Information Security Policy

Last updated 20.November 2024

1. Purpose

The purpose of this information security policy is to establish the framework for

information security work in Woba. Furthermore, the policy aims to create a common

understanding of what information security entails, including defining objectives and

responsibilities for information security work in Woba.

2. Definitions

Information security is understood as the protection of all assets involved in or contributing

to the processing of data, both electronically and physically. Protection encompasses all

relevant measures; including measures related to organizational processes, individual

behavior, physical environments, and technology. Data refers to all information related to

Woba's business operations; including the development, delivery, and servicing of

solutions/products to customers and potential customers, as well as information related to

employees, etc. in Woba.

3. Scope

The policy applies to all of Woba's business operations; including all employees, etc., and all

use of systems, etc. used by Woba.

4. Objectives

Woba considers information security work a quality element that supports the credibility of

the product offered by Woba. This is reflected in Woba's efforts to ensure a high level of

security that continuously reflects its contextual development. Woba strives to achieve the

following certifications/declarations:

ISAE-3000

Woba strives to promote a good information security culture based on a mindset that a

high level of information security is a crucial competitive parameter in a digitalized world.

Woba wishes to communicate this message to both employees and customers, which

should be expressed through a strong awareness campaign and through general

communication. Information security work in Woba must be based on applicable legislation

and recognized standards in information security. This must be reflected in the level of

information security in Woba, which must comply with the requirements that can be

derived therefrom. The level of security in Woba must at all times reflect the fact that Woba

complies with the agreements that Woba has entered into with its customers regarding the

security of the processing of their data. The level of security in Woba must be determined

on the basis of risk assessments that take into account the current threat landscape. The

level of security in Woba must also ensure a high degree of confidentiality, integrity, and

availability:

● Confidentiality: Data may only be accessible in relevant systems and to those

persons who, based on a necessity assessment, have been granted access. The data

must be handled confidentially within these frameworks.

● Integrity: Systems, including IT systems used as part of business operations, must

be reliable and function correctly. It must also be ensured that the data basis is both

reliable and trustworthy.

● Availability: Woba systems must be available 24/7 to the extent that this is possible,

taking into account the maintenance of the systems in question, etc. The systems

must be subject to the necessary security measures to ensure availability (as well as

confidentiality and integrity). An IT contingency plan must also be maintained to

ensure that normal operation of business systems can be re-established within 24

hours if availability is temporarily lost.

5. Responsibility

Management in Woba has overall responsibility for ensuring that Woba complies with the

objectives of this policy. The day-to-day management of information security work is

carried out by the internal compliance team For each system used in Woba, one or

more system administrators have been designated who are responsible for information

security in relation to the individual system. Each employee is responsible for performing

their work in accordance with this policy and for following the guidelines, etc., that arise

from this policy. Each employee is also obliged to notify management of any breaches of

information security or suspicion thereof.

6. Follow-up

This policy, as well as the guidelines, policies, and procedures that arise from it, is reviewed

and approved once a year by the management of Woba in cooperation with the company's

internal compliance team.

Any changes to this policy or the guidelines, policies, and procedures that arise from it

must be made in compliance with the obligations that Woba has based on concluded

contracts, data processor agreements, etc.

The level of security is continuously assessed by the company's internal compliance team in

cooperation with the company's IT department to the extent necessary to comply with the

objectives of this policy.

7. Violation

Violation of this information security policy or supporting guidelines, policies, or

procedures may have employment law consequences.

8. Exceptions

This policy may be deviated from if management deems it necessary for business

operations. Deviations from this policy must be specifically justified and documented.

Management must strive to avoid deviations as much as possible.

9. Supporting Guidelines, Policies, and Procedures

Woba maintains a register of current guidelines, policies, and procedures that arise from

this policy.

10. Documentation

Woba documents its work on information security and compliance with data protection

regulations on the Woba site in Wired Relations.

11. Contact

Questions regarding Woba's work on information security and data protection can be

directed to the company's internal compliance team.

Contact: Peter Engel Møller mail: pm@woba.io Phone +45 28408820