BPO LABS S.A.S, in order to ensure compliance with Statutory Law 1581 of 2012 on Data Protection (LEPD) and Decree 1377 of 2013, adopts this Internal Security Manual, which includes the necessary technical, human, and administrative measures to provide security to records in order to prevent their alteration, loss, consultation, unauthorized or fraudulent use or access, in accordance with the security principle stated in Article 4, letter g of the LEPD.

This manual belongs to: BPO LABS S.A.S.

• Address:Carrera 58 # 75-137, Barranquilla - Atlántico
• Email:dataprivacy@bpolabsolutions.com
• Phone:(1) 744 7076

The provisions of this document apply to the databases under the responsibility of BPO LABS S.A.S, as well as to the information systems, media, and equipment used in the processing of data, which must be protected in accordance with the current regulations, to the individuals involved in the processing, and to the premises where such databases are located.

The Internal Security Manual is an internal document of the company that is mandatory for all personnel of BPO LABS S.A.S. who have access to information systems containing personal data.

This manual must undergo continuous review and updating whenever there are changes in the information systems, the processing system, the organization, or the content of the database information that may affect the implemented security measures. Additionally, the manual must always be in compliance with the legal regulations regarding the security of personal data.

The databases are only accessible by individuals designated by BPO LABS S.A.S, as referred to in section 6 of this document.

The security officers of BPO LABS S.A.S, mentioned in section 6 of this manual, are responsible for managing user access permissions, the procedure for assigning and distributing passwords to ensure confidentiality, integrity, and storage during their validity period, as well as the frequency at which passwords are changed.

The following are the security measures implemented by BPO LABS S.A.S:

All individuals involved in the storage, processing, retrieval, or any other activity related to personal data and information systems of BPOLABS S.A.S are required to act in accordance with the functions and responsibilities outlined in this section.

BPOLABS S.A.S must inform its service personnel of the security measures and standards relevant to their duties, as well as the consequences of non-compliance, through any means of communication that ensures receipt or dissemination (email, notice boards, etc.). Likewise, the company must provide its personnel with this manual to familiarize themselves with the company's security regulations and their obligations based on their respective roles.

BPOLABS S.A.S fulfills its duty of information by including confidentiality agreements and the obligation of secrecy, where applicable, signed by the users of identification systems mentioned in item 6 regarding databases and information systems. The company also provides an informative circular to the same individuals.

The functions and obligations of the personnel at BPOLABS S.A.S are generally defined based on the type of activity they perform within the company and specifically outlined in this manual. The list of users and profiles with access to protected resources is documented in item 6 regarding databases and information systems. In general, when a user handles documents or media containing personal data, they have the responsibility to safeguard them and ensure that unauthorized individuals cannot access them.

Failure to comply with the obligations and security measures established in this manual by the personnel of BPOLABS S.A.S is subject to sanctions in accordance with the applicable regulations governing the legal relationship between the user and the company.

The functions and responsibilities of users of personal databases under the responsibility of BPOLABS S.A.S are as follows:

• Duty of secrecy:Applies to all individuals who, in the course of their profession or work, access personal databases, including both users and contracted service providers. In compliance with this duty, users within the company or organization cannot disclose or release data they handle or have knowledge of in the performance of their duties and must ensure the confidentiality and integrity of such data.
• Control functions and delegated authorizations:The data controller may delegate data processing to third parties, who act as data processors, through a data transmission contract. When data transmission contracts are signed, they should be appended to this manual (Annex IV).
• Obligations related to implemented security measures:
  • Access databases only with proper authorization and when necessary for the performance of their duties.
  • Do not disclose information to third parties or unauthorized users.
  • Observe security regulations and work to improve them.
  • Do not take actions that pose a risk to information security.
  • Do not remove information from the organization's premises without proper authorization.
• Use of resources and work materials:Must be oriented towards the performance of assigned duties. The use of these resources and materials for personal or non-work-related purposes is not authorized. When the removal of peripheral or removable devices is necessary for justified work reasons, it should be communicated to the security officers who can authorize and, if applicable, register it.
• Use of printers, scanners, and other copying devices:When using such devices, copies should be immediately collected, avoiding leaving them in the device trays.
• Obligation to report incidents:Users have an obligation to report any incidents they become aware of to the security officers, who will handle and resolve them. Some examples of incidents include: the failure of the computer security system allowing unauthorized access to personal data, unauthorized attempt to remove a document or media, data loss or total or partial destruction of media, relocation of databases, knowledge of passwords by third parties, unauthorized modification of data, etc.
• Duty of custody of used media:Authorized users are obliged to monitor and control access to the information contained in the media by unauthorized individuals. Media containing databases should be labeled to identify the type of information they contain and should be inventoried. When information is classified as sensitive security level, the labeling system should only be understandable to users authorized to access such information.
• Responsibility for workstations and laptops:Each user is responsible for their own workstation; when absent from their workstation, they must lock the terminal (e.g., screen protector with a password) to prevent the viewing or access of the information it contains, and they must turn off the terminal at the end of the workday. Additionally, laptops must be under constant control to prevent loss or theft.
• Limited use of the Internet and email:The sending of information electronically and the use of the Internet by personnel is limited to the performance of their activities within the company.
• Safeguarding and protection of passwords:Passwords provided to users are personal and non-transferable, so their disclosure or communication to unauthorized individuals is prohibited. When a user logs in for the first time with the assigned password, it is necessary to change it. If it is necessary to restore the password, the user must notify the system administrator.
• Backup copies and data recovery:Backup copies of all personal database information of the company must be performed.
• Duty of archiving and management of documents and media:Documents and media must be properly archived with the security measures established in section 4 of this manual.

The databases stored and processed by BPOLABS S.A.S are listed in the following table (Table I), which indicates the security level and treatment system for each of them.

Table I. Data bases and Security level

The Following table (Table II) outlines the structure of the databases of BPOLABS S.A.S

Table II. Database Structure

BPOLABS S.A.S appoints security officers and develops specific security measures for each database. All of this is outlined in the following table (Table III).

The appointment of security officers does not exempt the data controller or data processor from their obligations.

Table III. Security officers and database security measures

BPOLABS S.A.S identifies in this manual the data processors and specifies the conditions of the processing. When there is a data transmission contract, the data processors are identified in the data transmission annex of this document. The data processors must comply with the functions and obligations related to the security measures outlined in this manual.

BPO LABS S.A.S establishes an incident notification, management, and response procedure in order to ensure the confidentiality, availability, and integrity of the information contained in the databases under its responsibility. All users, procedure managers, and any person related to the storage, processing, or querying of the databases outlined in this document must be familiar with the procedure to follow in the event of an incident.

The procedure for incident notification, management, and response is as follows:

• When a person becomes aware of an incident that affects or may affect the confidentiality, availability, or integrity of the protected information of the company, they must immediately report it to the security officers, providing a detailed description of the type of incident, identifying individuals who may be involved, specifying the date and time of occurrence, the person reporting the incident, the person notified, and the effects produced.
• Once the incident has been reported, the person should request an acknowledgment of receipt from the corresponding security officer, which confirms the incident notification along with all the previously mentioned requirements.

BPO LABS S.A.S maintains an incident register that includes the type of incident, date and time of occurrence, person reporting it, person notified, effects of the incident, and corrective measures when applicable. This register is managed by the database security officer and should be included as an annex to this manual (Annex III). Additionally, procedures should be implemented for data recovery, specifying the responsible party for executing the process, the restored data, and, if applicable, any data that needed to be manually entered during the recovery process.

When necessary, any document (original, copy, or reproduction) or media containing personal data should be destroyed or erased, implementing measures to prevent unauthorized access or recovery of the information contained in the document or media. Before initiating the destruction, an acknowledgment or record will be made in a book or agenda, describing the document to be destroyed, the date, time, and signatures of the two individuals witnessing the destruction.

When physically transferring documents or media, necessary measures should be taken to prevent unauthorized access, manipulation, theft, or loss of information. The transfer of media containing personal data should be done by encrypting the information or using any other mechanism that ensures it is not tampered with or accessed.

Data contained in portable devices should be encrypted when outside the premises under the control of BPO LABS S.A.S If encryption is not possible, the processing of personal data through such devices should be avoided. However, processing may be allowed when strictly necessary, taking into account the risks and including security measures in this manual.

This manual has been approved by BPO LABS S.A.S, as the data controller, on 01/01/2023. The company accepts its content, orders its execution and compliance, for all personnel of the company in general, and particularly for those mentioned in this document.