Information Security Policy
This Policy defines the principles and commitments of RedCarbon S.r.l. regarding information security, personal data protection, and cloud service security, in compliance with international standards ISO/IEC 27001:2022, ISO/IEC 27017:2015, and ISO/IEC 27018:2019.
It applies to all business processes, information systems, cloud infrastructures (both as Cloud Service Provider – CSP and Cloud Service Customer – CSC), employees, collaborators, suppliers, and partners who access or process company or customer information.
Scope and Purpose
RedCarbon S.r.l. considers Information Security a primary aspect of the protection of its business and customers. The company's reputation is based on the proper management of physical, information, and personnel assets: to preserve it, a security model is essential, one that aims to protect processes and information from a wide range of threats and to minimize their impact on operational continuity.
Information Security Management System Objectives
The objectives of RedCarbon S.r.l.'s Information Security Management System are to:
- Ensure compliance with contractual obligations
- Ensure proper processing of personal data
- Guarantee adequate information protection in terms of confidentiality, integrity, and availability
- Rationalize and regulate Blue and Red Team processes and procedures
- Monitor infrastructure performance supporting business activities
- Protect the interests of customers, employees, and third parties
- Ensure compliance with the Code of Ethics and Model 231
- Ensure compliance with applicable laws and regulations regarding information processing and protection
- Provide a structural model for information protection and related risk management
- Respond effectively to growing threats to information systems in cyberspace, paying attention to personnel recruitment and selection methods
These objectives form the foundation for creating, implementing, operating, monitoring, reviewing, maintaining, and continuously improving an effective information security management system, implemented in accordance with ISO/IEC 27001:2022, ISO/IEC 27017:2015, and ISO/IEC 27018:2019 standards.
Policy
The intent of this Policy is to ensure that:
- An information security management system (ISMS) is implemented in accordance with ISO/IEC 27001, integrated with the specific requirements of ISO/IEC 27017 (Cloud Security) and ISO/IEC 27018 (PII Protection), capable of ensuring the confidentiality, integrity, and availability of information to stakeholders
- Applicable legal and regulatory requirements are met
- Adequate business continuity plans are prepared, updated, and controlled
- All personnel receive adequate information security training
- Encryption techniques are applied for the protection of personal data, as required by Regulation (EU) 2016/679 for Data Protection
- Procedures and guidelines to support this policy are followed by all personnel and suppliers (or other stakeholders)
- The CTO has been assigned the role and responsibilities to oversee the management and operation of activities related to the implementation of this policy
- All actual or suspected information security breaches are reported to the CTO and analyzed
- All designated personnel are directly responsible for implementing this policy in relation to their areas of competence and role
- Information security risks are adequately assessed and regularly reviewed in accordance with risk management policies
- The ISMS is subject to periodic audits that ensure its effectiveness and compliance
- This policy is reviewed and updated when necessary, or at least annually
- Information security is continuously improved while ensuring the effectiveness and compliance of the ISMS
Security Controls for Cloud Services (ISO/IEC 27017)
With regard to security controls for cloud services (ISO/IEC 27017), RedCarbon, acting as both CSP and CSC, applies the following principles:
- Implements logical access controls and multi-factor authentication for cloud system access
- Ensures logical separation of customer data in multi-tenant environments
- Regularly performs backups, logging, and audit trails of provided services
- Applies shared responsibility model security measures between RedCarbon and customers
- Ensures contracts and SLAs that clearly define responsibilities, response times, service levels, and incident notification procedures
Personal Data Protection (ISO/IEC 27018)
For personal data processed as a Data Processor, RedCarbon commits to:
- Process data only on documented instructions from the Client acting as Data Controller
- Guarantee purpose limitation and data minimization
- Allow transparent exercise of data subject rights
- Implement adequate technical and organizational measures to protect personal data from unauthorized access or loss
- Ensure data localization in geographic areas compliant with GDPR
- Manage any sub-processors in a traceable manner, ensuring equivalent security and privacy clauses
- Promptly notify any data breaches
Review and Continuous Improvement
The ISMS is reviewed at least once a year, or upon significant changes (new services, infrastructures, regulations).
The results of internal audits, risk analyses, incidents, and customer reports are used for continuous system improvement.
Availability
This policy is made available to all ISMS stakeholders according to procedures defined by the CEO and CTO.
Last updated: November 2025