Welcome to OpenClick! These terms and conditions outline the rules and regulations for the use of our website and services.
1. PURPOSE
The Information Security Policy (PSI) is a formal statement of our commitment to protecting the information assets that we own and/or have under our care, and must be complied with and respected by all our members. OpenClick, which handles sensitive data of customers, suppliers and employees, aims to implement the PSI to ensure the security of the data for which it is responsible, and to ensure that information from external sources (suppliers and customers) that travels through the system developed and provided by OpenClick is protected against interception, fraud or loss. The PSI also aims to provide internal awareness, so that its standards are followed by all members, ensuring the confidentiality, integrity and availability of information, not only of customers and suppliers, but also of the company’s own employees.
2. DEFINITIONS
2.1. Information Assets
As defined by ABNT NBR ISO/IEC 27002:2013, “Information is an asset that, like any other important asset, is essential to an organization’s business and, consequently, needs to be adequately protected. […] Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by mail or electronic means, presented in films or spoken in conversations. Regardless of the form of presentation or the means through which the information is shared or stored, it is recommended that it always be adequately protected.”
Therefore, for the purposes of this Information Security Policy, the following Information Assets are considered:
Information Technology Resources;
Information belonging to, granted by or related to customers;
Information related to OpenClick employees;
Information belonging to or related to suppliers;
Strategies and decisions of senior management;
OpenClick accounting information;
OpenClick internal processes.
2.2. Basic Principles of Information Security
Basic Principles
Integrity: guarantee that information is maintained in its original state, aiming to protect it, during storage or transmission, against undue, intentional or accidental changes.
Confidentiality: guarantee that access to information will not be available or disclosed to unauthorized individuals, entities or applications.
Availability: guarantee that authorized users have access to information when necessary.
Resilience: guarantee that the system will be available for access to information for the necessary time, using redundancy and scalability whenever possible.
Complementary Principles
Authenticity: guarantee of the identity of the sender of the information. Authenticity ensures that the information comes from the announced source, without being altered during sending.
Legality: guarantee that the use and handling of information follow the laws in force in the country (Cybercrime Law – Law 12.737/2012, Internet Civil Rights Framework – Law 12.965/2014 and LGPD – Law No. 13.709/2018).
Non-repudiation: guarantee that the author cannot deny having created and signed a certain file or document.
2.3. Information Security Incidents
A security incident can be defined as any adverse event, confirmed or suspected, related to the security of Information Technology Resources (“RTIs”) that leads to the loss of one of the principles of Information Security mentioned above. Examples of security incidents are:
* Attempts to gain unauthorized access to logical or physical systems or data;
* Unavailability of information and data for the execution of routines and processes;
* Denial of service attacks;
* Exploitation of protocol vulnerabilities;
* Modifications to a system without the knowledge, instructions or prior consent of a manager; and
* Disregard for the security policy or acceptable use policy of a company or access provider.
a. Incident Reporting
OpenClick must disclose and encourage its employees to immediately report information security incidents, which may be done formally or by using the anonymous reporting feature.
b. Attempted Fraud
Any attempt to circumvent the guidelines and controls established by OpenClick, when detected, must be treated as a violation.
2.4. Information Security Management System
The Information Security Management System (ISMS) must be part of OpenClick’s global management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve Information Security.
a. Structure
The structure presented by ISO 27001 for an information security management system takes into account the context in which the organization is situated, as well as the expectations and requirements passed on by the Leadership and the support team that will participate in the execution of the system. The information security cycle begins with planning, goes through operation and evaluation of the system’s performance, and ends with continuous improvement. In this way, leadership and support feed back into the security of the managed information. This cycle of planning, operation, performance evaluation and improvement, which repeats over time, together with leadership and support, is the guarantee of the effectiveness of OpenClick’s information security. The Information Security Management System covers the spheres of Technology (security controls on technological assets and the safe use of technology), Processes, Environments (physical access and protection of the work environment) and People (raising people’s awareness of the safe treatment and use of information).
b. Details
ABNT NBR ISO/IEC 27.002 Code of Practice for Information Security Controls provides guidelines for information security practices for organizations, including the selection, implementation, and management of controls, taking into account the organization’s information security environments and risks.
2.5. Information Classification
OpenClick must ensure that its employees comply with controls according to the information classification, through the implementation of tools and the formalization of processes according to the established classification. Finally, OpenClick must guide its employees on the insertion, classification, labeling, publication, sharing, and handling of assets, as stated in ISO 27.001 A.8.1 and A.8.2.
2.6. Access Control
OpenClick must control physical and logical access to its facilities and RTIs. To this end, it must ensure that each employee has a personal, non-transferable credential known exclusively to them. Physical access to controlled environments and logical access to information and computing resources must be authorized by managers or the board of directors.
2.7. Analysis of RTIs
OpenClick must periodically analyze its processes and RTIs, ensuring that they are documented, that their managers are identified and aware, and that their vulnerabilities and security threats are identified.
a. Logical Environments
It must be ensured that the systems and process environments that support the RTIs are reliable, integral and available to those who need them to perform their professional activities.
b. Physical Environments
OpenClick must have access control within the delimited security perimeters to ensure the protection of the areas, as well as appropriate controls and records to ensure access only to authorized employees and approved RTIs.
2.8. Monitoring
OpenClick must inform its employees about the monitoring, including remote monitoring, of all access to and use of its information, its RTIs, and its physical and logical environments, in order to verify the controls implemented, protect its assets and reputation, track critical events and highlight possible incidents. E-mail and Internet access are corporate resources, installed and maintained to meet OpenClick’s business objectives. Access and histories are recorded and may be monitored; therefore, there is no expectation of privacy in their use.
2.9. Handling of Information Security Incidents
The Information Security incidents mentioned in this policy must be monitored and analyzed to identify the vulnerability involved.
2.10. Business Continuity and RTI Contingency
To mitigate the risks of interruption caused by security incidents and maintain adequate IT service levels at OpenClick, prevention and recovery actions are developed, always aligning the Information Security Policy with the Business Continuity Standards.
2.11. Compliance
This document must undergo a periodic review and update program to ensure that all points mentioned herein are implemented and complied with within the company. Internal Audit will include in its annual work plan the reviews of the internal controls described in the Information Security Policy.
3. GUIDELINES
3.1. Disclosure of the Policy
OpenClick must ensure that this policy and its complementary standards are disclosed to company members, in addition to keeping them in a location that is easily accessible to all those who interact with the company. It must be made clear that it is the responsibility of each employee to consult them periodically and voluntarily to identify possible updates to the documents.
3.2. Authorization of Use
This policy and its complementary rules must be interpreted restrictively, under the principle of least privilege, in which users have access only to the information resources necessary for the full performance of their activities. Anything that is not expressly permitted may only be carried out after prior authorization, taking into account a risk analysis and the need for the request.
3.3. Handling of Information
Information from OpenClick, customers, suppliers and the general public that is generated, accessed, handled, stored or discarded by an employee, as well as the Information Technology Resources (RTIs) made available, are the exclusive property and right of use of OpenClick. These must be used solely for professional purposes – limited to the duties of the position and/or function performed by the employee – who must comply with them within the established ethical conduct standard and in line with their legal obligation of professional secrecy.
3.4. Information Management
Information must be used transparently and only for the purpose for which it was collected. Information management must be ensured through measures that provide duly authorized access and disclosure in accordance with current legislation.
3.5. Access Control
OpenClick must control physical and logical access to its facilities and its RTIs. To this end, the company must ensure that each employee has an individual, non-transferable, exclusive-use credential that identifies them as responsible for the actions performed with it. OpenClick must also guide its employees on their responsibility for use and confidentiality, and must prevent the sharing of credentials (badges, logins and passwords) under any circumstances.
3.6. Monitoring
The RTIs provided by OpenClick can be used to keep its employees informed, as well as to encourage cooperation between them. Therefore, any use of an RTI that allows greater mobility, as well as participation in relationship environments such as Social Networks, must be directly related to a business justification, with a strictly work-related reason, within the employee’s attributions. Any damage caused, by action or omission, resulting from their posture and/or behavior may result in administrative disciplinary proceedings upon investigation of responsibility.
3.7. Terms/Contracts
The contract with employees, workers, interns and service providers must comply with the terms and conditions of this Information Security Policy. Together with the contract, a Confidentiality, Responsibility and Confidentiality Agreement must be agreed upon, related to the scope of their hiring, including administrative or financial sanctions in case of violation. OpenClick must provide periodic audits to certify compliance with security requirements and previously established responsibilities.
3.8. Violation
Occurrences that may be considered violations of this Information Security Policy must be assessed by OpenClick’s Information Security area. If an incident is confirmed, it must be forwarded to a Decision Committee to assess the measures to be taken.
3.9. Contact Us
If after reading this Privacy Policy you still have any questions, or for any reason need to communicate with us regarding matters involving your personal data, you can contact us by email below:
Responsible Party (DPO): dpo@openclick.ai
We are always available to answer your questions and put you in control of your personal data.