Information Security Policy

Purpose

According to the Act on Personal Data Protection and Processing of Personal Data no. 90/2018, Hefring ehf., herewithin „Hefring“, must ensure adequate security of all personal data. This Information Security Policy describes the company's emphasis on the importance of that obligation. The company's personal data must be protected from all threats, both internal and external, regardless of whether the threats are intentional or negligent. With this policy, employees, customers and others can trust Hefring intention to safeguard the security of personal data, including for confidentiality, fairness and availability.

Scope

This Information Security Policy covers the handling and storage of all personal data in the custody of Hefring. It covers the internal operations of the company and the services that Hefring provides to its customers on shared or specific equipment, as well as all internal systems, software and hardware owned and/or under full control of Hefring. It also covers premises where personal data is processed, employees and contractual parties who have access to the pertinent data.

Objective

Hefring’s objective with this policy is to:

• Ensure that all personal data is correct and accessible to those with appropriate access rights
• Guarantee the confidentiality of personal data in accordance with applicable laws and regulations
• Protect all personal data against damage, destruction, or disclosure, whether due to intent or negligence
• Ensure that all personal data processed through Hefring’s systems reaches the correct recipient, undamaged and on time
• Ensure that risks involved in processing personal data remain within defined risk limits
• Comply with all laws, regulations, and rules concerning the processing of personal data
• Comply with all agreements to which the company is a party and which concern the protection of personal data
• Report and investigate all deviations, breaches, or suspicions of information security vulnerabilities
• Continuously work on and improve information security

Ways to Achieve the Objective

Hefring’s approach to achieving the above objectives includes:

• Maintaining records of information assets containing personal data, whether in electronic or paper form, and classifying them according to the nature and importance of confidentiality
• Regularly analyzing, through formal risk assessments, the risks that processing personal data may pose to individuals
• Managing risks related to the processing of personal data within defined limits by operating an information security management system
• Performing privacy impact assessments where processing activities are likely to pose significant risks to individuals’ rights and freedoms, such as when implementing new systems that process or store personal data
• Maintaining a quality manual with documented procedures for processing personal data
• Ensuring all Hefring employees receive regular training and education on personal data security and their responsibilities
• Ensuring all employees comply with applicable laws and regulations

Responsibility

• Hefring’s Board of Directors is responsible for this Information Security Policy
• Hefring’s CEO is responsible for the implementation and day-to-day management of the policy
• Hefring’s Data Protection Officer is responsible for ensuring that staff receive appropriate training on the security of personal data
• All Hefring employees must comply with this Information Security Policy and report any security breaches or vulnerabilities
• Employees who deliberately threaten Hefring’s information security may face litigation or other appropriate legal action

Audit

This policy shall be reviewed annually and more frequently if necessary to ensure alignment with Hefring’s objectives.

Approval

Approved by Hefring ehf‘s Board of Directors on 14.02.2023.