Integrated Management System Policy

1. Scope and Mission

This policy applies to the activities, services, assets, resources and other parties involved in the provision of Facephi Biometrics S.A. products and services.

Facephi adheres to the highest international standards on Security and Information and Business Continuity, and incorporates best practices by implementing controls based on ISO 27001, ISO 27017, ISO 22301, and National Security Scheme (NSS) among others. All this is what makes up the Integrated Management System (henceforth IMS).

Facephi has managed to gain the trust of numerous entities involved in the handling of highly confidential information at a global level, and this has been possible thanks to the conviction and effort to ensure the integrity, confidentiality, authenticity, traceability and availability of the information and systems that support it. The objectives of the Facephi IMS are based on the preservation of:

a) Availability, ensuring that authorised users have access to the information and its associated assets when required.

b) Confidentiality, ensuring that only those who are authorised can access the information.

c) Integrity, ensuring that the information remains invariable.

d) Traceability, ensuring the tracking of those who have accessed and/or modified certain information associated with the service.

e) Authenticity, ensuring that whoever accesses the service is really who they should be, and that it is possible to know who obtained access.

From the beginning, Information Security and Resilience was established as a value proposal, guaranteeing, in addition to availability, the correct functioning of systems and services, and compliance with any legal, regulatory or contractual requirement.

Facephi’s primary mission has always been to develop biometric technologies seeking improvement and excellence, in order to have state-of-the-art algorithms, with a strong investment in R&D in order to contribute to the evolution of the concept of increasingly secure and resilient digital identity in all its processes.

Some key matters are:

a) Preserving and ensuring the integrity of the algorithms by analysing the threats that may affect biometrics and therefore pose a risk to privacy.

b) Managing and preserving the identity and privacy of the data.

c) Ensuring the integrity and quality of the method, as well as the integrity of the code.

The main value of the company is human value, since there is a committed, proactive team, dedicated to the project and with high motivation.

2. Development

Facephi Management wishes to make the IMS Policy public, since its knowledge and understanding are essential for its employees, customers, suppliers and other interested parties, as Information Security and Business Continuity are key factors for the correct running of the organisation.

This Policy shows the commitment of the Management, and has the following high-level objectives:

a) Ensure customer satisfaction by meeting their needs and expectations and preserving the availability, integrity, confidentiality, authenticity and traceability of information.

b) Demonstrate leadership by ensuring that the Policy and objectives are established and are compatible with the strategic direction of the organisation.

c) Establish objectives and goals focused on the evaluation of performance in matters of Information Security and Business Continuity, as well as for the continuous improvement of the activities carried out.

d) Ensure compliance with the legislation and regulations applicable to our activity, the commitments made to customers and all internal and external standards to which the organisation adheres, in order to achieve continuous improvement.

e) Assign the necessary functions and responsibilities in the field of Information Security and Business Continuity and provide the necessary support.

f) Implement effective and efficient preventive measures in all activities carried out.

g) Establish and periodically review the company’s risk appetite, as well as the risks identified, their resolution and/or treatment.

h) Develop, implement and periodically verify the continuity and contingency plans and the tests associated with them.

i) Train, educate and motivate staff on the importance of meeting the requirements established in the IMS, both in the field of Information Security and Business Continuity.

j) Maintain fluid communication both internally between the different levels of the company, and with customers or interested parties.

k) Establish the correct structuring of the documentation in addition to the adequate management and updating of regulations.

l) Take into account the Information Security and Business Continuity established by suppliers to guard against possible risks arising from them.

3. Creation, updates, approval and communication

This document has been written by the Information Security department, with the support and approval of Senior Management.

The Information Manager is responsible for ensuring the suitability and updating of this document. In addition, it is the responsibility of all internal and external personnel related to Facephi to comply with this Policy.

This Policy will be notified to all employees, third parties and interested parties who are present in the execution of activities related to the provision of products and services of Facephi Biometrics S.A. When applicable, it will be included in the training plans for staff and related third parties..

Alicante, August the 2nd, 2022,

Javier Mira Miró

CEO Facephi Biometrics S.A

Version 5 8/2/2022