The following is an excerpt from our "Information Security, Use of Assets and Intellectual Property Policy" regarding confidentiality applicable to our personnel, strategic suppliers and business partners:

2. STATEMENTS
a. EMMSA understands that the information and IT assets used for its operations are a strategic resource, and considers the Information Security, Use of Goods and Intellectual Property Policy as an integral part of its business practices, convinced that these measures give intrinsic value to the company, increasing its credibility, reputation and fulfilling its duty to safeguard the investment of its main shareholders.
b. EMMSA is committed to ensure compliance within the company with all laws, rules, regulations, contractual obligations and other relevant requirements that have to do with Information Security.
c. In order to protect the information, EMMSA establishes criteria for its classification based on the requirements of integrity, confidentiality and availability, and supports the means for its adequate treatment, trying to adapt to international standards governing this matter.

d. It also establishes security criteria based on risk analysis that includes people, processes and technology, with a proactive vision and seeking continuous improvement, aligned with the company's Quality Policy and Integrity Policy and maintained through the Information Security Management System (ISMS).
e. Finally, EMMSA understands that Information Security is a responsibility of the entire organization.

f. As a general framework for the issues discussed in this document, EMMSA adheres to the legal regulations in force regarding the commercial treatment, storage and custody of its own information and that of its customers, suppliers, business partners and related companies, and therefore it is understood that EMMSA respects and will enforce resolutions, provisions, regulations, laws, decrees, etc. issued by the competent authority that may be applicable. In this sense and by extension, all members of EMMSA are obliged to comply with them. Likewise, all collaborators or third parties that maintain a direct or indirect relationship with EMMSA and have access to the information are subject to the same requirements.
g. It is considered an implicit responsibility of EMMSA's Management to disseminate this policy, through the different means available to them, and also to supervise its compliance.
h. All information handled has a degree of confidentiality, and therefore each member of the organization is responsible for protecting, with the means at their disposal, the information in their custody. At all times, each person must take the necessary precautions to avoid exposure of the information under his/her responsibility.
i. All personnel must confirm their adherence to the Confidentiality of Information Policy by signing manually or electronically on the Intranet, and report any actual or suspected violation that they may notice. In this regard, each person is responsible for notifying his or her immediate superior of any occurrence or practice that does not comply with the guidelines, implemented controls or formalized procedures or not, inherent to security.

3. CONFIDENTIALITY
j. In the performance of their duties, employees will sometimes have access to undisclosed information, kept secret and confidential, owned by EMMSA and/or third parties who have entrusted such information to EMMSA. Likewise, through their personal or team activities, employees will sometimes generate valuable information that is not intended to be disclosed outside the company, or within the company to functions or hierarchical levels that do not correspond.
k. All employees are aware that confidential information, understood in the broad terms of the preceding paragraph, to whose knowledge they have access or generate in the performance of their work activities, is part of the assets of EMMSA and/or, eventually, of third parties of which EMMSA is the custodian. The maintenance of absolute confidentiality with respect to each and every one of these secrets constitutes an essential condition of its relationship with EMMSA of the possibility of maintaining the exclusive use and exercise of them and/or would place it in default with respect to its obligation of confidentiality towards the third party owners of them.
l. All personnel are limited to use the confidential information and in general the data and information to which they have access, only for the execution of their obligations to the company, and to preserve the secrets of EMMSA and/or of the third parties who communicated them in confidence, keeping them in strict confidentiality.
m. All personnel must, in principle, consider as confidential all the information they access or generate in the course of their relationship with EMMSA and with the company's Clients, Suppliers and/or Business Partners. In particular, and in a strict manner, all the information with respect to which there is an obligation to keep secret, all those that refer directly or indirectly to the tasks entrusted in the present contract, the products and/or business, and/or the internal organization and/or the work operations of EMMSA, or of its clients, or of the third parties that communicated secrets, in general, and in particular those that are detailed below in an exemplary and in no way limiting enumeration:

• i. Research projects, new developments or computer systems developed, computer source programs, algorithms, routines, procedures, components of any kind, of any authorship, supported on any support.
• ii. Data files of any nature, especially all those that may contain personal data that may be qualified as sensitive.
• iii. Information on business, costs, customers, commercial policies or prices, products, work processes, etc., both current and potential under evaluation.
• iv.Ideas and information related to the production of systems or the rendering of services offered by EMMSA, and/or the development of any kind of works, or inventions, or discoveries, or models, or designs.
• v. Patents and related information.
• vi. Functional or technical documentation, project documentation, diagrams, manuals, instructions, photographs, videos, etc.
• vii. Planning and management information, organizational schemes of the company or clients, workflow organization of the company's or client's processes.
• viii. Commercial documentation, contracts, etc.
• ix. Statistical data from own or clients' pages or any other information that is a consequence of a contract with a client or that is generated directly by EMMSA.
• x. The security policies of EMMSA or its customers.

n. Notwithstanding the foregoing, it is expressed that there shall be no obligation of confidentiality when it is proven that:

• i. The information was already in the public domain at the time it became known, produced or used or later entered the public domain through no fault of the employee.
• ii. The information was in the employee's knowledge, with no obligation to keep it confidential, prior to his hiring by EMMSA.
• iii. The information was legitimately developed or received from third parties by the employee on a personal and private basis, absolutely independent of his or her relationship with EMMSA.

o. The personnel is aware that any disclosure of confidential, secret or sensitive information to which it has access may constitute a criminal offense, in accordance with the provisions of art. 156 of the Penal Code, subject to the penalties provided for in that provision, and shall also be liable for any damages that its attitude may cause both to EMMSA and its customers or third party owners of secrets entrusted to the safekeeping of EMMSA.
p. If for any reason the relationship between the employee and EMMSA is terminated, the employee is obliged to return to EMMSA at the same time any documentation, publication, data or information, material or background that constitutes property of EMMSA or third parties that have entrusted such information to them, whether or not such information is confidential or secret. The obligation of confidentiality remains even after the termination of the employment relationship.
q. As an exception, third parties outside the company may be granted access to information of customers, suppliers, business partners or other related companies, only in those cases in which the request is made by a competent judicial, parliamentary or governmental administrative authority, and prior authorization from EMMSA's management is required.
These same confidentiality clauses are extended to all suppliers and business partners of EMMSA that as part of their service tasks may have access to valuable information related to our company or any of our customers.