PERSONAL DATA PROCESSING POLICY AND PROCEDURES MANUAL

In compliance with Law 1581 of 2012, which establishes provisions for the protection of personal data, DEV GROUP S.A.S., in its capacity as the Data Controller, hereby informs the general guidelines on this matter:

1. INTRODUCTION

The Political Constitution of Colombia establishes in Article 15 that: “All individuals have the right to personal and family privacy and to their good name, and the State must respect and enforce these rights. Likewise, they have the right to know, update, and rectify the information that has been collected about them in databases and in files of public and private entities.” Through Law 1581 of October 17, 2012, “which sets forth general provisions for the protection of personal data,” further regulated by Decrees 1377 of 2013 and 886 of 2014 (now incorporated into the Single Regulatory Decree of the Commerce, Industry, and Tourism Sector 1074 of 2015), among others.

In compliance with the above provisions, DEV GROUP S.A.S. has developed this PERSONAL DATA PROCESSING POLICY, the application of which is mandatory for all employees, contractors, interns, or personnel of suppliers who process personal data recorded in the Organization’s databases. This policy contains the necessary guidelines to ensure compliance with legal obligations regarding personal data protection.

DEV GROUP S.A.S., identified with Tax ID (NIT) 901.552.847 - 8, with its principal office located at CL 85 No. 50 - 62, Barranquilla, Atlántico, website www.devgroupcorp.com, telephone (605) 3299724, in its capacity as the data controller, processes the personal data it obtains by virtue of the operations requested from or entered into with the Organization, in accordance with the principles and duties defined in Law 1581 of 2012 and other regulations governing this matter.

2. OBJECTIVE

To establish guidelines that ensure the proper processing, adequate protection of personal data handled by DEV GROUP S.A.S. in its processes, and compliance with applicable regulations in this matter.

3. RECIPIENTS

This policy is addressed to:

Our clients and individuals interested in the solutions offered by DEV GROUP S.A.S., from whom personal data is collected, so that they have access to the necessary and sufficient information regarding the processing activities and purposes for which their data is collected, as well as the rights they may exercise as data subjects before DEV GROUP S.A.S. when this Organization acts as the data controller.

Employees, suppliers, contractors, and interns whose personal data is processed by DEV GROUP S.A.S., in relation to their relationship and activities carried out within the Organization.

4. SCOPE

  • To comply with current regulations on Personal Data Protection, as well as any requirements arising from the principle of accountability.

  • To carry out proper processing of personal data, fulfilling the duties as a data controller and guaranteeing the rights of data subjects.

5. DEFINITIONS

  • Authorization: Prior, express, and informed consent of the Data Subject to carry out the processing of personal data.

  • Privacy Notice: Verbal or written communication issued by the data controller, addressed to the Data Subject for the processing of their personal data, informing them about the existence of the applicable data processing policies, how to access them, and the purposes of the intended processing.

  • Database: An organized set of personal data that is subject to processing.

  • Personal Data: Any information related to or that can be associated with one or more identified or identifiable natural persons.

  • Public Data: Data that is not semi-private, private, or sensitive. Public data includes, among others, information related to a person’s marital status, profession or occupation, and status as a merchant or public servant. By its nature, public data may be contained, among others, in public records, official documents, gazettes, official bulletins, and duly executed judicial decisions that are not subject to confidentiality.

  • Private Data: Data that, due to its intimate or reserved nature, is only relevant to the Data Subject.

  • Semi-Private Data: Information that is not intimate, reserved, or public, and whose knowledge or disclosure may be of interest not only to the Data Subject but also to a specific sector or group of people or to society in general, such as financial, credit, or commercial activity data.

  • Sensitive Data: Data that affects the privacy of the Data Subject or whose misuse may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social or human rights organizations, or organizations promoting the interests of any political party or guaranteeing the rights of opposition political parties, as well as data related to health, sexual life, and biometric data.

  • Data Processor: A natural or legal person, public or private, who, on their own or in association with others, processes personal data on behalf of the Data Controller.

  • Data Controller: A natural or legal person, public or private, who, on their own or in association with others, decides on the database and/or the processing of the data.

  • Data Subject: A natural person whose personal data is subject to processing.

  • Transfer: The transfer of data occurs when the Data Controller and/or Data Processor sends personal data or information to a recipient, who in turn is also a Data Controller, whether within or outside the country.

  • Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.

6. PRINCIPLES FOR DATA PROCESSING

The processing of personal data by DEV GROUP S.A.S. shall be governed by the following principles:

  • Legality: Subject to applicable regulations.

  • Purpose: Use for legitimate, informed, and specific purposes.

  • Freedom: Requires prior, express, and informed consent.

  • Accuracy or Quality: Information must be truthful, complete, and up to date.

  • Transparency: The Data Subject has the right to know how their data is used.

  • Restricted Access and Circulation: Access limited to authorized personnel only.

  • Security: Protection against unauthorized access or fraud.

  • Confidentiality: Obligation of confidentiality remains even after the relationship has ended.

7. PURPOSES OF PERSONAL DATA PROCESSING

CLIENTS / CITIZENS

  • Handling and responding to petitions, complaints, claims, and suggestions (PQRS).

  • Recording images, voice, or any other type of record for support, evidence, storage, publication, and distribution of records from events, hearings, and PQRS handling.

  • Carrying out campaigns, outreach activities, training sessions, and programs.

  • Conducting studies, statistics, surveys, and trend analysis related to the services provided by the Organization.

  • Additional purposes previously informed to the Data Subject in accordance with the Law and within the scope of the functions assigned to DEV GROUP S.A.S., expressly authorized.

PERSONNEL MANAGEMENT

  • Evaluating candidates’ professional profiles for recruitment and formal hiring, fulfilling vacancies or staffing needs across different areas and functions of the Company.

  • Verifying academic, employment, personal, family, commercial background, and other relevant socioeconomic factors of candidates, according to the job requirements.

  • Managing registration, affiliation, and updates before administrative authorities related to the general social security system, as well as other labor-related obligations and benefits.

  • Registering employees in information systems to support accounting, administrative, and financial activities related to the employment relationship.

  • Managing employment updates that impact payroll calculation and payment.

  • Promoting employee well-being and comprehensive development within their work and family environment.

  • Guaranteeing the right to collective association and managing related economic, administrative, social, and organizational aspects.

  • Managing occupational health and safety systems, aiming to mitigate risks and ensure proper handling of incidents or events.

  • Sending relevant information for the execution of the employment contract via physical or authorized email.

  • Granting employee benefits and supporting occupational health or well-being activities.

  • Publishing activities through television or radio programs, websites, social media, video-sharing platforms, and/or editorial or advertising material.

  • Administrative, strategic, financial, and tax planning and management; corporate personnel management; and compliance with regulatory, legal, governmental, judicial, or arbitration requirements.

  • Providing information for security background checks conducted by authorized entities.

  • Issuing employment certificates and income and withholding certificates.

  • Managing employee termination or retirement processes, including compliance with related financial obligations.

  • Inviting employees to events, partnerships, and organizational initiatives.

  • Capturing data through video surveillance systems, recordings, or photographs for identification badges; processing is intended for employee identification, access control, facility security, and prevention of irregular conduct.

  • Recording images, voice, or any other type of record for support, evidence, storage, publication, and distribution of records from events, hearings, and PQRS handling.

SUPPLIERS / CONTRACTORS / CLIENTS

  • Verifying commercial background, reputation, and potential risks related to money laundering and terrorism financing.

  • Legally and commercially onboarding suppliers/contractors/clients, enabling their registration in management systems for accounting, logistics, and financial operations.

  • Formalizing contractual relationships and ensuring proper execution of agreed obligations.

  • Evaluating supplier performance and results to strengthen procurement and contracting processes.

  • Inviting suppliers/contractors/clients to events, training sessions, or institutional activities.

  • Carrying out health promotion and prevention activities related to occupational health and safety.

  • Managing the Entity’s budgeting and accounting processes, including payments, contract certificates, income and withholding certificates (for individuals), and payment records.

  • Maintaining a digital archive containing information related to each contract.

  • Managing all communications derived from the commercial relationship through established channels.

  • Monitoring and validating compliance with assigned duties, obligations, and responsibilities under the contract, as well as facilitating information exchange as required by the relationship or by law, internally or with authorities.

  • Capturing data through video surveillance systems or recordings in access control systems, for contractor identification, access control, facility security, and prevention of irregular conduct.

  • Additional purposes previously informed to the Data Subject in accordance with the Law and within the scope of the functions assigned to DEV GROUP S.A.S., expressly authorized.

  • Recording images, voice, or any other type of record for support, evidence, storage, publication, and distribution of records from events, hearings, and PQRS handling.

VISITORS

  • Capturing data through video surveillance systems or recordings in visitor access systems, for access control, identification, facility security, and prevention of irregular conduct.

  • Notifying, in case of emergency, the occupational risk insurer and/or health provider (EPS) with which the Data Subject is affiliated.

8. PROCESSING OF SENSITIVE DATA

Through this policy, DEV GROUP S.A.S., in compliance with its legal and regulatory duties, seeks to ensure the effective protection of the constitutional right to personal and family privacy of all individuals, by establishing appropriate mechanisms and controls to guarantee the proper processing of the information it manages.

These terms and conditions apply to any personal data record collected either in person and/or virtually for enrollment in any product, service, or benefit offered by DEV GROUP S.A.S., which is directly responsible for the processing of such personal data.

Personal data requested directly by other organizations with which DEV GROUP S.A.S. has agreements shall be the sole responsibility of those organizations.

Personal data stored in DEV GROUP S.A.S. databases is subject to various forms of processing, including collection, exchange, updating, processing, reproduction, compilation, storage, use, systematization, and organization, whether partially or fully, in accordance with the purposes established herein. The information may be shared, transmitted, or transferred to public entities, business partners, contractors, or affiliates solely for the purpose of fulfilling the corresponding data processing objectives. In all cases, such sharing, transmission, or transfer will be carried out subject to the execution of the necessary agreements to safeguard the confidentiality of the information.

In compliance with legal obligations, the Organization may provide personal information to judicial or administrative authorities. The Organization will ensure the proper processing of minors’ personal data, guaranteeing compliance with applicable legal requirements and that all processing is previously authorized and justified in the best interests of the minor.

PROCESSING OF SENSITIVE DATA
For the purposes of this policy, sensitive data is understood as data that affects the privacy of the Data Subject or whose misuse may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social or human rights organizations, or organizations promoting the interests of any political party or guaranteeing the rights of opposition political parties, as well as data related to health, sexual life, and biometric data.

The processing of sensitive data is optional. The Data Subject:

  • Is not required to authorize its processing.

  • Will be informed of the sensitive nature of the data.

  • Will explicitly authorize its processing.

9. DATA SUBJECT RIGHTS

DEV GROUP S.A.S. collects, stores, processes, uses, deletes, cross-checks, searches, updates, transmits, and transfers personal information, requiring the prior free, express, and informed consent of the Data Subject. The authorization is a certification that informs the Data Subject about:

  • The processing of their personal data.

  • The purposes of such processing.

  • The optional nature of responding to questions, particularly when they relate to sensitive data or to the data of children and adolescents.

  • The Data Subject’s rights to access, correct, update, or delete the personal data provided.

  • The explicit request for authorization regarding the collection of sensitive data.

  • The request for authorization for the collection and processing of personal data of children and adolescents.

  • The identification, physical or electronic address, and telephone number of the Data Controller.

DEV GROUP S.A.S. retains proof of the authorization granted by Data Subjects for the processing of personal data (Decree 1074 of 2015). Such evidence is stored as follows: authorizations provided by applicants or beneficiaries are recorded in information systems, including the date and time of consent. Communications related to employees, suppliers, and contractors are kept in their respective records. Physical forms used for the collection of personal data are also retained accordingly.

10. CONSERVATION PERIOD

Personal data will be retained, depending on its type, as follows:

  • Employment data: 20 years

  • Commercial data: 5–10 years

  • Video surveillance data: 30–90 days

Alternatively, data will be retained until the Data Subject requests its deletion, where applicable.

11. INFORMATION SECURITY
DEV GROUP S.A.S. implements technical, human, and administrative measures to protect personal data.

12. DATA SUBJECT RIGHTS
Data Subjects are informed of the rights granted to them under personal data protection laws, which DEV GROUP S.A.S. guarantees through established procedures:

  • To know, update, and rectify their personal data held by the Entity. This right may be exercised, among others, against partial, inaccurate, incomplete, misleading data, or data whose processing is expressly prohibited or not authorized.

  • To request proof of the authorization granted to the Entity, except where such authorization is not required under Article 10 of Law 1581 of 2012.

  • To be informed by the Entity, upon request, regarding the use of their personal data.

  • To file complaints before the Superintendence of Industry and Commerce for violations of Law 1581 of 2012 and any regulations that amend or supplement it.

  • To revoke authorization and/or request the deletion of data when the processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce determines that the Entity or the Data Processor has engaged in conduct contrary to the law and the Constitution.

  • To access their personal data that has been subject to processing, free of charge.

13. DUTIES OF DEV GROUP S.A.S. AS DATA CONTROLLER
As the Data Controller, DEV GROUP S.A.S. must comply with the following duties:

  • Guarantee the Data Subject, at all times, the full and effective exercise of the right to habeas data.

  • Request and retain, under the conditions established by law, a copy of the authorization granted by the Data Subject.

  • Properly inform the Data Subject about the purpose of data collection and their rights arising from the granted authorization.

  • Safeguard the information under the necessary security conditions to prevent alteration, loss, unauthorized access, use, or fraud.

  • Ensure that the information provided to the Data Processor is truthful, complete, accurate, up to date, verifiable, and understandable.

  • Update the information and promptly communicate any changes to the Data Processor, adopting necessary measures to keep the data current.

  • Correct inaccurate information and notify the Data Processor accordingly.

  • Provide the Data Processor only with data whose processing has been previously authorized in accordance with the law.

  • Require the Data Processor at all times to respect the security and privacy conditions of the Data Subject’s information.

  • Process queries and complaints in accordance with the terms established by law.

  • Adopt specific procedures to ensure compliance with the law, particularly for handling queries and complaints.

  • Inform the Data Processor when certain information is under dispute by the Data Subject once a claim has been filed and while it remains unresolved.

  • Inform the Data Subject, upon request, about the use of their data.

  • Notify the data protection authority in case of security breaches or risks in the management of Data Subjects’ information.

  • Comply with instructions and requirements issued by the Superintendence of Industry and Commerce.

14. HANDLING OF REQUESTS, QUERIES, OR COMPLAINTS
Requests, queries, and complaints submitted by Data Subjects whose personal data is processed by DEV GROUP S.A.S. to exercise their rights (access, update, rectification, deletion, or revocation of authorization) may be submitted through the following channels:

14.1 Procedure for Exercising Data Subject Rights
For inquiries regarding personal data, requests for authorization, or information on data usage, Data Subjects may submit a request through the channels listed above. The request must include: full name of the Data Subject, description of the inquiry, address, email, and contact phone number.

All inquiries will be addressed within a maximum of ten (10) business days from the date of receipt. If it is not possible to respond within this timeframe, the interested party will be informed before the deadline, explaining the reasons for the delay and indicating the response date, which shall not exceed five (5) additional business days.

For requests related to correction, updating, deletion of data, or complaints regarding non-compliance with data protection obligations, the Data Subject must submit a written request, including: full name, description of the facts, address, email, phone number, and supporting documents.

If the request is incomplete, the applicant will be required within five (5) days of receipt to correct the deficiencies. If no response is received within two (2) months, the request will be deemed withdrawn. If the recipient is not competent to resolve the request, it will be forwarded to the appropriate party within two (2) business days, and the applicant will be informed.

Requests for update, correction, rectification, or deletion will be resolved within fifteen (15) business days from the day following receipt of the complete request. If not possible within this timeframe, the applicant will be informed of the delay and the new response date, which shall not exceed eight (8) additional business days.

15. CHANGES TO THE PERSONAL DATA PROCESSING POLICY
DEV GROUP S.A.S. reserves the right to unilaterally modify its personal data processing policies and procedures at any time. Any changes will be published on the Organization’s website. Previous versions of the policy will be retained.

Continued use of services or failure to withdraw after notification of changes constitutes acceptance of the updated policy.

16. EFFECTIVE DATE OF THE PERSONAL DATA PROCESSING POLICY
This second version of the Personal Data Processing Policy becomes effective as of March 13, 2026, approved by Ronald William Ocampo Peñaloza – Legal Representative.