Data Security Policy

1. Purpose:

The purpose of this policy is to define the approach and objectives of senior management to prevent breaches of law, legal, regulatory or contractual obligations and any security requirements, and to communicate these objectives to all employees and relevant parties.

2. Scope:

This policy covers the commercial activities carried out within the Company and the protection of electronic information assets obtained from logistics, storage, accounting, finance, quality assurance, purchasing, human resources, law, sales, marketing, internal audit and information processing activities related to these transactions, and the information security processes used for the processing, storage, protection, protection, confidentiality and integrity of personal data kept within the company within the scope of the law.

2.1. Internal Scope

Administration, organizational structure, roles and obligations;

2.1.1. The departments within the scope of the Company's Senior Management are; Financial and Administrative Affairs, Purchasing, Finance, IT, Corporate Communications and Business Development, Human Resources, Quality, Export, Import, Logistics, Legal, Internal Audit, Sales, Marketing

2.1.2. Roles specified in the General Management Organization Chart and responsibilities in job descriptions.

2.1.3. Policies, procedures, objectives and strategies to be fulfilled; Information Security Management System Policy, All Information Security management systems procedures, Annual Information Security management systems objectives set by management, Capabilities, understood in terms of resources and know-how (e.g., capital, time, people, processes, systems and technologies), Management Representatives and Information Security Management System team appointed by the management for the establishment, operation and maintenance of the Information Security Management System, Relationships with internal stakeholders and their perceptions and values, the culture of the organization, the standards, guidelines and models adopted by the organization, the form and breadth of contractual relationships.

2.2. External Scope

2.2.1. The social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local,

2.2.2. Global Competition Law, Policies and Procedures,

2.2.3. Confidentiality of supplier and customer data,

2.2.4. Quality Orientation,

2.2.5. Relationships with stakeholders who have influence on the organization's objectives and their perceptions and values;

2.2.6. All Company employees, including Senior Management, to ensure customer satisfaction,

2.2.7. All relevant legislative, regulatory, contractual requirements, standards,

2.2.8. Product certifications with TSE and other organizations are external.

3. Definitions

3.1. BGYS: Information Security Management System

3.2. Inventory: Any information asset that is important for the company.

3.3. Senior Management: Company Senior Management.

3.4. Know-How: It is the ability to do something.

3.5. Information Security: Information, like all other organizational and business assets, is an asset that has value to a business and therefore needs to be appropriately protected. Within the Company, know-how, process, formula, technique and method, customer records, marketing and sales information, personnel information, commercial, industrial and technological information and secrets are considered as CONFIDENTIAL INFORMATION.

3.6. Confidentiality Restricting the viewing of the content of information to access only by those who are authorized to view the information/data. (Example: Sending encrypted e-mails can prevent unauthorized persons from reading e-mails even if the e-mail is intercepted - Registered electronic mail (REM)

3.7. Integrity Detection of unauthorized or accidental alteration, deletion or additions or deletions of information and guaranteeing detectability. (Example: Storing the data stored in the database with summary information - electronic signature - mobile signature)

3.8. Accessibility/Usability: It is the readiness of the asset to be used whenever it is needed. In other words, systems must be continuously available for service and the information in the systems must not be lost and must be continuously accessible. (Example: Use of uninterruptible power supply and redundant power supply in chassis (UPS) so that servers are not affected by power line fluctuations and power outages. It will be used as "Accessibility" in this policy.

3.9. Knowledge Asset: Assets owned by the Company that are important for the Company to carry out its activities without interruption. Information assets within the scope of the processes subject to this policy are as follows:

3.9.1. Any information and data presented in paper, electronic, visual or audio media,

3.9.2. All kinds of software and hardware used to access and manipulate information,

3.9.3. Networks that enable the transfer of information,

3.9.4. Facilities and private areas,

3.9.5. Departments, units, teams and employees,

3.9.6. Solution partners,

3.9.7. Services, services or products provided by third parties.

4. The qualifications and competencies of the tasks for which responsibilities and authorities have been determined are defined in the job descriptions. The IT Team and the Management Representative are responsible for the maintenance and development of activities related to information security. The ISMS Team and Management Representatives have been appointed by the Senior Management. ISMS representatives were identified from the departments within the scope. Assignments were made on a name basis as ISMS team members.

4.1. Responsibility of Management

4.1.1. The Company Management undertakes that it will comply with the defined, put into effect and implemented Information Security System, allocate the necessary resources for the efficient operation of the system, and ensure that the system is understood by all employees.

4.1.2. During the ISMS installation, the ISMS Management Representative is appointed with an appointment letter. When necessary, the document is revised by the senior management and the assignment is made again.

4.1.3. Managers at managerial level help lower level staff in terms of assigning responsibility for safety and setting an example. The understanding that starts from the upper echelons and is applied, it is obligatory to go down to the lowest level personnel of the company. Therefore, all managers support their employees to comply with safety instructions and to participate in safety- related activities, either verbally or in writing.

4.1.4. Senior Management creates the budget required for Information security comprehensive studies.

4.2. Management Representative Responsibility

4.2.1. Planning the ISMS (Information Security Management System), determining the acceptable risk level, determining the risk assessment methodology,

4.2.2. Providing the necessary resources for supporting and complementary activities in ISMS installation, providing/improving user capabilities and raising awareness, providing trainings, ensuring communication, providing documentation requirements,

4.2.3. Execution and management of ISMS practices, ensuring the continuity of assessments, improvements and risk assessments,

4.2.4. Assessment of ISMS and controls through internal audits, objectives and management review meetings,

4.2.5. Maintaining the existing structure in ISMS and ensuring continuous improvements

4.3. Responsibility of ISMS Team Members

4.3.1. Conducting asset inventory and risk analysis studies related to its departments,

4.3.2. When there is a change in the information assets under its responsibility that will affect information security risks, informing the Management Representative for risk assessment,

4.3.3. Ensuring that department employees work in accordance with policies and procedures,

4.3.4. Raising awareness about their departments within the scope of ISMS, ensuring communication, ensuring documentation requirements,

4.3.5. It is responsible for maintaining the existing structure in ISMS and ensuring continuous improvements.

4.4. Responsible for conducting and reporting audit activities in the internal audits assigned in line with the internal audit plan.

4.5. They are responsible for implementing the Information Security Policy and ensuring that employees comply with the principles, ensuring that third parties are aware of the policy and reporting security breach incidents related to information systems that they notice.

4.6. Responsibility of All Employees

4.6.1. Carrying out its activities in accordance with information security objectives, policies and information security management system documents,

4.6.2. Follows the information security targets related to his/her unit and ensures that the targets are achieved.

4.6.3. Paying attention to and reporting any observed or suspected information security vulnerabilities in systems or services,

4.6.4. In addition to service contracts (consultancy, etc.) made with third parties that are not under the responsibility of Purchasing, it is responsible for making a confidentiality agreement and ensuring information security requirements.

4.7. Responsible for knowing and implementing the information security policy and complying with the behaviors determined within the scope of ISMS.

5. The Information Security Policy aims to protect the physical and electronic information assets that affect the entire operation of the company in order to guide the company employees to act in accordance with the security requirements of the company, to increase their level of awareness and awareness, to ensure that the company's core and supporting business activities continue with minimal interruption, to protect its reliability and image, and to ensure the compliance specified in contracts with third parties. Targets set by the Management are monitored at specified intervals and reviewed at Management Review meetings.

6. The company's risk management framework covers the identification, assessment and processing of information security risks. Risk analysis, statement of applicability and risk treatment plan define how information security risks are controlled. The ISMS Executive and Management Committee is responsible for the management and realization of the risk processing plan. All these activities are described in detail in the asset inventory and risk assessment instructions.

7. General Principles of Information Security

7.1. Details of the information security requirements and rules outlined in this policy, Company employees and third parties are obliged to know these policies and procedures and to carry out their work in accordance with these rules.

7.2. Unless otherwise stated, these rules and policies must be taken into account for all information stored and processed in printed or electronic form and for the use of all information systems.

7.3. The Information Security Management System is configured and operated based on the TS ISO/IEC 27001 "Information Technology Security Techniques and Information Security Management Systems Requirements" standard.

7.4. It carries out the implementation, operation and improvement of the ISMS with the contribution of the relevant parties. It is the responsibility of the ISMS Management Representative to update the ISMS documents when necessary.

7.5. Information systems and infrastructure provided by the Company to employees or third parties and all kinds of information, documents and products produced using these systems belong to the Company, unless there are legal provisions or contracts requiring otherwise.

7.6. Confidentiality agreements are made with employees, consultancy, service procurement (security, service, catering, cleaning company, etc.), suppliers and interns.

7.7. Information security controls to be applied in recruitment, reassignment and termination processes are determined and implemented.

7.8. Trainings that will increase employees' awareness of information security and enable them to contribute to the functioning of the system are regularly provided to existing company employees and newly recruited employees.

7.9. All actual or suspected violations of information security are reported; nonconformities that cause violations are identified, the main causes are found and measures are taken to prevent recurrence.

7.10. Inventory of information assets is created in line with information security management needs and asset ownerships are assigned.

7.11. Enterprise data is classified and the security needs and usage rules for each class of data are determined.

7.12. Physical security controls are applied in parallel with the needs of the assets stored in secure areas.

7.13. Necessary controls and policies are developed and implemented for the company's information assets against physical threats that they may be exposed to inside and outside the company.

7.14. Procedures and instructions for capacity management, relations with third parties, backup, system acceptance and other security processes are developed and implemented.

7.15. Audit log generation configurations for network devices, operating systems, servers and applications are set in line with the security needs of the respective systems. Audit records are protected against unauthorized access.

7.16. Access rights are assigned on an as-needed basis. The most secure technology and techniques possible are used for access control.

7.17. Security requirements are determined during system procurement and development, and it is checked whether the security requirements are met during system acceptance or testing.

7.18. Continuity plans for critical infrastructure are prepared, maintained and exercised.

7.19. The processes required for compliance with laws, internal policies and procedures, and technical safety standards are designed, and compliance assurance is ensured through continuous and periodic surveillance and audit activities.

8. Violation of the Policy and Sanctions In the event that it is determined that the Information Security Policy and Standards are not complied with, the employees who are responsible for this violation will be disciplined according to the Disciplinary Directive and Procedure 3. The sanctions set out in the relevant articles of the agreements that are valid for both parties are applied.

9. Management Review Management review meetings are organized by the ISMS Quality Management Representative and held with the participation of Senior Management and Department managers. These meetings, where the suitability and effectiveness of the Information Security Management System are evaluated, are held at least once a year.

10. Updating and Reviewing the Information Security Policy Document ISMS Management Representatives are responsible for ensuring the continuity and review of the policy document. Policies and procedures should be reviewed at least annually. It should also be reviewed after any change that will affect the system structure or risk assessment, and if any changes are required, they should be approved by senior management and recorded as a new version. Each revision must be published in a way that is accessible to all users.