INFORMATION SECURITY POLICY
For Sisel Mühendislik Elektronik Sanayi ve Ticaret Anonim Şirketi ("Company"), information assets (all kinds of data, documents, software, hardware, systems, infrastructure components, and related services) are critical for the execution and continuity of corporate activities; therefore, all employees who use, manage, process, or have access to the Company's information assets, as well as third parties acting on behalf of the Company (service providers/suppliers/business partners), are responsible for complying with the obligations regarding the protection of information assets.
The purpose of this Policy is to protect the Company's information assets against all threats that may arise intentionally or accidentally, from internal or external sources, in order to ensure the uninterrupted sustainability of the Company's core and supporting business processes; to secure the confidentiality, integrity, and availability elements of information security; and to define the corporate control approach within this framework. The Company adopts the principle that the information security culture should be operated within a holistic structure not only through technical measures but also together with process management, authorization, awareness, audit, and continuity principles.
All employees who access and use common information assets within the Company are expected to exercise due care within the scope of their duties and responsibilities; and to act in a manner that protects corporate reputation, trade secrets, customer/employee/visitor data, and operational information. In line with corporate values, the principle of confidentiality is fundamental. Accordingly, unless explicit approval for sharing is granted by the owner of the information, authorization is provided by the relevant department, or there is a clear obligation under the applicable legislation, information may not be shared with third parties; unauthorized access, disclosure, reproduction, or removal outside the organization is unacceptable.
In line with its commitment to design and maintain information security management based on international standards, the Company aims to adopt a control framework compatible with the ISO 27001 Information Security Management System approach and best practices in the field of service management. Within this scope, the Company:
- Establishes the necessary administrative and technical mechanisms to provide secure access to the information assets of the Company and its stakeholders, to manage access according to role/need/authorization principles, and to ensure traceability,
- Protects the confidentiality, integrity, and availability of information assets; and reduces the risks of unauthorized access, data loss, data leakage, alteration, corruption, and service interruption to reasonable levels,
- Identifies, evaluates, and manages the risks that may arise on the information assets of the Company and its stakeholders; and applies risk acceptance, risk avoidance, risk reduction, risk control, and risk transfer methods in line with the risk appetite,
- Protects corporate reliability, service quality, operational integrity, and brand reputation; and systematically implements preventive and corrective measures that will reduce the impact of information security incidents,
- In the event of detection of an information security breach, vulnerability, or policy violation, carries out the necessary investigation, reporting, corrective actions, and disciplinary/sanction processes in accordance with the nature of the incident and within the framework of applicable internal regulations and legislation,
- Meets information security requirements arising from national/international/sectoral regulations, contractual obligations, and standard requirements to which it is subject; and ensures secure operations within the framework of corporate responsibilities toward internal and external stakeholders,
- Within the scope of the business continuity approach, reduces the impact of information security threats on business/service continuity; operates appropriate business continuity and redundancy principles for critical processes; and improves incident response and recovery capabilities,
- Maintains and continuously improves the level of information security through the established control infrastructure; and keeps policies and controls up to date through audit, review, and performance measurement mechanisms,
- Provides training to improve employees' competencies in order to increase information security awareness; and conducts regular awareness activities in areas such as confidentiality, data security, password security, social engineering, email security, and the use of portable media,
- Within the scope of the Personal Data Protection Law No. 6698 (KVKK) and its secondary regulations, and, where applicable, data protection regimes such as the General Data Protection Regulation (GDPR), takes the necessary organizational and technical measures to ensure the security of personal data; and observes the principles of legality and security in personal data processing activities,
- With respect to personal data security, establishes the necessary governance structure to strengthen controls and processes that prevent data leakage, through the limitation of access authorizations, traceability of records, and secure storage and destruction principles,
- Maintains compliance with applicable legislation, standards, and internal regulations related to the Company's information security and service management processes; and implements policy provisions in alignment with operational requirements.
This Policy is binding for the Company's employees, third parties who access information assets or provide services on behalf of the Company, and all stakeholders who perform operations on the Company's information assets. In cases of non-compliance with the policy provisions, the necessary administrative/technical actions are taken according to the nature of the incident; and the relevant processes are carried out, without prejudice to the Company's contractual and legal rights.