Information Security Policy
1. Mission statement
ECAPTURE RESEARCH AND DEVELOPMENT S.L (hereinafter ecaptureDtech) is an innovative tech company specialized in analyzing and processing images or videos taken with any kind of camera. To do so, it uses technologies such as artificial intelligence, machine learning, deep learning, or photogrammetry/videogrammetry, which allow it to develop new products and services through web platforms that are available to users. These web platforms are an easy-to-use solution for both professional and non-professional users who want to use these technologies.
In order to achieve its objectives, ecaptureDtech is committed to ensuring the security of information and undertakes to manage it correctly with the objective of offering all its stakeholders the greatest guarantees in this regard.
These systems must be managed diligently, and appropriate measures should be put in place to protect them from any accidental or deliberate damage that may affect the availability, integrity, or confidentiality of the information processed or the services provided.
The objective of information security is to guarantee the quality of information and service continuity by taking preventive action, monitoring daily activity, and reacting diligently in the event of any incidents.
ICT systems must be protected against rapidly evolving threats that could impact the confidentiality, integrity, availability, intended use, and value of information and services. To defend systems against these threats, a strategy is required that adapts to changes in environmental conditions, thereby guaranteeing service continuity. Consequently, departments must implement the minimum security measures required by the Spanish National Security Scheme (ENS), as well as continuously monitor service delivery levels, monitor and analyze any vulnerabilities that have been reported, and prepare an effective response to incidents to ensure service continuity.
All departments must ensure that ICT security is an integral part of every stage of the system's life cycle, from conception to decommissioning, including development or procurement decisions and activities related to operations. Security requirements and financing needs should be identified and included in the planning, request for proposals, and tender documents of ICT projects.
Departments must be prepared to prevent, detect, react, and recover from incidents, in accordance with Article 8 of the ENS (Article 8. Prevention, detection, response, and conservation).
2. Scope
This policy is applicable to the following services:
- Development, implementation, and deployment of web-based image processing platforms.
- Internal Technical Support for Infrastructures and Services.
- Marketing of the web platforms that have been generated and made available online as services for clients.
- Technical support for clients who use the platforms.
3. Objectives
In view of the above, Senior Management has established the following objectives in terms of information security:
➔ Provide a framework that increases resistance and resilience in order to respond effectively.
➔ Ensure that services are recovered efficiently and rapidly in the event of any potential physical disaster or contingency that would put operational continuity at risk.
➔ Prevent information security incidents insofar as this is technically and financially feasible and mitigate any information security risks generated by our activities.
➔ Guarantee the confidentiality, integrity, availability, authenticity, and traceability of information.
4. Regulatory framework
One of the objectives of this policy is to fulfill applicable requirements of a legal or any other nature, in addition to the commitments made to our clients, and to keep those requirements constantly up to date. To do this, the organization monitors legislation internally.
5. Development
In order to achieve the aforementioned objectives, we must:
➔ Continuously improve our information security system.
➔ Identify potential threats, as well as the impact that these threats may have on business operations in the event that they occur.
➔ Protect the interests of our main stakeholders (clients, shareholders, employees, and suppliers), as well as our reputation, brand, and value creation activities.
➔ Work together with our suppliers and subcontractors to improve the provision of IT services, service continuity, and information security, all of which make our activity more efficient.
➔ Evaluate and guarantee the technical competence of personnel, as well as ensure that they are sufficiently motivated to continually improve our processes, providing them with the appropriate training and internal communication means necessary to follow the good practices established in the system.
➔ Guarantee that facilities are in a good condition and have the appropriate equipment, in line with the company's activity, objectives, and goals.
➔ Continually analyze all relevant processes and establish the appropriate improvements in each case based on the results obtained and the objectives established.
➔ Give our management system an easily understandable structure. Our management system has the following structure:
Our system is managed by the Computer Systems Officer. The system will be available in a repository on our information system, which can be accessed by persons who have been granted the appropriate access profile, in line with our current access management procedure.
Documentation related to system security is organized in the organization's folders, divided into sub-folders named by standard points and operating frameworks, which contain the various procedures, logs, and evidence. These documents are of restricted access for company personnel and cannot be accessed by unauthorized external personnel.
Security documentation is organized as follows:
• Security Policy.
• Security Regulations: documents describing the use of computer equipment, services, and facilities. They describe what is considered misuse, the responsibility of personnel as regards fulfillment or breaches of regulations, rights, duties, and disciplinary measures in accordance with current legislation.
• Specific documents: security documentation developed in accordance with the applicable information and communication technology security guidelines from the Spanish National Cryptology Center (CCN-STIC).
• Security procedures: documents detailing how to operate the different elements of the system.
This policy develops our management system alongside other complementary policies, procedures, and documents that are in effect.
6. Security organization
The primary responsibility lies with the organization's Senior Management, which is responsible for organizing roles and responsibilities and for providing adequate resources to achieve the objectives of the ENS. The managers of the various departments and areas are also responsible for setting a good example by following the established security standards.
These principles are the responsibility of Senior Management, which has the necessary means and provides the organization's staff with sufficient resources to fulfill them, by including them in this Integrated Management Systems Policy and making them public knowledge.
The defined security roles or functions are as follows:
- Chief Information Officer (CIO): Make decisions related to the information being processed. This figure has the authority to determine the security level of information.
- Chief Service Officer (CSO): Establish the security requirements of the service. This figure has the authority to determine the security level of information. Coordinate and improve implementation of the system.
- Chief Information Security Officer (CISO): Supervise and maintain the security of the information handled by the organization, as well as of the services that it provides.
- Chief System Administrator (CSA): Develop, operate, and maintain the information system.
- Senior Management: Lead and provide the necessary resources for the system.
- Security Administrator (SA): Implement, manage, and maintain security measures.
Additional details regarding duties and responsibilities can be found in job profiles and the specific documentation detailing managers' roles and responsibilities.
Any differences in criteria that could lead to conflicts will be dealt with by the Information Security Committee, and in any case the criteria of Senior Management will prevail.
7. Information Security Committee
Appointments and reappointments will be ratified by the Information Security Committee.
The Information Security Committee has the highest level of responsibility within the information security management system. Therefore, all the most important decisions related to security are agreed by this committee.
The members of the Information Security Committee are as follows:
● CHIEF INFORMATION SECURITY OFFICER
● CHIEF SYSTEM ADMINISTRATOR
● CHIEF SERVICE OFFICER
● CHIEF INFORMATION OFFICER
Only the Committee can appoint, reappoint, and dismiss these members. The Information Security Committee is an autonomous, executive, and decision-making body whose activity is not subordinate to any other element in our company.
8. Risk management
All systems subject to this Policy shall perform a risk analysis to evaluate the threats and risks to which they are exposed. This analysis is reviewed on a regular basis:
● at least once per year;
● when there are any changes to the information handled;
● when there are any changes to the services provided;
● when a serious security incident occurs;
● when serious vulnerabilities are reported.
In order to standardize these risk analyses, the Information Security Committee will establish a benchmark assessment for the various types of information handled and services provided. The Information Security Committee will provide the resources required to meet the security needs of the various systems, promoting horizontal investments.
The risk analysis methodology established in the Risk Analysis procedure will be taken into account to carry out this risk analysis.
9. Personnel management
All ecaptureDtech personnel must be aware of and fulfill this Information Security Policy and Security Regulations. Likewise, the Information Security Committee is responsible for providing the necessary means to ensure that the information reaches those concerned.
All ecaptureDtech staff will attend an ICT security awareness session at least once a year. A continuous awareness-raising program will be put in place for all members of ecaptureDtech, especially for new hires.
Persons who are responsible for using, operating, or performing administration tasks on ICT systems will receive training on how to securely manage these systems, insofar as this is necessary for their work. Training will be mandatory before an individual takes on a responsibility, whether it be their first assignment or due to a change of position or job responsibilities.
10. Professionalism and security in terms of human resources
This Policy applies to all ecaptureDtech personnel and any external personnel performing tasks within the company.
The Human Resources Department will include information security functions in employee job descriptions, inform all hired personnel of their obligation to fulfill the Information Security Policy, manage non-disclosure agreements with personnel, and coordinate user training tasks related to this Policy.
● The Chief Information Security Officer (CISO) is responsible for monitoring, documenting, and analyzing any security incidents that are reported, as well as for informing the Information Security Committee and information owners.
● The Information Security Committee will be responsible for implementing the necessary means and channels required by the Chief Information Security Officer to handle reports of incidents and problems in the system. The Information Security Committee will also be aware of and oversee the investigation, as well as monitor the evolution of information and promote the resolution of information security incidents.
● The Chief Information Security Officer (CISO) will participate in the preparation of the non-disclosure agreements signed by employees and third parties who perform functions at ecaptureDtech, in providing advice on sanctions in the event of a breach of this Policy, and in handling information security incidents.
● All ecaptureDtech personnel are responsible for reporting any information security weaknesses and incidents that they detect in a timely manner.
● Professionalism of human resources:
  ● Determine the skills that personnel need to carry out tasks that affect information security.
  ● Ensure that people have the necessary capabilities based on education, training, or experience.
  ● Provide documented information to demonstrate that personnel have the necessary skills in terms of information security.
● Security is controlled in terms of personnel with the following objectives:
  ● Reduce the risks of human error, implementation irregularities, misuse of facilities and resources, and unauthorized handling of information.
  ● Explain personnel's security responsibilities at the recruitment stage. Include these duties in the agreements to be signed and verify that the employee fulfills them during their work.
  ● Ensure that users are aware of information security threats and concerns and are trained to support the organization's Information Security Policy in the course of their normal duties.
  ● Establish non-disclosure agreements with all personnel and users outside the information processing facilities.
  ● Establish the necessary tools and mechanisms to encourage personnel to report existing security weaknesses and incidents in order to minimize their effects and prevent their recurrence.
11. Authorization and control of access to information systems
Access to information systems is controlled with the following objectives:
- Prevent unauthorized access to information systems, databases, and information services.
- Implement secure user access through authentication and authorization techniques.
- Control the security of the connection between the ecaptureDtech network and other public or private networks.
- Review critical events and activities carried out by users in the systems.
- Raise awareness of employees' responsibility regarding the use of passwords and computer equipment.
- Ensure that information is secure when using laptops and personal computers for remote work.
12. Conflict resolution
Any conflicts between the roles established in this Security Policy regarding the fulfillment and development of functions and the related tasks will be resolved by a common immediate superior, taking into consideration the decision that presents a higher level of demand with respect to personal data protection. If it does not exist, the Information Security Committee must resolve the issue.
PERSONAL DATA PROTECTION
With regard to the personal data processed by ecaptureDtech's information and communication systems, the principles and obligations of current data protection regulations will be fulfilled, including Regulation (EU) 679/2016 (General Data Protection Regulation, GDPR) and Spanish Organic Law 3/2018, of 5 December. The fundamental right to personal data protection, privacy, and all other fundamental rights recognized in both international legislation and treaties and in the Spanish Constitution will be respected. Likewise, once the risk analysis required under the GDPR has been carried out, the relevant technical and organizational measures will be adopted in accordance with the risks of processing, without prejudice to situations in which a Data Protection Impact Assessment (DPIA) is required beforehand.
13. Protection of facilities
This policy has the following objectives in terms of protection of facilities:
● Prevent unauthorized access and damage to or interference with ecaptureDtech's headquarters, facilities, and information.
● Protect ecaptureDtech's critical information processing equipment by placing it in protected areas inside a defined security perimeter, with appropriate security measures and access controls. Likewise, the protection of this information when it is transported and remains outside the protected areas, for maintenance or other reasons, should be considered.
● Control any environmental factors that could impair the proper functioning of the computer equipment where ecaptureDtech's information is stored.
● Implement measures to protect information handled by personnel in offices as part of their usual tasks.
● Provide protection that is proportional to the identified risks.
This Policy applies to all physical resources related to ecaptureDtech's information systems: facilities, computer equipment, wiring, records, storage media, etc.
Based on a risk analysis, the Chief Information Security Officer (CISO), alongside information owners, as appropriate, will define and supervise the application of the physical and environmental security measures required to protect critical assets. They will also check that physical and environmental security provisions are fulfilled.
The department managers will define the levels of physical access granted to ecaptureDtech personnel to enter the restricted areas under their responsibility. The information owners will formally authorize ecaptureDtech employees to perform off-site work involving information about their business, when they deem appropriate.
All ecaptureDtech staff are responsible for respecting the clear screen and desk policy to protect information related to their daily work in the office.
14. Product procurement
The various departments must make sure that ICT security is an integral part of every stage of the system's life cycle, from conception to decommissioning, including development or procurement decisions, and activities related to operations. Security requirements and financing needs should be identified and included in the planning, request for proposals, and tender documents of ICT projects.
Furthermore, information security will be taken into account in the procurement and maintenance of information systems, limiting and managing change.
The Procurement, Development and Maintenance procedure specifies the checks that ecaptureDtech carries out to make our systems more secure.
15. Secure by default
ecaptureDtech believes that information security should be integrated into the life cycle of the entity's processes to give the company a strategic advantage. Information systems and services must be secure by default from creation to decommissioning, and security should be included in any development and/or procurement decisions and all operational activities, establishing security as a comprehensive and transversal process.
16. System integrity and updates
ecaptureDtech undertakes to guarantee the integrity of the system by means of a change management process that makes it possible to monitor updates to physical or logical elements, as they must be authorized prior to installation. This evaluation will mainly be carried out by systems management, who will analyze the impact on system security before making the changes and document any changes considered to be important or that have implications for system security.
Periodic security reviews will be used to evaluate the systems' security status in relation to the manufacturers' specifications, vulnerabilities, and updates that affect them, reacting diligently to manage the risk in view of the systems' security status.
17. Protection of information when stored and in transit
ecaptureDtech establishes protection measures to ensure the security of information when stored or in transit through insecure environments. Portable devices, peripheral devices, information carriers and communications over open or weakly encrypted networks are considered insecure environments.
18. Prevention of interconnected information systems
ecaptureDtech establishes measures to protect information security, in particular the perimeter, especially when connected to public networks, and even more so if they are used entirely or partially to provide public electronic communications services.
In any case, the risks derived from connecting the system to other systems via networks will be analyzed, and their points of interconnection, including public electronic connections, will be controlled.
19. Activity logs
ecaptureDtech will record user activities and retain the information required to monitor, analyze, investigate, and document any undue or unauthorized actions. Furthermore, it will be possible to identify the person performing these actions at all times.
The main objectives of incident management are as follows:
● Establish a system for detecting and reacting to harmful code.
● Have procedures for managing security incidents and weaknesses detected in the elements of the information system.
  ● These procedures will cover the detection mechanisms, the classification criteria, and the analysis and resolution procedures, as well as the channels that will be used to communicate with the parties concerned and record the actions taken.
  ● This log is used to continually improve system security.
● Ensure that IT services return to optimal performance.
● Minimize any possible risks and impacts related to the incident.
● Ensure system integrity in the event of a security incident.
● Communicate the impact of an incident as soon as it is detected to activate the alarm and implement an appropriate business communication plan.
● Promote business efficiency.
20. Business continuity
In order to guarantee the continuity of its activities, ecaptureDtech establishes measures to ensure that there are backup copies of all its systems, as well as provide the necessary mechanisms to guarantee operational continuity in the event that the usual means of work are lost.
In Badajoz on 1 February 2025
Signed: Senior Management