Request your free IT security evaluation • Reduce the risk of IT problems • Plan for problems and deal with them when they happen • Keep working if something does go wrong • Protect company, client and employee data • Keep valuable company information, such as plans and designs, secret • Meet our legal obligations under the General Data Protection Regulation and other laws • Meet our professional obligations towards our clients and customers

This IT security policy helps us:

• Rodrigo Rodriguez is the director with overall responsibility for IT security strategy. • Microsoft is the IT partner organisation we use to help with our planning and support. • Microsoft is the data protection officer to advise on data protection laws and best practices Review process

We will review this policy yearly. In the meantime, if you have any questions, suggestions or feedback, please contact security@pragmatismo.cloud

We will only classify information which is necessary for the completion of our duties. We will also limit access to personal data to only those that need it for processing. We classify information into different categories so that we can ensure that it is protected properly and that we allocate security resources appropriately: • Unclassified. This is information that can be made public without any implications for the company, such as information that is already in the public domain. • Employee confidential. This includes information such as medical records, pay and so on. • Company confidential. Such as contracts, source code, business plans, passwords for critical IT systems, client contact records, accounts etc. • Client confidential. This includes personally identifiable information such as name or address, passwords to client systems, client business plans, new product information, market sensitive information etc.

Employees joining and leaving

We will provide training to new staff and support for existing staff to implement this policy. This includes: • An initial introduction to IT security, covering the risks, basic security measures, company policies and where to get help • Each employee will complete the National Archives ‘Responsible for Information’ training course (approximately 75 minutes) • Training on how to use company systems and security software properly • On request, a security health check on their computer, tablet or phone When people leave a project or leave the company, we will promptly revoke their access privileges to

The company will ensure the data protection office is given all appropriate resources to carry out their tasks and maintain their expert knowledge. The Data Protection Officer reports directly to the highest level of management and must not carry out any other tasks that could result in a conflict of interest.

You can expect to get an update on a reported vulnerability in a day or two. security@pragmatismo.cloud