Security as a business capability
Yaripo conceives information security not merely as a technical requirement, but as an enabling capability for trust, resilience, compliance and commercial scalability. This approach is especially relevant in services linked to data, artificial intelligence, automation, advanced analytics and cloud environments.
Aligned, but not certified
Yaripo can structure its security practices with reference to internationally recognised frameworks, particularly those used in corporate and regulatory environments. However, this statement should not be interpreted as evidence of formal ISO certification or a completed external audit.
General security approach
Security as a strategic function
Information security at Yaripo is approached through a risk management logic, protection of critical assets, access control, operational resilience and continuous improvement. This approach seeks to reduce exposure to incidents, reinforce client trust and protect sensitive information in the context of consulting, digital products, training and artificial intelligence solutions.
Security is integrated by design where reasonably practicable, taking into account the nature of the service, the client context, the type of data involved and the level of operational criticality.
Scope of this statement
Services, platforms and covered environments
This statement covers, as applicable, the operation and evolution of:
- consulting services in data, analytics, AI, FinOps, governance and strategy;
- current or future platforms, digital products or SaaS services;
- training environments, academy, digital content and labs;
- cloud infrastructure, integrations and associated technology components;
- internal processes for handling commercial, technical or operational information.
Reference frameworks and standards
Alignment with international standards
Yaripo may draw on recognised security and privacy frameworks, particularly those useful for B2B and enterprise environments, including best practices associated with:
- ISO/IEC 27001 for information security management systems;
- ISO/IEC 27002 for security controls;
- ISO/IEC 27701 for privacy extension and personal information governance;
- NIST Cybersecurity Framework as a capability organisation framework for identify, protect, detect, respond and recover functions.
Guiding principles
Confidentiality, integrity and availability
Yaripo's security architecture is organised around classic and extended principles of information protection:
- Confidentiality: information must be accessible only to those with legitimate authorisation.
- Integrity: data and configurations must be kept complete, accurate and protected against unauthorised alteration.
- Availability: relevant systems and data must remain usable and recoverable within reasonable parameters.
- Traceability: where applicable, relevant activity must be capable of being logged, monitored or reviewed.
- Least privilege: access must be granted in accordance with genuine need and strictly required scope.
Applicable security controls
Access, encryption, monitoring and more
Depending on the type of service, environment or deployment, Yaripo may apply controls such as the following:
- identity and access management under role-based and least-privilege principles;
- multi-factor authentication where reasonably practicable or required;
- encryption in transit and, where applicable, encryption at rest;
- secrets, credentials and access key management;
- logging, technical monitoring and review of relevant events;
- segregation of development, test and production environments where applicable;
- hardening or reinforcement of secure configurations in systems, services and components;
- patch, vulnerability and update management;
- basic backup and restoration controls;
- containment and incident response measures.
Protection of sensitive and critical data
Personal, commercial and technical information
Yaripo may process or interact with information requiring enhanced protection, including personal data, confidential commercial information, technical documentation, enterprise datasets, prompts, inputs, outputs and configurations associated with AI or advanced analytics solutions.
Protection of this information is addressed in accordance with its criticality, purpose, sensitivity and applicable contractual or regulatory requirements.
Cloud architecture and multicloud approach
Open and evolving infrastructure
Yaripo may operate on cloud infrastructure, including single-cloud or multicloud architectures, depending on the nature of the service and client requirements. Although certain environments may initially be implemented on specific providers, the design stance remains open and non-exclusive.
The strategy considers secure configurations, logical segmentation, prudent use of managed services, permissions review, credential protection and adoption of provider-native best practices where relevant.
Security incident management
Response, containment and notification
Yaripo may maintain processes for identifying, analysing, containing, mitigating and learning from information security incidents, in proportion to the nature and criticality of the affected service or environment.
Where applicable, notification to clients, counterparties or authorities will be carried out prudently and in accordance with applicable legal, regulatory or contractual obligations, avoiding over-commitment on absolute timelines not expressly agreed.
Third-party and vendor management
Dependency assessment and control
Yaripo may rely on third parties for infrastructure, analytics, communications, cloud, automation, observability, collaboration or training. In this context, a reasonable vendor assessment is sought based on criticality, access, sensitivity of the information processed and associated risks.
Where relevant, Yaripo may require or review commitments on confidentiality, security, privacy, access segregation or processing in accordance with service requirements.
Resilience, continuity and recovery
Backup and operational continuity
Operational continuity is addressed through measures proportionate to the service context, including backups, restoration, configuration recovery, reasonable redundancy where applicable and review of critical dependency points.
In services where continuity or recovery is materially relevant to the client, specific commitments must be defined by commercial or contractual agreement.
Relationship with enterprise clients
Shared and contractual responsibility
Yaripo understands that in enterprise environments, security is to a large extent a shared responsibility between vendor, client, platform, cloud provider and internal operations. Effective security therefore also depends on the service scope, approved configuration, integration flows, information classification and the client's own operational discipline.
Maturity, evolution and future certification
Strengthening roadmap
Yaripo projects a progressive evolution of its security posture, including documentary formalisation, strengthening of controls, governance maturity and eventual preparation for certification or audit processes when the business, scale and commercial demand justify it.
In particular, standards such as ISO/IEC 27001 or ISO/IEC 27701 may constitute reasonable future maturity milestones, especially as Yaripo expands its enterprise operations, client base and exposure to procurement and compliance requirements.