Information Security Policy

I.
Purpose

According to the laws on data protection and processing of personal information No. 90/2018, Vefmiðlun ehf. (hereinafter referred to as Manor) is obligated to ensure appropriate security of personal information. This information security policy describes the company's emphasis on the importance of this obligation. Manor must protect personal information from all threats, both internal and external, regardless of whether those threats are intentional or accidental. With this policy, employees and others can trust the company's commitment to safeguarding the security of personal information, including confidentiality, integrity, and accessibility.

II.
Scope

This information security policy applies to the handling and storage of all personal information within Manor's operations. It covers both internal operations and services provided by the company to its employees through shared or dedicated infrastructure, as well as all internal systems, software, and hardware owned and under full control of Manor. It also encompasses premises where personal information is processed and individuals, including employees and contractual partners, who have access to such information.

III.
Objectives

The objectives of this information security policy are to ensure that personal information is accurate and accessible to authorized individuals, and to maintain the confidentiality and trustworthiness of personal information in accordance with relevant laws and regulations. It aims to protect personal information from damage, destruction, or disclosure, whether intentional or accidental. Additionally, it ensures that personal information processed within Manor's systems reaches the intended recipients unchanged and in a timely manner. It also aims to keep the risks associated with handling personal information within defined limits. Full compliance with laws, regulations, and rules governing the processing of personal information should be ensured.

Full adherence to privacy protection agreements and the safeguarding of personal information shall be ensured. Any deviations, breaches, or suspicions of weaknesses in information security should be reported and investigated in accordance with rules and security standards. Furthermore, Manor ensures that data and information security is a key consideration in all aspects of product development and regular operations.

IV.
Implementation

The implementation of this policy aims to achieve the defined objectives. It involves maintaining records of information assets containing personal information, whether in digital or paper form, and classifying them based on their nature and importance of confidentiality. Regular formal risk assessments are conducted to identify the risks associated with processing personal information for individuals. An information security management system is employed to manage the risks associated with processing personal information within defined boundaries. Impact assessments on privacy are conducted when specific processing activities may pose a privacy risk, such as system changes or the introduction of new systems that handle or store personal information.

A quality manual with procedures and processes is maintained. Manor's employees receive regular training and education on the security of personal information and their responsibilities in this regard. Requirements are set for employees to operate entirely within applicable laws and regulations, and any doubts or uncertainties should always be interpreted in favor of increased personal information security. Particularly, measures are taken to ensure that copies of personal information are taken and stored securely.

V.
Responsibility

The management of Manor is responsible for the information security policy and its regular review. The company's operations manager is accountable for policy implementation and daily management of information security, along with relevant personnel such as the system manager and software development manager. The Data Protection Officer ensures that staff receive appropriate training on the security of personal information.

All employees, contractors, and consultants of Manor are required to work in accordance with the information security policy. They are obligated to report security incidents and vulnerabilities related to information security.

Legal action or other appropriate measures shall be taken against individuals who intentionally threaten the information security of the company.

VI.
Review

This policy shall be reviewed annually and more frequently as necessary to ensure its alignment with Manor's objectives.

Confirmed by the Manor Board of Directors at 01.01.2022.