INSOFTAR SAS DATA PROTECTION MANUAL AND POLICY

INTRODUCTION

Through this document, INTELLIGENT SOFTWARE ARCHITECTURE SAS - INSOFTAR SAS, which for the present document and hereinafter will be called THE COMPANY, establishes the Data Protection Manual (DPM), in keeping with the development of its corporate purpose, the services it provides and the users of those services.


The mere use of THE COMPANY or of any of the services that it puts at your disposal is considered an express acceptance of each of the clauses found below. If you do not agree with the use granted or the service offered, please refrain from using or requesting the provision of the services that THE COMPANY offers you.


This document is linked to the general terms and conditions of operation of THE COMPANY, which is why they form an integral part of its operating policies.


For all legal purposes, the party responsible for providing the service is INSOFTAR SAS, a commercial company domiciled in the city of Bogotá DC in the Republic of Colombia, identified with NIT No. 900.571.314-1, hereinafter THE COMPANY. If there is an inconvenience, doubt or suggestion related to THE COMPANY or this Data Protection Manual, you can send an email with the request and contact information to: soporte@insoftar.com

1. SCOPE

The COMPANY's Policy will be applicable to all Databases and / or Files that contain Personal Data that are subject to treatment by us.

2. REGULATORY FRAMEWORK

The present document is based on Law 1581 of 2012, through which the General Regime for the Protection of Personal Data was issued, as well as the decrees and external circulars that regulate the norm indicated in the previous paragraph and Constitutionality Judgment C-748 of 2011 by which the Draft Statutory Law for the Protection of Personal Data was declared enforceable.

3. DEVELOPMENT OF THE POLICY

THE COMPANY integrates in all its actions respect for the protection of personal data, which is why, from the entry of the data, it will request authorization for the use of the information it receives.


THE COMPANY ensures compliance with the principles established in the law and will attend to the purposes derived from them in its actions and handling of personal data information.


THE COMPANY will implement the strategies and actions necessary to give effect to the right enshrined in statutory law 1581 of 2012 and other regulations that complement, modify or repeal it.


THE COMPANY will inform all its users about the rights derived from the protection of personal data.

3.1. RECIPIENTS

This Standard applies to, and is therefore binding on, the following people:


A. Legal representative.


B. Internal personnel of THE COMPANY, directors or not, who safeguard and process personal databases.


C. Suppliers and natural or legal persons that provide their services to THE COMPANY under any type of contractual modality, by virtue of which any personal data processing is carried out. This provision must be included in all contracts.


D. Clients who make use of the services offered by THE COMPANY and their treatment will be managed by the system implemented by the COMPANY.


E. Those other people with whom there is a legal relationship of a statutory, contractual nature, among others.


F. Public and private persons as users of personal data.


G. Other persons established by law.

4. DEFINITIONS

A. PRIVACY NOTICE: Verbal or written communication generated by THE COMPANY, addressed to the owner for the processing of their personal data, by which they are informed about the existence of the information processing policies that will be applicable, the form to access them and the purposes of the treatment that is intended to give personal data.


B. AUTHORIZATION: Prior, express and informed consent of the Holder to carry out the Processing of personal data.


C. DATABASE: Organized set of personal data that is subject to Treatment.


D. AUTOMATED DATABASE: It is the organized set of personal data that are created, processed and / or stored through computer programs or software.


E. NON-AUTOMATED DATABASE: It is the organized set of personal data that are created, processed and / or stored manually, with the absence of computer programs or software.


F. TRANSFER OF DATA: Processing of data that involves its disclosure to a person other than the owner of the data or other than who is authorized as transferee.


G. CUSTODIAN OF THE DATABASE: It is the natural person who has custody of the personal database within THE COMPANY.


H. PERSONAL DATA: Any information linked or that may be associated with one or more determined or determinable natural persons.


I. PRIVATE PERSONAL DATA: It is a category of personal data that is only relevant to its owner, among which you could find photographs, videos, data related to your lifestyle, among others.


J. SEMI-PRIVATE PERSONAL DATA: It is a category of personal data that does not have an intimate, reserved, or public nature and whose knowledge interests the owner and a certain sector or group of people or society in general, among which could be found financial and credit data, address, telephone, email, among others.


K. PUBLIC PERSONAL DATA: It is the category of personal data, qualified as such in the law, that is not semi-private, private or sensitive, among which could be found the data related to the civil status of people, their profession or trade, their quality of merchant or public servant and those that can be obtained without any reservation, among others.


L. PERSON IN CHARGE OF THE TREATMENT: Natural or legal person, public or private, that by itself or in association with others, carries out the Treatment of personal data on behalf of the person responsible for the treatment.


M. RESPONSIBLE FOR THE TREATMENT: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the Treatment of the data.


N. HABEAS DATA: Fundamental right of every person to know, update, rectify and/or cancel the information and personal data that have been collected from it and/or are processed in databases of THE COMPANY, in accordance with the provisions of the law and other applicable regulations.


O. HOLDER: Natural person whose personal data is subject to Treatment.


P. TREATMENT: Any operation or set of operations on personal data, such as the collection, storage, use, circularization or deletion.


Q. SENSITIVE DATA: Information that affects the privacy of the owner or whose improper use can generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social organizations, of human rights or that promotes the interests of any political party or that promotes the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data, including, among others, the capture of still or moving images, fingerprints, photos, iris, voice, facial or palm recognition, etc.

5. TREATMENT AND PURPOSE TO WHICH THE DATA PROVIDED BY THE OWNER WILL BE SUBMITTED

THE COMPANY will only collect from its users the data that is necessary, pertinent and not excessive for the established purpose. The personal data of the holders that THE COMPANY has will be processed for the following purposes:


A. Information about suppliers:
Maintain direct communication with suppliers for the purposes of orders, negotiations, business communications or payments.


B. Customer Information:
Implement marketing and loyalty strategies. Financial study for approval of credits. Commercial, customer service and portfolio management purposes.


C. Employee Information:
Necessary official communications with employees by the company. Recognitions or social and / or work activities established by THE COMPANY. Evidentiary purposes within disciplinary and / or judicial processes.


Identification and other identification or recognition documents for personnel linked to the company.

6. PRINCIPLES OF THE MANUAL OF POLICY AND PROCESSING OF PERSONAL DATA

A. LEGALITY: The processing of personal data will be carried out in accordance with the applicable legal provisions.


B. PURPOSE: The processing of personal data must obey a legitimate purpose and must be subject to what is established in the Political Constitution and the Law. The owner will be informed in a clear, comprehensive, sufficient and prior way about the information that is provided.


C. FREEDOM: The processing of personal data can only be exercised with the prior, express and informed consent of the owner. Personal data will not be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate that exonerates consent.


D. TRUTH OR QUALITY: The information subject to the processing of personal data will be true, complete, exact, updated, verifiable and understandable.


E. TRANSPARENCY: THE COMPANY guarantees the holders of personal data the right of access and knowledge of personal information that is being treated in accordance with the provisions of the Law.


F. ACCESS AND CIRCULATION: In accordance with the provisions enshrined in the law, the data operated by THE COMPANY will have restricted access and circulation in accordance with their nature and with the authorizations made by the Owner.


G. SECURITY: The personal data subject to treatment will be handled adopting all the security measures that are necessary for its conservation and proper use.


H. CONFIDENTIALITY: All officials who work for THE COMPANY are obliged to keep confidentiality regarding the personal information to which they have access during their work at THE COMPANY.

7. RIGHTS OF THE HOLDER

The owners of the personal data contained in databases that rest in the information systems of THE COMPANY have the rights described below, in compliance with the fundamental guarantees enshrined in the Political Constitution and the law.


A. RIGHT OF ACCESS:
It includes the power of the data owner to obtain all the information regarding their own personal data, whether partial or complete, of the treatment applied to them, the purpose of the treatment, the location of the databases that contain their personal data and on the communications and / or assignments made with respect to them, whether authorized or not.


B. RIGHT TO UPDATE:
It includes the power of the data owner to update their personal data when they have had any variation.


C. RIGHT OF RECTIFICATION:
It includes the power of the owner of the data to modify the data that turns out to be inaccurate, incomplete or non-existent.


D. RIGHT OF CANCELLATION:
It includes the power of the data owner to cancel their personal data or delete them when they are excessive, not relevant or the treatment is contrary to the rules, except in those cases contemplated as exceptions by law or contractually agreed to the contrary.


E. RIGHT TO REVOCATION OF CONSENT:
The owner of the personal data has the right to revoke the consent or authorization that enables THE COMPANY for a treatment with a certain purpose, except in those cases contemplated as exceptions by law or contractually agreed to the contrary.


F. RIGHT TO OBJECT:
It includes the faculty of the owner of the data to oppose the processing of their personal data, except in cases in which such right does not proceed by legal provision or because it violates general interests superior to the particular interest. The Legal Directorate of THE COMPANY, based on the legitimate rights that the owner of the personal data argues, will make the pertinent decision.


G. RIGHT TO FILE COMPLAINTS AND CLAIMS OR TO EXERCISE ACTIONS: The owner of the personal data has the right to present to the Superintendency of Industry and Commerce, or the competent entity, complaints and claims, as well as the actions that are pertinent, for the protection of their data. Prior to this, you must have exhausted the exercise of your right against THE COMPANY.


H. RIGHT TO GRANT AUTHORIZATION FOR DATA PROCESSING:
The owner of the data has the right to grant his authorization, by any means that may be subject to subsequent consultation, for THE COMPANY to process his personal data. Exceptionally, this authorization will not be requested in the following cases:


When required by a public or administrative entity in compliance with its legal functions, or by court order.


When it comes to data of a public nature.


When it is information processing authorized by law for historical, statistical or scientific purposes.


When it comes to personal data related to the civil registry of people.


In these cases, although the authorization of the owner is not required, the other principles and legal provisions on the protection of personal data will apply.

8. DUTIES OF THE COMPANY

When THE COMPANY assumes the quality of direct data controller of the data holders, it must fulfill the following duties:
Guarantee the holders, at all times, the full and effective exercise of the Constitutional right of Hábeas Data.


Request and keep, under the conditions set forth in this Standard, a copy of the respective authorization granted by the owner.


Duly inform the owner about the purpose of the collection and the rights that assist him by virtue of the authorization granted.
Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.


Guarantee that the information provided to the person in charge of the treatment is true, complete, exact, updated, verifiable and understandable.


Update the information, communicating in a timely manner to the person in charge of the treatment, all the news regarding the data that you have previously provided and adopt the other necessary measures so that the information provided to it is kept updated.


Rectify the information when it is incorrect and communicate the pertinent to the person in charge of the treatment.


Provide the person in charge of the treatment, as the case may be, only data whose treatment is previously authorized in accordance with the provisions of the law.


Require the person in charge of the treatment at all times to respect the security and privacy conditions of the owner's information.


Process inquiries and claims formulated in the terms indicated in this regulation and in the law.


Adopt an internal manual of policies and procedures to guarantee adequate compliance with the law and especially, for the attention of queries and complaints. THE COMPANY complies with this obligation through the adoption of this Standard.


Inform the person in charge of the treatment of the circumstance that certain information is under discussion by the owner, once the claim has been submitted and the respective process has not been completed.


Inform at the request of the owner about the use given to their data.


Inform the data protection authority when there are violations of security codes and there are risks in the administration of the information of the holders.


Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.


When THE COMPANY carries out the treatment on behalf of a third party (in charge of the data treatment), or it is legally responsible for supplying them, it will fulfill the following duties:
Guarantee the owner, at all times, the full and effective exercise of the right to Habeas Data.


Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.


Timely updating, rectification or deletion of the data in the terms of the law.


Update the information reported by those responsible for the treatment within five (5) business days from its receipt.


Process the queries and claims made by the owners in the terms indicated in this Standard and in the law.


Adopt an internal manual of policies and procedures to guarantee adequate compliance with the law and, especially, for the attention of queries and claims by the Holders. THE COMPANY complies with this obligation through the adoption of this Standard.


Register in the database the legend "habeas data claim in process" in relation to the personal information that is discussed or questioned by the holders, in accordance with the way it is regulated by law.


Insert in the database the legend "information on habeas data in judicial discussion" once notified by the competent authority about judicial processes related to the quality of personal data.


Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the Superintendency of Industry and Commerce or by another competent authority.


Allow access to information only to people who can have access to it.


Inform the Superintendency of Industry and Commerce when there are violations of the "Security Codes" and there are risks in the administration of the information of the holders.


Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.


In the event that the roles of Responsible for the Treatment and Person in Charge of the Treatment concur, the fulfillment of the duties provided for each one will be required.

9. SPECIAL CATEGORIES OF DATA

A. SENSITIVE PERSONAL DATA: Sensitive data are those data that affect the privacy of the owner or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social organizations, of human rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data. THE COMPANY will restrict the processing of sensitive personal data to what is strictly essential and will request prior and express consent on the purpose of its treatment.


B. TREATMENT OF SENSITIVE PERSONAL DATA:


The data classified as sensitive may be used and processed when:


The Holder has given his explicit authorization to said treatment, except in cases where, by law, the granting of said authorization is not required.


The treatment is necessary to safeguard the vital interest of the Holder and he is physically or legally incapacitated. In these events, the legal representatives must grant their authorization.


The treatment refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process.
The treatment has a historical, statistical or scientific purpose, or within the framework of improvement processes, as long as the measures leading to the suppression of the identity of the holders are adopted.

10. CLASSIFICATION OF INFORMATION AND DATABASES

The databases will be classified as follows:


A. CONFIDENTIAL DATABASES:
They are databases or electronic files with confidential information which deals with the business model of THE COMPANY, in the case of financial data, personnel databases, databases with sensitive information about managers, suppliers, etc.


B. DATABASES WITH SENSITIVE INFORMATION:
These are data that affect the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties as well as data related to health, sexual life and biometric data. In THE COMPANY, access to this type of information is restricted and will only be known by an authorized group of officials.


C. DATABASES WITH PUBLIC INFORMATION:
They are the databases that contain public data classified as such according to the mandates of the law or the Political Constitution and that are not classified as semi-private, private or sensitive data. The data relating to the marital status of individuals, their profession or trade, their status as a merchant or public servant and those that can be obtained without any reservation are public, among others. By its nature, public data may be contained, among others, in public records, public documents, gazettes and official gazettes, duly enforceable judicial decisions that are not subject to reservation.

11. INFORMATION OBTAINED IN PASSIVE FORM

When the services contained within the websites of THE COMPANY are used, it may collect information passively through information management technologies, such as "cookies", through which information is collected about the computer's hardware and software, IP address, browser type, operating system, domain name, access time and the addresses of the websites of origin. Through the use of these tools, no personal data is collected directly from users.


Information about the pages that the person visits most frequently on these websites will also be collected in order to understand their browsing habits. However, the user of the websites of THE COMPANY has the possibility of configuring the operation of "cookies", according to the options of their internet browser.

12. PROCEDURE FOR ATTENTION AND RESPONSE TO REQUESTS, CONSULTATIONS, COMPLAINTS AND CLAIMS OF THE HOLDERS OF PERSONAL DATA

The COMPANY's data holder may request and consult their personal information through the following means provided by the company: email: soporte@insoftar.com. In order to access said information, THE COMPANY will carry out, prior to the request, the verification of the identity of the user requesting confirmation of certain personal data that rest in the database. Once the identity of the owner has been verified, all the information about their personal data will be provided and any procedure related to them may be carried out.


In the event that the owner needs to make an additional query or requests that the information contained in THE COMPANY's database be updated, rectified, modified or deleted, or considers that there is a presumed breach in the protection of their data, the owner can submit a query / claim through support@insoftar.com and the Bogotá DC User Service Offices. The response process to the query / claim submitted by the user will be in charge of the User Service area.


The query / claim submitted by a holder must, in all cases, be submitted in writing and must contain, at least, the following points:


A. Complete identification (name, notification address, identification document).


B. Description of the facts that give rise to the query / claim.


C. Documents supporting the facts.


D. Way by which you want to receive the answer to your query / claim.


In case of consultation, a response will be given to the owner within ten (10) business days following the filing of the request. When it is not possible to attend to it within that term, you will be informed of the reasons for the delay and of the date on which your query will be attended, which in no case may exceed five (5) business days following the expiration of the first term.


In the event of a claim, a response will be given within fifteen (15) business days from the day following the filing date. When it is not possible to attend the claim within said term, the reasons for the delay and the date on which your claim will be attended will be reported, which in no case may exceed eight (8) business days following the expiration of the first term.


If THE COMPANY is not competent to resolve it, it will notify the corresponding person within a maximum term of two (2) business days and will inform the user of the situation.


13. SANCTIONS

In accordance with the provisions of Law 1581 of 2012 in Article 23, the sanctions for the improper processing of personal data will be:


"Article 23. Sanctions. The Superintendency of Industry and Commerce may impose the following sanctions on those responsible for the Treatment and those in charge of the Treatment:


A. "Article 23. Sanctions. The Superintendency of Industry and Commerce may impose the following sanctions on those responsible for the Treatment and those in charge of the Treatment:


B. Suspension of the activities related to the Treatment up to a term of six (6) months. In the act of suspension, the corrective measures to be adopted will be indicated.


C. Temporary closure of the operations related to the Treatment once the suspension term has elapsed without the corrections ordered by the Superintendency of Industry and Commerce having been adopted.


D. Immediate and definitive closure of the operation that involves the treatment of sensitive data. "


"Article 24. Criteria for graduating sanctions. The sanctions for infractions referred to in the previous article will be graduated according to the following criteria, as far as applicable:


A. The dimension of the damage or danger to the legal interests protected by this law;


B. The economic benefit obtained by the offender or third parties, by virtue of the commission of the offense;


C. The recurrence in the commission of the offense;


D. The resistance, refusal or obstruction to the investigative or surveillance action of the Superintendency of Industry and Commerce;


E. The reluctance or contempt to comply with the orders issued by the Superintendency of Industry and Commerce;


F. The express recognition or acceptance made by the person under investigation of the commission of the offense before the imposition of the applicable sanction. "

14. NOTICE OF PERSONAL DATA POLICY

The COMPANY's data holders are informed that the privacy notice is published on the following website: www.insoftar.com

15. PROHIBITIONS

In accordance with the provisions of Law 1581 of 2012, THE COMPANY will not transfer personal data of the Holders to a country that does not offer an adequate level of data protection. To determine if a country offers an adequate level of data protection, said country must comply with the standards indicated by the Superintendency of Industry and Commerce on the matter, which in no case may be lower than those that this law requires of its recipients. This prohibition will not apply when it comes to:


Information for which the Holder has granted his express and unequivocal authorization for the transfer,


Exchange of medical data, when required by the Holder's Treatment for reasons of health or public hygiene,


Bank or stock transfers, in accordance with the applicable legislation,


Transfers necessary for the execution of a contract between the Holder and the person responsible for the Treatment, or for the execution of pre-contractual measures as long as the Holder's authorization is obtained,


Transfers agreed in the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity,


Transfers legally required to safeguard the public interest, or for the recognition, exercise or defense of a right in a judicial process.

16. VALIDITY

This personal data protection policy of the COMPANY's data holders will be in effect as of December 1, 2018.