Privacy Policy
1. PURPOSE AND SCOPE
The purpose of this policy is to protect all digital assets of Figopara by defining fundamental information security principles aligned with its strategic direction. It sets out Figopara's information security approach and objectives with respect to the information security management system requirements of internal and external stakeholders, covering the establishment, operation, maintenance and continuous improvement of the ISMS, and communicates these requirements and objectives clearly to all employees and relevant stakeholders.
The requirements of this policy cover all information assets (all documents including policies, procedures, forms, records related to the ISMS in electronic or printed forms), employees and all documents related to information security.
All employees, managers, business partners and relevant parties are obliged to comply with this policy.
2. DEFINITIONS AND ABBREVIATIONS
ISMS: Information Security Management System
Information Security Standards: Information security standards are rules, guidelines and application criteria established to protect companies' information assets, ensure their security and prevent unauthorized access to information. These standards define the scope and requirements of information security management systems (ISMS) and determine how these systems should be established and operated in accordance with the principles of reliability, confidentiality, integrity and accessibility.
IMS Team (Integrated Management System Team): The IMS team represents management and is responsible for overseeing the ISMS and ensuring that it is sustained successfully within the scope of the Integrated Management System.
Internal Auditor: A person or team that independently audits the IMS. Independent of the implementation and operation of the IMS, this person has the experience, training and certifications to audit the Management Systems within the scope of the IMS and conducts the internal audit. The internal auditor can be company personnel or sourced externally.
3. ROLES AND RESPONSIBILITIES
Senior Management: Responsible for ensuring that the Information Security Policy meets the institution's needs, providing the necessary support and oversight for its implementation, and reviewing the policy at least once a year or when changes to company policy may require it. The Management Representative performs this duty on behalf of senior management and obtains approval from the General Manager.
Management Representative: The person who assumes responsibility towards senior management at every stage from the establishment to the operation and management of the Information Security Management System.
IMS Team: The IMS team appointed by the company's senior management is responsible for ensuring that the Information Security Policy meets the company's needs, providing the necessary support and oversight for its implementation, and reviewing the policy at least once a year or when changes may require it.
All Personnel: Responsible for fulfilling the requirements of the Information Security Policy as required by their areas of duty.
4. SENIOR MANAGEMENT COMMITMENT
Figopara Senior Management commits to establishing and operating the ISMS process in a way that fulfills all requirements contained in ISO/IEC 27001, 27701 and similar information security standards to realize the institution's goals and policies.
Figopara Senior Management commits to complying with the published and implemented Information Security Management System and to allocating the resources and necessary infrastructure investments required for the efficient operation of the system, continuously improving the effectiveness of the process, and ensuring that this is understood by all employees.
5. POLICY
Figopara has legal and commercial responsibilities for adequately protecting its data and systems and managing all security risks associated with the operation of information technologies. Figopara aims to implement an Information Security Management System (ISMS) compliant with ISO/IEC 27001, 27701 and similar information security standards to guarantee the confidentiality, integrity and accessibility of information and communication systems, manage security risks, and protect operational and financial data.
In accordance with the ISMS requirements of ISO 27001, 27701 and similar information security standards, and through processes that we carry out and continuously improve with a risk-based thinking approach, we commit to and guarantee that the products and services we offer meet the needs and expectations of our customers, and that the information of our employees, customers, suppliers and business partners is properly protected.
The purposes of this Information Security Policy, as approved by Figopara, are:
- To protect the organization's information assets against all threats that may occur internally or externally, knowingly or unknowingly,
- To protect against unauthorized access by persons who may attempt to compromise the confidentiality and integrity of information,
- To ensure accessibility to information as required by business processes,
- To meet legal regulatory requirements,
- To prepare, maintain and test plans for business continuity and Crisis Management,
- To ensure the participation of all employees in information security training and ISMS awareness,
- To conduct risk analysis studies to ensure effective management of the Information Security Management System,
- To perform risk assessment, risk analysis and risk treatment activities to manage information security risks, develop necessary measures and prevent possible risks,
- To report all actual or suspected vulnerabilities in information security to the Information Security Manager and ensure investigation by the Information Security Manager,
- To meet business requirements for information accessibility and information systems,
- To bring processes within scope into compliance with the Information Security Management System,
- To periodically review the success of our information security management system in achieving intended results and to guarantee that necessary improvements are implemented in a timely manner.
All documents published within the company under the scope of the ISMS support the Information Security Policy. The Management Representative is directly responsible and authorized for maintaining this policy and for providing advice and guidance on its implementation.
6. RELATED DOCUMENTS
6.1 Internal Documents
- Scope Analysis Document
6.2 External Documents
- ISO/IEC 27001:2022 Information Technology - Security Techniques - Information Security Management Systems - Requirements
- ISO 27701:2019 PIMS Personal Information Management System - Requirements
- ISO 22301:2019 Business Continuity Management System - Requirements
- Personal Data Protection Authority Data Security Guide (Administrative and Technical Measures)
7. DISTRIBUTION
This document is shared electronically with all employees.
8. SANCTIONS
In case of violation of this document, action will be taken considering the Disciplinary Procedure.
8.1 COMPLIANCE: Violation of this policy may result in data breaches under data protection legislation, damage to the company's reputation and violation of the rights of employees or other relevant third parties.
8.2 EXCEPTIONS: Any exception to the policy will be notified in advance to the General Manager and/or the Data Controller.
8.3 NON-COMPLIANCE: Failure to comply with these policies may result in disciplinary action in accordance with the Company's disciplinary procedures. Failure of a third-party contractor (or subcontractors) to comply with this policy may result in termination of the contract and/or legal proceedings. Non-compliance will be notified to the General Manager and/or the Data Controller.