Information Security Policy

To provide such a solution, Preservica develops software and services, directly and with business partners. The Board and management of Preservica are committed to preserving the confidentiality, integrity and availability of all physical and electronic information assets throughout the organisation.

Preservica recognises that information security is key to the success of the business. Within our operations we aim to prevent and minimize the impact of security incidents in order to enhance our reputation and support business growth in line with our strategic direction.

To support the above requirements Preservica has implemented an information security management system (ISMS) which complies with the ISO 27001:2013 standard. The ISMS details the organisation’s direction and commitment to the security of information. For this purpose, an Information Security Manager has been appointed who will ensure that non-compliances and exceptions will be handled as defined in the ISMS procedures.

The purpose of the policy is to help protect Preservica’s information assets, and those of customers or other parties while in Preservica control, from all threats whether internal or external, deliberate or accidental.

It is Preservica’s policy to ensure that:

• We satisfy our information security requirements;
• Information is protected against unauthorised access;
• Confidentiality of information is assured;
• Integrity of information is maintained;
• Availability of information is ensured;
• Regulatory and legislative requirements are met;
• Business continuity plans are maintained and tested;
• Information security training is available to all staff;
• Breaches of information security are reported to, and investigated by, the Information Security Team;
• Information security objectives are set, tracked, and reported; and
• We undertake continuous improvement activities.

This policy, and the ISMS which defines procedures to support the implementation of the policy, along with a framework for risk assessments and risk management, are a demonstration of our commitment to protect all information within the organisation, and to satisfy all the relevant requirements of the ISO 27001:2013 standard.

ISMS Scope

Preservica’s ISMS Statement of Applicability (SoA), version 2.1, dated 25 September 2023, which complies with Annex A of the standard, sets out the way in which the ISMS encompasses Preservica’s activities and processes that would impact on its obligations to protect data held at 32 The Quadrant, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YS, and our offices at 50 Milk Street, 16^th Floor, Boston, MA 02109 and data within the control of Preservica but stored elsewhere, and all information handling assets deemed to have a significant information security risk, up to the point at which the information is received by its intended recipient.

ISO 27001 applies to our standard products, the hosting of such products, but does not apply to bespoke products that Preservica may develop for customers. Preservica develops software to a minimum security baseline and any additional customer security requirements are documented in individual project management plans or relevant project documents.

ISMS Objectives

Preservica will manage information security to ensure that its core and supporting business operations continue to operate with minimal disruptions by securing the protection of:-

• Confidentiality: ensuring that our information is accessible only to those authorised to access it.
• Integrity: ensuring that the information relevant to this policy is accurate and complete, and that the information is not modified without authorisation.
• Availability: ensuring that information is accessible when required.
• Risk: identify, assess and effectively manage the risks to information.
• Legal, regulatory and contractual requirements: ensuring that our activities comply with all relevant legal, regulatory and contractual requirements.

The above objectives will be met by ensuring effective operation of the ISMS, allocation of responsibility, training and awareness. Objectives, responsibilities and targets are set out and renewed at least annually.

All employees of Preservica are expected to comply with this policy and the implemented ISMS. Certain external parties identified in the ISMS are also requested to comply with this policy and as required such parties will receive appropriate training.

Preservica is committed to continually improve the ISMS, its working standard and the protection of information as defined in the scope. Continued improvement will take place by regular management reviews, effective communication, internal audits and independent certification to the ISO standard.

This policy is communicated, understood and applied by all employees, and is made available to relevant interested parties as appropriate.

SEC-PY01 – September 2023