Information Security Policy

The Management of Betrusted S.r.l., through the preparation of this document, intends to define the Information Security Policy, specifying its objectives and the commitments deriving from it.

The general objectives for the Information Security Management System are as follows:

• to create and implement an Information Security Management System in compliance with all mandatory regulations, applicable laws and decrees, and the maturity standards to which the company has chosen to adhere or which are required by its Clients;
• to build a continuously improving market image and ensure “business continuity” for Clients without interruption risks caused by potential information security incidents;
• to reduce the impact of potential incidents.

These objectives are aligned with the company’s goals, strategy, and business plans.

The purpose is to enhance procedures that enable the organization to operate more efficiently, improve control and security of activities, and achieve increasingly ambitious objectives.

Betrusted S.r.l. provides services based on resources, including information. The use of information resources must comply with best practices and operational procedures, as well as legal, regulatory, and contractual requirements, and must ensure the confidentiality, integrity, and availability of all Betrusted S.r.l. and Client information assets.

Information is a critical asset for Betrusted S.r.l. and enables the company to fulfill its functions and contractual obligations towards its stakeholders.

Betrusted S.r.l.’s Information Security Management System ensures compliance with legal, regulatory, and contractual requirements related to information security, including those set out in data protection legislation (EU Regulation 2016/679, Legislative Decree 101/18, and Legislative Decree 196/03) and by the Data Protection Authority.

With specific reference to Information Security:

• ISO 27001 – updated to the 2024 version;
• procedures will define risk assessment criteria aligned with the current corporate strategic risk management policies approved by Betrusted S.r.l.. It is the clear intention and responsibility of Management to strengthen internal awareness towards increasingly ambitious information security objectives, enhance the company’s reputation and reliability, and promote transparency towards Clients, professionalism, and a distinctive, tailored approach.

It is therefore Betrusted S.r.l.’s firm intention to implement and follow this Information Security Policy, ensuring it is adopted and applied at all organizational levels. The Company is committed to providing appropriate training to its personnel in this regard.

This Policy represents the commitment upon which the Information Security Management System is based.

All company processes (both core and supporting) are subject to the guidelines and directions defined in this document.

All interested parties are required to adopt appropriate security measures in line with the principles set out in this Policy.

Failure to comply with or violation of the principles contained in this Policy may result in disciplinary actions for employees, as provided by the applicable national collective labor agreement (CCNL), as well as the application of all permitted civil and criminal actions. For external parties, this may lead to a review of contractual relationships up to termination of the contract.

In particular, Management assigns to the Information Security Management System Manager (ISMS Manager) the responsibility to ensure the implementation of the provisions established by the Information Security Management System and to keep Management informed of the results arising from periodic audits.

Management will periodically review, during Management Review meetings, the company’s practices, policies, and current guidelines in order to recommend any necessary changes or improvements to ensure the implementation of appropriate security measures.

This Policy is a controlled document and is made available to employees on the company server in read-only mode, as well as to all interested parties upon request. The Information Security Management System Manager (ISMS Manager) must ensure that all updates are communicated and that obsolete copies are removed and/or archived.

Alongside this Policy, Betrusted S.r.l. has developed specific policies governing the following areas: incident management, business continuity management, password management, change management, policy on the proper use of company tools, and backup and information recovery management.

Monza, July 17, 2025