INFORMATION SECURITY POLICY
PRINCIPLES AND COMMITMENTS
IDOM's executive management maintains a policy aimed at meeting the requirements and expectations of clients, promoting a culture of Information Security based on leadership, the development of its people and security in its operations, and has decided to pioneer the implementation of an Information Security Management System (ISMS).
IDOM's objectives are aligned with the following principles:
- Guarantee the continuity of the services provided by IDOM.
- Ensure an adequate and proportional level of security for the information handled and the assets of the organization based on a risk analysis of the ISMS.
- Minimize the impact caused by risks detected on the assets, processes and services provided included in the scope of the ISMS.
- Ensure compliance with security requirements and obligations in accordance with legal, regulatory and contractual requirements, established in relations with third parties and interested parties.
- Promote security through training and awareness programs among IDOM personnel.
IDOM considers information security a basic principle of its organization, one that must be established from the outset and by design in the organization of its projects, and understands it as the guarantee of the confidentiality, integrity and availability of information, regardless of the medium on which it is held.
IDOM's information security will be understood as a fundamental element for the maintenance of trust with its clients, its corporate image and its business processes, as well as the fulfillment of the security requirements established within the strategic objectives.
This policy enables the achievement of the required level of security based on the business needs, the context of the organization and the risks present in its processes, the principles of which are as follows:
- Regulatory Compliance Principle: IDOM will participate in and comply with legal, regulatory and industry standards that affect the organization, especially those related to data protection and privacy, systems and cybersecurity.
- Principle of Risk Management: IDOM is committed to performing risk analyses at planned intervals in order to reduce risks to an acceptable level, in accordance with the objectives defined by management, seeking a balance between security controls and the nature of the information processed.
- Awareness and Training Principle: IDOM will have adequate and necessary resources to implement security, such as training programs, awareness and education campaigns for all users regarding information security.
- Principle of Security: IDOM will guarantee the security of information in its three aspects, confidentiality, integrity and availability, in such a way that access to information is the minimum necessary for authorized personnel, that such information is truthful, reliable and accurate, and that it is supported by systems that have adequate continuity plans.
- Principle of Segregation of Responsibilities: IDOM seeks to segregate security functions so that multiple viewpoints are brought to bear when decisions are made in the organization. For this reason, an organization chart has been designed in which differentiated functions are assigned to different people.
- Principle of Proportionality: IDOM will seek a balance between the implementation of controls that mitigate the security risks of the assets, the cost or effort involved, and their impact on operations, always taking into account the importance and criticality of the information contained.
- Principle of Responsibility: IDOM employees are fully aware of and responsible for their actions regarding information security, and of the importance of complying with the established rules and controls.
- Principle of Constant Vigilance: IDOM is aware of the need for continuous security and therefore promotes activities such as incident management, activity logging and the detection of malicious code.
- Continuous Improvement Principle: IDOM will periodically verify the effectiveness of the security controls implemented, as well as compliance with objectives, risk mitigation and continuous improvement, through reviews and audits planned for this purpose, in order to ensure the appropriate level of security.
PERSONAL DATA AND RISKS ARISING FROM PROCESSING
All specifics related to the protection of personal data and privacy at IDOM are addressed in Privacy Policy PDP-01, in compliance with the laws and regulations applicable to the services provided by IDOM.
EXTERNAL STAKEHOLDERS
When IDOM provides services to other organizations or handles information from other organizations, they will be made aware of this policy. Channels will be established for reporting and coordination of the respective Information Security Committees and procedures will be established for responding to security incidents.
When IDOM uses third-party services or transfers information to third parties, those third parties will be made aware of this policy and of the regulations that apply to such services or information. The third party will be subject to the obligations set forth in those regulations and may develop its own operating procedures to comply with them. Specific incident reporting and resolution procedures will be established. It will be ensured that the members of the third party have an appropriate level of security awareness, at least equivalent to that set out in this policy.
If any aspect of this policy cannot be fulfilled by a third party as required in the preceding paragraphs, a report from the CISO will be required detailing the risks incurred and how they will be addressed. Approval of this report by the affected IOs and SOs is required before proceeding.
For any relationship with third parties, a communication channel will be established through a designated person at the external entity with whom IDOM will communicate. This communication channel will be called the Operational Communication Point (OCP).
For any additional questions related to Information Security, you can contact the IDOM Security team via email at security@idom.com, as well as the Chief Information Security Officer via email at ciso@idom.com.