Information Security Policy

Version 0 - 04/09/2024

1. Purpose

The purpose of this Information Security Policy is to protect the confidentiality, integrity, and availability of Pickatale’s information assets while supporting its mission of inspiring a love of reading and empowering young learners through innovative digital content. This policy aligns with ISO/IEC 27001:2022 standards and ensures effective information security management across the organization, while also integrating environmental considerations into our security strategy.

2. Scope

This policy applies to all Pickatale employees, contractors, third-party providers, and any other relevant stakeholders who interact with Pickatale’s information systems or data, whether hosted internally or through cloud platforms. It encompasses all digital and physical assets, including customer data, employee information, and business operations.

3. Pickatale’s Mission

Pickatale is a leading educational technology company, specializing in developing interactive reading and learning experiences for children. Our mission is to inspire a love of reading and empower young learners by providing innovative, engaging digital content and tools that foster growth and development. We dream, create, and embrace new challenges to support children in their learning journey.

Our goal is to help children thrive by offering them immersive, educational experiences through our advanced technology and creative storytelling. We are dedicated to making reading accessible, enjoyable, and impactful for every child.

4. Information Security Objectives

The primary objectives of Pickatale’s Information Security Management System (ISMS) are:

  • Confidentiality: Ensuring that sensitive information is accessed only by authorized personnel.
  • Integrity: Safeguarding the accuracy and completeness of data throughout its lifecycle.
  • Availability: Ensuring that information is available to authorized users when needed.
  • Risk Management: Identifying, assessing, and mitigating security risks that could impact our systems or services.
  • Legal Compliance: Adhering to all applicable legal, regulatory, and contractual obligations as minimum standards.
  • Privacy Protection: Preserving the privacy of customers, employees, suppliers, and third parties.
  • Continuous Improvement: Regularly reviewing and enhancing our security controls and practices.

5. Information Security Principles

To achieve these objectives, Pickatale is committed to the following principles:

5.1 Risk Prevention and Management

All information security risks will be proactively managed. This includes performing regular risk assessments to identify vulnerabilities and implementing the measures needed to eliminate risks or, where that is not possible, to minimize them.

5.2 Legal and Regulatory Compliance

Pickatale will comply with all relevant laws and regulations regarding data protection and information security, including the General Data Protection Regulation (GDPR) and other applicable standards. Legal requirements are treated as the minimum baseline for compliance.

5.3 Environmental Protection

Pickatale is committed to reducing and preventing the environmental impacts generated by our activities, products, or services as part of our information security management practices.

5.4 Training and Awareness

Employees and contractors will receive continuous training on information security best practices. Regular workshops and updates will ensure that all staff are knowledgeable about their responsibilities and are encouraged to participate actively in the improvement of the system.

5.5 Incident Response and Management

All information security incidents, breaches, or potential threats must be reported immediately. A structured incident response plan will be followed to ensure timely identification, containment, and resolution of any issues, with measures in place to prevent recurrence.

5.5 Monitoring and Auditing

Information systems and processes will be continuously monitored to detect unauthorized access or anomalies. Indicators at all levels will be established to make evidence-based decisions. Regular audits will be conducted to ensure compliance with internal security controls and to identify opportunities for improvement. Objectives and goals will be periodically reviewed to provide a framework for continuous improvement.

5.6 Confidentiality of Customer Data

Protecting the personal data of our users, especially children, is paramount. Pickatale ensures that all sensitive data is encrypted both in transit and at rest, with strict access controls in place.

5.7 Secure Development and Maintenance

6. Roles and Responsibilities

  • Security Manager: Responsible for the development, implementation, and maintenance of the ISMS, ensuring compliance with ISO 27001. This role includes investigating security incidents, defining security procedures, and coordinating risk analysis.
  • Information Manager: Defines the security requirements for processed information, approves security levels, and ensures that information assets are protected.
  • System Manager (IT Manager): Oversees technical development, operation, and maintenance of the information system, ensuring that it meets organizational security standards.

7. Risk Management Framework

Pickatale will maintain a dynamic risk management process to continuously assess and address threats to its information assets. This includes:

  • Risk Assessment: Regular assessments to identify potential security risks.
  • Risk Mitigation: Controls implemented to address identified risks, including technical, administrative, and physical measures.
  • Review: Risks will be re-assessed periodically to account for changes in business processes, technology, or emerging threats.

8. Data Protection and Privacy

Pickatale is committed to protecting the privacy of its users, particularly children, by implementing:

  • Data Classification: Information will be classified based on sensitivity, and safeguards applied accordingly.
  • Access Controls: Access will be restricted to those with legitimate needs, reviewed regularly for compliance.
  • Encryption: All sensitive data will be encrypted using industry-standard methods both at rest and during transmission.
  • Privacy by Design: Privacy principles will be embedded into the design and development of new systems and processes.

9. Business Continuity and Disaster Recovery

Pickatale will maintain a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to ensure the resilience of its information systems. Key systems will be backed up regularly, and recovery processes will be tested annually to ensure they can be effectively executed in the event of a disruption.

10. Policy Review and Continuous Improvement

This Information Security Policy will be reviewed annually or whenever significant changes occur within Pickatale's operations or IT infrastructure. Updates will be made to ensure the policy remains relevant and effective in addressing evolving security threats.
