This document was developed to minimize the risks associated with Information Technology, indicating expected care and conduct in the use of equipment and software, including the purpose of using equipment and technological structure.

This document, called External Information Security Policy or simply PZTI_POLSI_EXT, aims to establish rules and standards to be used to protect the data and information of ZALLPY and its employees. It presents guidelines that will help identify, evaluate, monitor, combat and treat or mitigate the main factors that generate cyber and information security risks. It must, therefore, be respected and applied in all areas of the organization.

Anyone who needs to access ZALLPY's assets and information must respect the classification of data and information assigned by ZALLPY and must treat the data and information of ZALLPY and its customers as confidential, except when classified by ZALLPY as PUBLIC.

All data and information owned by ZALLPY must be protected from the moment of its creation, modification, subtraction, destruction or disclosure and, therefore, we recommend the use of procedures that guarantee Integrity, Confidentiality, Availability, Authentication and Traceability.

The Information Security area is responsible for:

• Define and maintain updated and available guidelines.

• Carry out the survey and support risk treatment;

• Conduct and support audits where applicable.

It is the responsibility of all Customers and Suppliers to:

• Follow all guidelines defined in this policy and other applicable policies, which will be updated and available for consultation at any time.

The Legal Department is responsible for:

• Establish clauses for the preservation of confidentiality, intellectual property, information secrecy and personal data protection (LGPD) that must be respected and complied with before, during and after the provision of services by suppliers through agreements between the parties involved.

ZALLPY, through Information Technology Management, may record all use of systems and services, aiming to guarantee the availability and security of the information used.

All information generated or received by the agents involved, because of the professional activity contracted by ZALLPY, belongs to the organization. Exceptions must be explicit and formalized.

It is the obligation of each agent to remain up to date with this policy and related procedures and standards, seeking guidance from their contract manager or the Information Technology Management whenever they are not sure about the handling of information.

This policy must be reviewed and updated periodically, within a period of 01 year, or whenever any relevant fact or event motivates its early review, as per analysis and decision of the Governance Committee.

All ZALLPY contracts must include a Confidentiality Agreement or Non-Disclosure Clause (NDA) as an essential condition for granting access to the information assets made available by the institution.

Responsibility for information security must be communicated at the stage of hiring employees, suppliers and signing contracts. All agents involved must be instructed on security procedures, as well as the correct use of assets, to reduce possible risks. They must sign a liability agreement.

Any incident that affects information security must be initially reported to the Information Technology Management and, if deemed necessary, it must subsequently be forwarded to the Governance Committee for analysis.

Appropriate controls, audit trails or activity records must be created and established at all points and systems where the institution deems necessary to reduce the risks to its information assets, such as workstations, notebook access, internet access, electronic mail, commercial and financial systems developed by ZALLPY or by third parties.

ZALLPY reserves the right to analyze data and evidence to obtain evidence to be used in investigative processes, as well as to adopt appropriate legal measures.

The guidelines, programs, codes of conduct, internal rules and policies established by ZALLPY must be fully complied with.

Service providers must ensure, at a minimum, that all their employees associated with the service provided are aware of and undertake to comply with the provisions of this policy. ZALLPY may request, at any time, evidence of the process of disclosure of this information.

The contract manager must be notified when any risks or incidents are identified that may impact on the security and privacy of information.

Documents and records that demonstrate evidence compliance with the requirements defined in the contract and the guidelines established in ZALLPY's internal policies must be presented whenever necessary.

When using ZALLPY's assets and facilities, the necessary precautions must be taken to preserve the property. It is everyone's duty to ensure the protection of assets and to adopt habits that avoid waste in general.

Service providers, when applicable, must have a Contingency Plan and Disaster Recovery Plan to ensure the continuity of the contracted services, with the same quality and within the deadlines agreed with ZALLPY, reviewed and tested annually.

When and where applicable, service providers must have a Backup Policy as well as monitoring and restoration procedures, including periodic tests to assess integrity, which must be presented whenever requested by ZALLPY for audit purposes.

Any questions about this Policy, as well as data processing, can be addressed to our Personal Data Protection Officer, Luis Ladereche, through the 'Contact the DPO' button available in the footer, or by email dpo@zallpy.com. He is available on business days from 9 am to 6 pm andyou will receive a response within a maximum period of 10 business days.

Failure to comply with the requirements set forth in this PSI and the Information Security Standards will subject the user to the applicable administrative and legal measures in compliance with the provisions of the General Data Protection Law (LGPD) – Law 13,709/2018 – which regulates the protection of personal data with the aim of protecting the rights of freedom/privacy and the provisions of the Labor Laws in force in the country.