Policy for Quality, Environment, and Information Security

In order to ensure the utmost satisfaction of its customers and, more broadly, all stakeholders, the management of ABSTRACT S.R.L. (hereinafter referred to as Abstract) has defined this "Quality, Environment, and Information Security Policy," placing it within a broader corporate strategic vision.

Already certified for quality according to the UNI EN ISO 9001:2015 standard in the field of "Providing business support and consulting services, product development, installation of proprietary and third-party packages, integration of solutions, IT assistance and maintenance services," Abstract has decided to adopt and maintain an active Integrated Quality, Environment, and Data Security Management System in compliance with the UNI EN ISO 14064-1:2019 and UNI CEI ISO/IEC 27001:2014 standards.

Abstract believes that the adoption of an Integrated Management System is a cornerstone of its strategy and promotes commitment at all levels of the organization. Moreover, recognizing its leadership role, Abstract disseminates and supports the commitment to meet the requirements of the Integrated Management System and continuously improve its effectiveness, sharing its importance with all collaborators through effective communication actions and constant preventive checks to maintain the security of all data and information, both internally and as part of the customer service.

The strategic principles underlying the Integrated Quality, Environment, and Data Security Management System are as follows:

• Continuous commitment to ensuring the security of both internal and customer data and information, as well as other stakeholders;

• Strong environmental sensitivity;

• Supporting the customer to ensure that product requirements, both specific and mandatory, are met and lead to full user satisfaction;

• Ensuring availability and prompt resolution of potential incidents that may threaten the service in terms of business continuity and information security;

• Maintaining absolute rigor in identifying potential risks related to the service through continuous monitoring for the quality and security of information via Internal Audits and Management Review;

• Systematic management of activities through continuous monitoring of work status;

• Maintaining, following the review of information security risks, full compliance with company procedures, instructions, policies, and directives to ensure the system's full conformity to standards, laws, regulatory requirements, and contractual obligations related to security;

• Providing a high-quality standard with added value.

Abstract's employees are required to adhere to the Integrated Management System and the procedures it refers to in the execution of their activities, achieving the assigned objectives. To this end, the management of Abstract plans and implements ongoing activities to involve, train, and update personnel at all levels, with particular attention to compliance with set standards.

Abstract, in carrying out its activities, commits to observing the "Quality, Environment, and Information Security Policy" (Integrated Policy). The commitments of the Integrated Policy are translated into a plan of defined, measurable, and appropriate objectives for the various levels of the organization.

These objectives are based on the following principles:

Customer Focus

By maintaining a direct, honest, and transparent relationship aimed at building a partnership rather than just providing a service, constant attention is given to the needs of customers, even interpreting unexpressed needs;

Leadership

Recognizing that people are our strength and the key to our success, each individual is a leader of themselves and/or the team they manage;

Active Participation of People

Abstract's commitment is constantly directed at enhancing its collaborators who, with competence and professionalism, represent the main "critical success factor" for the company. The individual growth of Abstract's collaborators is the driving force for the overall growth of the company;

Risk and Opportunity Assessment

Abstract plans its processes with a "risk-based thinking" approach to implement the most suitable actions to assess and treat risks associated with business processes, data and information security, and the environment. It aims to exploit and strengthen identified opportunities and promote a proactive sense of risk and activity management at all levels;

Process Approach

Following a logical path that originates and evolves with our experience, we offer services and products that meet customer needs and are "scalable and adaptable" to changes;

Improvement

Applying an indispensable mental approach, starting from awareness of what we do, how we do it, and what we want to do. The constant improvement of each of us is the path that leads to the improvement of the service and customer satisfaction. Abstract has identified, in the organization's process approach and the implementation of an Integrated Management System in accordance with international standards ISO 9001, ISO 27001, ISO 14064, one of the main approaches through which to pursue its values, its Integrated Policy, and the resulting objectives;

Reduction of Environmental Impacts, Carbon Footprint

Sustainable approach to the consumption of natural resources and attention to waste to safeguard the environment. Monitor, calculate, quantify, and obtain certification of GHG emissions and assess the Carbon Footprint within the organization in accordance with the UNI EN ISO 14064-1:2019 standard.

To achieve improvement objectives, Abstract has decided to take actions aimed at reducing GHG emissions as much as possible, including the adoption of a sustainable consumption model.

Furthermore, Abstract foresees contributions to social and environmental activities through the training and awareness of its personnel and participation in specific initiatives. In terms of environmental attention and environmental sustainability, Abstract's top priority is to ensure that its activities have an increasingly reduced environmental impact.

This process, included in our Integrated Policy, is centered on the following main commitments:

Selecting sources and GHG emissions

Defining data and methodologies suitable for the needs of stakeholders and including all relevant GHG emissions;

Information

Allowing a meaningful comparison of related information, disclosing sufficient and appropriate information on GHGs to enable stakeholders to make decisions with reasonable confidence;

Improvements

Establishing a system to raise awareness among all personnel and third parties to reduce uncertainties as much as possible, encouraging behavior by all Abstract members that is particularly environmentally conscious. This leads to a reduction in emissions;

Data and Information Security

Information Security Management is of fundamental importance, with the primary goal of protecting data and information to safeguard the assets represented by company knowledge, that of its clients, stakeholders, and to protect the individuals whose personal data is involved. To this end, it commits to taking actions and behaviors aimed at preserving them.

Abstract's Integrated Information Security Policy defines and organizes the confidentiality of information, computer integrity, and manages all related aspects, from technical to management and business, including the confidentiality and availability of data.

The entire internal and external organization to Abstract is required to respect and apply the Integrated Policy and consequently the Data and Information Security Management System within the scope of the activities performed and services provided.

With specific reference to data and information security, Abstract considers the following principles essential:

Integrity

To safeguard information and data from possible unauthorized modifications or deletions due to errors, intentional actions, or system malfunctions.

Confidentiality and Privacy

To ensure that information and data are accessible only to authorized individuals and processes and are not made available to unauthorized persons or entities. Confidentiality and safeguarding of intellectual property. Ensuring the protection and control of personal data.

Availability

Ensuring that authorized individuals have access to data, information, and reference systems when requested, thereby safeguarding the entire data and information asset by ensuring its correct access, use, and confidentiality and reducing associated risks (tampering, data theft, etc.).

Control

Ensuring that data and information management always takes place through secure processes and tools. Commitment to selecting reliable suppliers and partners from the standpoint of information security management and the protection of personal data.

Legislation

Compliance with current national and international laws and regulations.

Information and Training

Adequately informing and training the organization and third parties, ensuring that everyone is fully aware of security issues, obligations, and responsibilities in managing information security and the consequences in case of intentional or unintentional events related to unauthorized use, modification, or destruction of critical information.

Evidence-Based Decision Making

Our agile and lightweight corporate structure allows us to easily share and make information evident. The management also commits to making resources and means available for achieving the objectives and goals set, in terms of competence development, equipment, information, and economic resources, constantly monitoring their adequacy.

Regular audits of the Integrated Management System are conducted to verify its implementation and effectiveness in achieving objectives and to plan any corrective and improvement actions. Abstract commits to reviewing the adequacy of the Integrated Policy at least once a year and providing indications on any corrections and/or improvements to be made to its structure.

Abstract is committed to ensuring that the Integrated Policy is communicated, respected, and understood for its application by personnel and relevant stakeholders. To this end, the management has decided to periodically review and, when necessary, publish and make company information available through the company intranet, emails, weekly meetings, online through MS Teams, and on the company's website.

To promote the dissemination and understanding of the Integrated Policy, the management constantly seeks to involve functional managers to spread awareness of the individual's role in the organization."