Information Security Policy
1. PURPOSE AND SCOPE
The Policy provides a basis for setting and reviewing information security objectives, supports risk management practices, and ensures compliance with applicable legal, regulatory, and contractual requirements, as well as the expectations of clients and other interested parties.
2. STATEMENT
I. Optimapharm is committed to maintaining the highest standards of information security in all its business operations. The Company ensures that information assets are protected against internal and external threats, whether deliberate or accidental.
The full adherence to the following guidelines, requirements, and procedures is mandatory:
• Good Clinical Practice
• Declaration of Helsinki
• Clinical Trial EU Directives and Regulation(s)
• National legislation related to the conduct of clinical trials, non-interventional studies and medical devices studies, including safety reporting
• FDA regulations
• ISO/IEC 27001 Information Security Management Systems
• General Data Protection Regulation (GDPR) and applicable data protection laws
• National and international regulatory requirements related to data protection and information security
• Client contractual requirements regarding data handling and security
• Internal policies, procedures, and controlled documents related to information security
• Industry best practices and standards for cybersecurity and data protection
II. Optimapharm is committed to:
• Preventing information security incidents and minimizing their potential impact
• Protecting information against unauthorized access, disclosure, alteration, or destruction
• Ensuring business continuity through effective planning, maintenance, and testing
• Applying a risk-based approach for identifying, assessing, and managing information security risks
• Defining and reviewing internal and external context, as well as interested parties’ requirements, relevant to information security
• Providing appropriate information security education, training, and awareness to all employees
• Ensuring that all actual or suspected information security incidents are reported and investigated
III. Optimapharm establishes, monitors, and continually improves measurable information security objectives to enhance the effectiveness of the ISMS.
IV. Optimapharm’s President of the Management Board as well as Senior Management are fully committed to the Information Security Policy through active participation in information security management activities and leadership by example, including communicating the importance of effective information security management, promoting a culture of security awareness, risk-based thinking, and continuous improvement, and ensuring conformity with the Information Security Management System requirements and the availability of necessary resources.
3. IMPLEMENTATION
The Information Security Policy is communicated to all relevant interested parties and is available internally and, where appropriate, externally.
The President of the Management Board and the Management Board have the overarching responsibility to ensure that Optimapharm complies with this Policy. The Management Board must also regularly review the effectiveness of this Policy and encourage and empower Company personnel to participate in information security management activities through teamwork and focused task groups. All Company personnel are responsible for understanding and applying this Information Security Policy in their daily activities, protecting information assets, ensuring the confidentiality, integrity, and availability of information, and promptly reporting any actual or suspected information security incidents.
This Policy is reviewed periodically during Management Review meetings, or whenever significant changes occur, to ensure its continuing suitability, adequacy, and effectiveness.
