We maintain a comprehensive information and cybersecurity and data privacy program to safeguard the security, confidentiality, integrity, availability and protection of the Company’s and our clients’ information. We aim to continually strengthen our cybersecurity posture and protocols. We have invested in people, processes and technology intended to protect information throughout the business life cycle and to manage cybersecurity risk. As information technology and hacking capabilities evolve rapidly, protecting the Company’s and our clients’ data has become increasingly challenging. We provide no assurance that the policies and procedures outlined below will be properly followed in every instance or that they will be effective in safeguarding against every possible cybersecurity threat.

We describe how cybersecurity threats are likely to materially affect our business, results of operations, and financial conditions in Item 3. “Key Information – 3.D. Risk Factors – If any of the systems of any third parties upon which we rely, our customers’ cloud or on-premises environments, or our internal systems, are breached or if unauthorized access to customer or third-party data is otherwise obtained, public perception of our platforms and operations and maintenance services may be harmed, and we may lose business and incur losses or liabilities” is hereby incorporated by reference. In addition, members of our board and management assist in the oversight of cybersecurity matters, drawing from including certain experience described in Item 6.A. “Directors and Senior Management”.

Cybersecurity Strategy and Risk Management

Our cybersecurity strategy is founded on policies, processes and practices that are integrated into our overall risk management system. These policies, processes and practices are aimed at building a cyber-resilient organization by implementing and operationalizing cybersecurity capabilities to identify, protect, detect, respond and recover from cybersecurity threats and incidents and are guided by relevant regulatory and governance bodies, including but not limited to the Cyber Security Framework of the National Institute of Standards and Technology. We have undertaken measures to comply with privacy laws and regulations relevant to our services. These security capabilities are designed to mitigate material vulnerabilities and the impact of cyber incidents. We regularly conduct cybersecurity and other risk assessments and compliance audits both internally and through third party auditors that we independently engage or that we engage in connection with our certification to certain international standards, such as the ISO 27001:2022 standard for information security management systems, ISO 27701:2019 standard for privacy information management, among others. We also regularly assess and deploy technical safeguards and conduct vulnerability assessment and penetration testing of our technology environment independently and through third parties. We use the outcome of these assessments to align our cybersecurity program and technical safeguards with the evolving cybersecurity threat landscape and adjust and augment our security controls environment as required. We have implemented a program to manage the information risks associated with the ICT products and services supply chain, particularly those emerging from our supplier and partner ecosystem. There are processes in place to restrict and provide need-based access to sensitive or confidential data for third parties. We conduct periodic evaluations of key suppliers and partners for ongoing monitoring of the risk environment.

Incident Response and Recovery Planning

While processes are in place to minimize the occurrence of a successful cyberattack, we have institutionalized detailed incident response procedures to address a cyber threat that may occur despite these safeguards. The response procedures are designed to identify, analyze, isolate and contain, remediate, and, if applicable, report any such material cyber incidents that occur. We are not only committed to reducing the probability of successful cyberattacks but also to minimizing the potential impact of cyber incidents. During the year ended December 31, 2024, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition.

Training and Awareness

We maintain a comprehensive information and cybersecurity awareness and training program for all employees and contracted resources. This includes mandatory annual information security and privacy information protection training, periodic simulations such as social engineering drill, regular communications on relevant topics and policies related to data privacy, phishing, email security best practices, among others. We provide specialized security training for certain roles with access to sensitive data, including human resources or employees who regularly handle personal or sensitive information.

Governance (Management Oversight and Engagement with the Board of Directors)

We are actively working to establish a robust, revised and comprehensive reporting framework to ensure the board receives regular updates on our cybersecurity program, including risk assessments, policy implementation, incident response preparedness, mitigation plans, reporting and decision-making hierarchy, and strategic initiatives. While periodic reporting is not yet in place, with the goal to ensure compliance with cybersecurity reporting requirements in applicable jurisdictions, we are committed to implementing effective and resilient measures and process for cybersecurity reporting during 2025.