INFORMATION SECURITY POLICY

The Top Management of OSeven has adopted the Information Security Policy and hereby declares its full commitment to the effective implementation of the policy hereunder, to the provision of sufficient resources and to the continuous improvement of the Information Security Management System (ISMS).

1. Scope

The scope of the OSeven Information Security Policy is to ensure Business Continuity, to minimize the risk related to security incidents and to decrease the potential impact on OSeven and its clients. Additionally, the OSeven Information Security Policy aims to protect all information and personal data against internal, external, intended or unintended threats.

The OSeven Information Security Policy applies to all OSeven information systems, people and processes, including board members, directors, employees, suppliers and other third parties who have access to the OSeven information systems.

2. General Information Security Policy

A. Specifically, the General Information Security Policy aims to ensure:

  • Continuous protection of the information and personal data of OSeven clients, employees, partners and suppliers against unauthorized access.
  • Confidentiality of the information and personal data of OSeven clients, employees, partners and suppliers.
  • Integrity of the information and personal data of OSeven clients, employees, partners and suppliers.
  • Availability of the information and personal data of OSeven clients, employees, partners and suppliers as well as availability of the OSeven business procedures.
  • Continuous monitoring of and compliance with the applicable Legislation and Regulations related to the OSeven activities and services.
  • The Business Continuity Plan is maintained and evaluated regularly for its effectiveness.
  • Continuous training of all OSeven employees on Information Security and Personal Data protection.
  • The (confirmed or suspected) breaches related to information or personal data are reported to the Information Security Officer and the Data Protection Officer, thoroughly investigated and effectively managed.

B. OSeven has applied and continuously implements appropriate Information Security and Data Protection Policies & Procedures to support the Information Security Policy, including all technical and organizational protection measures.

C. OSeven ensures continuous compliance with the applicable legislation, the GDPR and the requirements of the standard ISO 27001:2013, through the continuous monitoring of the Information Security Management System.

D. The Information Security Officer is responsible for the implementation of the Information Security Policy, as well as for the provision of the required support and consulting.

E. The OSeven Top Management is responsible for the implementation of the Information Security Policy as well as for ensuring compliance by all employees in their respective business areas.

F. All OSeven employees and suppliers are formally required to comply with the Information Security Policy.

G. Any violations of the Information Security Policy are subject to disciplinary action. The degree of disciplinary action depends upon the nature of the violation and its impact on OSeven.