Item 16K. Cybersecurity

We have security measures in place to mitigate the risk of cybersecurity threats affecting our technology platforms and our business. We have taken into consideration relevant aspects of different frameworks and standards such as National Institute of Standards and Technology (“NIST”) and Payments Card Industry Data Security Standard (“PCI-DSS”) to assist us in formulating such security measures. Our security measures include, but are not limited to access and privilege management, segregation of test and production environments, vulnerability management, network security analysis, cyber incident management, baseline configuration of hardware and software, activity log correlation, malware prevention and remediation, and others. We employ a range of security processes, solutions and dissemination of these measures, including regular compliance checks and security observability. We also perform periodic reviews of cybersecurity threats and related controls, including periodic penetration tests performed by independent third parties.

Our board of directors has overall oversight responsibility for our risk management and is charged with oversight of our cybersecurity risk management program. The Audit Committee is responsible for ensuring that management has processes in place designed to identify and evaluate cybersecurity risks to which we are exposed and implement processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents. The Audit Committee also reports material cybersecurity risks to our full board of directors. Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programs. Our cybersecurity programs are under the direction of our Chief Information Security Officer, or CISO, who receives reports from our cybersecurity team and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents. Our CISO and dedicated personnel are trained and experienced information systems security professionals and information security managers with many years of experience. Management, including the CISO and our cybersecurity team, update the Audit Committee as needed on cybersecurity programs, material cybersecurity risks and mitigation strategies. Our Security and Compliance team is responsible for implementing our cybersecurity risk management program, in coordination with our Corporate Risk Management team, under our VP of Risk.

We also invest in security and technology solutions to improve training and awareness initiatives for our employees and customers. Moreover, we provide mandatory security training to all employees, in addition to our leadership, to promote cyber awareness throughout our organization. Higher risk business areas, such as Engineering (including software development) or Treasury, receive enhanced training.

Our business continuity management model takes into consideration both local and international guidelines for cybersecurity risks and includes plans to deal with severe events. We review the impact these events may have on day-to-day operations and endeavor to mitigate such threats. We also have mechanisms to trigger disaster recovery plans in case of crises which involve departments necessary to act and support our operations should a crisis materialize.

Cybersecurity topics are deliberated in executive committees that have the role of informing and providing supporting materials to our executives and advisors in the best decision-making for the business. Currently, the subjects covered by the committees pervades themes like operational risks, IT and cybersecurity incidents, electronic crimes, fraud, audit and regulatory, third party, affiliates, risks and compliance among others.

In 2024, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident.