This Policy applies to all employees, interns, trainees, temporary workers, suppliers, customers and third parties linked to Regnier.

3.1. PSI

Information Security Policy.

3.2. Remote Access

A feature that allows the user to access the IT environment (networks, systems, etc.) while away from the company, from any location, using specific software/services.

3.3. Collaborators

Executives, employees, trainees, apprentices and temporary workers who have a relationship with Regnier.

3.4. Confidentiality

Guarantee that access to information is obtained only by authorized persons.

3.5. Availability

Ensuring that authorized users have access to information whenever necessary.

3.7. Information

Data that, after being processed or organized, produces facts with a comprehensible meaning. It is an asset and, like any other important business asset, has value to the organization.

3.8. Integrity

Guarantee of accuracy and completeness of information and processing methods.

3.9. Computing Resources

Computers, Notebooks, Tablets, Smartphones, Printers, Information Systems, Network Drives, DBMS, E-Mail (Electronic Mail), Internet, Intranet and the like.

3.10. DBMS

Database management systems.

3.11. Software and Shareware

A concise or limited-time version of a program intended for sale, giving the customer the option to try it before purchasing.

3.12. Freeware software

A free program that allows users to use it as long as they do not sell it. IT: Information Technology.

3.13. Users

All those who use information technology resources, and are therefore responsible for the knowledge and application of this PSI, including Regnier Employees, including all outsourced service providers who need to access Regnier's Computing Resources.

3.14. Normative User

User responsible for the functionalities, data and information of one or more Regnier systems, who is responsible for the prior approval of improvements to be made to the system under his/her responsibility, as well as for the classification, definition of the user profile and the type of access to information.

3.15. Key User

User responsible for managing the access profiles of their business area or internal processes in which they are involved.

3.16. Support Level

Privilege granted to managers by the Human Resources department and known within the organization that defines the limits for the purposes of approving administrative acts related to the management of their areas.

4.1. IT Manager

Authorize testing to verify the security level of the Regnier environment.

4.2. Collaborators

An employee is any and all individuals, whether employed under the CLT (Consolidation of Labor Laws) or providing services through a legal entity or otherwise, who perform any activity within or outside of Regnier. Each employee will be solely responsible for any loss or damage they may suffer or cause to Regnier and/or third parties as a result of failure to comply with the guidelines and standards set forth herein.

4.3. Temporary and/or Outsourced Employees

They must understand the risks associated with their special status and strictly comply with the provisions of the approval granted by the Information Security Committee. The approval may be revoked at any time if it is determined that the business justification no longer outweighs the risk associated with the exceptional status or if the employee who received it is not meeting the conditions defined in the approval.

4.4. Process and People Managers

Maintain an exemplary approach to information security as defined in this policy, serving as a role model for employees under your management. Assign employees, during the hiring and formalization of individual employment, service, or partnership contracts, the responsibility for complying with Regnier's ISP. Require employees to sign the Commitment and Acknowledgment Agreement, assuming the duty to follow the established standards and committing to maintain secrecy and confidentiality regarding all Regnier information assets, even when leaving the company. Before granting access to Regnier information, require casual employees and service providers who are not covered by an existing contract to sign a Non-Disclosure Agreement, for example, during the proposal gathering phase.

Adapt the standards, processes, procedures and systems under your responsibility to meet this PSI.

4.5. Normative User or Key User

• Authorize the release of access rights compatible with the functions performed by users, through differentiated access profiles;
• Periodically review the access granted to the resources for which you are responsible, and may request the removal and/or readjustment of profiles for users who already have access, as well as readjustment of the permissions of the profile itself (without the need for management approval).

4.6. Normative User

Approve improvements, their classification, define user profile and the type of access to this information in the systems under your responsibility.

4.7. IT Analyst

Approve the sending of a copy of the system (programs, screens, sources, etc.) in response to any necessary demand, except for the purposes of external auditing of financial statements;

Authorize and ensure the recording of interventions made by IT in the following processes, through specific access profiles:

• In controlling the flow of electronic tax documents (NFe, CTe, MDFe, etc.) between Regnier's systems and the different State Finance Departments and vice versa, ensuring that the flow of information exchange occurs between the different environments;
• In messages exchanged between systems, which includes but is not limited to ERPs and/or automation systems, ensuring that the flow of information exchange occurs between environments;
• Execution of archiving processes (removing data from production bases and taking them to another platform integrated with the ERP):
• Record keeping in system configuration tables.

5.1. General Principles and Definitions

• Information Security is everyone's responsibility. Likewise, it must be reflected in habits, attitudes, responsibilities, and constant care when using, requesting, and approving resources.
• The IT area is responsible for maintaining and promoting the implementation of this Policy, as well as guiding users on the information security precepts to be observed by all employees, with greater or lesser integration with the rest of the organization;
• The use of information and computing resources must always be compatible with ethics, confidentiality, and the purpose of the activities performed by the user, following standards and procedures defined by Regnier, to guarantee the availability and performance of applications;
• The connection of third-party equipment to Regnier's network will only be permitted if it does not present a risk to the corporate environment and is in accordance with the Company's policies applicable to other equipment;
• Improper use of computing resources may result in suspension of access, must be notified to the Information Security area and, if necessary, the internal investigation team may initiate an investigation regarding this non-compliance;
• Any violation of any of the guidelines and directions expressed in this policy may result in appropriate disciplinary measures, as well as internal investigations, and will subject the user to administrative penalties and those provided for in civil, labor and criminal legislation.

5.2. Information Security Management

• All employees are responsible for the security of the Company's information;
• Each Regnier manager is the Regulatory User of the information within their authority domain and can delegate the functions of granting access rights/approval of changes to systems and other IT resources. To do so, they must formalize these delegations by submitting a request to the IT Manager.

5.3. Physical Security within Regnier facilities

• For the movement of equipment that is part of the basic structure of the company's computing environment (servers, routers, switches, hubs, controllers, printers, optical and magnetic backup media, etc.), it is mandatory for the requesting employee's manager to request authorization from the IT manager.
• Data Processing Centers (DPCs) must have risk prevention devices such as physical access control, fire control, smoke control, and others. It is the IT Manager's responsibility to define these protection devices, considering regional characteristics and the criticality of the
  information and technological resources involved.

5.4. Logical Security

• It is the responsibility of the IT Department to require that all logical environments (operating systems, DBMSs and information systems) have their access restricted by passwords, in compliance with the guidelines described in this Policy, except in situations where there are prohibitive technical restrictions;
• Every program or transaction developed or acquired for execution in the Regnier environment must meet the security requirements defined in the development standard document. Exceptions must be handled jointly by Regnier's IT departments and Management.
• No personal password may be stored in the source code of programs, nor in files or tables intended for other purposes. Specific tables/files for storing passwords must be stored securely using encryption;
• Note: Access—even for simple queries—to password files or tables will not be permitted under any circumstances to any employee. Such restriction must be provided by security mechanisms (e.g., encryption, database access restrictions, etc.).
• Any access account that has not been used for more than 45 days may be disabled without prior authorization from the owner or their Manager, in order to free up physical resources and/or allocated software licenses. The exception to this rule is for management and/or board members, who will be contacted before the resource is disabled;
• From 45 days after the date of termination, users may have their access deleted, without the need for prior approval;
• It is prohibited to uninstall software and/or hardware on user stations that are used to perform physical and logical control of available resources;
• Only resources approved and authorized by the company will be permitted to be used, provided they are individually identified, inventoried, with up-to-date documentation, and comply with applicable legislation. Therefore, any user who exposes the company to legal sanctions by using unapproved software, regardless of its classification (shareware, freeware, demo, etc.) without the support of the respective licenses, is subject to disciplinary measures, as well as internal investigations, and the sanctions provided for by law.
• In the case of standard access accounts that cannot be deleted or changed, the standard passwords (which come with the product) must be changed immediately after the system and/or environment is made available, without any specific request to do so;
• The existence of Security and infrastructure documentation for the implementation of information systems is mandatory, in accordance with the current methodology, and they will not be implemented if they bring weaknesses that compromise the Regnier environment;
• Only duly authorized users with justification may be administrators of their respective workstations.

5.5. Password Creation and Use

All systems in the Regnier environment must meet the requirements below, except in cases where technical impediments occur (e.g., legacy systems), duly justified by the IT analyst and/or responsible manager.

• The following criteria will be adopted to generate passwords:
• Minimum length of 8 characters;
• They can never be null or blank;
• Never visible on the screen where they are informed for update;
• Minimum of 2 numeric digits;
• Minimum of 2 alphabetic characters;
• Prohibit the reuse of the last 5 (or more) passwords used;
• Being blocked after 5 consecutive and unsuccessful access attempts.
• All individual passwords will expire every 90 days at most. Additionally, all initial passwords will be created with an expiration date and must be changed upon each user's first login.
• Personal passwords can be changed by the user, regardless of their expiration date. However, they must not be changed more than once in a single day;
• No employee may use their hierarchical or functional superiority over another to determine or force them to share their individual access password with anyone.
• Sharing individual passwords is prohibited at all levels of the organization. Likewise, opening an authenticated connection to allow someone else to use it is prohibited. Under no circumstances may a user share their individual password. Once detected, such activity will be duly reported to Regnier's Board of Directors.
• Any attempt to *crack* (try to discover) another person's individual access password, or even to invade environments or systems whose access is denied, will be notified to the Ethics Committee and may result in appropriate disciplinary measures, as set out in the Company's Code of Ethics, as well as in internal investigations;
• It is everyone's duty to keep their authentication passwords confidential, as well as to choose strong passwords that make it difficult for someone else to easily discover them;
• Exceptions to these minimum security requirements must be approved and validated by the IT Department in conjunction with the Board of Directors.

5.6. Access Security

• Each person's access account and password are unique, individual and non-transferable, being recognized as equivalent to their signature and representing the level of delegation granted for the performance of their functions;
• External access to company resources (remote access by employees, third parties, suppliers, customers and other cases that may arise) will only be granted upon prior authorization through corporate technical solutions approved by Regnier;
• Internet access is only permitted through the corporate security system. Direct Internet access through external providers while connected to the corporate network is prohibited;
• Any interconnections between networks (physically and/or logically) involving automation and/or information processes should only occur using corporate solutions defined by the IT area, in order to guarantee the availability, integrity and confidentiality of the environments.

5.7. Access Control

• The IT department must ensure that no employee or service provider obtains access rights without proper approvals;
• The Human Resources department, in conjunction with the IT department, will define a standard for user identification. This identification will be used to uniquely associate each access right with the person who holds it;
• Access rights compatible with the roles performed by users will be granted through differentiated access profiles. These profiles aim to restrict available data and operations, and their definition will be carried out in conjunction with Regulatory Users.

5.8. Segregation of Environment and Functions

The IT Area must ensure that all information systems adhere to the following guidelines:

• IT processing environments must keep the production environment segregated from others;
• In the Production environment, IT Area users and service providers who perform support activities may only have consultation access, except for exceptions that must be authorized directly between the management involved, the IT Area and the Board of Directors;
• Access to change databases in production environments will be granted solely through information systems. Any type of direct access is strictly prohibited. In extreme cases where authorization is required, the requester's IT Manager and the Board of Directors will jointly approve the changes, with the latter having veto power.
• Changes to Regnier's production computing environment must be carried out in accordance with the change management processes approved by the respective managers.

5.9. Intellectual Property

All systems, IT projects and/or configurations developed to meet the company's needs and interests are the sole and exclusive property of Regnier, and may only be transferred or sold with the approval of the IT Area and the area responsible for the system.

5.10. Audit and Investigation

• All users must be aware that the information stored in Regnier's technological resources belongs to Regnier and may be monitored at any time without prior notice;
• Internal Audit and Investigation may access any information stored in the logical environment (operating systems, DBMSs, and information systems). If any activity that could compromise the security of the IT environment is suspected, the Board of Directors may request an Audit and Investigation procedure, which may investigate and monitor any user's activities on demand, in addition to inspecting their files and access logs whenever deemed necessary.
• Systems must be developed or acquired with the aim of having audit trail resources, and these must be protected against unauthorized access and must contain at least the following information: User identifier, date and time of the operation, operation, changed data.

Privacy Policy

Jérémy Matioszek
General Director – Brazil