INFORMATION SECURITY POLICY

Userlytics shall establish, implement, operate, monitor, review and continuously improve a documented
Information Security Management System (“ISMS”) to manage risks relating to the information assets,
either outsourced/owned or operated by the company, by appropriately protecting the confidentiality,
integrity, and availability of the information assets, thereby enhancing trust and confidence among its
customers.
This document defines the information security policy of Userlytics.
As a modern, forward-looking business, Userlytics recognizes at senior levels the need to ensure that its
business operates smoothly and without interruption for the benefit of its customers, shareholders, and
other stakeholders.
In order to provide such a level of continuous operation, Userlytics has implemented an Information
Security Management System (ISMS) in line with the ISO/IEC 27001:2013 Requirements for Information
Security Management Systems standard. This standard defines the requirements for an ISMS based on
internationally-recognized best practices.
The operation of the ISMS has many benefits for the business, including:

● Protection of revenue streams and company profitability
● Ensuring the supply of goods and services to customers
● Compliance with legal and regulatory requirements

This policy applies to all systems, people, and processes that constitute the organization’s information
systems, including board members, directors, employees, suppliers, and other third-parties who have
access to Userlytics systems.

Information Security Requirements

A clear definition of the requirements for information security within Userlytics will be agreed and
maintained with the internal business and the service customers so that all ISMS activity is focused on
the fulfillment of those requirements. Statutory, regulatory, and contractual requirements will also be
documented and provided as input to the planning process. Specific requirements with regard to the
security of new or changed systems or services will be captured as part of the design stage of each project.
It is a fundamental principle of the Userlytics Information Security Management System that the
controls implemented are driven by business needs and this will be regularly communicated to all staff
through team meetings and briefing documents.

Framework for Setting Objectives

A regular cycle will be used for the setting of objectives for information security, to coincide with the
budget planning cycle. This will ensure that adequate funding is obtained for the improvement activities
identified. These objectives will be based upon a clear understanding of the business requirements,
informed by the management review process during which the views of relevant interested parties may
be obtained.
Information security objectives will be set and documented for an agreed period, together with details
of how they will be achieved. These will be evaluated and monitored as part of management reviews to
ensure that they remain valid. If amendments are required, these will be managed through the change
management process.
In accordance with ISO/IEC 27001, the reference controls detailed in Annex A of the standard will be
adopted where appropriate by Userlytics. These will be reviewed regularly in the light of the outcome
from risk assessments and in line with information security risk treatment plans.
In addition, enhanced and additional controls from the following codes of practice will be adopted and
implemented where appropriate:

● ISO/IEC 27002 – Code of practice for information security controls

The adoption of these codes of practice will provide additional assurance to customers and further
support our compliance with international data protection legislation.

Continual Improvement of the ISMS

Userlytics' policy on continual improvement is to:

● Continually improve the effectiveness of the ISMS
● Enhance current processes to bring them into line with good practice as defined within ISO/IEC
27001 and related standards
● Increase the level of proactivity (and the stakeholder perception of proactivity) about
information security
● Make information security processes and controls more measurable to provide a sound basis for
informed decisions
● Review relevant metrics on an annual basis to assess whether it is appropriate to change them,
based on collected historical data
● Obtain ideas for improvement via regular meetings and other forms of communication with
interested parties, including cloud service customers
● Review ideas for improvement at regular management meetings to prioritize and assess
timescales and benefits

Ideas for improvements may be obtained from any source including employees, customers, suppliers, IT
staff, risk assessments, and service reports. Once identified, they will be recorded and evaluated as part
of management reviews.

Last update: 02/04/2021