This document was developed to minimize the risks associated with Information Technology, indicating care and expected behavior in the use of equipment and software, including the purpose of using equipment and technological structure.

This document, called Information Security Policy or simply PZTI_POLSI, aims to establish rules and standards to be used for the protection of data and information of ZALLPY and its employees. It presents guidelines that will help to identify, assess, monitor, combat and address or mitigate the main factors that generate cyber and information security risks. It must therefore be respected and applied in all areas of the organization.

All employees must respect the classification of data and information assigned by ZALLPY, and must treat ZALLPY's data and information and its customers as confidential.

All data and information owned by ZALLPY must be protected from the moment of its creation, modification, removal, destruction or unauthorized disclosure and, therefore, we guide the use of procedures that guarantee: Integrity, Confidentiality, Availability, Authentication and Traceability .

The instructions set out in this document must be followed by all employees, service providers, suppliers, partners and subcontractors, and apply to information in any format.

This security policy informs each employee that the company's environments, systems, computers and networks may be monitored and recorded, with prior information, as provided for by law.

ZALLPY, through the Information Technology Management, may record all use of systems and services, in order to guarantee the availability and security of the information used.

All information generated or received by employees as a result of the professional activity contracted by ZALLPY belongs to that organization. Exceptions must be explicit and formalized.

It is the obligation of each employee to keep up to date with this policy and related procedures and standards, seeking guidance from their manager or the Information Technology Management whenever they are not absolutely sure about the acquisition, use and/or disposal of information.

This policy must be reviewed and updated periodically, within a period of 01 year, or whenever any relevant fact or event motivates its early review, according to the analysis and decision of the Governance Committee.

The Confidentiality Agreement or Confidentiality Clause annex must be included in all ZALLPY contracts, as an essential condition for granting access to information assets made available by the institution.

Responsibility for information security must be communicated at the stage of hiring employees. All employees must be instructed on safety procedures, as well as the correct use of assets, in order to reduce possible risks. They must sign a disclaimer.

Any incident that affects information security must be initially communicated to the Information Technology Management and, if deemed necessary, it must subsequently forward it to the Governance Committee for analysis.

Appropriate controls, audit trails or activity records must be created and implemented at all points and systems where the institution deems necessary to reduce the risks of its information assets, such as workstations, notebooks, Internet access, electronic mail, commercial and financial systems developed by ZALLPY or by third parties.

ZALLPY reserves the right to analyze data and evidence to obtain evidence to be used in investigative processes, as well as to adopt the appropriate legal measures.

Failure to comply with the requirements set out in this PSI and the Information Security Standards will subject the user to the appropriate administrative and legal measures in compliance with the provisions of the General Data Protection Law ( LGPD ) - Law 13,709/2018 - which regulates the protection of personal data in order to protect freedom/privacy rights and the provisions of the Labor Laws in force in the country.

Any doubts about this Policy, as well as the processing of data, can be dealt with by Personal Data Protection, Luis Ladereche, through the 'Contact the DPO' button available in the footer, or by e-mail at dpo@zallpy.com. It is available on business days between 9 am and 6 pm. You will receive a response within a maximum period of 10 business days.