Data Treatment and Protection Policy

SOLUTIONS & PAYROLL S.A.S. PERSONAL AND/OR CORPORATE DATA TREATMENT AND PROTECTION POLICY.

1. COMPANY IDENTIFICATION The policy is developed and applied by Solutions & Payroll S.A.S. (hereinafter The Company), identified under NIT. 900.508.955-5, domiciled in the city of Bogotá D.C. at Calle 129 No. 53 -71, Office 302, of private legal regime and whose corporate purpose is to provide business and management consulting services and activities, as well as to carry out any other lawful economic activity both in Colombia and abroad. The corporation may carry out all operations of any nature, related or complementary to the mentioned purpose, which may facilitate and develop the commerce or industry of the corporation, registered in due legal form with the Chamber of Commerce of Bogotá.

2. SCOPE This policy applies to the personal data stored in the Solutions & Payroll S.A.S. database

Solutions & Payroll S.A.S. complies with the Personal Data Treatment Law and proceeds as indicated in the normative considerations and without limiting itself to these, to the following in order of entry into force or issuance:

Statutory Law 1266 of 2008. Decree 1727 of 2009. Decree 2952 of 2010. Law 1266 of 2008. Law 1581 of 2012. Resolution 76434 of 2012. Resolution 20752 of 2013. Decree 1377 of 2010. Law 1712 of 2014. Decree 866 of 2014. Circular 02 of 2015. Circular 01 of 2017. Ruling c-748/11 Ruling c-1011/08 General Data Protection Regulation (GDPR). Regulation (EU) 2016/679). Directive (EU) 2016/680 on the protection of natural persons about the processing of personal data relating to criminal offenses or the execution of criminal penalties and on the free movement of such data.

4. DEFINICIONES
Autorización: consentimiento previo, expreso e informado del titular para llevar a cabo el tratamiento de datos personales.
Aviso de privacidad: comunicación verbal o escrita generada por el responsable dirigida al titular para el tratamiento de sus datos personales, mediante la cual se le informa acerca de la existencia de las políticas de tratamiento de información que le serán aplicables, la forma de acceder a las mismas y las finalidades del tratamiento que se pretende dar a los datos personales.
Base de datos: conjunto organizado de datos personales que sea objeto de tratamiento.
Cliente: persona natural o jurídica a la cual se le presta servicios profesionales en virtud de una relación comercial preexistente.
Cookie: entendemos un archivo pequeño con una cadena de caracteres que se envía al ordenador de quien ingresa a un sitio web, lo cual permite almacenar, entre otras, las preferencias del usuario.
Comisión europea: la comisión europea es el organismo ejecutivo de la unión europea y representa los intereses de Europa en su conjunto (diferentes de los intereses de cada país por separado).
Dato personal: cualquier pieza de información vinculada a una o varias personas determinadas o determinables o que puedan asociarse a una persona natural o jurídica.
Dato público: es el dato que no sea semiprivado, privado o sensible. Son considerados datos públicos, entre otros, los datos relativos al estado civil de las personas, a su profesión u oficio y a su calidad de comerciante o de servidor público. Por su naturaleza, los datos públicos pueden estar contenidos, entre otros, en registros públicos, documentos públicos, gacetas y boletines oficiales y sentencias judiciales debidamente ejecutoriadas que no estén sometidas a reserva.
Datos sensibles: se entiende por datos sensibles aquellos que afectan la intimidad del titular o cuyo uso indebido puede generar su discriminación, tales como aquellos que revelen el origen racial o étnico, la orientación política, las convicciones religiosas o filosóficas, la pertenencia a sindicatos, organizaciones sociales, de derechos humanos o que promueva intereses de cualquier partido político o que garanticen los derechos y garantías de partidos políticos de oposición, así como los datos relativos a la salud, a la vida sexual, y los datos biométricos.
Datos indispensables: se entienden como aquellos datos personales de los titulares imprescindibles para llevar a cabo la actividad de educación superior en docencia, investigación y extensión. Los datos de naturaleza indispensable deberán ser proporcionados por los titulares de los mismos o los legitimados para el ejercicio de estos derechos.
Datos opcionales: son aquellos datos que Solutions & Payroll S.A.S. Requiere para ofrecer servicios adicionales en investigación, extensión, ofertas laborales, convocatorias, búsquedas, inversión, estructuración, presentaciones, etc.
Empleado: persona natural que presta servicios personales a la sociedad en virtud de un contrato de trabajo.
Exempleado: persona natural que prestó servicios personales a la sociedad en virtud de un contrato de trabajo que terminó por cualquier causa.
Encargado del tratamiento: persona natural o jurídica, pública o privada que por sí misma o en asocio con otros, realice el tratamiento de datos personales por cuenta del responsable del tratamiento.
Ley de protección de datos: es la ley 1581 de 2012 y sus decretos reglamentarios o las normas que los modifiquen, complementen o sustituyan descritas en el marco legal de este documento.
Habeas data: derecho de cualquier persona a conocer, actualizar y rectificar las informaciones que se hayan recogido sobre ellas en el banco de datos y en archivos de entidades públicas y privadas.
Proveedor: persona natural o jurídica que suministra bienes y/o servicios a la sociedad en virtud de una relación comercial preexistente.
Responsable del tratamiento: persona natural o jurídica, pública o privada que por sí misma o en asocio con otros, decida sobre la base de datos y/o tratamiento de los datos.
Titular: persona natural o jurídica cuyos datos personales sean objeto de tratamiento.
Tercer país: país o territorio no perteneciente a la unión europea o diferente al país que establece la reglamentación o proceso regulatorio para el tratamiento de datos personales.
Tratamiento: cualquier operación o conjunto de operaciones sobre datos personales, tales como la recolección, almacenamiento, uso, circulación o supresión.
Transferencia: la transferencia de datos tiene lugar cuando el responsable y/o encargado del tratamiento de datos personales, ubicado en Colombia, envía la información o los datos personales a un receptor, que a su vez es responsable del tratamiento y se encuentra dentro o fuera del país.
Transmisión: tratamiento de datos personales que implica la comunicación de los mismos dentro o fuera del territorio de la república de Colombia cuando tenga por objeto la realización de un tratamiento por el encargado por cuenta del responsable.
Visitante: toda persona natural que se encuentre en las instalaciones de la sociedad y que no tenga la calidad de empleado.

5. SENSITIVE DATA Sensitive data refers to information that, if improperly used, could compromise the privacy of the individual or lead to discrimination based on factors such as race, ethnicity, political beliefs, religion, trade union membership, social organizations, health, sex life, biometric, socioeconomic status, family information, and choices. It also includes any information only known to the individual due to its nature and is irrelevant to the request.

EXCEPTIONS TO THE PRIOR AND EXPRESS AUTHORIZATION OF THE HOLDER Notwithstanding the above and under the Law, Solutions & Payroll S.A.S. may proceed with the processing of your data without requiring your prior authorization when it concerns: a. Information required by a public or administrative entity in the exercise of its legal functions or by court order. b. Data of a public nature (under the legal definition of the term). c. Cases of medical or health emergency. d. Processing of information authorized by Law for historical, statistical, or scientific purposes. e. Data related to the civil registry of persons. Solutions & Payroll S.A.S. may share the data it collects with other members of the Company worldwide, as well as with third parties who have an interest in or require this information for the execution of contracts, to establish data about services, and to comply with the corporate purpose; this may occur not only within the Colombian territory but also in other places where the Company has a presence worldwide. If such information is to be shared with third parties other than other members of the Company worldwide or with third parties who are not customers of the Company or who do not have a direct interest in the information provided, your consent and authorization shall be requested before sharing it.

6. PURPOSE OF THE PROCESSING OF PERSONAL DATA

PURPOSE OF THE PROCESSING OF CUSTOMER DATA Solutions & Payroll S.A.S. shall process clients' personal information to provide them with the professional services contracted, according to the corresponding corporate purpose. Therefore, contracts entered into with clients shall comply with the provisions of this policy or shall include a clause regulating the treatment of information accessed by virtue thereof. Solutions & Payroll S.A.S. may record and take photos, audio, and videos of customers during events, training, or other activities. The company reserves the right to use these recordings and images in newsletters, sectoral reports, or publications.

PURPOSE OF THE PROCESSING OF DATA OF WORKERS LINKED BY OUR CUSTOMERS Solutions & Payroll S.A.S. will maintain a file that contains all the personal data of the employees who have labor relationships with the clients subscribed to the outsourcing model for Personnel and Payroll Administration; this includes the process of linking, as well as the management of data related to elaboration, liquidation, labor payments, and disengagement. The purpose of this file will be the following: a. To serve as a basis for the issuance of labor certificates by the client, as provided for in Article 57, paragraph 7 of the Substantive Labor Code, at the request of the former employee or their successors in title; b. Manage the payments under the labor conditions agreed upon by the client and its employees within the framework of the employment contract they have signed. c. Compliance with the legal order regarding labor, civil, and tax issues is to be assumed by the client about its employees. d. Settlement of payroll, social security payments, and personal and financial information records, under the personnel and payroll administration process managed by Solutions & Payroll S.A.S. on behalf of the Client. e. Manage payments to third parties and in general in all processes where such information is required for the payment procedure, discount, and fulfillment of duties before governmental, social, and judicial entities with clear legal manifestation for the knowledge of the same. Solutions & Payroll S.A.S. will only be responsible for the data collected and managed until the end of the commercial relationship or until the client requests the information processed by the company; this can be either due to inherent management in its treatment or by the management of termination of the employment contract of the holder or the termination of the commercial relationship. In any case, the company will deliver the complete information without any custody unless required by law or obligation established in the commercial contract.

PURPOSE OF THE PROCESSING OF DATA OF SUPPLIERS OR PERSONS WITH WHOM THEY HAVE A BUSINESS OR TRAINING RELATIONSHIP. Solutions & Payroll S.A.S. will process the personal data of its Suppliers or the persons with whom it has a commercial or training relationship to comply with the obligations acquired by the respective commercial relationship, whether for identification or tabulation purposes. Concerning Suppliers, such obligations include, among others, evaluating their performance; establishing, managing, or terminating commercial relationships or verifying references; providing business metrics and any other obligations outlined in the agreements or contracts entered into with the Supplier. About customers, such responsibilities include, among others, the management of information of the agreements or service contracts, price agreements, service level agreements, management of sensitive data of its employees due to the outsourcing service, and all those civil, fiscal, and financial obligations established with the customer.

7. RIGHTS OF THE OWNER The owner of the data collected by Solutions & Payroll S.A.S. shall have the right to the following:

CONSULTATION The owners or their assignees duly accredited by the Law may consult, upon written request, free of charge, and under the Law, their data held in any database for which Solutions & Payroll S.A.S. is directly responsible or is designated by will and in compliance with legal agreements with customers.

RECTIFICATION AND UPDATING OF DATA Solutions & Payroll S.A.S. shall have the obligation to rectify and update, at the holder's request, the information that proves to be incomplete or inaccurate, for which the holder must follow the procedure established in Section IX paragraph b of this Policy.

PROOF OF AUTHORIZATION Provided that it does not concern those cases in which the Law exempts Solutions & Payroll S.A.S. from obtaining the authorization of the holder or those cases in which the data collection took place before June 27, 2013, the Holder may request Solutions & Payroll S.A.S. proof of the acceptance given for the processing of their data.

USE At any time, the holder shall have the right to be informed by Solutions & Payroll S.A.S., upon request, of the use made of their data.

COMPLAINTS When the holder believes that this policy or the current regulations on personal data protection have been breached, they may file a complaint with the Superintendence of Industry and Commerce if they deem it appropriate.

SUPPRESSION The Data Subject has the right to request Solutions & Payroll S.A.S. to delete their data or withdraw their consent for processing one, some, or all of their data at any time. However, this may not be possible if there is a legal or contractual obligation for the data to remain in the Solutions & Payroll S.A.S. database. This suppression does not extend to the reserves of physical, digital, or removable media-supported information when it refers or serves as evidence in legal proceedings, serves as a mechanism of accreditation of imprescriptible legal requirements such as those associated with the pension, accreditation of criminal, labor or civil proceedings, labor identity control efforts and all those inherent to the proceedings by which the fulfillment of legal obligations in charge of Solutions & Payroll S.A.S. or by a delegation of one or more of its customers in outsourcing function is accredited.

8. AREA IN CHARGE OF HANDLING DOUBTS, REQUESTS, COMPLAINTS OR CLAIMS For all purposes of this policy and in compliance with current regulations, Solutions & Payroll S.A.S. has established that the area in charge of handling doubts, requests, complaints, and claims of the holders is the Integral Management area whose contact details are as follows: Telephone: (571) 7426386 - (03) 3003689121 Address: Calle 129 No. 53 -71, Office 302. Email: soporte@solutionsandpayroll.com

9. PROCEDURE FOR THE EXERCISE OF THE HOLDER'S RIGHTS The Data Subject or their successors in title, duly accredited under the Law, who consider that the information contained in a database, for which Solutions & Payroll S.A.S. is responsible, should be subject to: a. Correction, updating, or suppression b. When they notice the alleged breach of any of the duties specified in the Law. c. When they have any concerns or complaints regarding this Policy. d. When they want to consult the information Solutions & Payroll S.A.S. has about them. In the above cases, they may submit a complaint or concern to the area in charge; this communication must contain the information indicated in Article 15 of Law 1581 of 2012 and follow the procedure described below:

10. PROCEDURE IN CASE OF CONCERNS AND/OR CLAIMS. When the data subject or their successors have concerns and/or complaints about this Policy and/or the treatment that Solutions & Payroll S.A.S. has given to their data, they must formulate their concern and/or complaint in writing and send it to any of the following addresses that appear in this document. Additionally, if the request is made by physical mail, the data subject must indicate the address where they wish the response to be sent. Once the respective communication is received, the area in charge will have 15 working days to resolve the concern and/or claim and respond to the data subject. When it is impossible to address the claim or concern within such term, the holder will be informed of the reasons for the delay and the date on which the claim will be addressed, which may not exceed eight (8) business days following the expiration of the first term.

11. SECURITY Solutions & Payroll S.A.S. is committed to adopting the instructions given by the Superintendence of Industry and Commerce and international standards that regulate the subject. Notwithstanding the above, Solutions & Payroll S.A.S. declares that it has information security policies and a technological infrastructure that reasonably protects the personal information collected, limiting access to third parties as far as possible. However, Solutions & Payroll S.A.S. will strive to improve the security standards to protect the personal information collected.

12. MINORS SOLUTIONS & PAYROLL S.A.S. is aware of the legal prohibition to collect data from minors. For this reason, and in strict compliance with current legislation, we will proceed to gather this type of data only when they are public, and the processing of such data when: a. Responds to and respects the best interest of the minor. b. Ensures the respect of their fundamental rights. c. It links information that does not violate the integrity or privacy of minors. d. The express and written consent of the parents or adult guardians is obtained. e. It is required by law, and its collection is regulated by express judicial mandate or is requested by a competent authority. f. It is required to keep records or traceability of the welfare efforts of workers or their families. The collection and processing of this data will be for specific purposes and will be regulated according to the relationship process duly authorized by their parents or the person in charge of minors.

13. INTERNATIONAL TRANSFER OF PERSONAL DATA Solutions & Payroll S.A.S. undertakes not to transfer data to third countries that do not comply with the standards of protection of personal data required by the Superintendence of Industry and Commerce and the General Data Protection Regulation - GDPR, except for the exceptions noted below: a. Information concerning which the owner has given express and unequivocal authorization for the transfer; b. Exchange of medical data, when so required by the treatment of the holder for reasons of public health or hygiene; c. Banking or stock exchange transfers, under applicable legislation; d. Transfers agreed within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity; e. Transfers necessary for the execution of a contract between the holder and the data controller, or for the execution of pre-contractual measures, as long as the holder's authorization is obtained; f. Transfers are legally required for the safeguarding of the public interest or the recognition, exercise, or defense of a right in a judicial process. g. When processing the personal data of EU data subjects in pursuit of corporate purposes, regardless of where the data is handled. In cases not contemplated as an exception in this section, the Superintendency of Industry and Commerce shall be responsible for issuing the declaration of conformity regarding the international transfer of personal data. For this purpose, the Superintendent is empowered to request information and take the necessary steps to establish compliance with the requirements for the operation's viability at the request of SOLUTIONS & PAYROLL S.A.S. before this entity.

14. OF THE CATEGORY OF PERSONAL DATA OF INTERNATIONAL INTERFERENCE Under the existing treaties and the regulations established for each region of the world, it is stipulated that the type and amount of personal data that can be processed depends on the reasons for the processing (legal purpose used) and what they want to do with it, establishing guarantees of respect for the relevant rules established by these regions. Such regulations include the following: a. Solutions & Payroll S.A.S. establishes mechanisms to safeguard the personal data of its suppliers, customers, and international workers, treating such data in a lawful, loyal, and transparent manner, ensuring loyalty to the persons whose personal data is being processed. b. Solutions & Payroll S.A.S. establishes the specific purposes for data processing, indicating such purposes to the individuals when collecting their data, establishing that personal data cannot simply be collected for indeterminate purposes. c. Solutions & Payroll S.A.S. will only collect and process personal data that is necessary to fulfill its corporate purpose. d. Solutions & Payroll S.A.S. ensures the accuracy and currency of personal data and the correction of possible errors. e. Solutions & Payroll S.A.S. affirms that if personal data is not in line with the original purpose of its collection, it will not be used. In such cases, the data will be delivered to the owner, or it will be deleted if it is not possible to contact them. f. Solutions & Payroll S.A.S. will guarantee that personal data will not be kept longer than necessary for the purposes for which they were collected. g. Solutions & Payroll S.A.S. establishes appropriate technical and organizational safeguards to ensure personal data security, confidentiality, and integrity, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technology. If Solutions & Payroll S.A.S. has collected personal data based on legitimate interests, a contract, or vital interests, it may only use it for other purposes after verifying that the new purpose is compatible with the original purpose. In this regard, the following should be assessed: a. The relationship between the initial purpose and the new or future purpose is compatible. b. The context in which the data were collected legitimized the relationship between the company and the data subject. c. The type and nature of the data d. The possible consequences of further processing, i.e., how the further processing will affect the individual. e. The existence of adequate safeguards f. No compatibility testing is required if they want to use the data for statistical or scientific purposes. Data collected based on consent or legal requirements may only be processed within the scope of the initial approval or provision. Further processing would require obtaining new consent or a new legal basis.

15. ON THE PUBLIC ADMINISTRATION AND LEGITIMACY OF THE USE OF INFORMATION Regarding the public administration of the personal data collected, Solutions & Payroll S.A.S. is subject to the provisions established in the Colombian legal regulations, to the regulations set forth for preservation and control in the countries where it has a presence, as well as the General Data Protection Regulation - GDPR established by the European Union, regarding the processing of personal data of a natural or legal person, regardless of the legal relationship that subscribes with the Company. It will be the responsibility of suppliers, employees, customers, and all those natural or legal persons of private or public nature, whether national or international, to support Solutions & Payroll S.A.S. in its operations at local, regional, national, or international levels in preparation for the implementation of the General Data Protection Regulation - GDPR. Before processing personal data, natural or legal persons must be informed about the processing, its purposes, the types of data collected, the recipients, and their rights regarding data protection, expressly authorizing the use of such data in writing. In all the scopes prevails the existing legislation in each country for the treatment and preservation of personal data, in the absence of regulation will be established the most appropriate means for their treatment and protection, without going against the legislation of each country that Solutions & Payroll S.A.S. has presence. In cases of shared administration between Solutions & Payroll S.A.S. and its customers, it is the obligation of the latter to appoint a delegate or person in charge of data protection, which may be a natural or legal person endorsed by the parties or any of the parties that are subject to compliance with a service contract, for which the client must, using an express document, establish the scope of the information, its treatment, and security, without affecting the integrity, legality and transparency in its conservation. In cases where the personal data in possession are accidentally or unlawfully disseminated to unauthorized recipients or their access is prevented or temporarily altered, they must be notified without undue delay no later than 72 hours after becoming aware of the violation. In addition, Solutions & Payroll S.A.S. shall inform the affected persons of the breach.

16. COOKIES Solutions & Payroll S.A.S. recognizes that its websites may use cookies. Even if a user does not allow cookies, they can still access and manage the Solutions & Payroll S.A.S. websites effectively. However, Solutions & Payroll S.A.S. may gather information from cookies anonymously to enhance its operational systems and identify categories of visitors by domains and browser types. All information entered into Solutions & Payroll S.A.S. websites will enhance user experience. The data collected from natural or legal persons will be treated under the express consent of the person in charge and may be revoked at any time under this policy. Such consent will be expressly informed in each of the forms or sections of the website where it is required, establishing simple, free, and accessible systems for opposition to the processing of your data when it deems appropriate.

17. CHANGES OR UPDATES TO THIS POLICY Solutions & Payroll S.A.S. may modify, delete, or update this Policy for Personal Data Processing when deemed necessary.

18. UPDATES OF PERSONAL DATA IN THE NATIONAL REGISTRY OF DATABASES - RNBD OF THE SUPERINTENDENCE OF INDUSTRY AND COMMERCE The main objective of the NATIONAL REGISTRY OF DATABASES - RNBD, is to have a public directory of the personal databases subject to processing operating in the country, corresponding to the General Regime for the Protection of Personal Data in Colombia and whose administration shall be in charge of the Superintendency of Industry and Commerce, it shall proceed as indicated for all purposes in the User Manual of the National Registry of Databases - RNBD.

19. EFFECTIVENESS This Policy is effective as of June 04, 2020.