POLICY OF TREATMENT OF PERSONAL DATA - PHIDIAS S.A.S.

In accordance with the provisions of Law 1581 of 2012, Decree 1377 of 2013, Decree 1074 of 2015, Decree 1078 of 2015 and Circular SIC 002 of 2015, this information processing policy of Phidias S.A.S. is issued. The data of Phidias as "Responsible" for data processing, is described below:

Corporate name: Phidias S.A.S.
Tax Identification Number - NIT: 830.502.641-7
Address: Avenida 4 norte # 6N-67 oficina 706, Edificio Siglo XXI, Cali (Valle del Cauca)
Telephone: (571) 508 70 55
Personal Data Protection Officer: Angel Díaz
Email: seguridad@phidias.com.co

GENERAL DEFINITIONS
a. Authorization: Prior, express and informed consent of the holder to carry out the processing of personal data.
b. Database: Organized set of personal data that is subject to processing.
c. Personal Data: Any information linked or that may be associated to one or several determined or determinable natural persons.
d. Data Processor: Natural or legal person, public or private, who by himself or in association with others, carries out the processing of personal data on behalf of the data controller.
e. Data Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the processing of the data.
f. Data Subject: Natural person whose personal data is the object of processing.
g. Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

The personal data kept by PHIDIAS S.A.S. in its capacity as responsible or in charge of the treatment, will be treated in compliance with the principles and regulations provided in the Colombian laws in accordance with the provisions of Law 1581 of 2012 by which the General Regime for the Protection of Personal Data was issued, Decree 1377 of 2013 and other rules that complement or modify it.

PURPOSES ACCORDING TO DATABASE
Personal data held by PHIDIAS S.A.S. will be treated according to the following general purposes for each of the databases identified in the personal data protection program:

PHIDIAS S.A.S. collects data from its prospective Clients for the following purposes:
a. Maintain a history of potential customers and contact them for the offering of services and / or products.
b. Offer information through the means provided (email, landline and cell phone, physical address) related to our services, offers, promotions, partnerships, contests, training, content, etc..
c. Elaboration of statistical studies, surveys, analysis of market trends and customer needs surveys.

2. PHIDIAS S.A.S. collects personal data from its Customers for the following purposes:
a. Maintain and manage the information required to maintain the contractual and commercial relationship.
b. The remission of any type of informative communication, request for information or collection to the customer through the various channels provided by Phidias.
c. Preparation of statistical studies, surveys, analysis of market trends, satisfaction surveys on the services provided by Phidias.
d. Sending information and offers of products and services of Phidias and its potential allies, as well as carrying out marketing activities and / or marketing of services and / or products through the various commercial channels established by Phidias (service portfolio, email, phone calls, etc.).
e. Segmentation of data to offer new services or products offered by Phidias.
f. Demanding the fulfillment of contracts.
g. Validate and deliver reports of commercial, tax and corporate information.
h. Validate, legalize and constitute insurance policies, etc.

On the other hand, Phidias has the role of "Responsible" on the personal data collected by its customers (educational institutions), associated with students (minors and adults), employees, relatives, among others; and as responsible for this data, Phidias' responsibility is to protect, safeguard and ensure their safety in terms of availability, integrity and confidentiality. In no case and under no circumstances Phidias collects this information under its own name.

3. PHIDIAS S.A.S. collects data from its Selection Processes for the following purposes:
a. Maintain a history of potential employees and independent contractors to contact according to the needs of Phidias.
b. Identify you as an applicant and / or future employee or independent contractor, which may be consulted or contacted by the various means provided as fixed and cell phones, email, physical address, etc..
c. Consider applicants as candidates for current or future vacancies according to their skills and abilities, with respect to the requirements of the position requested by Phidias.

4. PHIDIAS S.A.S. collects data from its Employees for the following purposes:
a. Determine the suitability of its employees for the performance of the assigned functions.
b. To monitor their work performance.
c. Maintain evidence of contractual compliance.
d. Ensure their safety, security and access control through the use of biometric devices, video surveillance cameras and occupational health and safety systems.
e. Have control of salary, social security and parafiscal payments.
f. Generate information to control agencies that require it.
g. Comply with legal, statutory and/or regulatory provisions.
h. Establishment of the employee's contract and working conditions.
i. Evaluate the employee's health conditions according to the functions performed by the employee as part of his or her responsibility.
j. Maintain relationships and communications with former employees for future job offers, aspects of settlements after termination (if required) and validation of information in case of emergencies or requests from control entities.

5. PHIDIAS S.A.S. collects data from its suppliers of supplies and services for the following purposes:
a. Request quotes for services and products.
b. Verify the shipment and receipt of documents.
c. Update supplier and contact information within Phidias databases.
d. Request clarifications to proposals and/or services.
e. Supervise and follow up on the correct and due execution of contracts (if applicable).
f. Demand compliance with the contracts and/or delivery of products and services according to the agreed times.
g. Make reports of commercial, tax and corporate information.
h. Validate, legalize and constitute insurance policies, etc.

6. PHIDIAS S.A.S. collects the fingerprints of its employees for the following purposes (security):
a. To have control of registration of entry of employees.
b. To have physical access to the facilities of Phidias.

7. PHIDIAS S.A.S. collects data from its members of Partners and shareholders for the following purposes:
a. To make the calls to board meetings and assemblies.
b. To send relevant information for the board of directors' meetings and assemblies.
c. To register in the chamber of commerce.
d. To sign the minutes of the meetings.

DATA PROCESSING OF MINORS
Phidias can only process personal data of minors when these are of a public nature, or come from the information provided by employees or contractors at the time of their employment or provision of services with Phidias under the assumption that this is previously authorized by their representatives. The above, in accordance with the provisions of Article 7 of Law 1581 of 2012.

In any case, the treatment carried out by Phidias will always respond to and respect the best interests of children and adolescents, and will ensure respect for their fundamental rights.

On the other hand, in the case of the data of minors collected by clients (educational institutions), Phidias exercises the role of "Data Processor", and as the person in charge of this data, its responsibility is to protect, safeguard and ensure its security in terms of availability, integrity, confidentiality and privacy. In no case and under no circumstances Phidias collects this information under its own name.

Schools as "Responsible" for data collection, are responsible for correctly assigning privileges on the Phidias Academic system options in relation to access to information of students (minors and adults), employees, family members, among others, for which Phidias under its due diligence has established control mechanisms.

RIGHTS OF THE HOLDER
Any person in his condition of holder or legitimately authorized, in relation to the processing of his personal data has the right to:
a. To know, update and ratify their personal data before PHIDIAS S.A.S.
b. Request proof of authorization of treatment.
c. Be informed about the use of data when there is no prior authorization.
d. File complaints before PHIDIAS S.A.S. or before the control body (SIC).
e. Revoke the authorization and / or request the deletion of any of your data as long as the holder has no legal or contractual duty to remain in the database.

PETITIONS, COMPLAINTS AND CLAIMS
For the exercise of habeas data, the owner of the personal data or whoever demonstrates a legitimate interest as indicated in the current regulations, may do so through the only channel provided by PHIDIAS S.A.S. through the email "seguridad@phidias.com.co" establishing as the title of the message "Protection of personal data", which will be attended and managed by the Information Security Officer and Protection of Personal Data in conjunction with the legal representative.

The person exercising the habeas data must accurately provide the contact information requested in order to process and attend to his request and to deploy the charges for the exercise of his rights.

Upon receipt of the request to exercise habeas data, PHIDIAS S.A.S. will respond within the legal term of fifteen (15) working days, which may be extended for eight (8) additional days, prior communication to the person who has exercised this right.

The processing of personal data carried out by PHIDIAS S.A.S. according to this policy, will be based on the rules, procedures and instructions adopted by this company to comply with the legislation applicable to the protection of personal information.

PRINCIPLES FOR TREATMENT
PHIDIAS S.A.S. has established as part of its policy for the treatment of personal data the adoption of the following principles as established by the Law 1581 of protection of personal data.

a. Principle of legality: The treatment given to personal data is adjusted to the parameters established by Law.
b. Principle of purpose: The personal data processed by PHIDIAS S.A.S. will be used only for the purposes described above.
c. Principle of transparency: The controller guarantees the rights of the holder at any time and without restrictions in this way is of great importance to clearly inform the data that are collected and the treatment of them.
d. Principle of security: The information subject to treatment by PHIDIAS S.A.S. has the measures required by law according to the quality of the data and in order to prevent tampering, loss, consultation, use or unauthorized or fraudulent access.
e. Principle of confidentiality: All persons involved in the processing of personal data are obliged to ensure the confidentiality of information, even after the end of their relationship with any of the tasks that comprise the treatment, and may only make provision or communication of personal data when it corresponds to the development of the activities authorized by law or by the owner of the data.
f. Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.
g. Principle of restricted access and circulation: The treatment is subject to the limits derived from the nature of the personal data, the provisions of the Law and the political constitution. In this sense, processing may only be carried out by authorized persons. Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to owners or authorized third parties in accordance with the Law.

SECURITY MEASURES
The security measures adopted by PHIDIAS S.A.S. on their databases comply with those provided by law, in order to ensure proper treatment of information and minimize the risk of unauthorized access, modification, deletion, loss and / or misuse of personal data, and thus protect its integrity, availability and confidentiality.

Likewise, the company has adopted security measures related to the implementation of a Comprehensive Personal Data Protection Program (PIPDP) based on the principle of demonstrated responsibility; as well as an Information Security Management System (ISMS) based on the ISO27001 international standards and the NIST cybersecurity framework, which is made up of a compendium of security controls that cover and seek to secure the company's information assets and the life cycle of the data, from its collection and storage, to its transfer and disposal.

DUTIES OF THE DATA CONTROLLER (PHIDIAS S.A.S.):
a. Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data.
b. Request and keep, under the conditions provided for in this law, a copy of the respective authorization granted by the Data Subject.
c. To duly inform the Data Subject about the purpose of the collection and the rights he/she has by virtue of the authorization granted.
d. Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
e. Guarantee that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable.
f. Update the information, communicating in a timely manner to the Data Processor, all developments with respect to the data previously provided and take other necessary measures to ensure that the information provided to it is kept up to date.
g. Rectify the information when it is incorrect and communicate the pertinent to the Data Processor.
h. To provide to the Data Processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of this law.
i. To demand from the Data Processor, at all times, respect for the security and privacy conditions of the data subject's information.
j. To process the queries and claims formulated under the terms set forth in this law.
k. Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for the handling of queries and claims.
l. Inform the Data Controller when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed.
m. Inform at the request of the Data Subject about the use given to his/her data.
n. Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the data subject's information.
o. Comply with the instructions and requirements given by the Superintendence of Industry and Commerce.

VALIDITY OF THE POLICY
This document updates the existing policy and is effective as of September 9, 2021. The personal data stored, used or transmitted remain in PHIDIAS S.A.S. databases for the time necessary for the purposes mentioned in this policy.

UPDATES TO THE POLICY
September 9, 2021: Restructuring of the policy, recording the databases of personal information existing to date and their purposes, aligned with the life cycle of the data.