Version 3.0, 26th November 2019

​​The confidentiality, integrity, and availability of information, in all its forms, are critical the ethical, legal and professional duty of Sicuro Group and its subsidiaries, including Sicuro Communications and Technology, Intelyse and Graal. This information security policy outlines Sicuro Group’s approach to information security management. It provides the guiding principles and responsibilities necessary to safeguard the security of the company’s information. Supporting policies provide further details. Sicuro Group is committed to a robust implementation of Information Security Management within the constraints of it’s available financial, technical and human resources. It aims to ensure the appropriate confidentiality, integrity, and availability of its data. The principles defined in this policy is applied to all the physical and electronic information assets for which Sicuro Group is responsible. Sicuro Group is specifically committed to preserving the confidentiality, integrity, and availability of documentation and data supplied by, generated by and held on behalf of third parties pursuant to the carrying out of work agreed by contract in accordance with the requirements of data security standard ISO 27001.

PURPOSE

The primary objectives of this policy are to:

• Ensure the protection of all Sicuro Group information (including but not limited to all computers, mobile devices, networking equipment, software, intellectual property, hard copy information, and data) and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of this information.

• Provide a safe and secure information systems working environment for staff and any other authorised users.

• Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle.

• Respond to feedback and update as appropriate, initiating a cycle of continuous improvement.

• Support Sicuro Group’s efforts to maintain accredited certification to ISO 27001:2013.

SCOPE

This policy is applicable to and will be communicated to all staff, systems, and processes in the Sicuro Group companies. This includes Sicuro Group LLC, Intelyse LLC and Graal FZE. Other Sicuro Group affiliated companies (Sicuro USA, Sicuro Holdings Limited, and Sicuro Logistics Services Ltd) are specifically excluded from the scope.

DEFINITIONS

Sicuro Group data, for the purposes of this policy, is data owned, processed or held by Sicuro Group.

POLICY

Information security principles

The following information security principles provide overarching governance for the security and management of information at Sicuro Group.

• Information should be classified according to an appropriate level of confidentiality, integrity, and availability and in accordance with relevant legislative, regulatory and contractual requirements and Sicuro Group policy.

• Staff with particular responsibilities for information are responsible for ensuring the classification of that information; for handling that information in accordance with its classification level; and for any policies, procedures or systems for meeting those responsibilities.

• All users covered by the scope of this policy must handle information appropriately and in accordance with its classification level.

• Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.

• Information will be protected against unauthorised access and processing in accordance with its classification level.

• Breaches of this policy must be reported (according to Sicuro’s Compliance and Incident Handling procedures).

Legal & Regulatory Obligations

Sicuro Group has a responsibility to abide by and adhere to all current UAE legislation as well as a variety of regulatory and contractual requirements. A non-exhaustive summary of the legislation and regulatory and contractual obligations that contribute to the form and content of this policy is provided in Appendix A.

Information Classification

The following provides a summary of the information classification levels that have been adopted by Sicuro Group.

• Public. Information available to the general public. E.g. information held on the Sicuro Group website and social media pages and information contained in marketing documents.

• Internal. Information available to all Sicuro Group employees and/or named clients (when appropriate). E.g. company policies, draft documents, quotations, proposals.

• Confidential. Information available to a restricted user group only. E.g. HR records, payroll, Sicuro Group Intellectual Property.

Compliance, Policy Awareness, and Disciplinary Procedures

Any security breach of Sicuro Groups information systems could lead to the possible loss of confidentiality, integrity, and availability of personal or other confidential data stored on these information systems. The loss or breach of confidentiality may result in criminal or civil action against Sicuro Group. The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action. All current staff and other authorised users will be informed of the existence of this policy and the availability of supporting policies.

​Incident Handling

If a member of Sicuro Group is aware of an information security incident, then they must report it to the Information Security Manager.

​Supporting Policies

Supporting policies have been developed to strengthen and reinforce this policy statement. These are published together and are available for viewing in the Sicuro Group office. All staff and any third parties authorised to access Sicuro Group’s network or computing facilities are required to familiarise themselves with these supporting documents and to adhere to them in the working environment.

REVIEW AND DEVELOPMENT

This policy and its subsidiaries shall be reviewed by senior management and updated regularly to ensure that they remain appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations. The Information Security Manager will determine the appropriate levels of security measures applied to all additional information systems

Responsibilities

• Sicuro Group Staff: All staff working for Sicuro Group, its associated brands or companies and collaborators on Sicuro Group projects will be users of Sicuro Group information. This carries with it the responsibility to abide by this policy and its principles and relevant legislation and supporting policies. No individual should be able to access information to which they do not have a legitimate access right. Notwithstanding systems in place to prevent this, no individual should knowingly contravene this policy, nor allow others to do so. To report policy contraventions, please see Incident Handling.

• Data Owners: Many members of Sicuro Group will have specific or overarching responsibilities for preserving the confidentiality, integrity, and availability of information. Responsibilities include ensuring that data is appropriately stored, that the risks to data are appropriately understood and either mitigated or explicitly accepted, that the correct access rights have been put in place, with data only accessible to the right people, and ensuring there are appropriate backup, retention, disaster recovery and disposal mechanisms in place.

• Information Security Manager. Overall responsibility for the implementation and maintenance of an effective and fit for purpose ISMS.

• Risk Management Committee. Responsible for implementing and updating Sicuro Group’s information risk management process and advising senior management on appropriate risk appetites and risk acceptance.

• Executive Management. Responsible for the strategic approach to information security within Sicuro Group, agreeing on risk appetites and holding high-level risks beyond this.

APPENDIX A: Non-comprehensive summary of relevant legislation

Article 378 of the Penal Code (Federal Law 3 of 1987)

• The publication of any personal data which relates to an individual’s private or family life is an offense

Federal Decree Law No. 5 of 2012 on Combating Cybercrimes (Cybercrime Law)

• Prohibits unauthorized access to websites or electronic information systems or networks. Article 2 further imposes more severe penalties when such actions result in, among other things, the disclosure, alteration, copying, publication, and republication of data. The penalty’s severity may be increased if such data is of a personal nature.

• Article 21 of the Cybercrime Law also prohibits the invasion of privacy of an individual, by means of a computer network and/or electronic information system and/or information technology, without the individual’s consent and unless otherwise authorized by law. This includes eavesdropping and photographing. Article 21 further prohibits disclosing confidential information obtained in the course of, or because of, work, by means of any computer network, website or information technology.

Federal Law by Decree No. (3) of 2003 Regarding the Organisation of Telecommunications Sector (Telecommunications Law)

TRA Unsolicited Electronic Communications Policy

• The policy provides that licensees are under a general obligation to put in place all practical measures to minimise the transmission of spam (marketing electronic communications sent to a recipient without its consent) with a UAE connection across their telecommunications networks.

• The process by which consent is obtained must always include an opt-in procedure, unless otherwise specifically provided by the policy.

• In particular, the policy prohibits licensees selling, supplying, using, sharing, or knowingly allowing access or right of use to any tools, software, hardware or mechanisms that facilitate address harvesting and generation of electronic addresses.

EU General Data Protection Regulation (GDPR)

More information on the regulation is available at: www.eugdpr.org. Sicuro’s Privacy Policy outlines how the group collects, stores and secures personal data and the rights of data subjects.

Law No. (26) of 2015 Regulating Data Dissemination and Exchange in the Emirate of Dubai

​Federal Decree Law No. 3 of 2012 On the Establishment of the National Electronic Security Authority

​​Federal Decree Law No. 9 of 2014 amending certain provisions of Federal Law no. 4 of 2002 concerning combating money laundering crimes

​Article 31 of the Constitution provides for a general right of “freedom of corresponding through the post, telegraph or other means of communication and the secrecy thereof shall be guaranteed in accordance with the law”.

​Privacy of Consumer Information Policy (Issued on 31 May 2005)

This applies to all telecommunications licensees and to any entity that has access to personal information made available to it for purposes of providing telecommunications services.

The aim of the policy is to ensure that the information of telecommunications consumers in the UAE is protected. Consumer information includes:

• Personal data about the consumer such as information requested for ordering services.

• Voice/data and SMS content and transmissions.

• Call and usage patterns.

• Any other information derived from a consumer’s use of telecommunications services.

The policy provides that licensees must obtain a consumer’s prior consent before sharing any consumer information with its affiliates and other third parties not directly involved in the provision of the telecommunications services ordered by customers.

Dubai Law No. 23 of 2006 relating to the Formation of the Dubai Statistics Centre (Dubai Statistics Centre Law)​

The Dubai Statistics Centre Law restricts the disclosure of personal data obtained in the course of the collection of statistics. Personal data and information collected as an outcome of statistics is considered confidential and must not be disclosed or published for non-statistical purposes, except by the Dubai Statistics Centre or with its prior approval (Article 7, Dubai Statistics Centre Law). Similarly, it cannot be used as a basis for taxation or criminal law activity unless it is used as evidence against those who supply the Dubai Statistics Centre with false information. Article 8 excludes personal data from the types of data permitted for publication by the Dubai Statistics Centre.

Data Protection Law Amendment Law, DIFC Law No. 5 of 2012 (Data Protection Law, DIFC)

​Data Protection Regulations Consolidated Version No. 2 of 2012

The DIFC is a free zone and the financial hub of Dubai. It hosts the Dubai stock exchange, a number of local offices of international banks and financial institutions, and service providers such as law firms.

​The Office of the Data Protection Commissioner was established under the Data Protection Legislation, DIFC as a neutral and objective body to ensure the protection of all personal information in the DIFC. The legislation creates a legal and procedural framework which ensures that all personal data in the DIFC is treated fairly, lawfully, and securely when it is stored, processed, used, disseminated or disclosed.

DIFC Data Protection Legislation is generally consistent with data protection laws in other developed jurisdictions (specifically, EU Directive 95/46/EC on data protection (Data Protection Directive) and the UK Data Protection Act 1998).