Smartek Information Security Policy
Last updated: January 20, 2026
This Information Security Policy (“ISP”) establishes guidelines, duties, and responsibilities for the protection of information and technological assets of SMARTEK LIFE LTDA (“Smartek”, “We”, or “Company”).
1. Terms and Definitions
Privileged Access: Special permission granted to users or processes to perform actions beyond the capabilities of ordinary users within Smartek’s systems and platforms.
Asset: Every element that holds value for Smartek, including information, equipment, software, networks, systems, and people.
Information Assets: Objects capable of creating, receiving, transmitting, processing, storing, moving, and disposing of information related to Smartek.
Authenticity: The property that ensures the verification and reliability of the origin of information or the identity of a user.
Collaborator: Any person acting for Smartek under a formal employment contract (CLT), independent contractor (PJ) agreement, internship, young apprentice program, or equivalent.
Confidentiality: The guarantee that information is accessed only by authorized individuals.
Custodian: The area, sector, or person who keeps information under their guard and responsibility.
Personal Data: Information related to an identified or identifiable natural person, such as name, email, ID number, taxpayer ID (CPF), telephone, address, image, geolocation, IP, device identifiers, preferences, and behaviors.
Sensitive Personal Data: Data regarding racial/ethnic origin, religious conviction, political opinion, union membership or religious/philosophical/political organization affiliation, data concerning health or sexual life, genetic or biometric data.
Availability: The property that guarantees access and use of information and assets by authorized users, when necessary, without undue interruptions.
Manager: The person responsible for an area, team, or function within Smartek’s organizational structure.
Information Security and/or Privacy Incident: An unwanted or unexpected event or series of events that may compromise operations, assets, data, and/or the privacy of data subjects.
Information: An organized set of data that constitutes a message about an event or phenomenon within the context of Smartek, in any format (printed, digital, transmitted, or displayed).
Integrity: The property that guarantees the accuracy and completeness of information, protecting it against unauthorized changes.
Non-Repudiation: The ability to prove the occurrence of an event/action and its authorship within Smartek’s systems.
Information Security: Preservation of Confidentiality, Integrity, Availability, Authenticity, and Secrecy of information in any medium.
Secrecy: The guarantee of non-disclosure of information to unauthorized persons, entities, or processes.
Third Parties: Individuals without an employment/internship link to Smartek, such as service providers, partners, consultants, auditors, and suppliers.
Team: A group of collaborators who perform specific activities in the same area.
2. Objective
This ISP aims to establish guidelines for the protection of Smartek’s information and assets, preserving Confidentiality, Integrity, Availability, Authenticity, and Non-Repudiation, guiding the appropriate use of assets and strengthening the Company’s capacity to prevent, detect, respond to, and reduce vulnerabilities to security incidents and incidents related to personal data, observing the following principles:
- Confidentiality: access only by authorized persons
- Integrity: protection against improper changes
- Availability: access when necessary, without undue unavailability
- Authenticity: guarantee of reliable origin/identity
- Non-Repudiation: traceability and accountability for actions and events
3. Guidelines
Smartek adopts guidelines and controls for the protection of its information and assets, including:
3.1 Commitments and governance
- Top Management Commitment: providing adequate organizational and technological structure, with continuous improvement of security controls.
- Strategic alignment: this ISP must be aligned with business planning and risk management.
- Security culture: continuous awareness and engagement of collaborators and third parties.
3.2 Minimum controls and processes
I. Risk Management: Smartek maintains practices for identifying, evaluating, and treating security risks, observing best practices and applicable regulations.
II. Business Continuity: Documented, tested, and periodically reviewed continuity plans for essential services, considering information security requirements.
III. Continuity Testing: Minimum scenarios covered:
- critical processes (BIA, where applicable)
- interruptions resulting from security incidents
- crisis and response criteria
IV. Personal Data Protection: Smartek applies privacy and security guidelines for personal data, in line with the Privacy Notice and applicable legal requirements.
V. Incident Management: Incidents must be recorded, classified, analyzed, and handled according to criticality and impact, with the objective of:
- reducing operational and privacy impact
- notifying authorities and data subjects when applicable (e.g., ANPD), according to legal criteria
- ensuring adequate internal and external response
VI. Reporting of relevant incidents: Smartek may share information with authorities and/or partner institutions when necessary and permitted by law.
VII. Data leak prevention: Adoption of controls to prevent loss, theft, misuse, or leakage, including endpoint monitoring and traffic and transfer controls.
VIII. Classification and treatment of information: Information and assets must be handled according to the degree of secrecy and relevance throughout the lifecycle (creation, storage, use, sharing, and disposal).
IX. People Management: Recruitment, admission, movement, and termination processes must consider security and confidentiality controls.
X. Access Management: Physical and logical access must be granted by necessity, reviewed, and revoked according to function changes or termination. Identification controls may include credentials and equivalent authentication mechanisms.
XI. Privileged Access: Privileged access must be identified, controlled, monitored, and auditable, according to the criticality level of the asset.
XII. Passwords and authentication: Passwords are personal and non-transferable, with minimum complexity requirements and best practices. When applicable, multi-factor authentication is recommended.
XIII. Clean desk and clear screen: It is the collaborator’s responsibility to protect physical and digital information, avoiding improper exposure.
XIV. Use of IT Assets: Only authorized/homologated assets, software, and tools must be used for corporate purposes.
XV. Backup: Relevant information must be protected by backup, retention, and restoration testing mechanisms.
XVI. Secure disposal and destruction: Assets and media must be securely disposed of/destroyed to prevent information leakage.
XVII. Encryption: Appropriate use of encryption for secure storage and transmission of information, when applicable.
XVIII. Network security: Network controls must restrict access and ensure segmentation, protection, and monitoring.
XIX. Relationship with Third Parties: Third parties must be evaluated by security and privacy criteria, with compatible contractual requirements. Access to critical assets must be supervised and traceable.
XX. Acquisition, development, and maintenance of systems: Application of secure development practices and periodic security assessments (including third-party systems, when applicable).
XXI. Auditing and compliance: Periodic evaluation of compliance and adherence to this ISP and applicable legislation.
XXII. Monitoring and logs: Smartek may monitor the use of corporate assets and systems, according to current legislation, for proactive detection and traceability.
XXIII. Change management: Changes in environments and systems must be evaluated, tested, documented, and implemented in a controlled manner.
XXIV. Patch management: Security updates must be applied within a reasonable time according to criticality and stability.
XXV. Controls against malware: Prevention and detection controls on endpoints and corporate environments.
XXVI. Vulnerability management: Periodic scans and procedures to identify and reduce vulnerabilities.
XXVII. Penetration tests: Periodic internal/external tests (at least annually or according to risk) to assess security layers.
XXVIII. Cloud Computing: Cloud service contracts must undergo security and privacy assessments, with contractual rules and continuous monitoring.
4. Duties and Responsibilities
I. Information Security (or Committee/responsible area)
- coordinate actions, controls, and security projects
- conduct awareness and training
- respond to and handle incidents
- evaluate exceptions to this ISP
- perform periodic scans and tests
- report security performance to management, when applicable
II. Information Technology (IT)
- operationalize IT controls and procedures related to the ISP
- ensure backups, restoration, inventory, and hardening
- maintain logs and audit trails
- correct vulnerabilities according to prioritization
- manage networks, segmentation, encryption, and patches
- prevent improper use of production data in non-production environments without adequate controls
III. Governance and Compliance (or DPO/Officer, when applicable)
- support risk and compliance methodology
- act as an interface with regulatory bodies when necessary
- coordinate document review and approval, when applicable
IV. Human Resources (HR)
- ensure onboarding and security training
- communicate terminations, movements, and changes in link status
- make available applicable security norms and guidelines
V. Collaborators and Stakeholders
- know and comply with this ISP and related norms
- report incidents and non-conformities
- protect assets and information under their responsibility
- maintain secrecy during and after the link, according to contracts and internal rules
5. Final Considerations
Commitments and penalties: Non-compliance with this ISP may be considered a serious offense and result in disciplinary measures, contractual and/or legal sanctions, as applicable.
Training and awareness: Smartek may promote periodic training and educational actions to reinforce best security and privacy practices.
6. Reporting and Contact Channels
Questions or reports of incidents and violations of this ISP should be directed through official channels:
📧 Email for questions and reporting: [email protected]
Smartek seeks to guarantee confidentiality and non-retaliation for reports made in good faith.