Exhibit C — Information Security Policy
Exhibit C (EU)
Information Security Policy
Technical and organisational measures (SOC 2 Type II)
Last update: 05/18/2026
This Exhibit C (EU) forms part of, and is incorporated by reference into, the Software as a Service Agreement (the "SSA") between Maestra B.V. ("Provider") and the Customer identified in the Engagement Letter. This Exhibit describes the technical and organisational measures implemented by Provider to ensure the security of Customer Data and End Customer Data Processed through the Services. Capitalized terms not defined in this Exhibit have the meanings given in the SSA.
1. Security Programme
1.1. Provider maintains a comprehensive information security programme designed to protect Customer Data and End Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. The programme is risk-based and is reviewed and updated periodically to reflect changes in the threat environment, technology, and applicable legal requirements.
1.2. Provider’s information security programme undergoes an annual SOC 2 Type II examination performed by an independent, qualified service auditor. The scope of the SOC 2 Type II examination covers the Trust Services Criteria for Security, Availability, and Confidentiality. Provider shall make its current SOC 2 Type II report available to the Customer on reasonable written request, subject to execution of a customary non-disclosure agreement.
1.3. Provider conducts annual information security risk analyses, annual inventories of information assets, and periodic external information security audits, in each case as part of its SOC 2 compliance programme.
2. Governance and Personnel
2.1 Policies and Procedures
Provider maintains a documented set of information security policies covering, at a minimum: access control, acceptable use, confidentiality, password management, risk management, asset management, incident response, business continuity, secure development, cryptography, supplier management, and physical security. Information-security responsibilities are formally assigned and reviewed at least annually.
2.2 Personnel Security
Provider personnel are subject to the following controls:
Signed non-disclosure obligations as a condition of employment or engagement;
Mandatory information security awareness training upon onboarding, and refreshed at least annually;
Role-based access provisioning: each employee receives only the access necessary for their role (least-privilege principle);
A formal list of positions authorised to Process Personal Data;
Documented onboarding and off-boarding checklists, including timely revocation of access on termination or role change;
A maintained register of employee acknowledgement of personal-data Processing rules.
3. Access Control
3.1. Provider implements role-based access control (RBAC) across all production systems containing Customer Data. Access to Personal Data is restricted to personnel with a legitimate need-to-know, and is logged centrally.
3.2. Authentication controls include:
Two-factor authentication for all production-system access by Provider personnel;
Protection against brute-force attacks: account lockout after five (5) consecutive failed login attempts;
Use of enterprise password-management tools;
Session tokens for application sessions; signed-link authentication for certain restricted flows;
Configurable password expiration policies in the Customer’s account, set by the Customer.
3.3. The Customer can differentiate access rights among its own Authorized Users, including by hiding Personal Data from certain Authorized Users through the Customer’s administrative interface. The Customer can also mask Personal Data from Provider support employees, and can review actions taken by Provider support employees in the action log.
4. Network and System Security
Provider implements the following network and system security controls:
Network segmentation with VLAN-level Access Control Lists between segments;
Enterprise-grade firewalls at the perimeter, with rules to filter incoming traffic and to block all unused ports;
Regular external web application vulnerability scanning;
Testing of new versions of information systems in an isolated environment prior to production deployment;
Endpoint protection (Microsoft Defender or equivalent) installed on all employee workstations;
Configuration-management and asset-tracking tools for maintaining an accurate record of systems and their configurations;
A maintained registry and annual inventory of information assets.
5. Encryption
5.1. Data in transit: All connections to the Services from the Customer and from End Customers use industry-standard transport-layer encryption (TLS 1.2 or higher).
5.2. Data at rest: All Customer Data and End Customer Data stored at rest is encrypted. The Customer can select the encryption type from the options offered in the Customer’s account configuration.
5.3. Recommended data-transfer channels for the Customer’s integration with the Services are described in the Provider’s Documentation.
6. Logging and Monitoring
Provider maintains the following logging and monitoring controls:
Centralised collection and analysis of security logs;
Logging of user and administrator activity through built-in operating system and application controls;
Logging of administrator logins and logouts;
Logging of access grants and revocations;
Audit logs available to the Customer for actions taken in the Customer’s account, including by Provider support employees acting on the Customer’s behalf.
7. Data Lifecycle Management
7.1. Data masking. Personal Data may be masked for Provider employees by default. The Customer can configure additional masking rules for its own Authorized Users.
7.2. Retention. The Customer can set retention periods for Personal Data through the Customer’s account configuration. Personal Data is deleted in accordance with the applicable retention period.
7.3. Backup. Provider performs daily backups of production data, with backup storage maintained at a separate location from the primary data centre. Backups of deleted data are retained for six (6) months, after which they are permanently deleted. This backup capability is operational and does not constitute a service-level commitment in the absence of a separately-signed Service Level Agreement.
7.4. Disposal. Decommissioned hardware and storage media are securely wiped or destroyed prior to disposal, using methods that prevent recovery of Personal Data.
8. Physical Security
Production data is hosted in third-party data centres operated by Amazon Web Services, Microsoft Corporation (Azure), and Leaseweb Deutschland GmbH, each of which maintains its own enterprise-grade physical security controls (including 24/7 staffed monitoring, biometric or badge access controls, environmental controls, and CCTV surveillance) and holds appropriate independent certifications.
In Provider’s own offices, the following physical security controls are implemented:
CCTV at office entrances;
Equipment sited in accordance with the respective manufacturers’ recommendations and applicable security regulations;
Clean desk policy, clean screen policy, and lock screen policy;
Mobile device management combined with anti-virus software and enforced updates.
9. Incident Response
9.1. Provider maintains a documented information security incident response plan. The plan defines roles, communication channels, escalation procedures, evidence-preservation requirements, and timelines for containment, eradication, recovery, and post-incident review.
9.2. Provider maintains a log of information security incidents and conducts post-incident reviews to identify systemic improvements.
9.3. In the event of a personal data breach concerning Personal Data Processed by Provider as a processor on behalf of the Customer, Provider shall comply with the notification obligations set forth in the applicable DPA (Annex 1 (EU) or Annex 2 (EU), as applicable), consistent with Articles 33 and 34 of the GDPR.
10. Supplier and Sub-processor Management
10.1. Information security obligations are incorporated into contracts with counterparties, including suppliers, sub-processors, and service providers with access to Provider’s information assets.
10.2. Provider conducts due diligence on prospective sub-processors prior to engagement, and reviews existing sub-processors periodically as part of its supplier-management programme.
10.3. The current list of sub-processors authorised to Process Personal Data on behalf of the Customer is set forth in the applicable DPA (Annex 1 (EU) Annex III or Annex 2 (EU) Annex III). Changes to that list are subject to the prior-notice procedure set forth in the applicable DPA.
11. Customer Controls
In addition to the controls implemented by Provider, the Customer can configure the following security features through its Customer account:
Two-factor authentication enforcement for the Customer’s Authorized Users;
Password expiration policies;
Differentiation of access rights among Authorized Users;
Masking of Personal Data from selected Authorized Users;
Masking of Personal Data from Provider support employees;
Selection of the encryption type for data at rest;
Retention periods for stored Personal Data;
Audit log review of actions taken in the Customer’s account.
The Customer is responsible for configuring these features in line with its own risk profile and applicable legal requirements, and for the security of any credentials, API keys, or tokens issued for use with the Customer’s account.
12. Updates
12.1. Provider may update the technical and organisational measures described in this Exhibit C (EU) from time to time to reflect changes in technology, applicable Law, and security best practices, provided that any such update shall not materially diminish the overall level of security.
12.2. Provider shall publish updated versions of this Exhibit C (EU) on its website, and the version then in force shall apply to the Processing of Personal Data under the SSA. The Customer can request a current copy of this Exhibit at any time through the Means of Communication.