General Data Protection Regulation

Internal Regulation for the Use of Information Resources and Services

This document contains the internal policy of “KIND, S.A.”, with the aim of guaranteeing that all employees and any other authorized Users (hereinafter, the “User”) use in an adequate, correct, responsible and lawful manner the technological resources and services made available to them as necessary and/or convenient work tools for the professional development of their daily work.

The objective scope of this regulation includes, by way of example and not limitation, the use of central services, remote access terminals, desktop equipment, laptops, telephones, fax(es), mobile phones, software, Internet and Intranet (including, the use of e-mail accounts, access to databases, information, etc.).

KIND understands that all of them are tools for strictly professional use, and therefore its object is to maintain productivity and to carry out the assigned tasks as efficiently as possible so as to achieve the professional goals established by KIND’s managers. Thus, all resources and services made available to the KIND User may only be used in carrying out assigned work; their use for non-professional purposes and, in general, for any purpose other than the work and professional activity that the authorized User must carry out is not permitted.

Article 1

Definitions

For the purposes of this regulation, the following definitions are adopted:

IT Services

The IT Services are an organic unit, formal or not, of KIND, whose function is to provide the IT infrastructure and services necessary for the operation and management of KIND, according to the principles of independence and equitable treatment enshrined in the Constitution of the Portuguese Republic (Article 35) and the Data Protection Law in force.

The IT Service is responsible, in particular, for the management and maintenance of existing IT resources and their connection to the outside, support for Users in the use of available IT resources, as well as the promotion of continuous improvement and the quality of IT resources.

By way of example and not limitation:

Access information in computer systems, performing maintenance services, backups, management of emails, software and systems, maintaining and protecting the confidentiality of any information;

Remotely access information systems from any location outside the workplace, at any time, as long as it is for maintenance and technical support functions for users;

As informed professionals, encourage the adoption of relevant policies and laws consistent with these ethical principles;

System Administrator

Person or people with competences attributed by legislation that regulates IT careers, cumulatively with the functional requirements of the career at KIND.

Information systems manager

The person in charge is designated by the management team to coordinate the IT Service.

Employees with a contractual relationship with KIND, or made available by bodies or entities of the central administration or in collaboration, regardless of the legal regime to which they are subject, service providers that, in any way, are allocated in the provision of services, under contract and employees in general who, directly or indirectly, use KIND’s information systems for the development of their professional activities;

Log Records

Describes the process of recording relevant events in an information system, usually in a log file that can be used for auditing and diagnostics. This log can be used to restore a system to its original state or to let an administrator know how systems have behaved in the past.

Responsible for data processing

Natural or legal person, the public authority, agency or other body that, individually or jointly with others, determines the purposes and means of processing personal data.

Digital information that may be of a strategic, technical, financial, legal, human resources, or any other nature, regardless of whether or not protected by confidentiality rules, provided that it is stored and/or handled in the technological infrastructure of the KIND and which constitutes its heritage;

Article 2

Scope

The present Regulation of Use and Security constitutes a set of rules of use and rules of information security in order to enable the processing, sharing and storage of KIND information, through the use of its technological infrastructure.

Users are responsible for respecting the rules, norms and procedures established in these Regulations.

Article 3

IT Service Purposes

KIND’s IT Service will supervise users’ compliance with the rules of the Regulation.

The IT Service is responsible for adopting technical measures that guarantee the creation of the indispensable technological environment for the implementation of security standards, for the analysis of all infractions committed by users (voluntarily or involuntarily) to this regulation, and must adopt the technical measures necessary to eliminate non-compliance, as well as to alert superiors to irregular and voluntary procedures of users with a view to taking appropriate corrective measures.

The IT Service is responsible for clarifying doubts, providing guidance, expressing opinions or suggestions, whenever contacted by users.

The IT Service is responsible for following up on any situations of violation of the present regulation or others that are reported to them.

Article 4

Passwords and access keys

Passwords and access keys are means used by Users and Administrators to safeguard the confidentiality of the information available on their equipment and systems.

The IT Service and, specifically, the System Administrators will hold the passwords and administration keys.

The User undertakes to make diligent use of the passwords and access keys assigned and to keep them confidential, assuming responsibility for any activity that takes place through their use.

The User must inform the IT Service immediately after any loss or suspicion of unauthorized access by third parties to passwords and access keys.

If the User suspects that another person knows his/her identification and access data, he/she must proceed with the immediate change of the same or communicate the fact to the IT Service, so that it allows him/her to immediately generate new key(s).

In the event of a temporary leave or absence of the User, or in the event that the User cannot access the assigned equipment and systems (when the User is not at the place where they are located or has no possibility of accessing them remotely), the User may, in writing and indicating the purpose, allow the IT Service to change the password and keys in order to access the system.

The use of encryption techniques that are not authorized and/or not provided by the IT Service is prohibited.

Article 5

Equipment and systems

The IT Service makes available to its workers technological resources, namely equipment (hardware) and licensed computer programs (software).

The User may not install and/or run any software other than that provided or authorized by the IT Service.

The use of unlicensed software is an unlawful conduct that can lead to serious criminal and civil liabilities, in addition to putting at risk the computer equipment and the information contained therein.

If the User needs additional software for the performance of their tasks, they must submit a reasoned request to their immediate supervisor who, after consideration, will submit it to the person responsible for the IT Service for consideration.

The User must use the equipment and computer systems made available to them without engaging in activities that may be considered unlawful or illegal, that infringe or may infringe the rights of KIND or third parties, or that jeopardize the security and stability of the equipment and systems, as well as the information contained therein.

Activities that constitute an infraction provided for in the legislation in force are expressly prohibited, namely:

Access, read, delete, copy or modify the e-mails or files of other Users, except with the consent of the owner depending on specific circumstances;

Access restricted areas of the computer systems, of other Users or of third parties;

Destroy, alter, disable or in any way damage the data, programs or electronic documents of KIND, its Users, or any third parties.

Distort or falsify system LOG records;

Increase a User’s level of privileges on the system;

Decrypt keys, encryption systems or algorithms and any other security element that intervenes in KIND processes;

Voluntarily or involuntarily obstruct the access of other Users to equipment and systems by the massive consumption of computer resources, as well as carrying out actions that damage, interrupt or generate errors;

Introduce or propagate programs, viruses, applets, ActiveX controls or any other logical device or sequence of characters that cause or are likely to cause any type of change in the entity’s or third party’s computer systems.

Introduce, download from the Internet, reproduce, use or distribute computer programs not expressly authorized by the IT Service or any other type of work or material whose intellectual or industrial property rights belong to third parties, when authorization is not available for that purpose.

Install illegal copies of any program, including standard ones, and delete, eliminate, modify or alter any of the legally installed programs.

Install software or applications of any kind whose license has been acquired by KIND, on equipment other than those provided for this purpose (which includes, by way of example, the User’s private equipment or devices).

The User is responsible for any alteration or installation carried out on the equipment provided with open access which, by their nature, lacks administration privileges.

The User is not allowed to run applications whose purpose is remote access by third parties to KIND’s infrastructure.

The User wishing to remotely access the KIND infrastructure will have to request the corresponding access to the IT Service.

The User is not allowed to copy, alter or delete files that have been created by third parties, without the prior consent of their author or KIND.

KIND’s equipment and systems may not be used to transmit or store content outside the scope of its professional activity without prior written consent.

The User must inform or alert the IT Service whenever they detect any type of abnormal activity or behavior of the available resources, namely security issues and/or outdated systems, whether it involves taking advantage of security flaws or simple trial-and-error password guessing.

Article 6

E-mail

The IT Service may make available to the User, depending on his work responsibilities, an email account of KIND.

The User must use e-mail on behalf of KIND for work purposes only.

Whenever an email, due to its content or attachments, is relevant for the purposes of a process or contains relevant information, the User must record the email received, sending it to a work folder defined for that purpose or processed by the document management service.

The User must respect the graphic appearance of the email, using the signature approved globally by superiors.

The User must not send, distribute, make known and communicate confidential or classified information.

The transmission of e-mails whose content is illegal, defamatory, obscene, offensive, denigrating or immoral is prohibited.

Once a User’s collaboration with KIND has ceased and after communication with the competent services, the User’s email account will be deactivated or closed, and an automatic message may be generated.

The IT Service may maintain, but is not obliged to do so, a backup of the email of closed accounts.

The delivery and reception of e-mails is not guaranteed, as it depends on technical factors outside the IT Service, namely, full destination mailbox, various operator problems, spam boxes.

In case of absence or impediment, the User must activate the out-of-office automatic message mechanism, or forward the email to another active KIND account, in order to ensure the normal functioning of the services.

Article 7

Internet access and use

KIND provides the User with Internet access, depending on the work responsibilities or tasks assigned to them.

The Internet is a work tool for strictly professional use.

KIND is not responsible for the content that its Users view and/or download from the Internet. The User is aware that the Internet is a worldwide network with contents that may be illegal, offensive or in general inappropriate.

Without prejudice to the provisions of the previous paragraph, and with all traffic subject to automatic monitoring and filtering, browsing on websites in the following categories is blocked, except where access arises from, or is needed for, the functions performed by the User in question:

Pornography; File sharing (e.g. peer to peer); Terrorism; Drugs; Hackers and any type of computer piracy; Games; Violence and aggression (racism, xenophobia, etc.); Video and Audio; Music online;

Others that are considered inappropriate for the User’s functions.

The IT Service automatically monitors and controls information systems and technologies, and other means, validating that the necessary security measures are complied with at all times.

KIND is not responsible for the content of a non-professional nature that Users send to others, reserving the right to carry out control and disciplinary measures.

No software, executable file or database that is downloaded from the Internet or received by email or through any physical medium (CD, USB Pen…), even if necessary for the performance of professional tasks, can be installed on a terminal or device owned by KIND without first confirming with the IT Service that it is duly licensed and virus-free.

KIND may limit the use of removable storage devices such as USB sticks, CDs and so on.

Article 8

Use of Information

In the event that, for reasons directly related to the function performed, the User accesses personal data incorporated in the files, he must treat them, solely and exclusively, in accordance with the scope of authorization expressly communicated by KIND, i.e., the purpose for which they were collected.

The User must not use personal data for illicit purposes or effects, prohibited or harmful to the rights or interests of third parties, or contrary to the purposes for which they were collected.

In these terms, it is expressly prohibited for the User to access or process personal data for which he has not obtained express authorization from the data controller. The User cannot create any database with personal data, without this being previously authorized and framed by the data controller.

The identification of the person responsible for processing the data will be disclosed after designation by the executive.

Any questions about the protection of personal data and the exercise of any rights relating thereto should be addressed to the data controller.

Article 9

Control and Supervision

In everything that does not violate the Law, KIND reserves the right to control and supervise, without prior notice, the correct and lawful use of resources and devices by Users, and specifically, compliance with the regulation, preventing activities that may affect KIND.

Any violation of the rules provided for in this regulation will be punished under the legal terms.

Article 10

Responsibilities

If KIND is obliged to compensate a third party for damages caused by a User, KIND will have the right of recourse.

The provisions of the previous number do not affect the application of disciplinary sanctions.

Article 11

Implementation

This regulation enters into force on 1 June 2018.