1. Purpose
The purpose of the Information Security Policy is to establish the necessary information security rules to protect the information assets and corporate brand of Architecht Information Systems and Marketing Trade Inc. (“Company”) against internal, external, intentional, and accidental threats.
2. Scope
All work carried out by company employees, consultants/contractors, temporary staff, and interns must comply with the Information Security Policy. The policy covers information assets including employee devices, servers, communication devices, physical security devices, and portable computers.
This policy covers the following standards (“Integrated Management System” and/or “IMS”):
- ISO 27001 Information Security Management System
- ISO 27017 Security Techniques for Cloud Services
- ISO 27701 Personal Data Management System
- ISO 22301 Business Continuity Management System
- ISO 20000-1 IT Service Management System
3. Implementation Method
To manage risks regarding information assets:
- Security measures are reviewed in case of legal, regulatory, contractual changes or new threats/vulnerabilities.
- Information security training is provided to all employees once a year, followed by a survey to measure effectiveness.
- Confidential information is protected against unauthorized access and disclosure.
- Access to information assets is granted only to authorized individuals, at the minimum level required, in line with the principle of segregation of duties.
- Information is protected against unauthorized alterations.
- Accessibility of information is ensured when needed.
- Users of information assets must be identifiable, accountable, and traceable.
- In case of security breaches, “Information Security Incident Management Policy” procedures are followed.
- Data stored on company computers belongs to the company. Employees cannot claim personal rights over this data nor use it without company approval.
- The company may monitor the actions of employees accessing information assets.
- Supporting policies, procedures, and standards are established and communicated to ensure compliance.
- Information and cybersecurity services are provided by Kuveyt Türk Participation Bank’s Information Security Group.
- In case of policy violations, the provisions of the Company’s Disciplinary Regulation shall apply.