Security and Cybersecurity Policy

(Applicable to Clients, Service Providers, Employees, Suppliers, and Subcontractors)

1. Object and Scope

1.1. This Policy defines principles, standards, and procedures to ensure the confidentiality, integrity, and availability of the information and digital systems of Curiosidade Plena Unipessoal Lda. and the Holistic Travel Plan (HTP) Platform. It serves as a mandatory reference for employees, providers, and suppliers who handle such information or systems.

1.2. It applies to Clients, Providers, Employees, Suppliers, and Subcontractors, including entities outside the European Union, which must adopt equivalent measures in accordance with the GDPR and contractual clauses.

1.3. It covers the web platform, mobile applications, servers, networks, corporate emails, backups, storage, and associated physical infrastructures.

1.4. This Policy complements internal technical standards and continuity and recovery plans (BCP and DRP).

2. Fundamental Principles

2.1. Compliance with GDPR, Law 58/2019, NIS2 Directive, ISO/IEC 27001, and 27701.

2.2. Protection against unauthorized access, loss, destruction, alteration, or improper disclosure.

2.3. Assurance of traceability and accountability for all operations.

2.4. Immediate response to incidents, with mandatory notification to the CNPD and affected data subjects within 72 hours when a high risk is identified.

2.5. Integration with periodic audits and performance reports to ensure continuous improvement.

3. Responsibilities (RACI Matrix)

3.1. Data Protection Officer (DPO):

• Coordinates legal notifications and communication with supervisory authorities.
• Oversees compliance with the GDPR, Law 58/2019, and other applicable regulations.
• Validates exceptions and approves amendments to this Policy, ensuring alignment with legal and security requirements.

3.2. IT Team:

• Executes containment, mitigation, and technical analysis of incidents and vulnerabilities.
• Conducts periodic security tests (including penetration tests and vulnerability scans).
• Ensures the implementation and continuous monitoring of the technical and organizational measures defined in this Policy.

3.3. Management:

• Approves changes to security policies and authorizes duly justified exceptions.
• Oversees crisis management and makes strategic decisions in the event of serious incidents.
• Defines spokespersons and formal representatives for public and institutional communication.

3.4. Employees and Authorized Users:

• Must fully comply with this Policy and all complementary guidelines.
• Are required to report incidents, vulnerabilities, or suspicious behavior through official reporting or technical support channels.
• Must participate in mandatory security training and refreshers as defined by the company.

3.5. Service Providers, Suppliers, and Subcontractors:

• Must fully comply with this Policy and all applicable contracts.
• Must cooperate in investigations and implementation of corrective measures when necessary.
• Are subject to audits and compliance checks and may face sanctions, including contract termination and reporting to authorities, in case of non-compliance.

4. Privileged Access Management and Insider Threats

4.1. Strict control for administrative and superuser accounts, including multi-factor authentication, mandatory credential rotation every 90 days, and prohibition of generic accounts.

4.2. Mandatory quarterly audits of all privileged accesses, with documented reports submitted to management.

4.3. Continuous logging and monitoring of all activities performed by privileged accounts, with centralized and auditable logs for internal and external audits.

4.4. Creation, modification, or removal of privileged accounts may only occur upon formal authorization by Management or the DPO, with documented justification and validity period.

4.5. Implementation of detection and mitigation measures for insider threats, including investigation protocols, preventive suspension, and notification of competent authorities when necessary.

5. Change Management

5.1. All changes to systems, networks, applications, and technological infrastructures must be formally recorded, evaluated, tested, and approved before implementation. The record must include: requester, reason, expected impact, responsible parties, and planned date.

5.2. Mandatory segregation of duties: the person approving the change may not be the same person implementing it, ensuring greater impartiality and control.

5.3. Critical changes (affecting security, privacy, availability, or continuity) require a mitigation plan and prior internal communication, which may include simulations or contingency tests before implementation.

5.4. All changes must be validated after implementation through functional tests and verification to ensure no vulnerabilities or operational failures were introduced.

5.5. Quarterly reviews will be carried out on critical changes to assess cumulative impacts and ensure compliance with this Policy.

6. Physical Infrastructure Protection

6.1. Physical access is restricted to all areas where data are processed or stored, including data centers, server rooms, and critical offices. Only authorized employees and technicians may access these areas, subject to identification and registration.

6.2. Access logs and continuous surveillance: all entries and exits must be recorded in auditable logs, with 24-hour surveillance systems and alarms for detecting unauthorized access.

6.3. Controlled visits: visitors, service providers, and external technicians may only enter upon prior authorization, with formal registration and accompaniment by authorized personnel throughout their stay.

6.4. Power redundancy and environmental protection: critical infrastructures must have redundant power sources (UPS and generators) and systems for protection against fire, flooding, and other physical or environmental threats.

6.5. Audits and periodic testing: physical security measures must be tested and audited at least every six months to verify their effectiveness and compliance with this Policy.

7. Technical and Organizational Measures

7.1. Controlled access: Mandatory multi-factor authentication, role-based profile segregation, and semi-annual review of all granted permissions, with documented changes.

7.2. Encryption: Use of strong encryption standards (AES-256 and TLS/SSL) for the protection of data at rest and in transit, applicable to all systems and authorized devices.

7.3. Encrypted daily backups: Storage in certified data centers, with regular integrity and recovery tests duly documented.

7.4. Centralized monitoring and logs: Continuous recording of access and critical events, with periodic audits and minimum retention in accordance with legislation and internal audits.

7.5. Active system protection: Firewalls, antivirus, intrusion detection, and regular updates of protection and monitoring software.

7.6. Vulnerability management: Patches and fixes must be applied within 72 hours for critical flaws, according to a formal update schedule and risk-based prioritization, with documented reports.

7.7. Penetration testing and vulnerability scanning: Conducted at least semi-annually by internal teams or certified external providers, with mandatory reports and action plans.

7.8. Network and Wi-Fi segmentation: Dedicated networks for operations and guests, with strict isolation; corporate devices must have automatic lock, encryption, and centralized management.

7.9. BYOD (Bring Your Own Device) management: Personal devices may only access corporate systems with formal authorization, updated antivirus, encryption, and remote management enabled.

7.10. Protection of data on endpoints and storage devices: All equipment must ensure that decommissioned devices or storage media are wiped using certified cryptographic methods (secure wipe) or physically destroyed to prevent data recovery.

8. Information Classification and Retention

8.1. Public: Information accessible without restrictions, which can be disclosed without impact on the organization.

8.2. Internal: Information restricted to use by authorized employees and service providers, subject to basic protection and controlled access measures.

8.3. Confidential: Personal or corporate data protected by law or contracts, including sensitive financial and operational information. Must be encrypted at rest and in transit, with access only for authorized profiles.

8.4. Highly Confidential: Strategic, proprietary, or high-risk data (including intellectual property and regulated information). Access must be extremely restricted and monitored, with reinforced authentication and mandatory access logging.

8.5. Retention periods:

• Security and audit logs: minimum of 12 months, extendable by legal or contractual requirements.
• Backups: 90 days, unless a longer period is required by law or contract.
• Personal data: in accordance with applicable legislation (e.g., GDPR), to be deleted once the purpose has been fulfilled.

8.6. Secure deletion: All data and media will be erased through certified cryptographic wipe or verified physical destruction, with formal record and approval by the DPO or IT Manager.

8.7. Periodic review: The DPO, together with the IT Team, will conduct annual reviews of retention and destruction policies to ensure legal and operational compliance.

9. Supplier and Subcontractor Management

9.1. Before contracting critical suppliers and subcontractors, a formal risk assessment must be carried out, including an analysis of security practices, compliance history, and available certifications.

9.2. All suppliers with access to HTP data or systems must sign contractual clauses covering confidentiality, information security, and data protection, including specific GDPR compliance obligations where applicable.

9.3. Critical suppliers must undergo annual audits and provide security and compliance reports, as well as maintain relevant certifications such as ISO 27001, SOC 2, or equivalents.

9.4. Where applicable, suppliers will be subject to periodic security testing and independent certification, conducted by HTP or qualified third parties.

9.5. In case of non-compliance, a corrective action plan with defined deadlines will be established. If failures are serious or remain uncorrected, HTP may terminate the contract and notify clients and competent authorities as required by law.

10. Incident Management, Communication, and Recovery

10.1. Incidents are managed in six stages: detection, assessment, containment, mitigation, communication, and recovery, in a documented and auditable manner.

10.2. All employees, service providers, and authorized users have access to a formal 24-hour incident and vulnerability reporting channel and must report suspicious situations immediately.

10.3. Incidents are classified as low, medium, or critical, with maximum response times of 24 hours, 12 hours, and immediate, respectively, and are escalated according to severity.

10.4. Continuity (BCP) and Recovery (DRP) Plans: Define an RTO of 4 hours for critical services and an RPO of 30 minutes for databases, to be reviewed and tested annually based on metrics and simulations.

10.5. Documented escalation flow: Technical incidents escalate from the IT Team to Management, with immediate reporting to the DPO whenever personal data or legal notification obligations are affected.

10.6. Mandatory reports and lessons learned: Each incident must generate a documented report, including root cause analysis, impact, and future prevention plan, approved by Management.

10.7. Annual crisis simulations (‘war games’), involving critical suppliers, to test joint response and contingency plan effectiveness.

10.8. Designated spokespersons and formal representatives are responsible for managing communication with the media, authorities, partners, and users in serious incidents.

10.9. External and public communication plans: Include impact reports, mandatory notices to affected clients and users, and formal notification to competent authorities (including the CNPD), where applicable.

11. Continuous Monitoring, Metrics, and KPIs

11.1. HTP performs continuous monitoring of performance indicators (KPIs) related to information security and cybersecurity, including:

• Total number and severity of recorded incidents;
• Average response and resolution time for incidents;
• Percentage of employees and providers who have completed mandatory training;
• Frequency of penetration tests, audits, and system updates;
• Operational risk metrics associated with suppliers and critical systems.

11.2. Annual performance goals and thresholds are defined, such as:

• Resolution of critical incidents within 4 hours;
• Completion of mandatory training by at least 95% of employees and providers;
• Correction of critical vulnerabilities within 72 hours.

11.3. Monitoring will take place monthly through internal reports and quarterly through presentations to Management.

11.4. Whenever KPIs fall below defined thresholds, mandatory corrective actions will be implemented, with follow-up plans and defined deadlines.

11.5. The results of metrics and reports will be integrated into internal and external audits, serving as the basis for reviewing and continuously improving this Policy and security procedures.

12. Testing, Training, and Simulations

12.1. HTP conducts semi-annual tests and simulations to assess operational resilience, including phishing scenarios, DDoS attacks, critical system failures, and disaster recovery.

12.2. All tests and simulations must have results recorded, analyzed, and documented, generating reports with corrective action plans and deadlines for resolving identified weaknesses.

12.3. Annual performance KPIs will be defined, including:

• Maximum acceptable click rate in phishing tests (e.g., <10%);
• Minimum execution and approval rate in simulations (e.g., >90%).

12.4. Annual mandatory cybersecurity training for all employees and providers with access to data or systems, with formal records of participation and results.

12.5. Continuous training and specific certification for critical roles (system administrators, risk managers, technical leads, and DPO), with updated content reflecting new threats and regulations.

12.6. Employees who fail security tests or simulations must undergo mandatory corrective training and re-evaluation within defined timeframes.

12.7. All employees and providers must be informed and trained on the use of the whistleblowing channel to report vulnerabilities or poor security practices.

13. User Rights

13.1. Clients and Service Providers have the right to:

• Be clearly and promptly informed of incidents or personal data breaches that may affect their rights or freedoms, as required by the GDPR;
• Request, at any time, access, rectification, portability, and deletion of their personal data, as well as restriction or objection to processing, in accordance with applicable law;
• Request logs and processing reports regarding their information, whenever technically feasible and without compromising the security of other users;
• Request corrective or compensatory measures, where applicable, in case of failures or misuse of data.

13.2. All requests must be submitted through HTP’s formal channel (digital form or DPO contact) and will be handled within a maximum of 30 days, extendable in duly justified cases.

13.3. HTP guarantees that any communication with users regarding data breaches will be clear, accessible, and within legal deadlines, including guidance on risk mitigation measures.

14. Final Provisions and Continuous Improvement

14.1. This Policy is part of HTP’s overall governance system and must be applied consistently with other internal and regulatory frameworks in force.

14.2. Continuous improvement of security controls, processes, and technologies will be ensured through periodic reviews, corrective actions, and updates aligned with the evolution of threats and regulatory requirements.

14.3. All employees, service providers, and partners must collaborate in identifying opportunities for improvement, reporting vulnerabilities, and proposing preventive or corrective measures to strengthen the organization’s resilience.

14.4. The DPO and IT team are responsible for maintaining an annual improvement plan that includes updating procedures, adopting best practices, and implementing new technical or organizational measures as needed.

15. Audits and Evidence

15.1. Annual internal audits and biennial independent external audits will be conducted, complemented by quarterly thematic audits focused on privileged access, backups, incident response, and regulatory compliance.

15.2. Extraordinary audits may be carried out whenever serious incidents occur, significant infrastructure changes are made, legal requirements arise, or at the request of competent authorities.

15.3. Audits will be coordinated by Management, the DPO, and the IT team, and may involve external specialized consultants when necessary.

15.4. Whenever non-conformities or vulnerabilities are identified, a corrective action plan with defined deadlines will be created, and its execution will be monitored and documented.

15.5. Audit reports will be stored for at least 5 years, ensuring traceability and compliance with applicable legislation and contractual requirements.

15.6. Evidence and records of incidents, training, tests, audits, and risk metrics will be maintained in an organized and accessible manner for internal consultations, regulatory inspections, and external reviews.

15.7. The results of the audits will be used to support the annual review of this Policy and related security procedures, promoting continuous improvement.

16. Sanctions and Consequences

16.1. Non-compliance with this Policy by employees, providers, suppliers, or subcontractors may result in sanctions proportional to the severity of the infraction, including:

• Formal warning and mandatory corrective training, in cases of negligence or low-impact failures;
• Temporary suspension of access or duties, when necessary to protect HTP and processed data;
• Internal disciplinary measures, including contract termination, in cases of serious or repeated violations;
• Civil and criminal liability when the conduct constitutes a legal violation, including mandatory reporting to competent authorities.

16.2. A distinction will be made between infractions due to negligence (unintentional non-compliance with procedures) and intentional or serious infractions (unauthorized data access or use, fraud, sabotage, or deliberate omission).

16.3. Any person or entity responsible for a violation must fully cooperate with internal investigations, external audits, and regulatory authorities, providing information and documents when requested.

16.4. In cases of infractions resulting in significant risks or harm to clients, partners, or users, HTP may formally notify affected parties and competent authorities, in accordance with applicable law.

17. Integration with Other Policies

17.1. This Policy is part of the integrated governance and compliance framework of the Holistic Travel Plan (HTP) and must be interpreted and applied together with all other official documents available on the HTP Platform, ensuring coherence and consistency across all policies, procedures, and operational standards.

Definitions of Technical Terms

• Antivirus and Intrusion Detection (IDS/IPS): Software and systems that identify, block, and prevent threats, suspicious access, and malicious activities on networks and devices.
• Independent External Audit: Evaluation carried out by an external entity or consultant to verify compliance with standards, legislation, and security best practices.
• Multifactor Authentication (MFA): Access system requiring more than one verification method (for example, password and code sent by SMS or app).
• Encrypted Backup: Encrypted copy of data securely stored for recovery in case of loss or attack.
• BCP (Business Continuity Plan): Plan that ensures the maintenance of critical services during failure or disaster situations.
• BYOD (Bring Your Own Device): Policy regulating the use of personal devices to access corporate systems, with security requirements.
• Whistleblowing Channel: Formal means for employees, providers, and users to report vulnerabilities or poor security practices, distinct from the Permanent Security Contact Point.
• Formal Channel for Exercising Rights: Official means (such as digital form or dedicated email) for users to exercise their rights over personal data (access, rectification, deletion, etc.).
• Encryption: Process of encoding data so it can only be read or accessed by authorized individuals or with a decryption key.
• Sensitive Data: Information protected by law, such as biometric, health, financial, or other confidential data.
• DDoS (Distributed Denial of Service): Cyberattack that overloads systems and services, making them unavailable.
• DPO (Data Protection Officer): Person responsible for ensuring compliance with privacy laws and communicating with authorities.
• DRP (Disaster Recovery Plan): Plan focused on restoring systems and data after critical failures.
• Firewall: Security system that monitors and controls network traffic to prevent unauthorized access and protect systems from external attacks.
• IDS/IPS (Intrusion Detection/Prevention System): Systems that monitor networks and servers to detect and block malicious or suspicious activities.
• Security Incident: Event that compromises data, systems, or services, whether intentional or accidental.
• ISO/IEC 27001 and 27701: International standards defining best practices in information security and privacy management.
• KPIs (Key Performance Indicators): Key indicators that measure security performance, such as response times, vulnerability correction rates, and training participation.
• Logs: Automatic records of system activities and accesses used for auditing and incident detection.
• Centralized Logs: Collection of activity records aggregated into unified systems to facilitate auditing and incident investigation.
• Risk Matrix: Document identifying and evaluating the organization’s operational and security risks.
• NIS2: European Directive on network and information security that establishes cybersecurity requirements for organizations.
• Phishing: Fraudulent attempt to obtain confidential information through false or deceptive communications.
• Corrective Action Plan (CAP): Set of measures defined to correct non-conformities identified in audits or incidents.
• Permanent Security Contact Point: Exclusive channel for reporting technical incidents and vulnerabilities to the HTP security team.
• Pseudonymization: Technique replacing identifiable personal data with identifiers, reducing privacy risks.
• GDPR: General Data Protection Regulation, European legislation governing personal data protection and processing.
• RPO (Recovery Point Objective): Point in time (in minutes or hours) to which data can be restored after failure.
• RTO (Recovery Time Objective): Maximum time allowed to restore a service or system after interruption.
• Traceability: Ability to maintain detailed records of all operations, accesses, and changes to ensure auditability and accountability.
• Network Segmentation: Division of a network into isolated sections to limit incident propagation and strengthen internal security.
• Crisis Simulation: Controlled exercise to train responses to incidents, covering cyberattacks, system failures, and physical disasters.
• Penetration Testing (Pentest): Controlled simulation of attacks to identify system vulnerabilities.
• TLS/SSL: Encryption protocols used to protect data during transmission across networks and applications.
• Critical Vulnerability: High-risk security flaw that must be corrected as a priority and within short deadlines.
• War Game: Practical exercise simulating cybersecurity crisis scenarios to test the integrated response of the organization and partners.
• Cryptographic Wipe: Data deletion method that overwrites information with random patterns, making it irrecoverable.

Version History and Dates
• Version number: 00000001
• Creation Date: 02.10.2025
• Effective Date: 02.10.2025
• Last Update: 02.10.2025
• Next Scheduled Review: 02.10.2026