INFORMATION SECURITY POLICY
1. Purpose, Scope of Information Security, and Management Adoption
ThinkCut regards corporate information as a highly valuable asset. Information is critical to the continuity of our business activities and must be appropriately protected. ThinkCut aims to minimize risks and impacts related to Confidentiality, Integrity, and Availability of corporate information by implementing the ISO 27001 Information Security Management System (ISMS).
This policy is approved by the senior management of ThinkCut.
ThinkCut management is particularly committed to:
- Ensuring the confidentiality, integrity, and availability of ThinkCut information and information systems.
- Identifying and systematically managing risks to information assets.
- Complying with Information Security Standards requirements.
- Complying with all legal regulations related to Information Security.
- Evaluating and carrying out continuous improvement opportunities to sustain the ISMS.
- Conducting training to increase information security awareness and develop technical and behavioral competencies.
- Having the responsible Information and Communication Technology parties prepare and publish subsidiary procedures related to this policy.
ThinkCut's Information Security Policies apply to all employees using corporate information or business systems, whether full-time, part-time, permanent, or contract, regardless of geographical location or business unit. This also applies to third-party service providers and their support staff who need access to corporate information.
2. Responsibilities of All Employees
The purpose of Information Security and this policy is to protect, maintain, and manage the confidentiality, integrity, and availability of information and all supporting business systems, processes, and applications. This means ensuring that ThinkCut's information remains in authorized hands, is complete, accurate, and available, and that systems are ready for use when needed. Therefore, all institutional and external personnel, as well as interns, regardless of their positions or duties, are responsible for performing their jobs in a way that ensures the protection of information within the institution.
In addition to ensuring that ThinkCut's information is complete, accurate, and available, all personnel must comply with the confidentiality clauses in their employment contracts and the institution's business ethics principles.
ThinkCut commits to taking measures as outlined in the Personal Data Protection Law and working in full compliance with the Personal Data Protection Policy.
3. Policy Ownership and Guidance in Information Security
The functional ownership of this policy, all standards, and other supporting documents and training activities will be carried out by Information Security Managers. These managers will also serve as advisors and guides for the implementation of the policy throughout the institution.
Information Security Managers will ensure that all employees receive appropriate training to raise awareness about Information Security and will provide guidance in addressing information security incidents. When necessary, they will support this policy with detailed standards, procedures, and processes, ensuring they are ready for use as needed. They are also responsible for ensuring that all employees (permanent or temporary) and contractor personnel are informed about this policy and its requirements.
The IT Manager is responsible for establishing and maintaining the general management framework related to Information Security and ensuring that this policy is reviewed regularly to reflect the current operational needs, risks, and threats to corporate information and information systems.
Information Security policies are reviewed at least once a year in parallel with asset and risk updates to reflect the current risks to ThinkCut information assets. Information Security Policies are updated with necessary additions to control new risks and changes in risks. Any employee can request changes to the policies to better reflect the controls required by the institution. Such requests will be addressed and evaluated by the Information Security Management.
The principles of the Information Security Policy should be applied in parallel with ThinkCut's Human Resources personnel rules. Employees are also responsible for being aware of and complying with the Information Security Policy principles.
4. Auditing, Compliance with Policies, and Resolving Non-Compliance
Each unit manager is primarily responsible for taking the necessary measures to ensure compliance with the Information Security Policy and monitoring the system.
The Information Security Management is responsible for the periodic audit of compliance with all published policies and procedures, including the main Information Security Policy, and for reporting to relevant parties.
Violations of the Information Security Policy can cause ThinkCut to suffer damages due to the lack of needed controls against risks and may also result in criminal liability under the new Turkish Penal Code. They can lead to disciplinary actions up to termination of employment and to the initiation of judicial and criminal legal proceedings. Therefore, such violations are also considered violations of the institution's Personnel Regulations, potentially resulting in disciplinary actions. Any detected violations, whether through monitoring, auditing, or reporting, may lead to internal disciplinary actions up to and including termination and initiation of judicial and criminal proceedings.
Working together to implement this policy will help continuously protect our information and reputation and ensure the continued success of our business.
5. Information Security Policy
Through Information Security, ThinkCut aims to protect the institution's reputation, reliability, and information assets, and to ensure the continuity of basic and supporting business activities with minimal interruption, by:
- Protecting the confidentiality, integrity, and accessibility of information assets processed, stored, and shared with other organizations,
- Managing information assets, determining the security values, needs, and risks of the assets, developing and continuously improving the management system established to implement controls for security risks,
- Determining continuous improvement needs and opportunities by assessing risks arising from activities in line with the institution's vision and mission,
- Keeping up with and following technological developments and changes within the scope of the services provided,
- Ensuring business continuity by reducing the impact of information security risks,
- Complying with national and international regulations, legal and relevant legislative requirements, obligations arising from agreements, and corporate responsibilities towards internal and external stakeholders,
- Having the competence to quickly respond to information security incidents and minimize the impact of the incident,
- Maintaining and improving the level of information security over time with a cost-effective control infrastructure,
- Enhancing the institution's reputation, protecting it from negative impacts based on information security,
- Safeguarding personal data within the scope of the Personal Data Protection Law,
- Conducting training to enhance employees' information security awareness and competencies, providing the necessary support, and integrating with other management systems to be an exemplary organization in the sector.
Every ThinkCut employee is responsible for contributing to these goals.