Pulsar : Information Security Policy

DocuSign Envelope ID: 9A89DE11-7705-47A0-85EF-E06C3DA4FEA2

DocuSign Envelope ID: 9A89DE11-7705-47A0-85EF-E06C3DA4FEA2

Pulsar Group Information Security Policy

Classifcation: PUBLIC

Contents

Contents

Policy Statement

Purpose

Policy Objectives

Policy Scope

Products

People

Premises

Data Centre Operations

Policy Statements

Risk Assessment

Management, Monitoring and Review

Legislative Compliance

Supplier Security

Asset Management

Acceptable Use

Access Control

Information Classifcation and Handling

Human Security

Information Security Training

Device Security

Secure Development

Information Security Incidents

Business Continuity

ISMS Responsibilities

Employees, Contractors and Third-Party Users

Executive Management

Senior Management

Control Owners

Asset Owners

Information Security Offcer (Governance, Risk, Compliance)

Information Security Offcer (Technical)

Risk Management

Risk Assessment

Audit

Legal Compliance

Obligations

Intellectual Property

Information Lifecycle

Data Protection

Supplier Security

New Supplier

Supplier Management

© 2024 Pulsar Group. All rights reserved. Trust Centre: https://www.pulsargroup.com/trustcentre/2

DocuSign Envelope ID: 9A89DE11-7705-47A0-85EF-E06C3DA4FEA2

Pulsar Group Information Security Policy

Classifcation: PUBLIC

Asset Management

Asset Management

Acceptable Use

Devices

Maintenance

Sensitivity Labels

Data Loss

Access Management

Access Rights

Authentication

Offce Security

Workspace

Reporting

Human Security

Security Team

Management Support

Staff Vetting

Employment Contracts

Staff Training

Engineering Security

Technical Compliance

Technical Documentation

Vulnerability Management

Backup & Restore

Activity Logs

Encryption

Change Control

Engineering Security: Development

SDLC: Analysis & Design

SDLC: Development

SDLC: Testing

SDLC: Deployment

SDLC: Maintenance & Disposal

Engineering Security: Infrastructure

Data Transfer

Network Security

Infrastructure Security

Monitoring

Incident Management

External Contacts

Incident Management: Preparation

Incident Management: Assess

Incident Management: Response

Incident Management: Review

Document Version Control

© 2024 Pulsar Group. All rights reserved. Trust Centre: https://www.pulsargroup.com/trustcentre/3

DocuSign Envelope ID: 9A89DE11-7705-47A0-85EF-E06C3DA4FEA2

Pulsar Group Information Security Policy

Classifcation: PUBLIC

Information Security Policy

Policy Statement

Pulsar Group Plc (formerly Access Intelligence) and its subsidiaries (including its subsidiaries operating the Isentia, Pulsar and Vuelio brands globally) (Group, Company or Pulsar Group) are committed to information security, data protection & privacy standards in all of its business activities.

Purpose

The purpose of this policy is to direct the design, implementation and management of an effective Information Security Program, which ensures that Pulsar Group's information assets are appropriately identifed, recorded, and afforded suitable protection at all times. This document sets forth certain principles regarding the responsible use of information by Pulsar Group and outlines the roles and responsibilities of personnel to protect the confdentiality, integrity, and availability of information assets and data.

Policy Objectives

1. Mitigate Risks of Cybersecurity Threats and Data Breaches: Identify, assess, and mitigate risks associated with cybersecurity threats and potential data breaches by conducting regular risk assessments, vulnerability scans, and penetration testing.
   Develop and implement incident response plans to effectively respond to and contain security incidents, minimising the impact on clients and our organisation.
2. Ensure Confdentiality, Integrity, and Availability of Client Data: Implement and maintain robust security measures to ensure the confdentiality, integrity, and availability of client data processed by us. This includes implementing encryption protocols, access controls, and regular data backups to mitigate the risk of unauthorised access, data loss, or service disruptions.
3. Compliance with Legal, Regulatory and Standard Requirements: Ensure compliance with relevant requirements related to information security, privacy, and data protection, such as ISO 27001:2022 and GDPR. Stay abreast of changes in legislation and standards, and update policies, procedures, and controls accordingly to maintain compliance and avoid legal consequences.

Policy Scope

This Policy shall apply to the following:

© 2024 Pulsar Group. All rights reserved. Trust Centre: https://www.pulsargroup.com/trustcentre/4

DocuSign Envelope ID: 9A89DE11-7705-47A0-85EF-E06C3DA4FEA2

Pulsar Group Information Security Policy

Classifcation: PUBLIC

• All Team Member(s), including, all of Pulsar Group's offcers, employees (whether full time, part time or casual and including executives and managers) and contractors (including consultants, advisers, agents, interns and free agents).
• All information assets, either owned by Pulsar Group or entrusted to Pulsar Group by a client under an agreement which specifcally details Pulsar Group's responsibility for that data. Including:

Products

• Pulsar
• Isentia Platform (Media Portal)
• Vuelio (UK)
• Vuelio (Australia)
• ResponseSource

People

• All Pulsar Group (Pulsar/Isentia/Vuelio) Team Members with access to business information.

Premises

• Pulsar Group Headquarters, London, United Kingdom

Data Centre Operations

• Amazon Web Services, EU West 1 region (Pulsar)
• Amazon Web Services, EU West 2 region (Pulsar DR)
• Amazon Web Services, Sydney region (Isentia Platform)
• Amazon Web Services, Sydney region alternate Availability Zone (Isentia Platform DR)
• Microsoft Azure, UK South region (Vuelio)
• Microsoft Azure, UK West region (Vuelio DR)
• Microsoft Azure, Australia East region (Vuelio Australia)
• Microsoft Azure, Australia West region (Vuelio DR Australia)
• Pulsant, South London DC (Response Source)

Policy Statements

Pulsar Group shall be committed to the protection of the information assets and supporting assets as defned within the Scope of this Policy. Pulsar Group has created its Information Security Management System (ISMS) in accordance with the international Information Security

© 2024 Pulsar Group. All rights reserved. Trust Centre: https://www.pulsargroup.com/trustcentre/5

DocuSign Envelope ID: 9A89DE11-7705-47A0-85EF-E06C3DA4FEA2

Pulsar Group Information Security Policy

Classifcation: PUBLIC

Management Systems standard ISO/IEC 27001. All Security Control Policies are described in the Appendix.

After reviewing the needs and expectations of interested parties, the scope of the ISMS was defned to support these requirements. To effectively manage and deliver its ISMS, Pulsar Group shall:

Risk Assessment

Perform regular risk assessments on all information assets, and their supporting assets, as detailed within Pulsar Group's Risk Management Policy and using the control objectives and controls as documented within Annex A of ISO/IEC 27001:2022. The documented results of risk assessments shall be reviewed to understand the level of risk to information and supporting assets, and appropriate controls applied as appropriate to address any unacceptable risks that have been identifed. A Statement of Applicability (SoA) shall be produced to record which controls have been selected and the reasons for their selection, and the justifcation for any controls not selected.

Management, Monitoring and Review

Continually monitor, review and improve the Pulsar Group ISMS, in accordance with the Management Review controls, by undertaking regular reviews, internal audits (in accordance with the Internal Audit requirements and other related activities, and taking prompt corrective actions and implementing improvement opportunities in response to the fndings of these activities.

Legislative Compliance

Ensure consistently that its Information Security Management System shall support full compliance with the requirements with applicable global legislation, e.g. GDPR.

Supplier Security

Ensure that suffcient security controls and agreements are in place to protect Pulsar Group's assets that are accessible by suppliers, in accordance with the Supplier Security Management Policy. The policy shall describe what requirements must be adhered to when engaging third parties, the standard terms that should be included in supplier agreements and how Pulsar Group will monitor compliance.

Asset Management

Defne and maintain a comprehensive Inventory of Assets, including all information assets and supporting assets as defned within the scope of this Policy. The Inventory of Assets shall detail a named owner for each asset, who shall fully understand their responsibilities for the

© 2024 Pulsar Group. All rights reserved. Trust Centre: https://www.pulsargroup.com/trustcentre/6

DocuSign Envelope ID: 9A89DE11-7705-47A0-85EF-E06C3DA4FEA2

Pulsar Group Information Security Policy

Classifcation: PUBLIC

protection of the asset in accordance with the documented Pulsar Group Asset Management Policy.

Acceptable Use

Ensure that all personnel, contractors and third-party users comply with the Acceptable Use Policy which describes how information assets and their supporting assets should be used in an acceptable manner and in accordance with all ISMS related policies and processes. This policy shall describe the acceptable methods of use of information processing systems, networks (including, for example, the internet and telephone systems) and other resources within the scope of this policy.

Access Control

Ensure that all information assets, and their supporting assets, are protected with strong passwords in accordance with the password management requirements and to ensure their confdentiality, integrity and availability is maintained. Access to information assets and supporting assets shall be in accordance with Pulsar Group's Access Control Policy and be restricted to the minimum required to undertake authorised business activities, and Pulsar Group has adopted the principle that "access is forbidden unless it has been specifcally and formally pre-authorised".

Information Classifcation and Handling

Ensure that all information assets shall be classifed and handled in accordance with Information Classifcation and Handling Guidelines, which details how information assets of different sensitivities shall be managed, handled, processed, encrypted, stored and transmitted. Information is retained in accordance with Data Retention Policy.

Human Security

Minimise risk in the workforce by implementing security controls pre-employment in accordance with the Human Security controls for Team Member screening and by including Information Security responsibilities into job descriptions.

Information Security Training

Develop a regular training and education programme, in accordance with the Information Security Training Policy, which shall be mandatory for all Pulsar Group's Team Members, which details their individual responsibilities to fully comply with the requirements of the ISMS policies, processes and work instructions defned within the scope of this policy.

© 2024 Pulsar Group. All rights reserved. Trust Centre: https://www.pulsargroup.com/trustcentre/7

DocuSign Envelope ID: 9A89DE11-7705-47A0-85EF-E06C3DA4FEA2

Pulsar Group Information Security Policy

Classifcation: PUBLIC

Device Security

Reduce risk of information leakage by only working on devices provided and managed by the organisation or for specifc processes. When unattended, devices must be locked, and no information should be displayed on the workstation as per Clear Desk and Screen controls.

Secure Development

Minimise risks during development by improving security controls for people and technology, in accordance with the controls for Data Encryption, Information Transfer, Secure Development

• Infrastructure and Change Management Policy, so that the security of Pulsar Group's information assets is not compromised, even in an ever-changing cloud environment.

Information Security Incidents

Provide a mechanism for the swift identifcation, reporting, investigation and closure of information security incidents to Pulsar Group, in accordance with the Information Security Incident Management controls, and to fully analyse reported incidents to identify the root cause of issues and take advantage of any improvement opportunities which may have been identifed.

Business Continuity

Ensure that information security is a key consideration within the Business Continuity Management Policy so that the security of Pulsar Group's information assets is not compromised even when faced with a wide variety of unplanned business interruptions.

ISMS Responsibilities

All individuals specifed within the scope of this Information Security Policy shall have individual responsibility for complying with every aspect of this policy. The requirement to comply with Pulsar Group policies is included within the Terms and Conditions of Employment and is noted within each individual user's job description. Any failure to adhere to the requirements of this policy shall result in disciplinary action being taken.

Team Members (Employees, Contractors and Third-Party Users)

Within Pulsar Group, all information security responsibilities are defned and allocated in accordance with the ISMS. All Team Members shall understand their role in ensuring the security of information assets (and their supporting assets) by complying with information security awareness training, including:

• Creating unique, complex passwords for each user account
• Completing all assigned Information Security training
• Reviewing applicable security control documentation relevant to their role

© 2024 Pulsar Group. All rights reserved. Trust Centre: https://www.pulsargroup.com/trustcentre/8

DocuSign Envelope ID: 9A89DE11-7705-47A0-85EF-E06C3DA4FEA2

Pulsar Group Information Security Policy

Classifcation: PUBLIC

• Considering the sensitivity of the information that they are processing and correctly classifying the document i.e., password protecting email attachments and/or choosing the appropriate information classifcation label when sharing documents.
• Reporting suspected and confrmed information security events to the Security Team

There are additional responsibilities defned in order that the ISMS shall operate effciently and in accordance with the requirements of ISO/IEC 27001. These are detailed below:

Executive Management

The Chief Financial Offcer (CFO) and Executive Management shall be responsible for the following activities within the Pulsar Group ISMS:

• Setting and reviewing Pulsar Group's Information Security Objectives
• Delegating appropriate resources necessary to manage and operate the ISMS effectively
• Agreeing the level of acceptable risk within the Risk Assessment Methodology
• Approving any decisions not to address any unacceptable residual risks, where identifed
• Having ultimate responsibility for actions related to information security incidents breaches
• Overseeing any disciplinary action resulting from information security incidents/breaches
• Playing an active role during Pulsar Group's Risk Assessment exercises and defning risk mitigation strategies.
• Reviewing any reports of the Information Security Program implementation status or assessments
• Approving Pulsar Group's information security policies and any changes to the policies and ensuring that the overall information security posture is aligned to business requirements and risks.

Senior Management

Senior Managers within Pulsar Group shall be responsible for:

• Ensuring that their team members are aware of and remain compliant with all information security policies, processes and work instructions, and they receive relevant training for their role
• The provision of a user training and awareness programme for applicable third-party users
• Supporting reviews, internal audits and risk assessments within their area of responsibility

© 2024 Pulsar Group. All rights reserved. Trust Centre: https://www.pulsargroup.com/trustcentre/9

DocuSign Envelope ID: 9A89DE11-7705-47A0-85EF-E06C3DA4FEA2

Pulsar Group Information Security Policy

Classifcation: PUBLIC

• Specifcally, the Head of HR for each region shall be responsible for:

• Organising background verifcation checks for all employment candidates
• Include information security compliance requirements in employment contracts
• Ensuring all Team Members comply with information security awareness training

Control Owners

Security Control Owners shall be responsible for:

• The way in which their assigned control(s) are selected, implemented and operated
• Understanding which asset(s) are reliant upon each of their assigned controls
• Contributing feedback to asset owners on the operation of each control, to assist them in undertaking accurate risk assessments of their asset(s)
• Helping in the investigation, resolution and closure of any information security incident which does or does not indicate the failure of a control.

Asset Owners

As per the Asset Management Policy, designated Asset Owners shall be responsible for:

• Assessing the value of their asset(s) to the Company
• Undertaking detailed risk assessments on their asset(s), including the identifcation of controls and assessing their effectiveness as per the Risk Management Policy
• Addressing any unacceptable risks
• Helping in the investigation, resolution and closure of any information security incident which directly or indirectly affects the security of their asset(s).
• Reviewing and authorising the levels of access to their asset(s) which are granted to others
• Contributing to the Acceptable Use monitoring, specifcally for the user of their asset(s)

Information Security Offcer (Governance, Risk, Compliance)

The Information Security Manager shall have functional GRC responsibility for the Pulsar Group ISMS, and shall be responsible for the daily operational tasks of the ISMS, including:

• Ensuring an appropriate structure of ISMS policies, processes and work instructions are created and maintained for all ISMS activities

© 2024 Pulsar Group. All rights reserved. Trust Centre: https://www.pulsargroup.com/trustcentre/10