Information Security Policy

1. Objective

Establish guidelines and principles to ensure that the Information Security Policy of ORAEX meets the confidentiality, integrity, and availability requirements of all physical and logical assets, ensuring that the organization complies with the requirements of ISO/IEC 27001:2022 and meets the information security objectives established in MAN-SGSI-01 – Information Management System Manual.

2. Definitions

  • Information Security - preservation of confidentiality, integrity, and availability of information; additionally, other properties such as authenticity, accountability, non-repudiation, and reliability may also be involved.
  • Confidentiality - Information can only be accessed and viewed by authorized individuals, preventing its deliberate or accidental disclosure.
  • Integrity - Information is protected from modification, deliberate or accidental destruction by authorized and unauthorized users, ensuring the accuracy of the organization's information.
  • Availability - Assets and information are available and accessible to authorized users when needed.
  • Transparency – Informing stakeholders about how personal data is collected, processed, and protected.
  • Data Minimization – Collecting and processing only the personal data necessary for specific and legitimate purposes.
  • Personal Data: Any information that identifies or can identify a person.
  • Sensitive Data: Personal information that reveals racial or ethnic origin, political opinions, religious beliefs, genetic, biometric data, among others.

3. Scope

This policy applies to all employees, service providers, third parties, and partners who process information of the organization, including personal data of customers, suppliers, and employees.

4. General Conditions

Information security directives are guidelines that govern conduct and behavior regarding security topics, detailing the Information Security Policy and supporting the creation of other policies and procedures.

These guidelines are, and must remain, continuously integrated into ORAEX's project management methods to ensure that information security risks are identified and considered as part of every project. This applies to any project, regardless of its purpose: a critical business process, an Information Technology (IT) process, resource management, or any other support process.

5. Management's Commitment to Information Security

ORAEX's Management actively supports Information Security by providing resources for the information security management system (ISMS), critically analyzing the management system, supporting internal awareness initiatives and campaigns, reinforcing its support, and highlighting the strategic importance of the ISMS as a competitive differentiator for the company.

6. Roles and Responsibilities

The roles and responsibilities in information security are designated to ensure the effective protection and management of information assets.

All employees, service providers, and involved third parties must follow the established security guidelines, while the Information Security team is responsible for defining, implementing, and monitoring security policies and controls.

The organization's leadership supports and promotes the security culture, ensuring the allocation of resources and strategic alignment for continuous protection against threats and vulnerabilities.

  • Executive Board: Provides resources and strategic support to information security, promoting an organizational culture of compliance.
  • Information Security Manager (CISO): Responsible for implementing, monitoring, and updating security controls.
  • Data Protection Officer (DPO): Ensures compliance with legislation and regulations and acts as a point of contact for data protection issues.
  • Employees and Third Parties: Follow the security guidelines established in this and other policies and are responsible for protecting information under their custody.

7. Risk Management

ORAEX continuously manages the risks associated with information security to identify, assess, and mitigate threats that may impact the confidentiality, integrity, and availability of information assets. The detailed processes and criteria for risk assessment and treatment are defined in POL-SGSI-02 - Risk Management Policy, which serves as a guide to ensure a proactive and effective approach to managing information security risks.

8. Personal Data Processing

All personal data is processed in accordance with applicable laws and with respect for the rights of data subjects. Data is collected, processed, and retained only for the time necessary for the defined purposes.

9. Data Subject Rights

The organization ensures compliance with the rights of data subjects, including:

  • Access to information about their personal data.
  • Rectification of inaccurate or incomplete data.
  • Deletion of data, when applicable.
  • Data portability.

  • Restriction of processing, as provided for in legislation.

10. Human Resources Security

The admission and/or hiring of employees and the approval of consultants and service providers must be preceded by formal adherence to the terms of the company's onboarding process and, if applicable, additional legal or contractual protection mechanisms, with reference to the documents POL-SGSI-07 – Human Resources and Awareness and PRO-SGSI-02 – Recruitment and Selection Procedure.

All employees, consultants, and service providers must receive Information Security training and awareness upon hiring and periodically throughout their service period.

11. Disciplinary Sanctions

Failure to comply with the guidelines established in this policy may compromise the integrity, confidentiality, and availability of the organization's data, generating significant risks for the business. Therefore, any intentional or negligent violation of security standards will be evaluated and may result in disciplinary sanctions, according to the severity of the infraction and as provided for in the current PRO-SGSI-03 - CODE OF CONDUCT. Corrective measures may include formal warnings up to, in severe cases, termination of the employment contract, in addition to possible legal implications provided for in current legislation.

11. Asset Ownership

"Assets" characterize equipment and/or devices that process and store corporate information, whether from ORAEX or its customers.

The asset inventory is managed and administered by ORAEX's administrative and personnel department. For assets contracted from a supplier for the execution of work activities, the inventory is also maintained by that supplier, automatically, through a platform the supplier provides, which gives us all the information necessary to manage the environment.

12. GUIDELINES

12.1. Information Classification

Information must be classified to indicate the importance and level of protection required according to its use in ORAEX's business, relationship with Customers, External Providers, and governmental requirements.

Any information required by law or court, governmental or regulatory authority, or by virtue of a contract entered into and recognized between ORAEX and third parties, may only be disclosed after analysis and consent from senior management or ORAEX's legal department.

It is essential that information is treated appropriately throughout its lifecycle, ensuring an adequate level of protection. The following criteria should be considered for defining data classification:

  • Legal requirements to ensure the management and protection of data;
  • The commitment to protect personal and sensitive data of Customers, Employees, and External Providers;
  • The protection of ORAEX's business in the market to avoid losses;
  • The value that information may have for other companies external to ORAEX;
  • Intrinsic interest in the data;
  • The cost of recovering data in case of alteration or deletion.

ORAEX adopts four categories for classifying information, highlighted below:

A) RESTRICTED

Information that requires secrecy and special treatment in ORAEX must be protected from unauthorized alterations, disclosures, transfers, and access. It must be available only to relevant and authorized individuals to work with it, whenever necessary. It requires all necessary security efforts to protect it.

Examples of critical information include:

  • Sensitive Personal Data such as health information, biometrics, information of adolescents and/or children under 14 years of age, photograph, union or political affiliation.

B) CONFIDENTIAL

Information that requires absolute secrecy in ORAEX must be protected from unauthorized alterations and be available only to relevant and authorized individuals to work with it, whenever necessary. It requires all necessary security efforts to protect it.

Examples of confidential information include:

  • Any information about ORAEX's Customers.
  • Personal Data of Employees and External Providers that must be protected by legal obligation, including registration data (CPF, RG, etc.), financial situation, and bank transactions.

  • Information about products and services that reveal ORAEX's competitive advantages in the market.
  • All material considered strategic by Senior Management, such as printed material, stored in systems, in electronic messages, or even in the form of business knowledge of the person.
  • Salary statements, fee payments, and projections, as well as any ORAEX information that should not be disclosed to the external environment before publication by the competent areas.
  • All types of access credentials (users, passwords, phrases, etc.) to systems, networks, workstations, mobile devices, and other information used in the verification and authentication of identities. This information is personal and non-transferable and must not be shared, under penalty of administrative sanctions.

C) INTERNAL USE

Information for use and restricted access to employees must not be disclosed outside of ORAEX. It requires security efforts to prevent losses, with special attention to the integrity and availability of information.

Examples of internal use information include:

  • Reports, bulletins, opinions, worksheets, spreadsheets, and internal correspondence of a non-confidential nature.
  • Information contained in systems, electronic messages, and work processes that are used by employees when performing their functions at ORAEX.
  • Information used outside of ORAEX's premises, related to work activity and of a non-confidential nature.
  • Procedures and forms.

D) PUBLIC

Information disclosed to the public media, without distinction. It requires minimal security efforts, with special attention to the availability of information.

Examples of public use information include:

  • Commercial brochures and financial results made available to the market.
  • Quality Policy.
  • Data Policy.

Further details are given in the Information Classification Summary Table document.

NOTE 1: the information classification rules must also be known and applied by service providers and business partners, when applicable.

13. Information Labeling

Controlled documents must be labeled according to their classification. This activity must be carried out in the most appropriate way for each type of information. Examples of ways to label information:

  1. Using resources such as “Header and Footer” present in text editors;
  2. Using watermark resources;
  3. Visual indications on system screens.

It is important that the method chosen to label certain information is adequate and ensures that anyone who gains access can identify its classification.

14. Access Control

All systems and logical assets have authorization profiles according to the RACI Table of information assets document and the Physical and Logical Access Management document.

Employees are responsible for the use, including any inappropriate use, of the access rights and credentials assigned to them; these rights and credentials are non-transferable.

Employees must:

  1. Keep passwords confidential, memorize them, and do not record them anywhere; that is, do not disclose them to anyone and do not write them down on paper.
  2. Change passwords whenever there is any suspicion that they have been compromised.
  3. Select quality passwords that are difficult to guess.
  4. Prevent the use of your equipment by other people, while it has information from ORAEX and its customers.
  5. Always lock the equipment when leaving (Ctrl + Alt + Del).

15. Confidentiality Clauses

The awareness, responsibility, and confidentiality clauses regarding the information security policy and guidelines aim to alert employees and service providers, and hold them responsible, for the fact that access to and handling of information must be restricted to the exercise of the function or process that requires it; its use for any purpose other than the designated one is prohibited.

Employees and Service Providers: the confidentiality term is sent together with the Service Provision Contract, must be signed by both parties, and its existence is a contractual requirement.

15.1 Information Transfer

According to ORAEX's remote work style, with predominant use of SaaS tools, the transfer of information between employees, service providers, partners, and customers occurs, mostly, by digital means. To ensure the security of these transfers, ORAEX adopts practices and tools that aim to protect data against unauthorized access, interceptions, or alterations.

All exchanged information must occur exclusively through authorized channels, such as corporate emails, protected communication platforms (Slack, Microsoft Teams), and SaaS systems duly approved by the company.

Whenever necessary, protection mechanisms such as the following are used:

  • Storage locations that are accessed only over SSL/TLS connections;
  • Permission and access control based on user profile;
  • Multi-factor authentication (MFA);
  • Logging and access audits.

The transfer of information to third parties must occur securely, preferably supported by confidentiality agreements or formal contracts. Even in routine interactions, such as sending data by corporate email or through tools with access control, it is essential to ensure that the means used are previously authorized and aligned between the parties involved.

16. Intellectual Property Rights

Any product or material resulting from the work and/or related to ORAEX's client projects, produced by Collaborators, Associate Consultants, Interns or Business Partners (system, documentation, methodology, among others) is the property of ORAEX and may not be shared with third parties. In the event of termination of the service provision or employment contract, all information must be passed on to ORAEX and destroyed from personal equipment or those not on the asset inventory.

It is the responsibility of the Collaborator, service provider and Business Partner not to share, disclose or destroy any product resulting from the work performed at ORAEX without the company's due authorization.

When approving and/or contracting Consultants' services, a contractual clause must be included guaranteeing ORAEX's ownership of the information developed or handled during the service provision. For the other products resulting from the service provision, such as systems, methodology, and documentation, there must be an equivalent clause; a different arrangement is allowed only when these products are themselves the object of the negotiated conditions.

17. Third-party services

Outsourced services must include:

  • Minimum information security requirements, including confidentiality, integrity and availability;
  • A description of the agreed security level;
  • A description of ORAEX's right to carry out assessment and/or audit on its Suppliers and Service Providers at any time.

18. Equipment Configuration and Use

The equipment made available by ORAEX must be classified with the same level of information security that they store. The use of equipment is restricted to the business and activities of ORAEX, and only authorized and licensed software may be installed according to the document "List of Software and Applications", stored in the official repository for access to all internal staff.

Notebooks and emails are kept encrypted.

Private/personal equipment, such as computers or any portable device or removable media that can store and/or process data (pen drives, external HDs, cell phones used as external storage, and the like), used to store or process information related to ORAEX's business, may be permitted only as an exception to the business model and must comply with the guidelines of the documents POL-SGSI-08 - ACCEPTABLE USE OF IT RESOURCES and POL-SGSI-20 - USE OF MOBILE DEVICES, in addition to all the limits described in this policy.

Consultants who use notebooks and/or portable devices, as well as Collaborators, with information from ORAEX and its clients, must follow the following guidelines:

  • Take all necessary measures to mitigate the risk of theft or robbery of the notebook. Do not leave it unattended in the office or in any public place. If you need to leave it alone, make sure it is attached to the table with a security cable. If the period is extensive, lock it with a key in a cabinet, out of sight of other people.
  • If you have to travel by car, make sure the notebook is not in sight. Put it in the trunk when you start the trip.
  • When traveling by plane, carry it as hand luggage. Never check it in with your luggage.
  • Do not use them in public places where other people can view the screen.
  • If the notebook is stolen or lost, immediately notify your hierarchical superior and formalize a police report;
  • The same principles apply to other portable computers, such as: mobile devices, corporate Smartphones and tablets, Pen drives, external HDs and other removable media.

When equipment such as notebooks is sent for maintenance, it must remain under the custody of ORAEX or of the supplier contracted to provide the asset. Before any technical intervention, the equipment must undergo a cleaning process, with secure deletion of all information contained on it. When necessary, a replacement computer must be provided to ensure the continuity of the service provision.

19. Use of Email

For the exchange of messages (emails) related to work functions at ORAEX, only the standard corporate email system should be used.

The email resources made available for message exchange must be used by employees for business purposes, in support of the performance of organizational functions.

The limitation of access and the monitoring of email is a prerogative of ORAEX, when it considers that these resources are being used inappropriately, or negatively affecting the availability and productivity of the other services that use the network.

Employees must observe that the data files and other information to be included in emails must comply with the security criteria established for the information classification level, including the authorization of the information manager and the application of encryption for confidential information, when determined by the information owner.

The transmission of internal use, critical or confidential information to private/personal boxes is not allowed. This rule applies to all types of purposes and recipients, except in the case of clients who authorize this type of sending to certain areas of the Organization.

20. Corporate Applications

ORAEX has corporate applications for exchanging information on the knowledge base, market information, miscellaneous non-strategic internal matters, training, among others, as instructed in the Onboarding procedure for the employee or service provider.

The exchange of information related to ORAEX matters must be done obligatorily through Microsoft Teams, Outlook (belonging to the Office 365 package), Autotask, ItGlue, Slack.

In these tools, only participants classified as employees, service providers, business partners, and clients are authorized.

The Administrator of these tools is the Cloud technical area.

21. Network Storage

The storage of information, personal data and assets of clients, employees, consultants and external providers must be only on the corporate network of ORAEX, which has adequate security controls to ensure the confidentiality, integrity and availability of data. The security rules must be adherent to the requirements of ISO/IEC 27001:2022 and the General Data Protection Law (LGPD).

Only authorized employees will be able to have administrative and privileged access, according to the procedure PRO-SGSI-04 - GRANTING AND REVOKING ACCESS.

22. Use of Cryptographic Controls

As mentioned in this document, whenever possible, the effective and adequate use of cryptography should be ensured to protect the confidentiality, authenticity and/or integrity of the information.

23. Use of removable media

The use of removable media such as PenDrives, external HDs, cell phones in the function of external HDs, and the like is prohibited. The use will only be allowed in the situation of exception and must be formally authorized by the leader of the technical area with the consent of the Board.

24. Disposal of Information

The organization adopts safe disposal practices to ensure that confidential, sensitive or personal information is not accessed after the end of its usefulness, avoiding risks of leakage or misuse.

In the remote context and with predominant use of SaaS tools, the safe disposal of information applies mainly to:

  • Digital files: must be permanently deleted from systems and tools once they have served the designated activity and there is no further need to store them, using secure overwriting tools when necessary, in line with the LGPD and the information lifecycle. This ensures that data is stored only while necessary, that disposal is secure and definitive, and that the wishes of data subjects are respected when data is eliminated.
  • IT Equipment: equipment used and provided by ORAEX for the provision of service must undergo a secure cleaning process before being discarded, reused, or returned to third parties. Users should avoid keeping local data on the equipment and prioritize storage in tools authorized by the company.
  • Physical Documents: as a guideline, printing documents containing sensitive data should be avoided. Where such documents exist, they must be disposed of by shredding.

25. Clean Desk

ORAEX determines that:

  • Sensitive or critical business information, for example, in paper or electronic formats, be stored in a safe place (safe, cabinet with key, among others).
  • Equipment (e.g. notebooks) must be kept turned off or protected with screen locking mechanisms and password when not in use.

26. Social Networks

ORAEX is present in several public and private social networks, with the aim of interacting digitally with its clients and non-clients, offering informative content.

ORAEX encourages the sensible use, in the work environment, of social networks in which ORAEX has an official presence, as a way to stimulate interaction and collaboration. Joining any public, private, or internal social network on behalf of ORAEX, or using ORAEX's brand image, is not allowed without prior evaluation and approval by senior management.

It is the duty of all Collaborators and service providers to know and apply the Information Classification instructions. It should be noted that the recommendations apply to both the physical and virtual environments.

Any and all information considered confidential, such as information from clients, products and offers from ORAEX, etc. that has not been previously disclosed in any of the official profiles of ORAEX, must not be reproduced by Collaborators, except with prior and express authorization from senior management.

ORAEX reserves the right to take appropriate measures in case of violation of its name, brand, image or any confidential information.

The creation of a profile on public social networks, using the name and/or brand of ORAEX is a strategic decision, which must be approved exclusively by senior management, who is responsible for this type of initiative.

ORAEX is not responsible for the information, texts, documents, comments and/or individual opinions of its Collaborators and service providers disclosed on social networks, nor for the conduct or communication between its users; and, in case of violation of the right of any member of ORAEX or third parties, the responsibility will fall exclusively on those who adopted the conduct incompatible with this policy or with the laws in force, and ORAEX cannot be linked to any act.

The document PRO-SGSI-03 - Code of Conduct, provides guidelines and sanctions on the conduct and posture of collaborators, providers and suppliers of ORAEX.

If you become aware of, or suspect, a case of misuse of the name, brand, and/or image of ORAEX, a written complaint must be sent to the email compliance@oraex.com; the responsible party will then determine whether the Board and the Legal Department need to be informed so that they can follow up on the case.

27. Communication of Security Incidents and Personal Data Protection

It is the responsibility of everyone to promptly report any suspicious behavior or circumstance that threatens the integrity of the company's assets or information processing resources. If you notice any abnormality, fraudulent activity or event that constitutes a security incident, follow the guidelines provided in POL-SGSI-22 - INFORMATION SECURITY INCIDENT MANAGEMENT and the ESCALATION MATRIX. In this way:

  • Avoid taking arbitrary actions such as removing unknown files or restarting the system. No attempt to correct the problem should be made by the user, unless under direct guidance from senior management.
  • Take note of the events that led you to believe that an incident is occurring, such as: date, time, systems, computer or people affected/involved.
  • Immediately notify the Information Security team of data incidents via the email incidentes.seguranca@oraex.com.
  • The email compliance@oraex.com is a means of communication for matters pertaining to Personal Data Protection such as complaints, petitions from holders, risk mitigation and other aspects related to the processing of personal or sensitive data.

Failure to comply with any point of this policy, intentional or not, may lead the employee to be subjected to disciplinary or legal sanctions, depending on the case. Examples that may cause sanctions:

  • Illegal use of software.
  • Introduction (intentional or not) of computer viruses.
  • Attempts of unauthorized access to data and systems.
  • Sharing of sensitive business information.
  • Collection, processing and improper storage of personal data.
  • Incorrect use of the Internet, email, among other logical assets.

28. Business Continuity Management

Business Continuity management strategies must be aligned with business objectives and the management systems adopted in the organization.

Business Continuity management must focus correctly on the needs inherent to recovery capacity, and must be considered and adequately applied in all stages of ORAEX's business operations and practices.

28.1. Continuity strategies

In order to ensure continuous improvement, possible changes in the Corporate Strategy will be carried out through tests, maintenance and evaluations of results.

ORAEX's operational strategy must include in its scope crisis management and operational continuity actions for critical activities in the short term.

The other activities will have their execution suspended and/or their service level reduced to the minimum necessary until the return to the new normality, according to the unavailability scenario, which cannot be known in advance. The documents that reference this chapter are the Communication Plan and POL-SGSI-04 - BUSINESS CONTINUITY.

29. Contact with the Authorities

  • Fire Department: 193
  • Samu (Mobile Emergency Care Service): 192
  • Military Police: 190
  • ANPD – National Data Protection Authority Civil House of the Presidency of the Republic
    • Telephones: (61) 3411-1345 - (61) 3411-1345
    • E-mail: imprensaccivil@presidencia.gov.br
    • ANPD Website

30. Contact of Special Groups

ORAEX establishes contact with special cybersecurity groups as a way to stay updated on trends, new threats and technologies.

We keep in touch with these special groups via email at incidentes.seguranca@oraex.com.

31. Monitoring and Auditing

Compliance with this policy and security controls is periodically monitored and audited. Regular audits ensure that controls are effective and aligned with recommended practices.

32. Continuous Improvement

ORAEX seeks to continuously improve its Management System through critical analysis, identification, and treatment of non-conformities, risks, vulnerabilities, and information security incidents.

Additionally, the Security Committee aims to seek out best market practices and keep up with innovations, such as the new phase of Artificial Intelligence technology and its applicability.

The processes and resources necessary for the Information Security Management System are ensured by the commitment of senior management.

33. Policy Validity

This policy has indefinite validity until it is formally replaced, altered, or revoked by the organization. Any revision, update, or replacement will be communicated to all interested parties in a clear and timely manner, ensuring compliance and alignment with institutional objectives and applicable legal requirements, and the change actions will be duly recorded in the revision history at the end of this document.

Periodic review of this policy is recommended, at least once a year, or whenever there are significant changes in internal processes, applicable legislation, or other relevant conditions that may impact its effectiveness. During these reviews, those responsible should consider suggestions for improvement, results of internal and external audits, as well as feedback from interested parties.

The current version of this policy will always be available through means accessible to all employees and other interested parties, in order to ensure transparency and adherence to the established guidelines. Document attached in the official ORAEX company repository.

Version | Reason                  | Publication Date | Approved by
0       | Document Creation       | 2025-03-27       | Board of Directors
1       | Change of scope to ISMS | 2025-06-23       | Board of Directors