Information Security Policy

Last updated: 18th December 2025

1. INTRODUCTION

Purpose
This Information Security Policy is a guide for Praxas employees to establish guidelines and best practices for the protection of confidential, sensitive or proprietary information from unauthorized access, use, disclosure, alteration or destruction. Information is an asset and must be protected appropriately.

Definition
Information Security is the set of processes designed to protect data by mitigating risks. It includes digital data, physical data and cyber security.

Scope
This Information Security Policy applies to all Praxas employees regardless of employment agreement, position, or location. It also applies to any contractors and third-party service providers who have access to Company information and information systems.

Praxas shall comply with all relevant laws, regulations, and industry standards regarding information security where we do business.

2. RESPONSIBILITY

Praxas will ensure that all employees are trained on their responsibilities and obligations regarding information security.

For the purposes of this policy, and some regional regulations, Praxas is a Data Controller (DC) and will ensure that there is an appointed Data Protection Officer (DPO) where applicable. This position should be adequately resourced, report to Directors, and not carry out any other tasks that could result in a conflict of interest. They are also the point of contact for any regional regulatory authority and individuals whose data is processed by the Company.

Management
Directors, Managers and Supervisors are tasked with implementing and overseeing policies and procedures that reduce the risk of data breaches and ensuring that there is sufficient planning to respond to incidents. Appropriate training should be provided to employees, depending on their roles and tasks.

The CIMSense IT Managers and regional IT support staff are responsible for keeping software and devices updated with the latest security patches and updates, protecting networks from unauthorized access to systems and overseeing IT training.

Employees
All employees are required to:

  • Adhere to all Praxas policies and any additional procedures and guidelines within their Company employee handbook, or other relevant Company materials, relating to data handling, email and internet usage, device management and social networks.
  • Protect passwords and access credentials – create strong passwords, never share them, and don’t use the same password across multiple accounts. If you access Company emails and/or documents on your personal mobile device, make sure this device is sufficiently protected. As a minimum, this means making sure the device is protected with a password, PIN, or biometric ID security.
  • Report security incidents – be vigilant for suspicious activity (phishing emails, malware infections, suspicious logins) and report any incidents to a CIMSense IT Manager or a regional IT support staff member immediately. Incidents can also be reported via email to support@cimsense.com.
  • Protect physical documents – physical documents containing sensitive information should be properly secured and securely disposed of when no longer needed.
  • Avoid high-risk actions – use caution when accessing public Wi-Fi networks by ensuring your device is protected with updated anti-virus software. Don’t download software from untrusted sources that could compromise the security of the Company’s information. Think carefully before using removable media (e.g. USB drive) and remember to remove it from the host device.

3. ACCESS CONTROL

Praxas will provide all employees and other users with the information they need to carry out their responsibilities effectively and efficiently. Access to information and information systems shall be granted following the principles of least privilege and need-to-know.

At a Group level, CIMSense has several ways of protecting information that may be provided to it via its companies, including Praxas. These include but are not limited to the CIMSense Access Control Policy.

Physical Access Control
Praxas employees who require access to confidential and sensitive information for their job role will be trained on the safe handling of all information and taught the procedures which govern how data is used, stored, shared and organised within the Company.

Personal and confidential data must be retained in locked storage when not in use and keys should not be left in the lock of filing cabinets and doors.

Digital Access Control
User accounts should be created with strong passwords, and access should be revoked upon termination of employment or contract.

Users should not share their login credentials with others or allow others to use their accounts. No generic or group IDs will normally be permitted.

Information systems shall have authentication and authorization mechanisms, including multi-factor authentication, in place to ensure that only authorized users can access information.

Remote users shall be subject to authorization by a CIMSense IT Manager or a regional IT support staff member. No uncontrolled external access shall be permitted to any network device or network system.

4. DATA PROTECTION

All Territories
Praxas has a separate Privacy Policy which details how the Company respects the privacy of individuals and is committed to protecting personal data.

Confidential, sensitive, or proprietary information shall be protected from unauthorized access, use, disclosure, alteration, or destruction. Praxas data usually includes names or numbers. Examples include employee details, product names, prices, costs, tax codes, registration marks, codes and dates.

Information shall be classified based on its sensitivity and appropriate controls implemented to protect it.

Encryption shall be used to protect sensitive information during transmission and storage.

Digital information shall be regularly backed up to prevent data loss in case of hardware failure or disaster. Third parties hosting digital data, e.g. Cloud Services, will be required to meet strict requirements and certification.

European Union and United Kingdom
The EU’s General Data Protection Regulation (GDPR), and the UK’s Data Protection Act 2018 that implements GDPR regulations, protect personal data belonging to EU citizens or residents. As above, the Privacy Policy details how the Company handles and protects personal data.

In accordance with GDPR regulations, data subjects will be informed of any personal data breach within 72 hours of the incident.

5. MONITORING 

Information systems shall be monitored for unauthorized access, use, or disclosure. Logs shall be regularly reviewed and analyzed to detect and respond to security incidents.

Vulnerability risk assessments and penetration testing shall be periodically performed to identify and mitigate potential security risks.

6. SECURITY INCIDENTS

Incidents can have a huge impact on a company in terms of cost, productivity and reputation. All security incidents should be reported to a CIMSense IT Manager, and regional IT support staff, immediately so that the incident can be contained and remediated as quickly as possible.

Incident response plans should be formulated and in place for all types of security breaches at a local and Group level. At Group level, CIMSense has an Incident Response Policy and an Incident Response Plan. All plans should be periodically tested to ensure their effectiveness.

7. NON-COMPLIANCE & DISCIPLINARY ACTIONS 

Violations of this policy could result in serious consequences for CIMSense and Praxas and cause personal distress to individuals. Any breach will be thoroughly investigated and could result in disciplinary action against the offender.
