Security Incident Management Policy

A security breach is any incident that results in the destruction, loss, accidental or unlawful alteration, unauthorized disclosure, or unauthorized access to personal data processed by cepaos.

This includes, among other cases:

• Unauthorized access to personal data stored in our systems.
• Exfiltration or copying of personal data by unauthorized third parties.
• Accidental loss or destruction of data without the possibility of recovery.
• Accidental disclosure of data to unauthorized recipients.
• Compromise of access credentials that enabled access to personal data.

cepaos is committed to managing any security breach with transparency, diligence, and adherence to applicable data protection regulations.

In the event of a confirmed breach affecting personal data:

• We will notify affected users within 5 business days of determining the scope of the breach and containing the incident.
• We will notify the competent data protection authority within 72 hours of becoming aware of the breach, in accordance with applicable regulations.
• We will adopt immediate technical and organizational measures to contain the incident and prevent recurrence.

When cepaos notifies users about a security breach affecting them, the communication will include:

• Nature of the incident: a clear description of what occurred, in understandable terms.
• Data affected: categories of personal data that may have been accessed, altered, or disclosed.
• Incident period: the timeframe during which data was exposed, to the extent determinable.
• Measures taken: actions taken by cepaos to contain the incident and protect the data.
• Recommendations for the user: concrete steps the user can take to reduce exposure (e.g., password change).
• Contact: direct channel for inquiries and follow-up.

Notifications to affected users will be made through the following channels:

• Registered email: sent to the email address registered in the user's cepaos account.
• Dashboard notice: a visible notification upon logging into the platform, available to all members of affected organizations.

In cases of high severity with widespread impact, cepaos may additionally publish a notice on its website.

If you detect or suspect unusual activity in your cepaos account, or believe you have identified a security vulnerability in the platform, please inform us immediately:

• Security email: security@cepaos.com

We commit to responding within 24 business hours of receiving your report.

If you report a security vulnerability in good faith, cepaos commits to not taking legal action against you for said report, provided you have not accessed, copied, or disclosed third-party data.

cepaos maintains an internal record of all declared security incidents.

As of the update date of this policy (March 27, 2026), no security breaches affecting personal data of users have been recorded.

This history will be updated in the event of any future incident that must be communicated to affected users.

This policy is framed within applicable data protection regulations, including but not limited to:

• GDPR (General Data Protection Regulation, EU 2016/679) and applicable national implementations.
• CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act) where applicable.
• Applicable national data protection laws in the user's jurisdiction.

For more information on how cepaos processes your personal data, please see our Privacy Policy.

For inquiries about this policy or to report an incident:

• Security: security@cepaos.com
• Privacy and personal data: privacy@cepaos.com
• cepaos LLC — Wyoming, United States