Information Security Code of Practice

Bolt (Bolt Operations OÜ, registration code 14532901, or Bolt Technology OÜ, registration code 12417834, or any other affiliate, subsidiary, or legal entity directly or indirectly belonging to the same group as Bolt) has introduced this Information Security Code of Practice (“Code of Practice”) to ensure the security of Bolt’s data, Bolt’s data environment, electronic or computing devices, premises, and networks owned or leased by Bolt.

This Code of Practice applies in situations such as (but not limited to):

a) the application of the Code of Practice has been agreed in writing;

b) Bolt’s data is handled, including without concluding a written agreement;

c) entering Bolt's physical or virtual environment (including remote access), including without entering into a written agreement.

Bolt’s employees, contractors, consultants, temporaries, and other workers at Bolt (“you”, “your”) shall comply with this Code of Practice and its updates and upgrades at all times.

For the sake of clarity, data, for the purposes of this Code of Practice, is data owned, processed, or held by Bolt, whether primary or secondary, irrespective of storage location. It’s used interchangeably with the term ‘information’.

  1. General security

    1.2. You shall provide services which are designed, delivered, and at all times support compliance with industry standards and best practices, such as ISO 27001/27002, the ISF Standard of Good Practice for Information Security and ISO 22301 for Business Continuity Management Systems, whenever feasible and not in conflict with other agreed requirements. If credit card data is processed, the Payment Card Industry Data Security Standard (PCI DSS) must be complied with.

    1.3. You shall independently and proactively follow industry developments and endeavour to incorporate the newest approved best practices into daily operations. Within fourteen (14) calendar days of Bolt’s request, you shall provide Bolt with your policies and methodologies demonstrating how you’re following and incorporating changes in industry best practices.

    1.4. You shall have a comprehensive, documented information security policy and related guidelines, and communicate them to all individuals with access to your information and systems.

    1.5. You shall adopt and document security measures for information systems and the creation, use, modification, and deletion of data. The measures shall be commensurate with the data contained and processed in the systems, and be based on an information classification scheme (e.g. internal, restricted or confidential). Information ownership must be defined at all times.

    1.6. You shall implement and regularly update your security risk management system, which incorporates emerging threats, possible business impacts, and probabilities of occurrence. You shall modify security-related processes, procedures, and guidelines accordingly.

    1.7. You shall comply with EU and other applicable statutory, regulatory, and legal obligations relating to the services provided to Bolt and its systems used to provide such services or containing Bolt-related data.

  2. Audit

    The following audit provisions apply unless otherwise agreed in an agreement concluded in writing between you and Bolt.

    2.1. You shall detail how Bolt-related data is protected to ensure that Bolt data security, privacy, and other compliance requirements are met.

    2.2. You shall regularly conduct independent reviews and assessments (e.g. internal/external audits, certifications, vulnerability, and penetration testing) on your compliance with this Code of Practice. Visibility of the assessment results shall be provided to Bolt, including, at a minimum, the scope of the assessment, security findings, and their mitigation status when requested by Bolt. You shall immediately report any critical vulnerabilities or findings to Bolt.

    2.3. Bolt (or an auditor or a qualified adviser appointed by Bolt) may audit you according to an audit plan upon three (3) business days’ notice of its intention to conduct an audit, unless the audit is conducted in respect of a critical vulnerability, in which case no notice is required. Bolt may also request to audit your subcontractors. You shall provide unfettered and immediate access to the information and/or systems required to conduct the audit and provide assistance in conducting the audit to the best of your ability. Additionally, Bolt or its designated security auditing partners may perform ad hoc testing and application security reviews of any service about to be deployed or currently operated by you. Bolt strives to inform you seven (7) calendar days before such testing and reviews.

    2.4. Bolt is responsible for the costs of the reviews and tests referred to in this section. However, should the testing or review reveal any violation or breach of this Code of Practice by you, you shall, without delay, compensate Bolt for the costs arising from the audit and remedy the breach without any cost to Bolt.

    2.5. All policies, guidelines, plans, systems, schemas, assessment results, methodologies, and other items outlined in this Code of Practice shall be submitted to Bolt within fourteen (14) calendar days of Bolt’s request, unless a shorter period is prescribed. Additionally, you shall provide visibility to Bolt-related security incidents, security incident investigations, and authority requests without unreasonable delay.

    2.6. You shall provide Bolt visibility on where Bolt-related data is processed, stored, transmitted, and where it may be accessed from. You shall inform Bolt in writing in advance should you intend to transfer Bolt-related data to another location with a different regulatory environment from the initially approved location and obtain Bolt’s prior written consent for such transfer. The data retention timeline is two (2) years if applicable laws, regulations, rules or contractual agreements don't foresee otherwise.

  3. Incident handling and response

    3.1. You shall have adequate and documented issue/incident response procedures (or plans) and nominated persons to react in a timely manner and prevent any further damage caused by security, privacy, or any other compliance issues, vulnerabilities, or incidents.

    3.2. You shall inform Bolt without delay in case:

    3.2.1. of any Bolt-related security incident;

    3.2.2. Your capability to continue to provide agreed service levels and continuity requirements is affected in any way;

    3.2.3. of any other breach of this Code of Practice.

    3.3. You shall have proper forensic procedures in place to ensure chain of custody, which is required for the presentation of evidence to support potential legal action subject to the relevant jurisdiction after an information security incident.

    3.4. You shall maintain the capability to detect potentially suspicious network behaviours and/or file integrity anomalies and the capability to support forensic investigative capabilities in the event of a security breach.

  4. Business continuity

    4.1. You shall have business continuity/disaster recovery plans documented and implemented to minimise the impact of a realised risk event (e.g. natural disasters, accidents, equipment failures, or sabotage) on the organisation, including subcontractors providing end-to-end service to your customers. You shall demonstrate the functioning of such plans by conducting regular tests and exercises. At Bolt’s request, you shall provide reports on the tests and exercises you have undertaken to verify your ability to recover from a realised risk event.

    4.2. You shall enforce a documented backup policy that ensures the capability to fulfil agreed service levels and continuity requirements during emergencies. The backups shall be stored in secure storage. Actual restoration of all required backups must be tested regularly to ensure their usability. You shall store backups of Bolt-related data based on the criticality of the data. At a minimum, you shall store daily backups for the last thirty (30) calendar days and monthly backups for the last twelve (12) months from the moment of creation unless required otherwise by statutory, regulatory, or legal obligations. Additionally, you shall store system backups for the last twelve (12) months from the moment of creation to ensure recovery from a clean version in case of contamination of the whole service.

  5. Personnel security and awareness

    5.1. You shall ensure that your employees and subcontractors are bound by statutory or contractual confidentiality obligations before accessing Bolt-related data. Employees shall be informed of what action might be taken in case of a violation, and disciplinary measures must be stated in policies and procedures.

    5.2. You shall perform proper vetting (including background and other security checks) for critical staff according to relevant national legislation at no additional cost to Bolt.

    5.3. You shall maintain an appropriate entry and exit procedure for personnel changes that includes disabling user access rights upon termination of employment with you or termination of assignment for Bolt.

    5.4. You shall conduct security and privacy awareness training during induction and at least annually for all existing employees and new hires performing services for Bolt. Due emphasis shall be given to client confidentiality, understanding the agreed confidentiality obligations and, specifically, the sensitivity of personal data. Advanced security training shall be given to key roles (e.g. administrators or employees with full access to Bolt-related data) working with sensitive information and assets (e.g. consumer data, financial data, or employee data).

    5.5. You shall have documented guidelines that define the acceptable use of data according to its classification. You shall ensure that all employees have access to up-to-date guidelines at all times, and you shall have measures in place to maintain and increase awareness of the guidelines.

  6. Physical security

    6.1. Adequate physical security perimeters (e.g. fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems.

    6.2. You shall have a premises access control system where:

    a) every individual has a unique access card and/or key to access the premises;

    b) physical access control log data is stored for at least ninety (90) calendar days unless otherwise restricted by local legislation;

    c) access to sensitive areas (e.g. server rooms) is granted separately by named owners of the area and only for those who need access to the area to perform work-related duties;

    d) there’s a regular access rights auditing and revocation process.

    6.3. You shall have up-to-date documented policies and/or guidelines for responding to premises intrusions and the capability to react in a timely manner to intrusions into premises where Bolt assets or related data are processed, transmitted, or stored.

    6.4. Keys, access codes, and intrusion alarm deactivation codes to areas where Bolt-related data is processed, transmitted, or stored shall not be given to anyone without a valid business need, including cleaning and maintenance staff.

    6.5. Your respective sub-contractor hosting servers containing Bolt-related data shall have adequate fire protection in server rooms.

    6.6. You shall install and maintain motion-recording video cameras of sufficient quality to identify faces, used to passively monitor individual physical access to sensitive areas (including entrances and exits) where Bolt-related data is stored, processed, or transmitted.

    6.7. You shall ensure that all power and telecommunications equipment, cabling carrying data, or supporting information services are protected from interception or damage and designed with redundancies, alternative power sources and alternative routing.

    6.8. If Bolt-related data is printed and/or stored in paper form, you shall have a clean desk practice, and you shall use secure/dedicated printers, shredders, and locked bins for hardcopy information when appropriate according to information sensitivity.

  7. IT security

    7.1. You must implement information security measures to protect Bolt-related data against unauthorised or accidental access, use, disclosure, deletion, loss, alteration, or amendment. Bolt-related data shall only be stored and processed in an environment where security and privacy controls have been implemented. You shall not copy or reproduce information onto data files, hard copy or other tangible media in a way that removes any ownership marking or information classification label.

    7.2. You shall logically isolate all Bolt-related data from your own data and from all of your other customers’ data, so that Bolt-related data is processed, transmitted, accessed, and stored by a minimum number of authorised persons who only have access to the data they need to perform their work-related duties (role-based access control). This also applies to backups and logs.

    7.3. Identity and Access Management for development and administrative purposes must fulfil the following requirements, including but not limited to:

    a) you shall have policies and/or guidelines for approving, creating, and terminating user access rights

    b) you shall have policies and/or guidelines for the strength and rotation of access credentials, e.g.

    i) Implementing an automatic and forced password resetting process

    ii) Prohibiting and preventing the use of default or weak passwords

    iii) Securely handling and delivering credentials (such as user name and password)

    c) Every user must be individually identifiable. Common/shared user accounts are prohibited, and their use shall be prevented.

    d) Any credentials must have the minimum permissions required for their intended use.

    e) As part of software development, two-factor authentication shall be implemented based on threat analysis. In the case of administrative remote access to an environment with Bolt-related data, two-factor authentication is always required.

    7.4. You shall ensure that there is a sufficient audit trail of the use of access privileges for Bolt-related data. Logs regarding user access and all activity that creates, changes, or deletes Bolt-related data shall be collected and stored for at least twelve (12) months from the moment of creation, or longer if required by statutory, regulatory or legal obligations. Access to log data shall be restricted to prevent compromise and misuse of log data. Bolt has the right to know who has access to its data. You shall support Bolt in case of security investigations or requests from authorities by providing visibility to relevant logs.

    7.5. You shall protect all Bolt data at your own premises and/or systems by appropriate controls including, but not limited to, network segmentation using host-based or network-based firewalls, firewall log monitoring, network intrusion detection or prevention systems (IDS/IPS), web application firewalls, log management, correlation capability, malware prevention for servers and end-user computing devices, and application and infrastructure vulnerability scanning. You shall maintain documented processes to ensure that all systems are protected from unauthorised access and that all updates are conducted based on an agreed maintenance plan.

    7.6. You shall deploy all host systems using a standardised secured configuration (hardened, i.e. exposing only the ports, protocols, and services necessary to meet the functionality requirements). Sufficient vulnerability and patch management processes shall be maintained and followed to promptly implement security patches and fixes according to industry best practices and the criticality level of the vulnerability.

    7.7. Sharing of Bolt-related data shall only be undertaken through secure data-sharing portals or tools. The use of insecure file transfer protocols (e.g. unencrypted FTP) is strictly forbidden.

    7.8. You shall maintain the cryptographic certificates needed to provide the services, monitor the expiry of all TLS certificates, and manage their timely replacement.

    7.9. You shall encrypt all information and/or data using current industry-standard strong encryption, key management and related standards when processing, transmitting and/or storing personal data, consumer data, or Bolt confidential or secret information in public cloud environments (including consumer cloud storage services), and when transmitting data over the public Internet.

    7.10. When transferring e-mail over the public Internet, the preferred way is to use end-to-end encryption (e.g. S/MIME or OpenPGP) or gateway-to-gateway encryption (e.g. TLS between mail servers). At a minimum, you shall be able to send adequately encrypted attachments.

    7.11. You shall establish policies and procedures and implement mechanisms for effective key management to support data encryption in storage, transmission, and authentication. Key management and key usage shall be segregated duties.

    7.12. You shall have remote access and remote work policies, practices, guidelines and restrictions in place. Wireless access and remote connections shall be protected from eavesdropping (e.g. by VPN).

    7.13. If Bolt’s virtual meeting solution isn’t used, you shall ensure that the following controls are implemented for the virtual meeting solution:

    a) Remote control of the web camera is disabled;

    b) The web camera shall automatically shut down when a virtual meeting session has ended.

    7.14. All laptop hard disks, other client devices (USB memory sticks, netbooks, smartphones, tablet computers, portable media players etc.) and other removable/backup media containing Bolt-related data shall use full-disk encryption.

    7.15. You shall securely and permanently destroy/wipe Bolt-related data in a Bolt-approved manner from all media and/or devices when it is no longer required for the services. Any old or broken media containing Bolt-related data shall be effectively and permanently wiped without the possibility of retrieving any data, or destroyed, before being decommissioned or reused. You shall ensure that necessary backup arrangements are considered before disposal.

    7.16. Workstations and other end-user devices used to access Bolt-related data shall be installed from standardised installation images or using standardised installation or configuration procedures. Devices shall be configured to resist attacks according to industry standards and best practices. The means of connecting to networks, IT services or other end-user devices shall be designed to be secure and protected against unauthorised disclosure or alteration of business information. All software used on workstations shall be regularly patched, and host-based (personal) firewalls shall be used.

    7.17. All devices used or added to the end user environment (e.g. Bring Your Own Device, BYOD) shall be approved, protected by appropriate security controls, and supported by standard operating procedures or instructions for acceptable use.

    7.18. Automated, up-to-date, and functional malicious code protection (such as antivirus and anti-spyware/malware) shall be installed in all systems that deliver end-to-end services for Bolt.

    7.19. Administrative tools capable of potentially overriding system, object, network, virtual machine, and application controls shall be restricted.

  8. Prohibited use

    8.1. Offences against the confidentiality, integrity and availability of Bolt data, including but not limited to the production, sale, procurement for use, import, distribution, or otherwise making Bolt data available, are prohibited.

  9. Right to Terminate

    9.1. Bolt may terminate the applicability of this Code of Practice, including the right to handle Bolt’s data and to enter Bolt's physical or virtual environment, at any time, with immediate effect and without giving a reason.

  10. Effect on cessation of application

    10.1. When this Code of Practice ceases to apply, you shall deliver or destroy all Bolt data, including any originals and copies of confidential information in your possession, without delay, as instructed by Bolt.

Last amended 15.03.2023