KOÇZER MERKEZİ HİZMETLER VE TİCARET A.Ş. (ZER) sees corporate information as a very valuable asset. Information is crucial for the sustainability of our business activities; therefore it must be protected properly. At KOÇZER, we implement the Information Security Management System (BGYS) ISO 27001 standards to minimize the impact and the number of potential risks posed to corporate information in terms of confidentiality, integrity, and usability.
These information security principles of KOÇ ZER are binding, and apply to all ZER employees, including full-time, part-time, permanent or contracted personnel, who have access to ZER data or business systems, irrespective of their business units or geographical locations. Third-party service providers and their support personnel who are not included in the aforementioned category but have access to ZER data have to follow other specially designed security instructions and rules which include the general principles of the aforementioned policy.
The purpose of these Information Security principles and this policy is to safeguard, maintain, and manage the confidentiality, integrity, and usability of the company’s sensitive data and business support systems, and the procedures and applications thereof. This means only the authorized personnel shall have access to the sensitive ZER data; the information kept shall be full, accurate, and usable; and the information and the systems shall be accessible and usable when needed. Hence, it is the responsibility of ZER’s employees, including outsourced personnel and trainees, as well as dealers and subindustry personnel, to safeguard the sensitive information within ZER while doing their jobs. All ZER personnel are required not only to keep ZER’s sensitive information and data full, accurate, and usable but also to adopt the principles of ZER’s business ethics, and to safeguard the confidential information given in ZER Personnel Regulations. ZER is committed to taking the precautions set out in the Privacy Act and to being in full compliance with it.
The Board of Information Safety shall have the functional responsibility for this policy and all standards, as well as other supporting documentation and trainings, and the board shall also function as an advisory board, and provide guidance to ZER on the implementation of this policy.
The Board of Information Safety shall provide the appropriate training activities to raise awareness of Information Safety among all employees, and provide guidance on how to handle general information safety issues. When necessary, the board shall support this policy with detailed standards, procedures, and processes, and ensure they are ready to implement when the necessity arises. The board shall also have the responsibility of communicating the requirements of this policy to all employees, permanent or contracted, and to the contractors of the company.
The chairman of the Board of Information Safety shall have the responsibility of maintaining and preparing a general outline of management, and keeping this policy updated, and shall ensure that the policy and the principles thereof are constantly reviewed so that they cover the latest changes in the business-related threats or the risks to which the data or the information systems of ZER and its affiliates are exposed.
In addition to the property and risk updates to cover the recent risks posed to ZER data and properties, the Information Safety policies are reviewed at least once a year. The Information Safety policies are updated with the necessary additions to have control over the new risks or the changes in existing risks. Moreover, any employee of ZER may request the Board of Information Safety to modify or change any policy so that ZER can have more control over data safety when necessary. Such requests are assessed by the Board of Information Safety.
The principles set out in the Information Safety Policy should be followed and implemented in parallel with the Personnel Regulations set out by the Human Resources department of ZER. The employees are required to be aware of the company’s Information Safety Policy, and follow the principles thereof.
The managers of the units are fully responsible for taking necessary actions to implement the Information Safety Policies and supervising the system.
The Board of Information Safety is responsible for periodically inspecting the compliance with all policies, procedures, and the relevant standards, and reporting their observations to the persons in charge.
Any loss of ZER arising from any breach of the Information Safety Policy, and failure to implement the necessary security checks against the risks posed to the company, may result in jurisdiction to be exercised, and the company may claim material compensation for such losses and damages pursuant to the new Turkish Criminal Code. Furthermore, the aforementioned breach is also a violation of the Personnel Regulations of ZER, and this may result in disciplinary action. Any breach of the Information Safety Policy observed, detected, or reported may result in disciplinary actions that may be extended further to dismissal, and jurisdiction.
Working collectively to implement this policy will help us protect our sensitive data and reputation, and maintain our business achievements.
In order to protect ZER’s reputation, credibility, information property, and to maintain primary and supportive business activities with as little interruption as possible, the ZER Information Safety aims to
All ZER employees are required to support the achievement of these objectives.