The company considers the information that users entrust to it or process through the service it provides to be a valuable asset.
For this reason, the Group assumes the responsibility of protecting and enhancing this asset, committing to ensuring that information can be used with the appropriate guarantees of accuracy and completeness, and that it is adequately protected from misuse, unauthorized disclosure, damage or loss.
This Information Security Policy therefore expresses the commitment to ensure the security of information and of the physical, logical and organizational tools used to process it in all activities, guaranteeing the confidentiality, integrity and availability requirements of critical or sensitive information entrusted to the Group, and implementing appropriate controls to prevent violations of these requirements.
The objectives of the information security policy are:
- Consolidate the company’s reputation as a reliable and competent data manager;
- Protect its information assets related to the platform for managing third-party websites and internet applications and related services;
- Gain a competitive advantage over other market players offering similar services by highlighting the value of information for the Company;
- Avoid, as far as possible, service disruptions for users;
- Adopt measures to ensure employee loyalty and professionalism;
- Fully comply with current and applicable regulations;
- Increase staff awareness and competence on security-related topics;
- Pursue continuous improvement of the procedures and processes forming part of the ISMS.
For cloud services used by the Lynx Group, the information security objectives are:
- Security by design and by default: integrating security requirements from the earliest stages of application design and development, following principles such as least privilege and separation of duties.
- Protection of source code and repositories: ensuring controlled access to repositories (e.g., Git), with strong authentication, audit trails and protection against unauthorized changes.
- Secure management of dependencies and third-party libraries: continuously monitoring and updating external components to prevent known vulnerabilities (e.g., CVEs), using software composition analysis tools.
- Control of development, test and production environments: logical separation of environments, application of differentiated access policies and secure automated deployment (DevSecOps).
- Protection of APIs and microservices: implementing authentication, authorization, rate limiting and logging to prevent abuse and ensure traceability of calls.
- Secure management of secrets and credentials: using secure vaults for managing keys, tokens and passwords, avoiding their inclusion in code or configuration files.
Milan, 04/09/202