Information Security Policy
Notice
In today's modern world, information is a key element of business and, therefore, proper information security management is extremely important. This Information Security Policy is the basic document for shaping our information protection framework. This Policy sets guidelines, standards and procedures in order to preserve the integrity, confidentiality and availability of information. We want to reflect our commitment to preserving high standards of information security and creating a secure environment for our employees, partners and clients.
Last update:
January 29, 2024
1 Introduction
Article 1
We adopt this Policy for the purpose of:
- determining acceptable behaviors regarding the use of Verbosari's computer information system
- allocation of tasks and responsibilities to competent persons
- protection of Verbosari's investments in the computer information system
- protection of information and data generated, transmitted, stored, and processed in the system, as well as
- imposing sanctions for non-compliance with the provisions of this Policy.
The following procedures are an integral part of this Policy:
- the password management procedure
- the procedure for managing malware protection and
- the dual authentication management procedure for accessing the EasyLoc™ portal.
2 Scope of Policy application
Article 2
This Policy applies to employees and external associates (hereinafter the term User refers to persons using Verbosari's information system) who are allowed to use Verbosari's computer information system (software and hardware). The Policy covers Verbosari's computer information system and all content transmitted, stored, and processed in that system, content stored on all Verbosari’s personal computers and all servers in the administration domain (i.e. directly managed by Verbosari and not by a third-party service provider) or owned by Verbosari.
3 Liability
Article 3
For the application of this Policy and the use of computer equipment owned by Verbosari, the sole liability lies with the person appointed by a special decision of the CEO of Verbosari (hereinafter referred to as the Computer Security Officer) who may be an employee of Verbosari or an external service provider. The responsibilities of the Computer Security Officer are:
- managing and maintaining the security of the computer information system and the subject matter of this Policy and all related procedures
- developing and maintaining written standards and procedures that guarantee the application and compliance with the provisions of this Policy and procedures, as well as
- providing adequate support to users in fulfilling their obligations under this Policy and related procedures.
It is the obligation of all users to study and apply this Policy and its associated procedures.
Article 4
Verbosari protects its computer equipment, hardware, software, data and documentation from misuse, theft, unauthorized use, and environmental influences. Users and the IT Security Officer (employee or external service provider) are responsible for the security of Verbosari's computer information system according to the relevant part of this Policy on responsibility. The confidentiality and integrity of the data stored in Verbosari's computer information system shall be protected by an access control system to guarantee that only authorized users have access to the necessary information. That access should be limited to only those information systems and capabilities necessary for the user to carry out his or her business activity.
Article 5
The IT Security Officer is responsible for all installations, connections, disconnections, alterations, and relocation of computer equipment. Users are not allowed to take such actions on their own (this does not apply to laptops).
Article 6
Users are obliged to observe the following instructions when it comes to information security:
- data and software media (CDs, DVDs, discs, USB memory drives, flash drives and other media), when not in use, may not be left in places easily accessible to unauthorized persons
- media containing confidential and important information should be kept in appropriately locked cabinets/drawers or metal cabinets
- data media should be kept away from adverse environmental influences such as heat, direct sunlight, moisture, electromagnetic fields and similar
- environmental influences such as smoke, food, liquids, high or low humidity, high or low temperatures must be avoided
- users should carefully handle the computer equipment that has been provided to them for use and
- the user is held liable for damages caused to computer equipment if damages occur due to negligence or improper use.
4 User administration
Article 7
User administration refers to the following activities:
- creating a new user (assigning a username and password) and granting appropriate rights within the individual software or application that the user has the right to use, and
- revoking the relevant rights within the individual software or application that the user has the right to use.
Article 8
The IT Security Officer is in charge of administering users at the computer network level. The Application Administrator is in charge of administering users at the application level. If the Application Administrator is an external associate (an employee of the company whose software solution is used), the request for user administration is submitted by the IT Security Officer. After the termination of the right of access to the computer system or application (termination of service, cessation of the need to use the application), the IT Security Officer or the Application Administrator revokes the rights previously assigned to the user.
5 Computer equipment administration
Article 9
Computers and network equipment must be administered in accordance with the rules of the profession, considering their functionality and security. Each computer must have a designated administrator who is responsible for installing and configuring the software.
Article 10
Computers need to be configured to protect them from attacks from the outside and inside. This is achieved by installing software patches according to the manufacturer's recommendations, and by access lists, traffic filtering and other means.
Article 11
Administrator rights on computers that are used by more than one person may be held only by the IT Security Officer. Special attention should be paid to equipment that performs key functions or contains valuable and confidential information that should be protected from unauthorized access (e.g. servers, network equipment, etc.).
6 Passwords and access accounts
Article 12
The use of group and universal access accounts to access computers and computer systems is prohibited. Each person must access Verbosari's computer system, computers, and IT solutions (applications) exclusively through their own access account or access data.
Article 13
In exceptional cases, the IT Security Officer may, at the written request of the CEO of Verbosari, grant the user the use of another person's access account to find and eliminate irregularities in the system, and that action needs to be logged. After performing the actions referred to in the previous paragraph, it is mandatory to change the password of that access account.
Article 14
The user:
- is responsible for all computer transactions carried out using the assigned username and password
- must not disclose assigned passwords to other persons
- should change their password immediately if they suspect that someone else has found out about it
- must not store passwords in an easily accessible place
- must use passwords that are not easy to guess, and
- should log out from the computer information system when leaving the workplace.
Article 15
The IT Security Officer is obliged to store all administrator passwords in a suitable metal cabinet (drawer) that should always be kept locked. Administrator passwords are held only by the IT Security Officer and the CEO of Verbosari. Those passwords may also be stored in an electronic format in an application for storing passwords that can only be accessed by the IT Security Officer and the CEO of Verbosari.
Each stored password should be kept in a separate sealed envelope marked with the name of the computer system or computer equipment it is intended for and the date of its last update. The IT Security Officer is obliged to update the stored passwords after every change.
6.1 Password management
Article 16
All Verbosari employees who use computers in their work are obliged to comply with the rules of password use, while administrators are obliged to technically implement those rules in all systems that allow it.
Article 17
When creating a new user, an initial password is set and printed with the username on the document submitted to the user. The user is provided with a document with an initial password and an accompanying text stating their rights and obligations. The content and layout of the document are an integral part of the password management process. The user confirms by signing that the document has been received. The access data (username and password) can also be provided to the user electronically if no other way is possible. When logging in for the first time, the user must change the initial password and enter a new password, known only to them, that they use in everyday work.
Article 18
When creating passwords, it is the duty of all users to adhere to the following rules:
- the minimum password length is six characters
- the password must be a combination of uppercase and lowercase letters, as well as digits
- part of the password can also be made up of punctuation marks
- the password must not contain words from publicly available dictionaries, names of close persons or pets, characteristic dates (such as dates of birth), or combinations thereof.
7 Malware protection
Article 19
Protection against malware (computer viruses, computer worms, Trojan horses, logic bombs, rootkits, spyware, adware, spam, pop-ups) must be implemented by:
- IT service providers on e-mail servers, and
- Verbosari's IT Security Officer on servers and personal computers owned by Verbosari and used by Verbosari’s employees.
Article 20
The persons implementing malware protection are not required to keep users' emails infected with malware. The persons implementing malware protection need to install antivirus programs on all user computers and set them to automatically propagate protection changes from a central installation or from an external server, without the user having to actively participate.
Article 21
Users must not arbitrarily turn off malware protection on their computer. If for some reason they must temporarily stop a malware protection program, users must ask permission from the IT Security Officer.
Article 22
If users connect to Verbosari IT systems in countries with reduced IT security or through a publicly available network, then they must connect to these systems via the VPN network by selecting one of the servers within the EU.
8 Accessing the EasyLoc portal using two-factor authentication
Article 23
Users who have access to the EasyLoc portal need to install a two-factor authentication application (Google Authenticator) on their mobile device to access the portal. When accessing for the first time, the user's username is connected to the barcode displayed in the Google Authenticator app to associate the username with the specified code. With each subsequent access, the user, in addition to entering the username and password, should enter a one-time code that is created in the application for accessing the EasyLoc portal.
9 Physical protection and equipment safety
Article 24
Verbosari's premises house the IT equipment (servers, communication equipment, personal computers) owned by Verbosari.
The IT Security Officer (or another person at the discretion of the CEO of the company) is responsible for maintaining an updated list of all computer equipment, including a list of embedded components and inventory numbers.
10 Business continuity
Article 25
In order to preserve data when accidents, hardware failures, fires or human errors occur, it is necessary to regularly create a backup of all data important for the maintenance of key functions of the information and computer system and hardware.
Article 26
The Processor with whom there is an appropriate agreement on business and technical cooperation is in charge of creating a backup of the data. Verbosari guarantees that the contract clearly specifies the Processor's obligations to make, store and verify backup copies.
Article 27
In order to ensure continuity, Verbosari guarantees that the business-technical cooperation agreement, or the annex to the contract, clearly sets out the rules and obligations of the Processor for the recovery of critical systems.
11 License rights
Article 28
It is the obligation of Verbosari and all its employees to comply with intellectual property protection laws and regulations.
Verbosari is obliged to use software based on valid license rights.
Article 29
Verbosari has no right to copy or distribute software and related documentation not owned by Verbosari without obtaining the permission of the manufacturer or author, except for the purpose of creating a backup.
Article 30
Software purchased privately or for personal purposes may not be used on computers owned by Verbosari without obtaining prior approval from the CEO of Verbosari.
Article 31
Users of computers owned by Verbosari should return the computer equipment with all the data after their termination of employment with Verbosari, i.e., they must not delete any data from the computer without first obtaining the written approval of the CEO of Verbosari based on a written request from the computer user.
12 Violations and sanctions
Article 32
Any use of a computer and/or computer program in a manner that violates valid laws, regulations, or ethical norms and which could result in tangible or intangible damage to Verbosari is not allowed.
Article 33
Minor forms of illicit use of computers and equipment are the following:
- limited use of unlicensed software
- downloading copyrighted files without paying a fee, if they are publicly available
- sending mass messages, commercial or not, that unnecessarily consume network resources
- arbitrarily installing software without first obtaining the approval from the IT Security Officer or the CEO of Verbosari, and
- using unacceptable applications and services that impair the security of information systems, unnecessarily consume network resources or inflict any tangible and/or intangible damage to Verbosari.
Article 34
More severe forms of illicit use of computers and equipment are the following:
- transferring personal identity data (username, password) to other persons in Verbosari and/or outside of Verbosari
- taking over someone else's identity (using equipment through someone else's user account, sending e-mails under someone else's name, making online purchases using someone else's credit card, etc.)
- intrusion into other computers
- searching for vulnerabilities and security defects. The user must not scan computers on their own initiative, break passwords or in any way investigate security vulnerabilities on computers, whether they belong to Verbosari or not
- denial-of-service attacks on other computers
- insulting and humiliating persons in network communication on religious, racial, national or other basis
- downloading and/or distributing content inappropriate for business communication (pornography, etc.), and
- using Verbosari’s network resources by connecting their own private computers to Verbosari's computer network.
Article 35
All users of the Verbosari computer system are obliged to comply with the provisions of this Policy, as well as all other internal documents / decisions governing the use of the computer system and IT equipment.
For violations of the provisions of this Policy and related procedures, the user’s right to use the Verbosari computer system may be revoked and disciplinary proceedings may be initiated, up to and including a decision on termination of service for reasons of inappropriate employee behavior, or termination of other applicable contracts.
Article 36
The sanction for an infringement, or for use of Verbosari's computer and information system contrary to the provisions of this Policy, depends on the type and size of the offense, whether the offense caused legal, material or any other damage, and whether it is a first or repeated offense. The sanctions are imposed by the CEO of Verbosari.
13 Transitional and final provisions
Article 37
This Policy with the corresponding procedures shall enter into force on the day of its adoption and shall be published on the Verbosari website. The adjustment period for the full application of this Policy shall be six (6) months from the date of adoption. This Policy may be amended at any time. Users are responsible for regularly reviewing the Policy so that they know its full content, which is subject to change without prior notice.