INTEGRATED MANAGEMENT SYSTEM (IMS) POLICY
Last Updated: June 2026
This Integrated Management System (IMS) Policy is issued by DataMarket and provides the framework for establishing, implementing, maintaining, and continually improving an effective Information Security Management System (ISMS) and Business Continuity Management System (BCMS) in accordance with the requirements of ISO 27001:2022 and ISO 22301:2019, respectively.
1. Policy Statement and Commitment
Datamarket is committed to maintaining the highest level of trust with its users and partners by ensuring the security of all information assets and the continuous availability of its critical services, including Data as a Service (DaaS), Lending as a Service (LaaS), and Consent Management Platform (CMP) operations.
This policy serves as formal proof of Datamarket's commitment to upholding recognized security standards, as the Company actively progresses toward obtaining both ISO certifications. Management is committed to providing the necessary resources, training, and leadership to support this policy and the culture of resilience it promotes.
2. Scope of the IMS
The IMS applies to all personnel (the tech, data, IT and growth teams), systems, technology, physical facilities, and information assets involved in the design, development, delivery, maintenance, and support of Datamarket's core services:
- Customer Data and Consent Management: Handling, processing, storing, and governing customer personal data, consent records, and unique Data IDs (D.IDs).
- Lending and Data-as-a-Service Infrastructure: The platforms and systems supporting customer acquisition, underwriting, disbursement, repayment, and secure data access for third parties.
3. Standards and Framework
Datamarket's IMS is aligned with, and informed by, the principles and requirements of ISO 27001 (Information Security Focus) and ISO 22301 (Business Continuity Focus).
a. Information Security Principles (ISO 27001 Focus)
Datamarket shall protect its information assets based on the fundamental principles of Confidentiality, Integrity, and Availability (CIA):
- Confidentiality: Ensuring that data and information are accessible only to those authorized to have access. This is paramount for user consent and sensitive financial data.
- Integrity: Safeguarding the accuracy and completeness of information and processing methods. This is critical for data quality control and reliable LaaS underwriting.
- Availability: Ensuring that authorized users have timely and reliable access to information and systems when required, especially the CMP and core APIs.
We commit to a proactive approach to risk assessment and the selection of appropriate controls to treat identified information security risks.
ISO 27001: Information Security Objectives
The primary objectives for Datamarket's Information Security Management System (ISMS) are to:
- Maintain the confidentiality, integrity, and availability of all customer D.IDs, sensitive PII and all relevant data.
- Ensure compliance with all relevant statutory, regulatory, and contractual security requirements.
- Minimize the incidence of information security breaches and ensure a robust detection capability.
- Conduct security risk assessments annually to identify and treat unacceptable risks proactively.
- Provide regular security awareness training to all personnel to foster a security-conscious culture.
b. Business Continuity Principles (ISO 22301 Focus)
Datamarket shall maintain high levels of operational resilience to withstand and recover from disruptive incidents, ensuring the continuity of essential business functions:
- Minimizing Downtime: Establishing recovery objectives (Recovery Time Objectives, RTOs, and Recovery Point Objectives, RPOs) for critical systems (e.g. payment processing, consent verification, and DaaS APIs) that meet the needs of our stakeholders and partners.
- Preparedness: Developing, maintaining, and regularly testing Business Continuity Plans (BCPs) and Disaster Recovery (DR) procedures to ensure personnel are prepared to respond effectively to threats, including system failures, cyberattacks, and environmental disasters.
- Resilience: Implementing redundant systems and robust backup strategies to ensure the LaaS and DaaS platforms can rapidly return to operation.
- Crisis Management: Establishing clear command structures and communication protocols to manage incidents effectively during a disruption.
ISO 22301: Business Continuity Objectives
The primary objectives for Datamarket's Business Continuity Management System (BCMS) are to:
- Define, maintain, and continually improve critical service RTOs (Recovery Time Objectives) and RPOs (Recovery Point Objectives).
- Ensure uninterrupted availability of critical business functions, including Payment Processing and Consent Verification.
- Establish robust recovery and response plans to minimize disruption from catastrophic events.
- Conduct regular scenario-based testing (e.g. system failure, cyberattack) of the business continuity plan.
- Maintain effective communication channels to inform stakeholders during and after a disruptive incident.
4. Compliance, Monitoring, and Improvement
Datamarket is committed to meeting all contractual, legal, statutory, and regulatory requirements relevant to our operations, including:
- Nigerian Data Protection Act & Nigerian Data Protection Regulation (NDPR): Ensuring compliance in consent acquisition, management, and data governance.
- ISO Standards: Adherence to the requirements of ISO 27001 and ISO 22301 in preparation for achieving both certifications.
The IMS will be managed under the Plan-Do-Check-Act (PDCA) cycle:
- PLAN: Establish policy, objectives, and processes.
- DO: Implement and operate the system.
- CHECK: Monitor performance against objectives, conduct internal audits, and review effectiveness.
- ACT: Take corrective actions and continually improve the system.
Datamarket shall ensure compliance with this Policy and shall:
- Monitor adherence through audits, reviews, and assessments;
- Address non-conformities through corrective and preventive actions; and
- Take appropriate disciplinary or contractual action in cases of non-compliance.
5. Roles and Responsibilities
Compliance with this policy is a mandatory condition for all Datamarket personnel.
- Top Management + DPO: Responsible for defining the policy, providing necessary resources, and reviewing the IMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.
- IMS Tech Team: Responsible for the day-to-day implementation, maintenance, and coordination of the combined ISMS and BCMS activities.
- All Personnel: Responsible for protecting the information they handle and following established procedures to maintain both security and continuity objectives.
In light of the foregoing, Datamarket shall ensure that all relevant personnel receive appropriate training and awareness on information security, business continuity, and their responsibilities under the IMS.
6. Risk Management and Improvement
6.1 Structured Risk Management Process
Datamarket shall operate a structured risk management process to:
- Identify information security and business continuity risks;
- Evaluate risks based on likelihood and impact;
- Implement risk treatment measures proportionate to the risk appetite of the Company; and
- Monitor and review risks on an ongoing basis.
6.2 Continuous Improvement
Datamarket shall ensure that this Policy is continually improved through:
- Performance measurement and monitoring;
- Internal audits and management reviews;
- Lessons learned from incidents and disruptions; and
- Updates to policies, procedures, and controls as required.
7. Policy Review
This Policy shall be reviewed annually, or sooner where required due to material changes in business operations, risk profile, or applicable standards. Users will be notified of any updates following such review.
Approval
This policy has been approved by the Chief Executive Officer of Izifin Technologies Limited.

