Information Security Policy

Version 2.0. Last updated 2025-09-23.

Introduction

This Information Security Policy defines how Connectel AB manages information security across its organization. Its purpose is to demonstrate the company’s commitment to protecting the confidentiality, integrity, and availability of information assets.

Purpose

The purpose of this policy is to:

  • Protect all information assets, whether processed by humans or systems
  • Ensure compliance with legal, regulatory, and contractual obligations
  • Maintain customer trust by safeguarding their information
  • Support the implementation, maintenance, and continual improvement of Connectel’s Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2022

Scope

This policy applies to:

  • All Connectel employees, consultants, contractors, and third parties accessing Connectel systems or information
  • All information assets, including digital, physical, and intellectual property
  • All systems, networks, cloud services, and devices used for information processing

Information Security Statement

Connectel is a CPaaS (Communication Platform as a Service) company, and information processing is fundamental to its operations. Protecting the security of information is critical to achieving business objectives, maintaining compliance, and sustaining customer trust.

Governance and Responsibilities

Information Security Group (ISG)

  • The ISG is responsible for managing information security across all systems, maintaining and implementing security measures, incident response, performing risk assessments, and reviewing policies.
  • The ISG ensures awareness, permissions management, and adherence to best practices.
  • The Data Protection Officer (DPO) is a member of the ISG, overseeing privacy compliance.
  • ISG members and the DPO are appointed by the Board and reviewed annually.

Management Commitment

Top management fully supports the implementation and continual improvement of the ISMS. Adequate resources are allocated to achieve security objectives and foster a strong security culture.

Employee Responsibility

  • Employees must follow security policies, procedures, and workflows.
  • Confidential information must not be disclosed to unauthorized parties.
  • Misuse of systems or information may result in disciplinary actions.

Information Security Culture

Connectel promotes a culture of information security awareness, ensuring employees understand risks and their responsibilities.

Information Security Framework

Access Control

Access and privileges are assigned based on the principle of least privilege, in accordance with internal policies for access control and privileges.

Acceptance of Information Systems and Assets

All new information systems and assets must be reviewed and approved by internal processes and procedures before use.

Business Continuity & Disaster Recovery

Connectel maintains tested continuity and recovery plans to ensure resilience in the event of disruptions.

Change Control

All changes to systems, applications, or assets require review and approval by internal processes and procedures before production deployment.

Cryptography

All confidential and sensitive information must be protected using strong encryption whenever it is stored (at rest) or transmitted over any network (in transit). Encryption methods and key management practices must comply with the organization’s Cryptography Policy, ensuring that data remains secure against unauthorized access, interception, or disclosure throughout its lifecycle.

Mobile Devices

Connectel recognizes that mobile devices, including laptops, tablets, and smartphones, are essential tools for employees and contractors. To ensure the confidentiality, integrity, and availability of information processed or stored on these devices, Connectel has established internal procedures and policies that govern their secure use.

These procedures and policies include:

  • Maintaining a comprehensive inventory of all mobile devices issued or authorized for use
  • Enforcing security configurations, such as strong authentication, encryption, and remote lock and wipe capabilities
  • Managing the device lifecycle, including onboarding, transfers, and secure decommissioning
  • Providing guidance and training to users to prevent theft, unauthorized access, and data exposure

All employees, contractors, and other authorized users are required to follow these procedures and policies. Non-compliance may result in disciplinary action and could compromise Connectel’s ability to protect its information assets.

Incident Reporting and Management

All security incidents, including suspected breaches, vulnerabilities, or any unauthorized access to information or systems, must be reported immediately through the established reporting channels. Once reported, each incident will be formally assessed, investigated, and managed according to the organization’s Incident Response Procedure.

Information Classification

Information is classified based on risk assessment to determine appropriate handling and protection measures.

Information Risk Assessment

Risks are identified, assessed, and assigned ownership following the Risk Assessment Procedure. Risk reviews are conducted continuously.

Non-Disclosure Agreements (NDA)

All employees, consultants, customers, and vendors must sign NDAs before exchanging sensitive information.

Network, Communication, and Physical Security

Connectel ensures that both network and physical access to information systems and assets are restricted, monitored, and controlled to protect the confidentiality, integrity, and availability of information.

Key requirements include:

  • Secure Remote Access: Employees, contractors, and third parties must use approved secure access methods, including VPNs and IP whitelisting, in accordance with the Remote Worker Policy.
  • Physical Security: Access to offices, data centers, and other facilities housing information systems is controlled and monitored. Physical security measures for cloud providers are assessed during vendor evaluations to ensure adequate protection.
  • Monitoring and Enforcement: Access logs and security controls are maintained to detect and respond to unauthorized access attempts.

Training & Awareness

Employees receive ongoing training to ensure understanding and compliance with information security policies.

Vendors & Cloud Providers

Connectel ensures that all vendors, suppliers, and cloud infrastructure providers meet the organization’s information security requirements before being allowed to process or store company information.

All vendors and cloud providers are assessed for security, operational practices, and compliance with relevant laws and regulations. Contracts include clear obligations for confidentiality, access control, and data protection.

Cloud providers must demonstrate secure management of their services, and responsibilities for security controls are clearly defined between Connectel and the provider. Risks related to vendors and cloud services are continuously monitored, and reassessments are conducted periodically.

Procedures are in place for the secure onboarding, management, and decommissioning of all vendors and cloud providers to ensure that information remains protected throughout the relationship.

Compliance and Enforcement

  • All employees, contractors, and third parties must adhere to this policy.
  • Non-compliance may result in disciplinary actions and/or contractual remedies.
