Information security policy

Management, and all the staff of the gway s.r.l., operating in the field of design and development of application solutions, as well as in the provision of information systems, system support services and IT consulting, is committed to the protection of its information assets in order to preserve its competitive advantage, profitability, legal, regulatory and contractual compliance and, at the same time, is committed to ensuring the confidentiality, integrity, availability and resilience of personal data processed by the Organization, in order to guarantee the rights and freedoms of data subjects, as well as the resulting positive market image return that the adoption of serious privacy protection for its customers is capable of generating.

The requirements for information and personal data security are consistent with the overall objectives and operating procedures of the Organization. The Information Security Management System (ISMS) and the adopted Personal Data Protection Organizational Model are the means by which information is shared, proper operations are carried out, and information-related risks are reduced to acceptable levels.

The strategic plans of gway s.r.l. and its risk management framework provide the context for the identification, analysis, assessment and control of information-related risks. The definition of roles and responsibilities, as well as the specific identification of the processing carried out on personal data and the related analysis of the risks to which the same may be subject, constitute the context in which the Organizational Model has been implemented and is kept dynamically updated, according to the continuous evolution of the context itself. The Risk Assessment and Treatment Document and the Statement of Applicability (SOA) define the ways in which information-related risks are kept under control.

Additional key elements of this policy represent business continuity, data backup procedures, malware and intrusion protection, system access control, and reporting mechanisms when information security issues arise. Control indicators for each of these areas are defined in System documentation and supported by specific procedures.

All stakeholders belonging to the Organization and any stakeholders, considered within the perimeter defined in the scope of application of the System, as well as those responsible outside the Organization who process personal data on behalf of the Data Controllers and autonomous Data Controllers with whom the Company has decided to share some of its processing, assume behaviors in accordance with what is indicated in this Policy, the Organizational Model and the Information Security Management System that implements it. All human resources and personnel involved in the processing of personal data are subject to formal appointment and receive the necessary and appropriate training in this regard.

The ISMS and the Organizational Model are subject to continuous and systematic reviews and improvements, and gway s.r.l. is constantly engaged in effective maintenance of the relevant certification, based on the UNI CEI EN ISO/IEC 27001:2017 standard and compliance with the requirements of the EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data.

This policy is periodically reviewed to consider any changes in the risk assessment and, consequently, in the related treatment plan.

Rome, February 12, 2025

Management