Privacy Policy

1. PURPOSE AND SCOPE

The purpose of this policy is to define Figopara’s information security principles in alignment with its strategic direction, to safeguard all digital assets, and to establish core information security standards.

It aims to outline Figopara’s approach and objectives regarding the establishment, operation, maintenance, and continuous improvement of the Information Security Management System (ISMS),and to clearly communicate these requirements and goals to all employees and relevant stakeholders.

The requirements of this policy apply to all information assets (electronic or printed documents related to the ISMS such as policies, procedures, forms, records, etc.),employees, and documents related to information security.

All employees, managers, business partners, and relevant parties are obligated to comply with this policy.

2. DEFINITIONS AND ABBREVIATIONS

ISMS: Information Security Management System

Information Security Standards: These are defined rules, guidelines, and implementation criteria aimed at protecting corporate information assets, ensuring their security, and preventing unauthorized access. They define the scope and requirements of ISMS in accordance with principles of confidentiality, integrity, and availability.

IMS Team (Integrated Management System Team): A team representing management, responsible for ensuring the successful implementation and oversight of the ISMS under the Integrated Management System framework.

Internal Auditor: A person or team conducting an independent audit of the IMS. This person must be independent from the implementation and operation of the IMS, and possess the necessary experience, training, and certifications. Internal auditors may be internal staff or sourced externally.

3. ROLES AND RESPONSIBILITIES

Top Management

Responsible for ensuring that the Information Security Policy meets corporate needs, providing necessary support and oversight for its implementation, and reviewing the policy at least once a year or when changes in company policy require it. The Management Representative fulfills this duty on behalf of senior management and submits the policy for approval by the CEO.

Management Representative

Responsible to top management at all stages from the establishment to the operation and management of the ISMS.

IMS Team

Assigned by the company’s top management, the IMS Team is responsible for ensuring the policy meets corporate needs, providing necessary support and oversight for its implementation, and reviewing it at least once a year or when changes in corporate policy require it.

All Personnel

Responsible for complying with the Information Security Policy as required by their respective roles.

4. COMMITMENT FROM TOP MANAGEMENT

Figopara’s Top Management commits to establishing and operating the ISMS in compliance with all applicable requirements outlined in ISO/IEC 27001, 27701, and similar standards to achieve corporate goals and policies.

Top Management also commits to adhering to the established ISMS, allocating the necessary resources and infrastructure investments for its effective operation, continuously improving the process, and ensuring all employees understand and support it.

5. POLICY

Figopara acknowledges its legal and commercial responsibilities to adequately protect its data and systems and to manage all security risks related to information technologies. To safeguard the confidentiality, integrity, and availability of its information and communication systems, and to protect operational and financial data, Figopara commits to implementing an Information Security Management System (ISMS) in line with standards such as ISO/IEC 27001 and 27701.

Through our risk-based thinking approach and continuously improved processes aligned with ISMS standards, we commit to meeting the expectations of our customers, employees, suppliers, and business partners, and to protecting their information appropriately.

The purpose of this Information Security Policy approved by Figopara is to:

  • Protect corporate information assets against any internal or external, intentional or unintentional threats,
  • Safeguard information from unauthorized access attempting to compromise confidentiality and integrity,
  • Ensure appropriate access to information in accordance with business processes,
  • Fulfill legal and regulatory requirements,
  • Establish, maintain, and test business continuity and crisis management plans,
  • Ensure all employees participate in information security training and maintain ISMS awareness,
  • Conduct risk analysis to manage ISMS effectively,
  • Perform risk assessments, analysis, and treatment actions to mitigate risks and implement necessary measures,
  • Report all actual or suspected security breaches to the Information Security Manager and ensure investigation,
  • Meet the business requirements for availability of information and information systems,
  • Align all related processes with the ISMS,
  • Periodically review ISMS performance and ensure timely implementation of improvements.

All documents published under the ISMS support this Information Security Policy. The Management Representative is directly responsible for maintaining this policy and providing guidance on its implementation.

6. RELATED DOCUMENTS

6.1 Internal Documents

  • Scope Analysis Document

6.2 External Documents

  • ISO / IEC 27001:2022 Information Technology – Security Techniques – Information Security Management Systems – Requirements
  • ISO 27701:2019 Privacy Information Management System – Requirements
  • ISO 22301:2019 Business Continuity Management Systems – Requirements
  • Turkish Data Protection Authority’s Guide on Administrative and Technical Measures

7. DISTRIBUTION

This document is shared electronically with all employees.

8. ENFORCEMENT

Violations of this document will be subject to action in accordance with the Disciplinary Procedure.

8.1 Compliance

Violating this policy may result in data protection breaches, damage to the company’s reputation, and infringement of the rights of employees or third parties.

8.2 Exceptions

Any exceptions to this policy must be reported in advance to the CEO and/or Data Controller.

8.3 Noncompliance

Failure to comply with this policy may result in disciplinary action according to company procedures. If a third-party contractor (or subcontractor) fails to comply, this may lead to termination of the agreement and/or legal action. Noncompliance must be reported to the CEO and/or Data Controller.