1. OBJECTIVE
Protect Simetrik's information assets against internal and external risks and threats, ensuring confidentiality, integrity, availability, and privacy of the information.
At Simetrik, information security is essential for protecting our assets, maintaining our customers' trust, and complying with international standards.
2. SCOPE
This policy applies to all employees, contractors, suppliers, and any person or entity with access to Simetrik’s systems, information, and information assets.
3. SECURITY PRINCIPLES
We take a risk-based approach to protecting our information assets and customer information, prioritizing threats according to their likelihood and potential impact.
We also integrate information security principles into our company culture, making information security a shared responsibility of senior management, employees, contractors, and third parties. This shared ownership is the foundation of our information security framework.
Simetrik is strongly committed to these fundamental principles of security and privacy:
- Confidentiality: We ensure that only authorized people have access to information, preventing unauthorized access or improper disclosure.
- Integrity: We make sure that information is protected against unauthorized changes, keeping it accurate, reliable, and complete.
- Availability: We ensure that information is available when needed, without interruptions that could affect our operations.
- Privacy: We protect personal data, respecting the privacy of customers, employees, and third parties, always complying with relevant laws and regulations.
Main Guidelines:
- Confidentiality, Integrity, Availability, and Privacy of Simetrik’s information assets must always be guaranteed.
- All information systems and information assets used in operations and service delivery must comply with the security controls defined by Infosec.
- All employees, contractors, and third parties must receive annual training and awareness in information security to have the knowledge, skills, and tools needed to help protect information and the information assets they have access to.
- Measures must be applied proactively to prevent, detect, analyze, respond to, investigate, and recover from threats and vulnerabilities.
- Methodologies and tools must be implemented to adapt quickly to changes in the technological environment and new threats.
- Information security must be integrated into all strategic and operational processes, ensuring it adds value and supports Simetrik's growth.
- Simetrik must ensure compliance with all applicable security laws, regulations, and standards, including:
  - International and local data privacy and security regulations.
  - The Payment Card Industry Data Security Standard (PCI DSS).
  - Information security best practices, including ISO 27001, ISO 27701, and ISO 27018.
  - Contractual agreements and commitments with customers.
  - All applicable laws and regulations in the jurisdictions where we operate.
4. INFORMATION SECURITY RESPONSIBILITIES
Information security is a shared responsibility within Simetrik.
All employees, suppliers, and third parties with access to our systems must:
- Follow the established security policies and guidelines.
- Apply appropriate measures to protect information.
- Report any security incident or anomaly immediately.
- Participate in information security training programs.
The Chief Information Security Officer (CISO) is responsible for protecting information assets and minimizing risks related to these assets.
For details on specific roles, see the Roles and Responsibilities document.
5. CONTROLS AND MEASURES
5.1 INFORMATION SECURITY
We implement controls to ensure information protection in the following areas:
- Access control: Management of credentials, multi-factor authentication (MFA), and the principle of least privilege.
- Data protection: Encryption in transit and at rest, anonymization, and access control for sensitive data.
- Cloud security: Application of security controls in cloud services.
- Secure software development: Implementation of secure development practices and vulnerability testing.
- Security incident management: Response plan, event analysis, and risk mitigation.
- Risk management: Continuous evaluation and mitigation of threats.
- Monitoring and auditing: Continuous analysis of activities and anomaly detection.
- Supplier and third-party security: Risk assessment, compliance with security requirements, and contractual agreements.
- Business continuity and disaster recovery: Contingency plans to maintain operations during and after incidents.
- Security awareness and training: Ongoing training for employees and third parties on security best practices, including cybersecurity, social engineering, and phishing.
5.2 CYBERSECURITY
Simetrik adopts a cybersecurity approach to protect its infrastructure, data, and operations from evolving digital threats. The following principles and controls are established:
- Threat and vulnerability management: Continuous threat monitoring, vulnerability analysis, and cyber risk management.
- Protection against cyber attacks: Implementation of security solutions such as a web application firewall (WAF), antivirus, and attack response tools.
- Network security: Application of controls to protect internal and external networks through segmentation, secure protocols, and traffic monitoring.
- Identity and access security: Implementation of strong authentication policies and identity management to minimize unauthorized access risks.
- Device cybersecurity: Application of security controls on endpoints and corporate devices to prevent targeted attacks.
6. INCIDENT REPORTING AND COMMUNICATION
The Information Security team at Simetrik is available to address any concerns or incident reports via email at incidents@simetrik.com.
Failing to report incidents or security breaches may result in disciplinary and/or corrective actions as applicable.
7. EXCEPTIONS
Any exception to this policy must be approved by the Chief Information Security Officer (CISO).
8. COMPLIANCE
Information security is part of our identity and commitment to trust and excellence.
Failure to comply with this policy will be considered a serious violation and may lead to disciplinary actions, including administrative sanctions or termination of the employment contract, in accordance with applicable laws and Simetrik’s internal policies.
All employees, contractors, and third parties are responsible for complying with this policy.
Emiliano Murúa Cuesta
Chief Information Security Officer (CISO)
Last update: March 20, 2025