To establish the criteria for Microsyslabs S.A.S as the controller and processor (for wolkvox clients) of personal data, to collect, store, use, circulate, transfer, update, and delete information as authorized by the data subject and for the purposes established by the entity.

For the purpose of understanding this policy and in accordance with legal regulations, the following definitions, contained in Law 1581 of 2012, will apply:

Authorization: The prior, express, and informed consent of the Data Subject to carry out the Processing of personal data.

Privacy notice: Verbal or written communication generated by the Data Controller, directed to the Data Subject for the processing of their personal data, informing them about the existence of the information processing policies applicable to them, how to access them, and the purposes of the processing intended for the personal data.

Database: An organized set of personal data that is subject to Processing.

Personal data: Any information related to or that can be associated with one or more identified or identifiable natural persons.

Public data: Data classified as such according to the mandates of the law or the Political Constitution and those that are not semi-private, private, or sensitive. Public data includes, among others, data relating to the civil status of individuals, their profession or occupation, their status as a merchant or public servant, and those that can be obtained without any reservation. By their nature, public data may be contained, among others, in public registers, public documents, official gazettes and bulletins, and duly executed court judgments that are not subject to confidentiality.

Private data: Data that, due to its intimate or reserved nature, is only relevant to the Data Subject.

Sensitive data: Sensitive data refers to data that affects the privacy of the Data Subject or whose misuse may lead to their discrimination. This includes data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in trade unions, social organizations, human rights organizations, or promoting the interests of any political party or guaranteeing the rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data.

Employee: Any natural person who provides services to the Company under an employment contract.

Data Processor: A natural or legal person, public or private, who, on their own or in conjunction with others, carries out the Processing of personal data on behalf of the Data Controller.

Data Controller: A natural or legal person, public or private, who, on their own or in conjunction with others, decides on the database and/or the Processing of data.

Data Subject: The natural person whose personal data is subject to Processing.

Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion of such data.

Suppliers: Any natural or legal person who provides services to the Company under a contractual/obligational relationship.

Transfer: Refers to the sending, by the Company as the data controller or a processor, of data to a third party or natural/legal person (recipient), within or outside the national territory, for the effective processing of personal data.

Transmission: The Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia, when it aims to carry out processing by the processor on behalf of the data controller.

For terms not included in the above list, please refer to the current legislation, especially Law 1581 of 2012 and Decree 1377 of 2013, interpreting the terms in accordance with the meaning used in said regulations when there is doubt about their definition.

The policy and procedures contained in this document apply to the various areas that make up the company and are part of the processing of personal data. They cover databases and/or files that contain personal and/or sensitive data, whether digital or physical, that are susceptible to processing.

Microsyslabs S.A.S, identified with NIT 900663379-5, with its main address at Carrera 30 #4A – 45 Office 205 Ed. Forever W&L, Medellín, Colombia; website: www.wolkvox.com, email: [email protected], phone number +57(604)322-9880, has designated the Information Security and Continuity Risk Leader as the role responsible for enforcing regulations and these policies for the processing of personal data.

This Personal Data Processing Policy is addressed to active and inactive personnel, contractors, clients, and other individuals who have had any type of relationship with Microsyslabs and whose personal data is included in the Company’s Databases.

This policy is mandatory for Microsyslabs as the data controller, as well as for the processors who process personal data on behalf of the company, in accordance with the obligations established in Law 1581 of 2012, Title IV, Articles 17 and 18.

For the purpose of ensuring the protection of personal and sensitive data, Microsyslabs will apply harmoniously and comprehensively the guiding principles of Law 1581 of 2012:

• Principle of legality in data processing: The processing referred to in this law is a regulated activity that must comply with the provisions established in it and in other regulations that develop it.

• Principle of purpose: The processing must be carried out for a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.

• Principle of freedom: The processing can only be carried out with the prior, express, and informed consent of the Data Subject. Personal data cannot be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that exempts consent.

• Principle of truth or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.

• Principle of transparency: The Data Subject has the right to obtain from the data controller or the data processor, at any time and without restrictions, information about the existence of data concerning them.

• Principle of restricted access and circulation: The processing is subject to the limits derived from the nature of personal data, the provisions of this law, and the Constitution. In this sense, the processing may only be carried out by persons authorized by the Data Subject and/or by persons provided for in this law. Personal data, except for public information and the authorization granted by the data subject, may not be available on the Internet or other mass communication or disclosure media, unless access is technically controllable to provide restricted knowledge only to the Data Subjects or authorized third parties under this law.

• Principle of security: The information subject to processing by the data controller or the data processor referred to in this law must be protected using technical, human, and administrative measures necessary to provide security to the records, preventing their alteration, loss, consultation, unauthorized or fraudulent use, or access.

• Principle of confidentiality: All persons involved in the processing of personal data that do not have the nature of public data are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing. They may only provide or communicate personal data when it corresponds to the development of activities authorized by this law and in accordance with its terms.

PARAGRAPH: The Data Subject may refuse to authorize the processing of their sensitive, personal, and semi-private data.

With prior and/or at the time of collecting personal data, Microsyslabs will request authorization from the data subject to collect and process their data, which must be obtained through any means or mechanisms, including electronic ones, that can be consulted later, in accordance with the law.

In accordance with the principles of purpose and freedom, data collection should be limited to personal data that is relevant and appropriate for the purposes for which it is collected or required by current regulations and as stated in this policy. Except in cases expressly provided for by law, personal data may not be collected without the data subject’s authorization.

PARAGRAPH 1: The data subject’s authorization will not be necessary in accordance with the grounds established in Article 10 of Law 1581 of 2012.

PARAGRAPH 2: The data subject may at any time request Microsyslabs, as the data controller, to delete their personal data and/or revoke the authorization granted for its processing, for which the designated channels provided in Section 18 of this Policy may be used.

Microsyslabs may process personal, private, and/or sensitive data for the following purposes, as well as those expressed in the law:

• Execute the existing contractual relationship with customers and suppliers, including national and international commercial management, purchases and sales, as well as storing their history, offering new or improved products and services, and developing customer loyalty strategies.

• Execute the contractual relationship with employees, including personnel management, time control, staff training, payroll, temporary work management, occupational risk prevention, promotion and employment management, personnel selection, storage of images and diagnostic tests, declaration and payment of social security contributions, inspection and control of safety and social protection.

• Perform background checks, including judicial records, controller and procurator certifications, Simit, Clinton List, employment references, and educational certificates.

• Provide information and notify about services, new products or services, and/or changes to them and/or products requested by users.

• Evaluate the quality of products and services.

• Send commercial, advertising, or promotional information through physical mail, email, cell phone or mobile device, text messages (SMS and/or MMS), or any other analog and/or digital communication medium created or to be created, with the purpose of promoting, inviting, directing, executing, informing, and generally conducting commercial or non-commercial campaigns, promotions, or contests carried out by Microsyslabs and/or third parties.

• Commercialization of data.

• Management of cultural, recreational, sports, social, educational, training, and similar events, as well as associated certification processes.

• Customer/citizen support (Complaints and Claims Management).

• Internal statistics management and decision-making support systems, sociological and opinion surveys, profile analysis, and advertising.

• Provision of communication services.

• Marketing, e-commerce, and publications.

• Document registration and filing.

• Development of accounting, fiscal, administrative, and economic management, as well as inventory control, collections and payments, invoicing, and handling and monitoring of judicial or administrative requirements.

• Public debt management, treasury, tax management, and collection.

• Judicial procedures.

• Security and access control to Microsyslabs facilities.

• Promotion and prevention programs.

• Data update campaigns and information on changes in the processing of personal data.

• Custody and management of information and databases.

• Data verification and references, legal, technical, and/or financial requirements.

• Information Systems administration, password management, user administration, etc.

• Sending information to data subjects related to the organization’s purpose.

• Sharing, sending, or delivering personal data to Microsyslabs’ affiliated, related, or subsidiary companies located in Colombia or any other country if such companies require the information for the purposes indicated here.

The data subjects, either directly or through their representative and/or attorney-in-fact or their successors, may exercise the following rights with respect to their personal data that is processed by Microsyslabs, in accordance with Article 8 of Law 1581 of 2012:

• To know, update, and rectify their personal data in front of the data controllers or data processors. This right can be exercised, among others, in relation to partial, inaccurate, incomplete, fragmented, misleading data, or data whose processing is expressly prohibited or has not been authorized.
• To request proof of the authorization granted to the data controller, unless it is expressly exempted as a requirement for processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.
• To be informed by the data controller or data processor, upon request, about the use that has been made of their personal data.
• To lodge complaints with the Superintendence of Industry and Commerce for violations of the provisions of Statutory Law 1581 of 2012, its decrees, regulatory norms, and other norms that modify, add to, or complement it.
• To revoke the authorization and/or request the deletion of the data when the processing does not comply with constitutional and legal principles, rights, and guarantees. The revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce has determined that the data controller or data processor have engaged in conduct contrary to the provisions of Law 1581 of 2012 and the Constitution.
• To access, free of charge, their personal data that has been subject to processing.

PARAGRAPH: According to the provisions of Article 20 of Decree 1377 of 2013, which partially regulates Law 1581 of 2012, the rights of the data subjects established in the Law may be exercised by the following persons:

Microsyslabs is obligated to comply with the duties established in Law 1581 of 2012 for data controllers and data processors. Therefore, the following obligations must be fulfilled:

10.1.1 Duties as Data Controller, Article 17 of Law 1581 of 2012:

• Ensure that data subjects can fully and effectively exercise their right to habeas data at all times.
• Request and keep, under the conditions provided in this policy, a copy of the respective authorization granted by the data subject.
• Provide clear and sufficient information to the data subject regarding the purpose of the data collection and the rights granted to them by virtue of the authorization.
• Safeguard the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent access, or use.
• Ensure that the information provided to the data processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.
• Update the information when necessary and inform the data processor of any changes regarding the data previously provided.
• Rectify personal data when necessary and communicate such rectification to the data processor.
• Provide the data processor, as appropriate, with only the data whose processing has been previously authorized.
• Require the data processor to respect and comply with the security and privacy conditions of the data subject’s information.
• Process queries and complaints in accordance with the terms set forth in this policy.
• Adopt an internal manual of policies and procedures to ensure compliance with Law 1581 of 2012 and to address queries and complaints.
• Inform the data processor when certain information is under dispute and the process has not been concluded.
• Inform the data subject, upon request, about the use of their data.
• Report to the data protection authority any security breaches or risks in the management of the data subjects’ information.
• Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

10.1.2 Duties as Data Processor, Article 18 of Law 1581 of 2012:

• Ensure that data subjects can fully and effectively exercise their right to habeas data at all times.
• Safeguard the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent access, or use.
• Timely carry out the updating, rectification, or deletion of data.
• Update the information reported by the data controllers within five (5) business days from its receipt.
• Handle queries and complaints from data subjects in accordance with the terms established in this policy.
• Adopt an internal manual of policies and procedures to ensure compliance with the law, especially regarding the handling of queries and complaints from data subjects.
• Record the phrase “claim in progress” in the database as established in this policy.
• Insert the phrase “information under judicial discussion” once notified by the competent authority about judicial processes related to the quality of personal data.
• Refrain from circulating information that is being disputed by the data subject and has been blocked by the Superintendence of Industry and Commerce.
• Only allow authorized personnel access to the information. Report to the Superintendence of Industry and Commerce any security breaches or risks in the management of the data subjects’ information.
• Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

FIRST PARAGRAPH: If acting as a data processor on behalf of another entity or organization (data controller), it must be established that the data controller is authorized to provide the personal data that will be processed by the data processor.

SECOND PARAGRAPH: If processing data through an external data processor, it shall be considered a Data Transmission relationship, for which the scope of data processing and the activities to be carried out by the data processor on behalf of the data controller, as well as the obligations to the data subject and data controller, must be indicated.

According to the provisions of Article 25 of Decree 1377 of 2013, “the data processor undertakes to comply with the obligations of the data controller under the Information Processing Policy established by the latter and to process the data in accordance with the purpose authorized by the data subjects and the applicable laws.”

According to the content of Article 4 of Decree 1377 of 2013, the collection of personal data will be limited to those that are relevant and appropriate for the purposes established by Microsyslabs or by current regulations.

Microsyslabs may collect data, subject to obtaining the Data Subject’s Authorization, from:

• Physical and/or digital documents provided by the data subjects to Microsyslabs’ data processors.

• Telephone recordings.

• Emails.

• Data obtained from video surveillance systems, both within and outside Microsyslabs’ premises, which will be used for security purposes and as evidence in any type of process.

The personal data provided by the data subjects for the purposes stated herein will not be sold, licensed, transmitted, transferred, or disclosed, except when:

• There is express authorization to do so.

• It is necessary to enable contractors or business agents to sell goods and/or provide entrusted services.

• It is necessary to provide our services and/or products.

• It is necessary to disclose to entities that provide marketing services on behalf of Microsyslabs or to other entities with which joint marketing agreements exist.

• The information is related to a merger, consolidation, acquisition, divestment, or other corporate restructuring process.

• It is required or permitted by law.

Microsyslabs may subcontract third parties for the processing of certain functions or information. In such cases, when personal information is provided to third-party service providers, Microsyslabs will inform them of the need to protect such personal information with appropriate security measures. Furthermore, the use of the information for their own purposes and the disclosure of personal information to others will be prohibited, except in cases where there is express authorization from the data subject.

The Company acknowledges that employees under its charge and shareholders have the right to a reasonable expectation of privacy, taking into account their responsibilities, rights, and obligations with the company.

In the related information, data considered sensitive under Law 1581 of 2012 and Decree 1377 of 2013 may be found, regarding which the Data Subject has the rights established in said laws and any subsequent additions, substitutions, or modifications.

In accordance with the relationship established between the data subject and the Company, the following information will be collected, stored, used, and transferred to companies located within and outside of Colombia. Such personal data and information include, among others:

12.1. From Customers and Suppliers:

1. Name or business name, identification number or NIT with verification digit, place of domicile, address, telephone numbers, fax, email.
2. Name of the general manager or legal representative and address, telephone numbers, fax, email.
3. Name of the sales manager or coordinator, address, telephone numbers, fax, email.
4. Name of the assigned person for debt collection, email.
5. Business operating time.
6. Tax information.
7. Banking information, including the account holder’s name, bank account number, and bank name or code.
8. Financial information.

12.2. From Employees:

1. Worker and Family Group: name, identification, address, telephone, spouse’s name and children’s names, children’s names and identification, medical history, social security affiliations, medical policy, age, date of birth, education information, health status, medications used, medical authorizations, participation in recreation and sports activities.
2. Curriculum vitae, education, experience, affiliations with entities, affiliations with companies.
3. Salary and other payments.
4. Payroll deductions.
5. Pension contributions.
6. Contributions to AFC, voluntary pension funds, food vouchers.
7. Legal proceedings, seizures.
8. Debts to cooperatives.
9. Authorization for deductions.
10. Benefits throughout their work life.
11. Employment contract and changes in the employment contract.
12. Association with employers.
13. Worker’s employment history.
14. Payment of allowances and benefits.
15. Worker’s beneficiaries for the payment of allowances and benefits.
16. Affiliation with EPS (Health Promoting Entity), pension fund, Occupational Risk Administrators, Compensatory Fund.
17. Received training.
18. Psychological evaluation report.
19. Occupational medical history of the worker.
20. Work-related accidents.
21. Photographic records.
22. Annual competency evaluation.

12.3. From Shareholders:

1. Names, surnames, type and number of identification document, marital status, email address, telephone numbers, date of birth, gender, number of children, education, profession.
2. Emergency contacts (names, address, telephone numbers, etc.).
3. Mailing address, residential address, workplace address, position, visa information, nationality, country of residence, etc.
4. Health information (such as vaccination history, illnesses, complications, allergies, etc.).

In the event that Microsyslabs is unable to provide the data subject with this information processing policy, a privacy notice will be published. The text of the notice will be kept for future reference by the data subject and/or the Superintendence of Industry and Commerce. The privacy notice will be made available on the website www.wolkvox.com and on the bulletin boards at Microsyslabs’ premises.

Microsyslabs may only collect, store, use, or disclose personal data for as long as is reasonable and necessary, in accordance with the purposes that justified the processing, taking into account applicable legal provisions and the administrative, accounting, tax, legal, and historical aspects of the information. Once the purposes of the processing have been fulfilled and without prejudice to any legal provisions to the contrary, Microsyslabs will proceed to delete the personal data in its possession. However, personal data must be retained when required to fulfill a legal or contractual obligation.

The areas responsible for the processing of data according to their purpose and scope will be responsible for addressing the requests, complaints, and claims made by the data subject in the exercise of the rights set forth in section 10 of this policy. This service will be subject to the procedure outlined in section 18 of this policy.

The data subject or their representative may submit their request, complaint, or claim from Monday to Friday, from 7:00 a.m. to 6:00 p.m., to the email address [email protected]. They can also call Microsyslabs’ telephone line in Medellín at +57(604)322-98-80 and in Bogotá at +57(601) 381-9040, or submit it in person at the physical address in Medellín: Carrera 30 # 4A – 45 Office 205 Ed. Forever W&L, Bogotá: Calle 26 # 69-76 Tower 3 Office 1204 Ed. Elemento, or through the website www.wolkvox.com.

The request, complaint, or claim should contain:

• Identification of the data subject.
• Contact information: phone number, mobile number, address, email.
• Description of the facts that give rise to the claim.
• Supporting documents.

If the claim is incomplete, the interested party will be given a period of five (5) days from the receipt of the claim to remedy the deficiencies.

If two (2) months have passed since the date of the request, and the applicant has not provided the requested information, it will be understood that they have withdrawn the claim.

If the recipient of the claim is not competent to resolve it, they will forward it to the appropriate person within a maximum period of two (2) business days and inform the interested party of the situation.

Once the complete claim is received, a note stating “claim in progress” and the reason for it will be included in the corresponding database within a period not exceeding two (2) business days. This note must be maintained until the claim is resolved.

The maximum period for addressing the claim will be fifteen (15) business days, starting from the day following its receipt. If it is not possible to address the claim within this timeframe, the reasons for the delay and the date by which the claim will be addressed will be informed to the interested party. In no case shall this date exceed eight (8) business days following the expiration of the initial period.

The data subject may request Microsyslabs, as the data controller, at any time the deletion of their personal data and/or revoke the authorization they have granted for the processing of such data, by submitting a claim in accordance with Article 15 of Law 1581 of 2012.

However, it is important to note that your request for the deletion of information and the revocation of authorization will not be granted if, as the data subject, you have a legal or contractual obligation that requires your data to remain in Microsyslabs’ database.

Microsyslabs has established accessible and free mechanisms for data subjects to submit requests for the deletion of their data or the revocation of the granted authorization. These mechanisms are detailed in Section 18 of this Policy.

If, after the period specified in Section 18, Microsyslabs, as the data controller, fails to delete your personal data from its databases, you have the right to request that the Superintendence of Industry and Commerce order the revocation of the authorization and/or the deletion of your personal data. For this purpose, the procedure described in Article 22 of Law 1581 of 2012 will be applied.

In accordance with the provisions of numeral 3 of article 10 of Regulatory Decree 1377 of 2013, Microsyslabs will proceed to publish a notice aimed at data subjects to inform them about this information processing policy and the way to exercise their rights as data subjects whose personal data is stored in Microsyslabs’ databases. This notice will be published on the website www.wolkvox.com.

The Personal and Sensitive Data Handling Policy (Habeas Data) was created and published on April 3, 2019.

Any changes to this policy will be communicated through the website www.wolkvox.com or the email address [email protected]. For those who request information directly at the offices in Medellín: Carrera 30 # 4A – 45 Office 205 Ed. Forever W&L, Bogotá Calle 26 # 69-76 Tower 3 Office 1204 Ed. Elemento.

This policy can be accessed through the Wolkvox website portal: https://www.wolkvox.com/politicas-de-tratamiento-datos-personales/

The translation of the provided text is as follows:

“The review of this policy will be conducted whenever there is a modification in the laws and/or regulatory decrees related to it. Likewise, administrative decisions established by the SIC will be monitored in order to make the necessary adjustments to comply with the regulations.”

Based on Law 1581 of 2012 and Decree 1377 of 2013.