Information Security Policy

Last updated: November 2, 2024


Purpose

Information that is collected, analyzed, stored, communicated, and reported by Ecomagent is subject to potential risks such as theft, misuse, loss, or corruption. These risks may arise due to insufficient education and training, failure to adhere to security controls, and deliberate or accidental breaches. Such incidents could result in reputational damage, financial loss, non-compliance with legal standards, and possible judgments against Ecomagent.

This high-level Information Security Policy works alongside the ‘Information Risk Management Policy’ and ‘Data Protection Policy’ to provide a risk-based approach for protecting Ecomagent's information assets. The policy aligns with Ecomagent’s legal and contractual obligations, including those set out in the Terms of Service, Privacy Policy, Cookie Policy, and Data Processing Agreement.

Objectives

  • Risk Management: Information risks are identified, managed, and mitigated according to an agreed risk tolerance level.
  • Secure Access: Authorized users can securely access and share information to perform their roles.
  • Balancing Security and Usability: Ecomagent’s physical, procedural, and technical controls balance user experience and security.
  • Legal and Contractual Compliance: All legal and contractual obligations related to information security are met, including those stipulated in the Data Processing Agreement.
  • Awareness: Individuals with access to Ecomagent's information are aware of their responsibilities in maintaining information security.
  • Incident Resolution: Incidents affecting information assets are managed, and lessons learned are used to improve controls.

Scope

The Information Security Policy and its supporting controls, processes, and procedures apply to:

  • All information processed, stored, or communicated by Ecomagent, including information managed by third-party service providers in their dealings with Ecomagent.
  • All individuals accessing Ecomagent’s information, including employees, contractors, and external vendors providing information processing services.

Compliance Monitoring

Compliance with the controls outlined in this policy will be monitored by the Information Security Team and reported to the Information Governance Board. Internal audits and external evaluations will be conducted periodically to assess the effectiveness of the controls.

Review

This policy will be reviewed annually by the Executives and Cyber Security personnel, or sooner if required by changes in legislation, security standards, or significant incidents. The next review date is scheduled for December 2025.

Policy Statement

Ecomagent is committed to safeguarding its information assets through effective controls that ensure:

  • Confidentiality: Information is accessible only to authorized individuals.
  • Integrity: Information remains accurate, complete, and reliable.
  • Availability: Information is accessible to authorized users and processes when needed.

Ecomagent will maintain an Information Security Management System (ISMS) based on recognized standards such as ISO/IEC 27001 and comply with legal frameworks like GDPR and CCPA. Ecomagent will adopt a risk-based approach to implement the following controls:

Information Security Policies

A comprehensive set of lower-level controls, processes, and procedures will be developed to support the high-level Information Security Policy. These will be approved by the Executives, published, and communicated to all relevant parties within Ecomagent and third-party vendors as needed.

Organisation of Information Security

Governance for the management of information security will be clearly defined and implemented, including:

  • An Executive to chair the Information Governance Board and take accountability for information risk.
  • An Information Security Manager responsible for day-to-day security operations.
  • Information Asset Owners (IAOs) assigned local accountability for safeguarding specific information.
  • Information Asset Managers (IAMs) handling daily management and protection of information assets.

Human Resources Security

All personnel will be educated on Ecomagent’s security policies and their responsibilities. Training will be mandatory to ensure staff are informed about best practices and legal requirements. Role descriptions will include security responsibilities where appropriate.

Asset Management

All information assets, including data, software, hardware, and service utilities, will be documented and assigned an owner responsible for their security. Each asset will be classified based on legal requirements, business value, and sensitivity, with appropriate handling and retention schedules defined for each classification.

Access Control

Access to information will be based on business needs, with users granted access only to the extent necessary for their role. Access control mechanisms will include:

  • A formal registration and deregistration process.
  • Multi-factor authentication for sensitive data access.
  • Enhanced controls for users with elevated privileges, including segregation of duties where feasible.

Cryptography

Ecomagent will use encryption and cryptographic methods to protect the confidentiality, authenticity, and integrity of information. These methods will adhere to industry best practices, ensuring secure data storage and transfer, especially for personal and sensitive information.

Physical and Environmental Security

Information processing facilities will be located in secure areas with multiple layers of protection against unauthorized access, damage, or interference. Security perimeters will be defined, and both internal and external controls will be implemented to protect critical assets.

Operations Security

Ecomagent will ensure the secure operation of its information processing systems through:

  • Documented operating procedures.
  • Formal change and capacity management processes.
  • Controls to prevent and mitigate malware.
  • Logging and vulnerability management practices to detect and respond to security threats.

Communications Security

Network security controls will ensure that information exchanged within Ecomagent’s networks, as well as between Ecomagent and external entities, is secure. Tools and guidance will be provided for secure information transfer in line with classification and handling requirements.

System Acquisition, Development, and Maintenance

Security requirements will be integrated into the development of new information systems and changes to existing systems. Systems will be subject to change control processes, and separate environments will be used for development, testing, and production.

Supplier Relationships

Ecomagent’s security requirements will be incorporated into contracts with third-party suppliers. Supplier activity will be monitored, and audits will be conducted to ensure compliance with Ecomagent’s security standards.

Information Security Incident Management

Clear guidance will be available for identifying, reporting, and managing information security incidents. All incidents must be reported, and investigations will be conducted to rectify breaches and strengthen future security measures.

Information Security Aspects of Business Continuity Management

Business continuity plans will be developed and tested to ensure that critical processes are protected from system failures or disasters. This includes:

  • Regular backups.
  • Built-in system resilience.
  • Business impact analysis to address potential consequences of security failures or lack of service availability.

Compliance

All information systems and their operations must comply with applicable laws, regulations, and contractual requirements. This includes:

  • Data protection laws such as GDPR and CCPA.
  • Payment Card Industry Data Security Standard (PCI DSS).
  • Ecomagent’s legal and contractual commitments as outlined in the Data Processing Agreement and other documents.

Regular internal and external audits, IT health checks, and gap analyses will be conducted to ensure compliance with these requirements and best practices.

Review of this Document

This document will be reviewed annually by Floris (Executive). The next review date is scheduled for December 2025.