This document was developed to minimize the risks associated with Information Technology, indicating expected precautions and conduct when using equipment and software, including the purpose of using equipment and technological structure.

ZALLPY's Information Security Policy consists of a document that establishes and guides corporate guidelines aimed at protecting physical and logical information assets in a secure and transparent manner, ensuring availability, integrity and confidentiality, committing to meeting the operational, contractual and confidentiality requirements of the information contained therein, in a manner aligned with the legal requirements and demands of the Regulatory Agencies applicable to ZALLPY's business, promoting continuous improvement in its Information Security Management System.

This policy provides guidelines that will help identify, assess, monitor, combat, and treat or mitigate the main factors that generate cyber and information security risks. Therefore, it must be respected and applied across all areas of the organization.

ZALLPY's Information Security principles basically cover the following aspects:

• Integrity: Ensure the preservation, consistency, and reliability of the company's information and systems, ensuring that no external interference can corrupt, compromise, or damage them;

• Confidentiality: Ensure the safeguarding of confidential information and protection against unauthorized disclosure;

• Availability: Ensuring that information will be accessible when needed is a characteristic of the system's effectiveness.

Anyone who needs to access ZALLPY's assets and information must respect the classification of data and information assigned by ZALLPY, and must treat the data and information of ZALLPY and its customers as confidential, except when classified by ZALLPY as PUBLIC.

All data and information owned by ZALLPY must be protected from the moment of its creation, modification, subtraction, destruction or disclosure and, therefore, we recommend the use of procedures that guarantee: Integrity, Confidentiality, Availability, Authentication and Traceability.

The Information Security area is responsible for:

• Define and maintain updated and available guidelines;

• Carry out the survey and support for risk treatment;

• Conduct and support audits, where applicable.

It is the responsibility of all Customers and Suppliers to:

• Follow all guidelines defined in this policy and other applicable policies, which will be updated and available for consultation at any time.

The Legal Department is responsible for:

• Establish clauses for the preservation of confidentiality, intellectual property, information secrecy and personal data protection (LGPD) that must be respected and complied with before, during and after the provision of services by suppliers through agreements between the parties involved.

ZALLPY, through the Information Technology Management, may record all use of systems and services, in order to guarantee the availability and security of the information used.

All information generated or received by the agents involved as a result of the professional activity contracted by ZALLPY belongs to that organization. Exceptions must be explicit and formalized.

It is the obligation of each agent to remain up to date with this policy and related procedures and standards, seeking guidance from their contract manager or the Information Technology Management whenever they are not absolutely sure about the handling of information.

This policy must be reviewed and updated periodically, within a period of 01 year, or whenever any relevant fact or event motivates its early review, as per analysis and decision of the Governance Committee.

All ZALLPY contracts must include a Confidentiality Agreement or Non-Disclosure Clause (NDA) as an essential condition for granting access to the information assets made available by the institution.

Responsibility for information security must be communicated during the hiring process for employees and suppliers, and during the signing of contracts. All involved parties must be instructed on security procedures and the proper use of assets to reduce potential risks. They must sign a liability agreement.

Any incident affecting information security must be initially reported to the Information Technology Management and, if deemed necessary, it must subsequently be forwarded to the Governance Committee for analysis.

Appropriate controls, audit trails or activity records must be created and established at all points and systems where the institution deems necessary to reduce the risks to its information assets, such as workstations, notebooks, internet access, electronic mail, commercial and financial systems developed by ZALLPY or third parties.

ZALLPY reserves the right to analyze data and evidence to obtain evidence to be used in investigative processes, as well as to adopt appropriate legal measures.

The guidelines, programs, codes of conduct, internal rules and policies established by ZALLPY must be fully complied with.

Service providers must ensure, at a minimum, that all employees associated with the service provided are aware of and agree to comply with the provisions of this policy. ZALLPY may request, at any time, evidence of the disclosure process of this information.

The contract manager must be notified when any risks or incidents are identified that may impact the security and privacy of information.

Documents and records that demonstrate and evidence compliance with the requirements defined in the contract and the guidelines established in ZALLPY's internal policies must be presented whenever necessary.

When using ZALLPY's assets and facilities, the necessary precautions must be taken to preserve the property. It is everyone's responsibility to protect assets and adopt habits that generally avoid waste.

Service providers, when applicable, must have a Contingency Plan and Disaster Recovery Plan to ensure the continuity of the contracted services, with the same quality and within the deadlines agreed with ZALLPY, reviewed and tested annually.

When and where applicable, service providers must have a Backup Policy as well as monitoring and restoration procedures, including periodic tests to assess integrity, which must be presented whenever requested by ZALLPY for audit purposes.

Any questions about this Policy or data processing can be addressed to our Personal Data Protection Officer, Luis Ladereche, by clicking the 'Contact the DPO' button in the footer, or by email at dpo@zallpy.com. He is available on business days from 9:00 AM to 6:00 PM, and you will receive a response within 10 business days.

Failure to comply with the requirements set forth in this PSI and the Information Security Standards will subject the user to the applicable administrative and legal measures in compliance with the provisions of the General Data Protection Law (LGPD) - Law 13,709/2018 - which regulates the protection of personal data aiming to protect the rights of freedom/privacy and the provisions of the Labor Laws in force in the country.

Effective date: August 18, 2025, rev.: 03.