QUALITY AND INFORMATION SECURITY POLICY

The scope of the integrated quality and information security management system of Bemils Srl covers the provision of services for the “Development and management of software specialized in ticketing, finance, and, at start-up stage, for the management of the online commercial document”.

The Management has identified as stakeholders in the activities subject to the management system: its employees, customers, end-users of the software, shareholders, regulatory authorities in its sector, the Data Protection Authority, the Revenue Agency, and the provider of datacenter connectivity services.

In particular, the quality and information security management system is applied within the scope of operational activities carried out at the offices located in Via Fosse Ardeatine, 4, Cinisello Balsamo (MI).

This Policy represents the organization’s commitment to clients and third parties to ensure the security of information and of the physical, logical, and organizational tools used to process information in all business activities.

For this purpose, the creation and development of a Quality and Information Security Management System has been identified as the most appropriate means to ensure the efficiency and effectiveness of its services.

The essential requirements underlying the Management System are as follows:

  • The company’s Management is directly, continuously, and permanently involved in the management of the System, ensuring the availability of necessary resources for proper implementation and encouraging the active participation of all employees so that they contribute to the effectiveness and continuous improvement of the integrated management system.
  • Commitment to detecting anomalies, incidents, and vulnerabilities in information systems in order to safeguard the security and availability of services and information.
  • Ensuring compliance with legal requirements and with security commitments established in contracts with third parties.
  • Guaranteeing the preservation, security, and integrity of information stored in datacenters.
  • Commitment to meeting explicit and implicit requirements of clients and stakeholders, and to continuous improvement.
  • Commitment to ensuring, over time and in relation to processed information, the maintenance of the requirements of Confidentiality, Integrity, and Availability (CIA).
  • Commitment to detecting anomalies and incidents in order to safeguard the security and availability of services and information.

For secure software development, Bemils is guided by the following principles:

  • Security by design: Security must be considered from the earliest stages of the software development process.
  • Defense in depth: Multiple layers of security controls must be implemented to protect the software.
  • Comprehensive testing: Software must undergo rigorous testing to identify and correct vulnerabilities.
  • Monitoring and incident response: Processes must be implemented to monitor software for potential security incidents and to promptly respond to such incidents.

The full compliance of the management system with the reference standards UNI EN ISO 9001:2015, ISO 27001:2024, and the applicable regulatory requirements of its sector is guaranteed.

Management is also committed to adopting environmentally friendly policies, such as selecting suppliers who use green energy.

To implement this program, a series of indices and indicators have been identified to monitor all the company’s main processes.

In particular, for the identified process classes, the determination of objectives, planning of their achievement, and related verification take place during the Quality and Information Security Management System review.

The Quality and Information Security Management System of Bemils Srl complies with the requirements of the reference standards UNI EN ISO 9001:2015 and ISO 27001:2024.

The Company Management is committed to disseminating and communicating the Quality Policy at all levels of the personnel involved and to making it available to interested parties.

Date: 01/09/2025

The Management