Information Security and Privacy Management System Policy
1. PURPOSE
The purpose of this policy is to define, for HEVI AI SAĞLIK YAPAY ZEKA VE BİLİŞİM TEKNOLOJİLERİ A.Ş., the approach and objectives of senior management for preventing violations of legal, regulatory or contractual obligations and for meeting all security needs relating to human, infrastructure, software, hardware, customer information, organizational information, third party information and financial resources, and to inform all employees and interested parties of these objectives.
- To protect the information assets of HEVI AI SAĞLIK YAPAY ZEKA VE BİLİŞİM TEKNOLOJİLERİ A.Ş. against all kinds of threats that may arise from inside or outside, knowingly or unknowingly; to ensure that information is accessible as required by business processes; to meet the requirements of legal regulations; and to work towards continuous improvement.
- To ensure the continuity of the three basic elements of the Information Security Management System in all activities carried out:
Confidentiality: Preventing unauthorized access to important information and personal data.
Integrity: Demonstrating that the accuracy and completeness of information are ensured.
Accessibility: Ensuring that authorized persons can access and use information when necessary.
- To protect not only data kept electronically, but also all data held in written, printed, verbal and similar media.
- To raise awareness by providing Information Security Management trainings to all personnel.
- To report all actual or suspicious gaps in Information Security to the Information Security Management System Team and the Data Controller and to ensure that they are investigated by the ISMS Team.
- To prepare, maintain and test business continuity plans.
- To identify existing risks through periodic Information Security assessments, and to review and follow up the resulting action plans.
- To prevent any disputes and conflicts of interest that may arise from contracts.
- To meet business requirements for information accessibility and information systems.
2. SCOPE
The information security management system established and operated for HEVI AI SAĞLIK YAPAY ZEKA VE BİLİŞİM TEKNOLOJİLERİ A.Ş. covers all of the assets we classify as human, infrastructure, software, hardware, customer information, company information, third party information, corporate assets and financial resources.
Physical and electronic information relating to these assets, and the media on which it is stored, are protected under the ISMS rules, and system continuity is monitored.
1. Internal Scope
Top Management, organizational structure, roles and obligations:
1. Development of software used in health institutions, procurement of hardware, sales marketing, after-sales training and support services,
2. Departments within the scope of the Company's Senior Management; Financial and Administrative Affairs, Operations, IT, Human Resources, Quality, Call Services, Assistance Services, Internal Audit, Sales, Marketing
3. Roles specified in the General Management Organization Chart and responsibilities in job descriptions.
4. Policies, procedures, objectives and strategies to be fulfilled:
1. Information Security Management System Policy,
2. All Information Security management systems procedures,
3. Annual Information Security management systems objectives set by management,
4. Capabilities, understood in terms of resources and know-how (e.g., capital, time, people, processes, systems and technologies),
5. Management Representatives and Information Security Management System team appointed by the management to establish, operate and maintain the Information Security Management System,
6. Relations with internal stakeholders and their perceptions and values,
7. The culture of the organization, the standards, guidelines and models adopted by the organization, the form and breadth of contractual relationships.
2. External Scope
1. The social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local,
2. Confidentiality of supplier and customer data,
3. Quality Orientation,
4. Relations with stakeholders who have an impact on the organization's objectives, and their perceptions and values,
5. All Company employees, including Senior Management, to ensure customer satisfaction,
6. All relevant legislative, regulatory, contractual requirements, standards,
7. Outsourced consultancy services,
8. Product certifications obtained from certification bodies.
3. REFERENCED STANDARDS
HEVI AI SAĞLIK YAPAY ZEKA VE BİLİŞİM TEKNOLOJİLERİ A.Ş. Information Security and Privacy Management System has been prepared with reference to TS EN ISO 27001:2013 and TS ISO/IEC 27701 standards.
4. DEFINITIONS
ISMS: Information Security Management System
5. RESPONSIBILITY
The qualifications and competencies required for each role, together with its responsibilities and authorities, are defined in the job descriptions. The IT Team and the Management Representative are responsible for maintaining and developing information security activities. The ISMS Team and the Management Representatives are appointed by Senior Management. ISMS representatives have been identified from the departments within scope and appointed as ISMS team members by name.
1. Management Responsibility
1. The Company Management undertakes that it will comply with the defined, enacted and implemented Information Security System, allocate the necessary resources for the efficient operation of the system, and ensure that the system is understood by all employees.
2. During the establishment of the ISMS, the ISMS Management Representative is appointed by a letter of appointment. When necessary, senior management re-issues the appointment by revising this document.
3. Managers support the personnel below them by assigning responsibility and by setting an example in matters of security. The security understanding established at the upper levels must be carried down to the lowest-level personnel of the company. For this reason, all managers support their employees in complying with written or verbal security instructions and in participating in security activities.
4. Top Management allocates the budget required for comprehensive information security work.
2. Management Representative Responsibility
1. Planning the ISMS (Information Security Management System), determining the acceptable risk level, determining the risk assessment methodology,
2. Providing the resources needed for supporting and complementary activities in establishing the ISMS, providing and improving user capabilities, raising awareness, providing trainings, ensuring communication and meeting documentation requirements,
3. Execution and management of ISMS practices, ensuring the continuity of assessments, improvements and risk assessments,
4. Assessment of ISMS and controls through internal audits, objectives and management review meetings,
5. Responsible for maintaining the existing structure in ISMS and ensuring continuous improvements.
3. Responsibility of ISMS Team Members
1. Conducting asset inventory and risk analysis studies related to departments,
2. When there is a change in the information assets under their responsibility that will affect information security risks, informing the Management Representative so that a risk assessment can be performed,
3. Ensuring that department employees work in accordance with policies and procedures,
4. Raising awareness, ensuring communication, ensuring documentation requirements within the scope of ISMS related to departments,
5. Responsible for maintaining the existing structure in ISMS and ensuring continuous improvements.
4. Internal Auditor Responsibility
In line with the internal audit plan, he/she is responsible for conducting and reporting audit activities in assigned internal audits.
5. Responsibility of Department Managers
They are responsible for the implementation of the Information Security Policy and ensuring that employees comply with the principles, ensuring that third parties are aware of the policy and reporting security breach incidents related to information systems that they notice.
6. Responsibility of All Employees
1. To carry out their activities in accordance with the information security objectives, policies and information security management system documents,
2. To follow the information security targets related to their unit and to ensure that those targets are achieved,
3. To pay attention to, and report, any information security vulnerability observed or suspected in systems or services,
4. For service contracts (consultancy, etc.) made with third parties that are not under the responsibility of Purchasing, to conclude a confidentiality agreement in addition to the service contract and to ensure that information security requirements are met.
7. Responsibility of Third Parties
Third parties are responsible for knowing and implementing the information security policy and for complying with the behaviors determined within the scope of the ISMS.
6. APPLICATION
Company employees and third parties are obliged to know the detailed information security requirements and rules outlined in this policy, together with the related policies and procedures, and to carry out their work in accordance with them. Unless otherwise stated, these rules and policies apply to the use of all information stored and processed in printed or electronic media and to all information systems.
1. The Information Security Management System is structured and operated based on the TS ISO/IEC 27001 “Information Technology Security Techniques and Information Security Management Systems Requirements” standard.
2. The implementation, operation and improvement of the ISMS are carried out with the contribution of the relevant parties. The ISMS Management Representative is responsible for updating the ISMS documents when necessary.
3. The information systems and infrastructure provided by the company to employees or third parties and all kinds of information, documents and products produced using these systems belong to the company unless there are legal provisions or contracts requiring otherwise.
4. Confidentiality agreements are made with employees, consultancy, service procurement (security, service, catering, cleaning company, etc.) and suppliers.
5. Information security controls to be applied in recruitment, job change and resignation processes are determined and implemented.
6. Trainings that will increase employees' awareness of information security and enable them to contribute to the functioning of the system are regularly provided to existing company employees and newly recruited employees.
7. All actual or suspected violations of information security are reported; nonconformities that cause violations are identified, the main causes are found and measures are taken to prevent recurrence.
8. Inventory of information assets is created in line with information security management needs and asset ownership is assigned.
9. Corporate data is classified and the security needs and usage rules of the data in each class are determined.
10. Physical security controls are applied in line with the needs of assets stored in secure areas.
11. Necessary controls and policies are developed and implemented for the company's information assets against physical threats that they may be exposed to inside and outside the company.
12. Procedures and instructions regarding capacity management, relations with third parties, backup, system acceptance and other security processes are developed and implemented.
13. Audit log generation configurations for network devices, operating systems, servers and applications are set in line with the security needs of the relevant systems. Audit logs are protected against unauthorized access.
14. Access rights are assigned as needed. The most secure technology and techniques possible are used for access control.
15. Security requirements are determined in system procurement and development, and it is checked whether the security requirements are met during system acceptance or testing.
16. Continuity plans for critical infrastructure are prepared, maintained and exercised.
17. The processes required for compliance with laws, internal policies and procedures, and technical security standards are designed, and compliance assurance is ensured through continuous and periodic surveillance and audit activities.
7. VIOLATION OF THE POLICY AND SANCTIONS
If it is determined that the Information Security Policy and Standards have not been complied with, the employees responsible for the violation are subject to sanctions in accordance with the HEVIAI.KLT.PR10 Disciplinary Procedure; for third parties, the sanctions specified in the relevant articles of their contracts apply.
8. MANAGEMENT REVIEW
Management review meetings are organized by the ISMS Quality Management Representative and held with the participation of Senior Management and Department managers. These meetings, where the suitability and effectiveness of the Information Security Management System are evaluated, are held at least once a year.
9. UPDATING AND REVIEWING THE INFORMATION SECURITY POLICY DOCUMENT
The ISMS Management Representative is responsible for maintaining and reviewing this policy document. Policies and procedures are reviewed at least once a year. In addition, the document is reviewed after any change that affects the system structure or the risk assessment; if changes are required, they are approved by senior management and recorded as a new version. Each revision must be published in a way that all users can access.