Information & Quality Security Policy

1. Scope and Purpose of the Policy

Across Opinion's services, the core theme of the systems established to the ISO/IEC 27001:2022 Information Security Management System (ISMS) standard is to demonstrate that information security management is ensured across people, infrastructure, software, hardware, customer information, organizational information, all business operations, third-party information and financial resources; to safeguard quality and risk management; to measure the process performance of information and quality security management; and to regulate relationships with third parties on matters related to quality, information security and customer satisfaction.

Accordingly, the purpose of our ISMS Policy is to protect Opinion's information assets against all kinds of threats that may arise internally or externally, knowingly or unknowingly; to provide appropriate access to information through business processes; to meet legal and regulatory requirements; and to carry out activities aimed at continual improvement.

2. The Three Core Elements of Information Security

We commit to ensuring the continuity of the three core elements of the Information Security Management System across all activities carried out:

• Confidentiality: Preventing unauthorized access to critical information.
• Integrity: Demonstrating that the accuracy and integrity of information are maintained.
• Availability: Demonstrating that authorized parties can access information whenever required.

3. Leadership and Commitment

Our company's top management leads the establishment and implementation of the ISMS and provides high-level participation in ISMS practices. We commit to addressing the security not only of data held in electronic form, but of all data in written, printed, verbal and similar forms.

4. Our Policy Commitments

As top management, we commit to the following:

• Protecting Opinion's information assets against all kinds of threats that may arise internally or externally; providing appropriate access to information through business processes.
• Meeting legal and regulatory requirements and carrying out activities aimed at continual improvement.
• Raising awareness by providing Information Security Management training to all personnel.
• Reporting all actual or suspected vulnerabilities in information security to the ISMS Team and ensuring they are investigated by the ISMS Team.
• Preparing, maintaining and testing business continuity plans.
• Identifying current risks through periodic information security assessments; reviewing and following up on action plans based on the assessment results.
• Preventing all kinds of disputes and conflicts of interest that may arise from contracts.
• Meeting business requirements for information accessibility and information systems.

5. Important Note on MINA Platform Data

Within the scope of the MINA platform (TIS hospital / SIT insurance), Opinion AI does not collect, process or store any patient, clinical or operational data. For such data, the data controller role belongs to the institution (hospital / insurance company), and the data remains within the institution's own infrastructure. This policy concerns the management of Opinion AI's own corporate information assets and service processes.