1. OBJECTIVES

To establish the concepts and guidelines for information security, aiming at protecting Valid’s information and that of its clients. To serve as a strategic document, to promote the secure use of Valid’s information-related assets. This document should be interpreted as a formal statement from Upper Management regarding its commitment to the protection of the information it handles, and the guidelines herein should be followed by all of Valid’s contractors and service providers.

2. APPLICABILITY

This document applies to all providers to whom the Information Security Management System is relevant.

3. GUIDELINES

The contractor’s practices must adhere to the Information Security Policy, as described herein.

4. GENERAL ASPECTS

• Information, whether in hard-copy or soft-copy format, and the technological environments used by contractors and service providers are the exclusive property of Valid and are not for personal use.

• Contractors and service providers must have a unique identification (both physical and digital), which is personal and non-transferable, and which can be used to identify the party by their actions.

• Access rights must always observe the principle of least privilege, wherein users must only have the permissions necessary for the execution of their tasks.

• Confidential information, such as passwords and any other information possessed by a party over the course of their work, must always be held as secret; sharing of this information is strictly prohibited.

• The contractor/service provider undertakes, and is responsible for its employees, agents, consultants, and/or representatives who have a need to access confidential information, to hold the same under confidentiality, and not to copy, sell, assign, license, commercialize, transfer, or in any other way convey, divulge, or provide such information to any third party that is not involved in the contract, nor to use the information for any purpose, except upon prior written express authorization.

• Client information must be treated ethically and confidentially, in accordance with the guidelines set out in the laws in force. It must only be used for the purpose for which it was authorized.

• All contractors and service providers should be aware that the use of information and information systems may be monitored without notice, and that records obtains through this means may serve as evidence for legal purposes.

• This policy is underpinned by a set of information security procedures and regulations established by Valid.

• Information must be used in a transparent manner and only for the purpose for which it was gathered and/or for statistical purposes, without identifying clients or revealing client-specific system characteristics.

• The contractor/service provider declares (on its on behalf and on that of its employees, agents, and consultants) that it has received and that it is in agreement with this Information Security Policy for Providers, and undertakes to comply with it, as well as to any updates that may be made to it by Valid.

• These guidelines must be observed as of the start of the activities covered under the contract executed between Valid and the Contractor/Service Provider.