1. Purpose

The purpose of the Business Continuity Policy is to define how interventions will be managed in the event of an operational disruption and how activities will be restored within the defined Recovery Time Objective (RTO) periods.

2. Scope

It covers the development and maintenance of Business Continuity Planning, including identification and prioritization of critical business processes and understanding of risks the organization is exposed to.

The following standards are applied in the Company (“Integrated Management System” and/or “IMS”):

• ISO 27001 Information Security Management System

• ISO 27017 Security Techniques for Cloud Services

• ISO 27701 Personal Data Management System

• ISO 22301 Business Continuity Management System

• ISO 20000-1 IT Service Management System

Abbreviations and Definitions:

• RTO: Recovery Time Objective

• RPO: Recovery Point Objective

• BCP: Business Continuity Planning

3. Implementation Method

• A Business Continuity Committee is established to plan, develop, implement, and assess issues during the implementation of Architecht’s business continuity policy.

• BCPs must ensure recovery of all critical processes within the RTO and RPO identified through Business Impact Analysis.

• Relevant plans must be in place to determine backups for all critical staff.

• All new projects and updates related to the organization’s infrastructure and processes must reflect on BCPs considering their impacts.

• The organization must have a Business Continuity Plan that is tested and updated at least once a year. This plan should include manual temporary solutions in case systems are completely unavailable.

• Sufficient financial, organizational, technical, and environmental resources must be defined to meet business continuity requirements.

• Conditions for activating each plan must be explicitly stated (e.g., situation assessment, involved personnel, etc.).

• Effective liaison with public authorities such as police, fire department, and local administrations must be ensured; press relations must be managed.

• In case of a disruptive event, when the Business Continuity Plan is initiated by the General Manager, all expense authorization powers must be exercised in accordance with the Delegation of Authority.

• The organization must adopt necessary strategies to support recovery, continuation, and sustainability of critical business functions.

• Business continuity requirements must be considered at the planning and development stages before new projects, main activities, procurement, and strategies are undertaken.

• Employees must be continuously trained about ongoing business continuity arrangements in the organization.