This Information Security Policy describes how Eureka Technology Partners (Pvt.) Ltd manages and protects all physical and electronic information assets. We are committed to preserving the Confidentiality, Integrity, and Accessibility of all information across our operations. This policy is reviewed regularly and updated whenever there is a material change to our risk environment. We encourage you to check this page periodically to remain aware of any changes.

This policy is aligned with ISO/IEC 27001 and applies across all operations of Eureka Technology Partners (Pvt.) Ltd, registered at Bernards Business Park, 2nd Floor, 106 Dutugemunu St, Dehiwela 10350.

What is the scope of this policy?
This policy applies to all employees, sub-contractors, consultants, and any external parties who access or handle information assets belonging to Eureka Technology Partners (Pvt.) Ltd. It covers all physical and electronic information assets, including servers, workstations, laptops, mobile devices, cloud systems, and any information stored, transmitted, or processed on behalf of the organisation or its customers.

What are our key information security commitments?
The Board and management of Eureka Technology Partners (Pvt.) Ltd are committed to preserving the security of all information assets. Our Information Security Management System (ISMS) is designed to enable secure information sharing and reduce information-related risks to acceptable levels. Key commitments include:

• Information security risks are assessed and reviewed periodically and upon any major change to our systems or business environment
• All employees and relevant external parties are required to comply with this policy
• An Information Security Committee oversees our ISMS and reviews this policy on a regular basis
• All staff receive information security awareness training appropriate to their role
• Security incidents and policy violations are managed through our formal disciplinary and incident management processes

In this policy, information security means preserving:

• Confidentiality — Information is accessible only to those authorised to access it, preventing deliberate or accidental unauthorised disclosure.
• Integrity — The accuracy and completeness of information is safeguarded, and unauthorised modification or destruction is prevented.
• Accessibility — Information and associated systems are available to authorised users when needed, supported by resilient infrastructure and continuity plans.

How do we manage information security risks?
We maintain a formal risk management framework to identify, assess, and treat information security risks. Risks are evaluated against their potential impact on confidentiality, integrity, and accessibility. Controls are selected in accordance with ISO/IEC 27001 and documented in our Statement of Applicability (SOA). Risks that exceed our acceptable threshold are mitigated, transferred, or escalated to senior management for treatment.

How do we classify information assets?
All information assets are inventoried, owned, and classified. Our classification scheme ensures information is handled and shared only in ways that are appropriate to its sensitivity:

• Confidential — Restricted to authorised individuals only; must be transmitted using secure, encrypted methods.
• Sensitive — Accessible to relevant staff only; not for external release.
• Private — For internal use only; not for external release.
• Public — May be released externally; unclassified information is treated as Public by default.

How do we protect information physically and operationally?
We implement a comprehensive range of physical and operational security controls across all our locations and operations. These include:

• Physical access controls and CCTV monitoring at all office and data centre locations
• Environmental protections including power backup and infrastructure monitoring to ensure continuous availability
• Enterprise-grade antivirus and firewall solutions deployed and actively managed across all systems
• Regular security patching applied in accordance with a risk-based prioritisation process
• Encrypted and regularly tested data backups maintained under our Business Continuity Management framework
• Removable media controls including encryption and restrictions on unauthorised media use
• All company-owned devices centrally managed through Mobile Device Management (MDM), with automated patch enforcement and enterprise antivirus protection
• Data Loss Prevention (DLP) controls applied to devices and systems handling sensitive customer data, restricting unauthorised transfer or disclosure of information

How do we control access to information systems?
Access to information systems is granted on a need-to-know basis and managed through formal user access controls. All access rights are documented and reviewed regularly. We enforce strong authentication requirements, account lockout policies, and automatic session timeouts across all systems. Users are prohibited from installing unauthorised software or connecting unauthorised storage devices to company systems.

How do we manage communication security?
All electronic communications involving company or customer information are subject to our acceptable use and email security policies. Controls are in place to prevent unauthorised bulk distribution of information. Emails containing sensitive or confidential content must be encrypted. All internet and email activity is subject to monitoring for security and compliance purposes.

What is our policy on personal devices and remote working?
The use of personal devices to access company systems is not permitted by default and requires formal authorisation. Authorised personal devices must meet our security requirements, including enrolment in our device management platform, multi-factor authentication, and approved security software. Use of unsecured public networks for company work is strictly prohibited.

Remote working is permitted subject to management approval. Remote employees are required to maintain a secure and private working environment, use only company-issued and approved devices, and follow all applicable security policies. Any security incidents must be reported promptly through our formal incident reporting process.

How do we handle information security incidents?
We maintain a formal incident management process aligned with ISO 20000. All suspected or confirmed security incidents, as well as identified security weaknesses, must be reported promptly to our security team. Incidents are classified, investigated, and resolved in accordance with defined response procedures. Vulnerability remediation is prioritised based on risk severity and addressed within defined timeframes.

Do we share information with third parties?
We do not sell, trade, or transfer confidential or sensitive information to outside parties. Trusted third parties engaged to support our operations are required to maintain confidentiality through a signed Non-Disclosure Agreement (NDA) and to comply with applicable information security requirements. Information may be disclosed where required by applicable law or regulation.

Changes to this policy
We may update this Information Security Policy from time to time. Any changes will be posted on this page. We encourage you to review this page periodically to stay informed of how we protect information assets.

Your acknowledgement
By engaging with Eureka Technology Partners (Pvt.) Ltd, you acknowledge that you have read and understood this Information Security Policy.

Contacting us
If you have any questions about this policy, or wish to request further information, please contact us at www.eurekamsp.com/contact or call +94 11 208 6788.