Privacy Policy

Cybersecurity Policy

1. Introduction
Introduction This cybersecurity policy establishes the guidelines and principles that will guide Pyramid Consulting S.A.S.'s actions in protecting its digital assets and preventing security incidents. This policy is based on applicable cybersecurity regulations and laws and aims to guarantee the confidentiality, integrity, and availability of information, as well as maintain the operational continuity of its consulting services in SAP ERP platform administration and multicloud services.
2. Definitions
a) Cybersecurity: Set of measures and practices aimed at protecting systems, networks, and data from potential cyber threats and attacks.
b) Digital assets: All information, data, systems, networks, devices, and technological resources used by Pyramid Consulting S.A.S.
c) SAP ERP platform administration consulting: Advisory and management services related to the implementation and maintenance of SAP ERP systems.
d) Multicloud services: Services related to the administration and management of platforms and applications hosted on multiple cloud service providers.

3. General Provisions
This policy aims to establish the necessary guidelines and guidelines to guarantee the security of information and the protection of Pyramid Consulting SAS's digital assets in the area of cybersecurity. This policy applies to all employees, contractors, and third parties who have access to the company's systems and data.
Article 1. Purpose. The objective is to guarantee the confidentiality, integrity, and availability of information, as well as the protection of Pyramid Consulting SAS's digital assets, through the implementation of security measures and best practices in the area of cybersecurity.

Article 4. Cybersecurity Principles.
a) Confidentiality: Controls and security measures will be established to ensure that Pyramid Consulting SAS's information and digital assets are only accessible by authorized persons for the legitimate purpose of their duties.
b) Integrity: Protection mechanisms will be implemented to ensure that information and digital assets are not modified or altered in an unauthorized manner, ensuring their accuracy and reliability.
c) Availability: Measures will be implemented to ensure that information and digital assets are available to authorized persons when needed, minimizing any unplanned disruptions.

Validity: 2023/06/08 – V:02
GO-M-05 Cybersecurity Manual and Policy
d) Responsibility: Each employee and user of Pyramid Consulting S.A.S. systems is responsible for protecting the company's information and digital assets and must comply with established policies and procedures.

Note: For more information on information security at Pyramid Consulting, please refer to the information security manual.

Article 4. Duties of the company's Cybersecurity Officer. The person responsible for information security must:
a) Coordinate and oversee the implementation of the security measures established in this policy.
b) Stay up-to-date on new threats and trends in the field of cybersecurity.
c) Periodically assess security risks and propose corrective and preventive measures.
d) Promote cybersecurity awareness and training for all employees.
e) Conduct periodic audits to verify compliance with security policies and regulations.

Article 5. Applicable Regulations and Legislation. Pyramid Consulting SAS must comply with the following cybersecurity regulations and laws applicable in Colombia:
a) Law 1273 of 2009: Which modifies the Colombian Penal Code, establishes the crime of abusive access to computer systems, and enacts other provisions.
b) Decree 620 of 2020: Which regulates Law 1273 of 2009 and establishes provisions related to the protection of information and personal data.
c) Resolution 276 of 2021: Which adopts the National Cybersecurity Strategic Plan and establishes measures for the protection of information in the public and private spheres.

Article 6. Validity of the manual. This manual is effective as of June 8, 2023. The databases in which your personal data will be stored will be valid for as long as the information is maintained and used for the purposes described in this policy. Once those purposes have been fulfilled, and provided there is no legal or contractual obligation to retain your information, your data will be deleted from our databases.

Data Protection Policy

How does Pyramid Consulting SAS collect your information?
PYRAMID CONSULTING SAS only collects your personal data when you provide it directly. If you are listed in any of our databases, it is because you have had or maintain a business relationship with PYRAMID
CONSULTING SAS, or because you have voluntarily submitted your data at business events where PYRAMID CONSULTING SAS participates .

1.2. How does Pyramid Consulting SAS use your information?
The information you provide to PYRAMID CONSULTING SAS is intended to carry out the corporate purpose of the company, its parent company, subsidiaries, and affiliates, for the purposes described in the Privacy Notice, which includes, but is not limited to:
statistical, contractual, informational, service or solution monitoring, customer notification and contact for satisfaction surveys, relationship marketing and/or similar purposes, accounting and payroll matters, and other matters applicable to each of the data subjects.

1.3. Who has access to the information?
PYRAMID CONSULTING SAS is always committed to presenting new solutions that enhance the value of its services. To achieve this goal, your information may be shared internally and with some of our business partners, such as subsidiaries and affiliates nationally and internationally. PYRAMID CONSULTING SAS takes all
possible measures to ensure that the information provided is used in compliance with the Security and Privacy Policy.

1.4. How do you want the information to be used?
By providing your personal data, you automatically authorize PYRAMID CONSULTING SAS to use it in accordance with this Security and Privacy Policy. If you do not agree with the proposed use suggested by PYRAMID CONSULTING SAS, you may limit its use or request its deletion by writing to tratamiento.datos@pyramidconsulting.co or by calling 3000069 ext. 2201, or by writing to Carrera 7 #156-68, Torre 3, Office 703.

2. General recommendations for minors
Page 2 of 9
Validity: 2023/06/08 – V:02
GO-M-02 Data Protection Policy
If you are a minor, ask your parents or guardians for permission before revealing your personal data to any person or through digital mechanisms.

2.1. Introduction
The following are the Information Processing policies that govern the activities carried out by PYRAMID CONSULTING SAS and the management of its databases.
This document is developed in compliance with Law 1581 of 2012 and its regulatory decrees, which establish the general provisions for the protection of personal data. According to this law, all public or private entities that
handle personal data must adopt an internal manual of policies and procedures to guarantee proper compliance with the Law and, in particular, to ensure the effective exercise of the rights of the data subjects.

All information received by PYRAMID CONSULTING SAS through its various communication channels, whether digital or printed, and which constitutes our databases, obtained from clients, suppliers, employees or contractors, and other data subjects, is governed by the following usage policies. This data may be stored and/or processed on servers located in data centers, whether our own or contracted with third-party providers, which is authorized by our clients, contractors, employees, and suppliers upon accepting this Privacy Policy.

QUALITY POLICY, SCOPE AND OBJECTIVES

1. QUALITY POLICY.

“At PYRAMID CONSULTING, we offer project consulting and management services for CLOUD and SAP technology platforms. We are committed to helping our clients meet their requirements and needs in a constantly evolving technological environment. Our goal is to provide our clients with confidence through a team of highly trained professionals and close collaboration with senior management. We are committed to continuous improvement and compliance with applicable requirements to achieve concrete results.”

2. SCOPE OF THE QUALITY MANAGEMENT SYSTEM.

“Project management and technology platform administration services, technical support, and functional support for SAP All-In-One, SAP B1, and non-SAP workloads, both on-premise and in the cloud (multi-cloud), along with associated security, cybersecurity, and data analytics services.”

3. QUALITY OBJECTIVES.

• Attract and hire highly competent personnel within the timeframes established by the organization.
• Continuously improve customer satisfaction through the effective use of the company's resources.
• Maintain and improve the perception of customer satisfaction.
• Increase the company's profitability through process improvements and operational efficiency.
• Promote staff development in strategic areas for the organization.
• Ensure that staff are properly trained and educated to carry out the organization's projects and services.

4. HISTORY OF MODIFICATIONS.

Revision: R:1 V:1 (2021/04/08)

INFORMATION SECURITY POLICY, SCOPE AND OBJECTIVES

1. INFORMATION SECURITY POLICY.

At PYRAMID CONSULTING SAS, we provide consulting services on SAP and CLOUD technology platforms, committed to meeting our clients' requirements and needs in a constantly evolving environment. Our goal is to build trust through skilled professionals and collaboration with senior management. We are dedicated to continuous improvement and compliance with ISO 9001 and ISO 27001 standards to ensure the quality and security of our services. With a culture rooted in risk management and awareness of quality and security, we protect the confidentiality, equipment, and availability of the information entrusted to us. Through this policy, we reaffirm our commitment to excellence and trust in an ever-changing technological world.

2. SCOPE OF INFORMATION SECURITY.

Pyramid Consulting SAS's Information Security Management System (ISMS) applies to the security, cybersecurity, and data analytics services we offer our clients, as well as to project management and technology platform administration services, including technical and functional support for SAP All-in-One, SAP B1, and non-SAP workloads, both on-premise and in the cloud (multi-cloud). Our ISMS is based on ISO
27001:2013 and aims to ensure the security, confidentiality, and integrity of information, mitigate information security risks, and protect the critical data assets of our clients and the company.

3. INFORMATION SECURITY OBJECTIVES.

• Properly manage information security risks to ensure the confidentiality, integrity, and availability of information assets by implementing established guidelines.
• Train and raise awareness among staff on information security issues, seeking a progressive increase in the information security culture within the company.
• Continuously improve the performance of the Information Security Management System by implementing effective corrective actions and improvements resulting from internal and external audits.
• Properly manage information security incidents by generating, documenting, and applying lessons learned to reduce the possibility or impact of future incidents.
• Comply with current legal, regulatory, and contractual requirements applicable to the organization's operations.

4. HISTORY OF MODIFICATIONS.

R:2 V:2 (2023/06/08)