The Management of the Kairós Group (“Kairós”) within the framework of its general and non-delegable competence to determine the general policies and strategies of the company, and after review and proposal by the competent Committee, has decided to establish and implement an Information Security Management System, based on the requirements of the UNE-EN ISO 27001:2023 standard, for:

The Information Systems that support the processes and CONSULTING AND DEVELOPMENT SERVICES RELATED TO THE DIGITAL TRANSFORMATION OF OUR CUSTOMERS, according to the statement of applicability in force.

At Kairós, we have established the policy of our Information Security System as a basic pillar to establish and review the objectives of information security, and thus achieve the full satisfaction of our customers.

For this reason, and in order to achieve the objectives set, the Management is committed to devote all its economic, technological and human potential to this task. In such a way that the organization of the company, its investment policy, the development of new methods and human resources, are oriented primarily to guarantee the fulfillment of the requirements demanded by the client and by the applicable legislation in force in the matter of information security.

Kairós's principles of action are:

• Create and maintain a culture of quality and information security that is assumed by all our employees, extending it to our supply chain, and that also ensures business continuity and information security in all its dimensions according to the risk level of our assets, needs and resources.
• Adopt a behavior of continuous improvement of quality and information security management in all aspects of the organization.
• Provide a framework for establishing and reviewing the organization's quality and information security objectives.
• At all times, the management policy will be implemented, maintained and communicated to all staff of the organization, being available to our stakeholders.
• Protect the information processed and accessed by our employees, to prevent its loss, alteration, destruction or misuse. Guaranteeing the confidentiality, integrity and availability of the information. It is their responsibility to report security incidents, suspicious events and misuse of the resources they use.
• Ensuring that Kairós services are available as needed for the business and ensuring minimal business impact in the event of a temporary interruption.
• Embody our ethical and social philosophy and commitment in the Kairós Code of Conduct.
• All Kairós personnel shall attend security awareness sessions, which will be set out in the annual training and awareness plan.
• Third parties who are involved in the management, maintenance or operation of Kairós services and systems shall be bound by this Information Security Policy. Third parties will be obliged to comply with this policy and the regulations that may derive from it.
• Third parties may develop their own operating procedures to satisfy this Policy and may report them.

All of us at Kairós assume these principles and it is our responsibility to put them into practice by carrying out the functions assigned within the framework of this Information Security Management System and complying with the corresponding internal regulations and to transmit them for their application also to suppliers, subcontractors, partners and collaborators who participate in our operations.

This policy, which is communicated within the organization and available to interested parties, is kept permanently updated, reviewed at least annually, taking into account the purpose and context of the company, and serves as a basis for the establishment of security and strategic objectives.

Complete Information Security Policy