compromise of confidentiality, integrity, or availability in accordance with the classification of information contained therein.
- Visitors to information processing and storage facilities, including maintenance personnel, must be escorted at all times.
10.2. Employees’ Security
- The employees must receive general security awareness training, to include recognizing and reporting insider threats, within 30 days of hire.
- Additional training on specific security procedures, if required, must be completed before access is provided to specific Company sensitive information not covered in the general security training.
- All security training must be reinforced at least annually and must be tracked by The Company.
- The Company must require its employees to abide by the acceptable-use rules for information technology resources described in this Policy, and must establish an auditable process for tracking their acknowledgement of the requirements herein.
- All job positions must be evaluated by Cybersecurity Team to determine whether they require access to sensitive information and/or sensitive information technology assets.
- The Company must conduct employee suitability evaluations prior to hiring, following the Personnel Screening Policy in place. The suitability determination must provide reasonable grounds for the Company to conclude that an individual will likely be able to perform the required duties and responsibilities of the subject position without undue risk to the Company.
10.3. Systems Security
Systems include but are not limited to servers, platforms, networks, communications, databases and software applications.
The following measures shall be implemented for the purpose of maintaining the security of all Systems of the Company:
- An individual or group must be assigned responsibility for maintenance and administration of any system deployed on behalf of The Company. A list of assigned individuals or groups must be centrally maintained.
- Security must be considered at system inception and documented as part of the decision to create or modify a system.
- All systems must be developed, maintained and decommissioned in accordance with a secure system development lifecycle (SSDLC).
- Each system must have a set of controls commensurate with the classification of any data that is stored on or passes through the system.
- All system clocks must synchronize to a centralized reference time source set to UTC (Coordinated Universal Time) which is itself synchronized to at least three synchronized time sources.
- Environments and test plans must be established to validate the system works as intended prior to deployment in production.
- Separation of environments (e.g., development, test, quality assurance, production) is required, either logically or physically, including separate environmental identifications (e.g., desktop background, labels).
- Formal change control procedures for all systems must be developed, implemented and enforced. At a minimum, any change that may affect the production environment and/or production data must be included.
- Databases and Software (including in-house or third-party developed software and commercial off-the-shelf (COTS) software):
- All software written for or deployed on systems must incorporate secure coding practices, to avoid the occurrence of common coding vulnerabilities and to be resilient to high-risk threats, before being deployed in production.
- Once test data is developed, it must be protected and controlled for the life of the testing in accordance with the classification of the data.
- Production data may be used for testing only if a business case is documented and approved in writing by the information owner and the following controls are applied:
- All security measures, including but not limited to access controls, system configurations and logging requirements for the production data are applied to the test environment and the data is deleted as soon as the testing is completed; or
- Sensitive data are masked or overwritten with fictional information.
- Where technically feasible, development software and tools must not be maintained on production systems.
- Where technically feasible, source code used to generate an application or software must not be stored on the production system running that application or software.
- Scripts must be removed from production systems, except those required for the operation and maintenance of the system.
- Privileged access to production systems by development staff must be restricted.
- Migration processes must be documented and implemented to govern the transfer of software from the development environment up through the production environment.
- Network Systems:
- Connections between systems must be authorized by the executive management of Company and protected by the implementation of appropriate controls.
- All connections and their configurations must be documented and the documentation must be reviewed by the information owner and the CISO annually, at a minimum, to assure:
- the business case for the connection is still valid and the connection is still required; and
- the security controls in place (filters, rules, access control lists, etc.) are appropriate and functioning correctly.
- A network architecture must be maintained that includes, at a minimum, tiered network segmentation between:
- Internet accessible systems and internal systems;
- systems with high security categorizations (e.g., mission critical, systems containing PII) and other systems; and
- user and server segments.
- Network management must be performed from a secure, dedicated network.
- Authentication is required for all users connecting to internal systems.
- Network authentication is required for all devices connecting to internal networks.
- Firewalls must be implemented on all network segments, especially critical segments.
- Only authorized individuals or business units may capture or monitor network traffic.
- A risk assessment must be performed in consultation with the CISO before the initiation of, or significant change to, any network technology or project, including but not limited to wireless technology.
10.4. Encryption
- The need for encryption of information is based on its classification, risk assessment results, and use case.
- Use of outdated, cryptographically broken, proprietary encryption algorithms/hashing functions is prohibited.
- Electronic information used to authenticate the identity of an individual or process (i.e., PIN, password, passphrase) must be encrypted when stored, transported or transmitted. This does not include the distribution of a one-time use PIN, password, passphrase, token code, etc., provided it is not distributed along with any other authentication information (e.g., user-ID).
- A system’s security plan must include documentation to show appropriate review of encryption methodologies and products. This will demonstrate due diligence in choosing a method or product that has received substantial positive review by reputable third-party analysts.
- Encryption is required for data in the following situations:
- When electronic personally identifying information (PII) is transmitted (including, but not limited to, e-mail, File Transfer Protocol (FTP), instant messaging, e-fax, Voice Over Internet Protocol (VoIP), etc.).
- When encryption of data in transit is prescribed by law or regulation.
- When connecting to the internal network(s) over a wireless network.
- When remotely accessing the Company’s internal network(s) or devices over a shared (e.g., Internet) or personal (e.g., Bluetooth, infrared) network. This does not apply to remote access over a Company-managed point-to-point dedicated connection.
- When data is transmitted to or from the Company’s public-facing websites and/or web services, which must use Hypertext Transfer Protocol Secure (HTTPS) in lieu of Hypertext Transfer Protocol (HTTP) where technically feasible. Public-facing websites must use HTTP Strict Transport Security (HSTS), automatically redirecting HTTP requests to HTTPS, where technically feasible.
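The HTTPS/HSTS requirement can be verified from what a public endpoint actually returns. Below is an added example (not the Company's tooling) that evaluates captured responses: plain-HTTP URLs must answer with a redirect to an `https://` location, and HTTPS URLs must carry a `Strict-Transport-Security` header with a usable `max-age`. The observations are constructed samples of what a scanner would record; the finding names are my own, and a real run would obtain status and headers by fetching each URL.

```python
"""Check captured HTTP responses against the HTTPS + HSTS requirement.

Added example, not the Company's tooling. Observations are constructed;
header semantics follow RFC 6797 (HSTS).
"""

REDIRECT_CODES = {301, 302, 307, 308}


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value into its directives.

    Directive names are case-insensitive; max-age is an integer number of
    seconds. A malformed max-age is recorded as None so callers treat it as absent.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            try:
                directives["max-age"] = int(val)
            except ValueError:
                directives["max-age"] = None
        else:
            directives[name] = True
    return directives


def audit_response(url: str, status: int, headers: dict) -> list:
    """Return policy findings for one observed response; an empty list is compliant."""
    findings = []
    hdr = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if url.startswith("http://"):
        # Plain HTTP must redirect to HTTPS rather than serve content.
        if status not in REDIRECT_CODES:
            findings.append("http-served-content")
        elif not hdr.get("location", "").startswith("https://"):
            findings.append("http-redirect-not-https")
    elif url.startswith("https://"):
        hsts = hdr.get("strict-transport-security")
        if hsts is None:
            findings.append("hsts-missing")
        elif not parse_hsts(hsts).get("max-age"):
            # Absent, malformed, or zero: max-age=0 tells browsers to drop the policy.
            findings.append("hsts-max-age-invalid")
    else:
        findings.append("unknown-scheme")
    return findings


# Constructed observations: (url, status, headers). Hostnames are placeholders.
OBSERVATIONS = [
    ("http://www.example.test/", 301, {"Location": "https://www.example.test/"}),
    ("https://www.example.test/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("http://api.example.test/v1", 200, {"Content-Type": "application/json"}),
    ("https://api.example.test/v1", 200, {"Content-Type": "application/json"}),
    ("https://portal.example.test/", 200, {"Strict-Transport-Security": "max-age=0"}),
]


def audit_all(observations) -> dict:
    """url -> list of findings."""
    return {url: audit_response(url, status, headers) for url, status, headers in observations}


if __name__ == "__main__":
    for url, findings in audit_all(OBSERVATIONS).items():
        print(f"{url:32s} {'OK' if not findings else ', '.join(findings)}")
```

The policy's "where technically feasible" wording means findings are inputs to a risk decision, not automatic failures; the check's job is to make every exception visible so it is documented rather than forgotten.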
10.5. AI Training Security
- All training data and AI/ML models must be reviewed for security, privacy, and legal compliance prior to use. Reviews must ensure that no personal or sensitive data is used in a way that violates data protection laws or client agreements.
- Sensitive or personally identifiable information (PII) must be anonymized or pseudonymized prior to model training, except where explicit consent or lawful basis exists under GDPR or other applicable laws.
- AI/ML models must undergo regular audits to detect and mitigate algorithmic bias, and to verify compliance with applicable data protection laws, ethical AI standards, and emerging regulations (such as the EU AI Act).
- AI/ML systems must implement output filtering and monitoring controls to prevent leakage of sensitive or proprietary data through model outputs, including prompt injection and model extraction safeguards.
- AI/ML pipelines must be integrated into the Company’s risk management and security monitoring programs, ensuring that new datasets, models, or deployments are continuously assessed for security, ethical, and privacy risks.
10.6. Operations Security
- All systems and the physical facilities in which they are stored must have documented operating instructions, management processes and formal incident management procedures related to information security matters which define roles and responsibilities of affected individuals who operate or use them.
- System configurations must follow approved configuration standards.
- Advance planning and preparation must be performed to ensure the availability of adequate capacity and resources. System capacity must be monitored on an ongoing basis.
- Where a third party provides a server, application or network service to the Company (or vice versa), operational and management responsibilities must be coordinated by all affected parties.
- Host based firewalls must be installed and enabled on all workstations to protect from threats and to restrict access to only that which is needed.
- Controls must be implemented (e.g., anti-virus, software integrity checkers, web filtering) across systems where technically feasible to prevent and detect the introduction of malicious code or other threats.
- Controls must be implemented to disable automatic execution of content from removable media.
- Controls must be implemented to limit storage of information to authorized locations.
- Controls must be in place to allow only approved software to run on a system and prevent execution of all other software.
- All systems must be maintained at a vendor-supported level to ensure accuracy and integrity.
- All security patches must be reviewed, evaluated and appropriately applied in a timely manner. This process must be automated, where technically possible.
- Systems which can no longer be supported or patched to current versions must be removed. In the case of obsolete but essential systems, which cannot be removed or replaced, security compensating controls must be established.
- Systems and applications must be monitored and analyzed to detect deviation from the access control requirements outlined in this policy and the Security Logging Standard, and record events to provide evidence and to reconstruct lost or damaged data.
- Audit logs and records of other security-relevant events must be produced, protected and retained. Because of the nature of the data contained in these security logs (e.g., passwords, e-mail content), they can be considered personally identifying information (PII) and must be protected with the controls for a confidentiality and integrity impact of high.
- Within the consolidated log infrastructure, logs must be maintained and readily available (online) for a minimum of 90 days. Data stored and maintained through backups and/or other (cold) storage mechanisms must be maintained for a minimum of 1 year. Based on entity requirements, including auditing or legal needs, logs may need to be retained for a longer period of time.
- Log data must be securely disposed of (at both the system and the infrastructure level) in compliance with the Sanitization/Secure Disposal Standard.
- Systems that collect logs, whether local or consolidated, must maintain sufficient storage space to meet the minimum requirements for both readily available and retained logs. Storage planning must account for log bursts or increases in storage requirements that could reasonably be expected to result from system issues, including security.
- A process must be put in place to provide for log preservation requests, such as a legal requirement to prevent the alteration and destruction of particular log records (e.g., how the impacted logs must be marked, stored, and protected).
- Log integrity for consolidated log infrastructure needs to be preserved, such as storing logs on write-once media or generating message digests for each log file.
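The "message digest for each log file" option above is straightforward to implement. As an added example (not the Company's tooling), the script below seals a directory of rotated log files into a manifest of SHA-256 digests and later verifies the directory against it, reporting modified, missing and unexpected files; the manifest carries its own digest so an edited manifest is also detectable. File names and contents are constructed in a temporary directory so the script runs offline.

```python
"""Record and verify SHA-256 digests of consolidated log files.

Added example, not the Company's tooling. Log names and contents below are
constructed in a temporary directory for illustration.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20   # read 1 MiB at a time so large log files never load whole


def digest_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(files: dict) -> bytes:
    """Stable JSON form of the file table, so its digest is reproducible."""
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(log_dir: str) -> dict:
    """Digest every regular file in log_dir and seal the table with its own digest."""
    files = {}
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if os.path.isfile(path):
            files[name] = {"sha256": digest_file(path), "size": os.path.getsize(path)}
    return {"files": files, "manifest_sha256": hashlib.sha256(_canonical(files)).hexdigest()}


def verify_manifest(log_dir: str, manifest: dict) -> dict:
    """Compare log_dir against the manifest.

    Returns name -> 'ok' | 'modified' | 'missing' (sealed, now gone) |
    'unexpected' (on disk, never sealed), plus '__manifest__' -> 'ok' | 'tampered'.
    """
    files = manifest["files"]
    sealed_ok = hashlib.sha256(_canonical(files)).hexdigest() == manifest["manifest_sha256"]
    result = {"__manifest__": "ok" if sealed_ok else "tampered"}
    on_disk = {n for n in os.listdir(log_dir) if os.path.isfile(os.path.join(log_dir, n))}
    for name, rec in files.items():
        if name not in on_disk:
            result[name] = "missing"
        elif digest_file(os.path.join(log_dir, name)) != rec["sha256"]:
            result[name] = "modified"
        else:
            result[name] = "ok"
    for name in on_disk - set(files):
        result[name] = "unexpected"
    return result


def demo() -> dict:
    """Constructed scenario: seal two rotated logs, then forge the manifest and alter the files."""
    with tempfile.TemporaryDirectory() as log_dir:
        samples = {"auth.log.1": "Jul 01 09:00:01 host sshd: Accepted publickey for ops\n",
                   "app.log.1": "2025-07-01T09:00:02Z INFO service started\n"}
        for name, text in samples.items():
            with open(os.path.join(log_dir, name), "w") as fh:
                fh.write(text)
        manifest = build_manifest(log_dir)

        # Scenario 1: someone edits the manifest to cover a change; the seal catches it.
        forged = json.loads(json.dumps(manifest))
        forged["files"]["auth.log.1"]["sha256"] = "0" * 64
        manifest_status = verify_manifest(log_dir, forged)["__manifest__"]

        # Scenario 2: files change after sealing: one appended, one deleted, one new.
        with open(os.path.join(log_dir, "auth.log.1"), "a") as fh:
            fh.write("Jul 01 09:05:00 host sshd: line appended after sealing\n")
        os.remove(os.path.join(log_dir, "app.log.1"))
        with open(os.path.join(log_dir, "new.log"), "w") as fh:
            fh.write("not in manifest\n")
        return {"manifest_forged": manifest_status, "files": verify_manifest(log_dir, manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The seal only helps if the manifest, or at least its `manifest_sha256` value, is kept somewhere the log host cannot rewrite (write-once media, a separate system, or a signed record), which is exactly the point the policy makes; a digest stored next to the logs it covers can be regenerated by whoever altered them.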
- Access to log management systems must be recorded and must be limited to individuals with a specific need for access to the records. Access to log data must be limited to the specific sets of data appropriate for the business need.
- Procedures must exist for managing unusual events. Response must be commensurate with system criticality, data sensitivity and regulatory requirements.
- Monitoring systems must be deployed (e.g., intrusion detection/prevention systems) at strategic locations to monitor inbound, outbound and internal network traffic.
- Monitoring systems must be configured to alert incident response personnel to indications of compromise or potential compromise.
- Contingency plans (e.g., business continuity plans, disaster recovery plans, continuity of operations plans) must be established and tested regularly. These must include:
- An evaluation of the criticality of systems used in information processing (including but not limited to software and operating systems, firewalls, switches, routers and other communication equipment).
- Recovery Time Objectives (RTO)/Recovery Point Objectives (RPO) for all critical systems.
- Backup copies of information, software, and system images must be taken regularly in accordance with the Company’s defined requirements.
- Backups and restoration must be tested regularly. Separation of duties must be applied to these functions.
- Procedures must be established to maintain information security during an adverse event. For those controls that cannot be maintained, compensatory controls must be in place.
10.7. Vulnerability Management
- All systems must be scanned for vulnerabilities before being installed in production and periodically thereafter.
- All systems are subject to periodic penetration testing.
- Penetration tests are required periodically for all critical environments/systems.
- Where the Company has outsourced a system to another organization or a third party, vulnerability scanning/penetration testing must be coordinated.
- Scanning/testing and mitigation must be included in third party agreements, where applicable.
- The output of the scans/penetration tests will be reviewed in a timely manner by the system owner. Copies of the scan report/penetration test must be shared with the CISO for evaluation of risk.
- Appropriate action, such as patching or updating the system, must be taken to address discovered vulnerabilities. For any discovered vulnerability, a plan of action and milestones must be created, and updated accordingly, to document the planned remedial actions to mitigate vulnerabilities.
- Any vulnerability scanning/penetration testing must be conducted by individuals who are authorized by the CISO. The CISO must be notified in advance of any such tests. Any other attempts to perform such vulnerability scanning/penetration testing will be deemed an unauthorized access attempt.
- Anyone authorized to perform vulnerability scanning/penetration testing must have a formal process defined, tested and followed at all times to minimize the possibility of disruption.
11. Incident Response and Disaster Recovery
The Company maintains a documented Incident Response Plan (IRP) and Disaster Recovery Plan (DRP) to ensure that security incidents are handled efficiently, business impact is minimized, and regulatory obligations are met. These plans include:
1. Formalized Incident Response Plan
The Company must maintain an Incident Response Plan that defines roles, responsibilities, communication protocols, escalation paths, and consistent standards for identifying, containing, investigating, and resolving security incidents.
2. Regular Testing and Training
The Incident Response Plan must be tested at least annually (through tabletop exercises or live simulations) to ensure its effectiveness.
All employees, contractors, and CISO team members involved in incident response must receive regular training on their roles and responsibilities.
3. Reporting and Escalation
All observed or suspected information security incidents, system weaknesses, or unusual activity must be reported immediately to management and the CISO.
If an employee believes a cybersecurity concern is not being adequately addressed, they may confidentially escalate it directly to the CISO.
4. CISO Oversight for Significant Incidents
The SOC must be notified of any incident with significant or severe operational or security impact, including those involving potential digital forensics, to ensure proper execution of incident response procedures and centralized coordination.
5. Regulatory and Legal Notifications
Where required, the Company will notify regulatory agencies, supervisory bodies, and other legal institutions, adhering to obligations outlined in relevant laws such as GDPR (72-hour notification rule), CCPA, CPRA, and applicable cybersecurity regulations.
6. Disaster Recovery and Backup Planning
All critical systems must have documented backup and recovery plans, tested at least annually to ensure systems can be restored effectively in the event of a disruption.
7. Recovery Objectives
The Company's recovery objectives for core systems and services are defined as:
Recovery Point Objective (RPO): 24 hours for core systems. This is the maximum tolerable data loss, measured as the time between the last restorable backup and the disruption; backups of core systems must therefore be taken at least daily.
Recovery Time Objective (RTO): 48 hours for core services. This is the maximum tolerable time between the disruption and the restoration of service.
8. Post-Incident Review and Improvement
Following every major incident, a postmortem analysis will be conducted to identify root causes, assess response effectiveness, and implement corrective actions to improve the Incident Response and Disaster Recovery programs.
12. Compliance & Audits
The Company maintains a proactive approach to compliance and continuous improvement of its information security program. To uphold industry and regulatory standards, the Company will:
1. Conduct Annual Assessments and Testing
Perform annual security risk assessments, vulnerability scans, and independent penetration testing to evaluate the effectiveness of the Company’s controls and identify potential risks or weaknesses.
2. Review and Update Policies Regularly
Review all information security policies, procedures, and controls at least annually, and update them as necessary to remain aligned with evolving business operations, emerging threats, and current standards.
3. Adhere to Industry Standards and Regulations
Ensure ongoing compliance with ISO 27001 (and relevant ISO extensions), SOC 2, GDPR, CCPA/CPRA, and any additional contractual or regulatory obligations applicable to the Company’s operations and clients.
4. Engage Independent Auditors
Where required, engage qualified external auditors to conduct formal reviews and certifications, providing assurance to stakeholders and clients of the Company’s commitment to robust information security practices.
5. Report Findings and Drive Remediation
Present audit and assessment results to executive leadership and the Information Security Steering Committee, ensuring timely remediation of identified issues and continuous improvement of security measures.
13. Enforcement
The Company enforces this Information Security Policy to ensure that all employees, contractors, and third parties adhere to its requirements. Violations of this policy, whether intentional or due to negligence, may result in:
- Disciplinary Action – Corrective measures may include verbal or written warnings, mandatory retraining, suspension, or termination of employment or contracts, in accordance with Company policies and local labor laws.
- Legal Consequences – Where violations result in breaches of law or regulatory requirements, the Company may pursue civil or criminal remedies and cooperate with law enforcement or regulatory authorities as necessary.
- Liability for Damages – Individuals or third parties responsible for violations that cause harm, including financial or reputational damage, may be held liable for losses incurred by the Company or its clients.
- Remediation Requirements – Employees or vendors involved in a violation may be required to participate in additional security awareness training and corrective programs before resuming normal duties.
The Company reserves the right to audit and monitor systems and user activity to detect violations, and to take appropriate actions to protect its assets, customers, and compliance obligations.
This Policy shall be reviewed at least annually, and updated as needed, subject to the CISO's approval.
For questions or reports regarding this Policy, contact:
security@advntg.ai
* * *