7.2 Notification Procedures
As part of our commitment to the protection of our clients' information, we have established the following procedures to guide our communication in the event of a security incident. This policy is aimed at ensuring timely, appropriate, and legal notifications are made to all relevant parties.
a. Internal Notification Procedures
Upon discovery of a potential security incident, the following steps should be taken:
Incident Reporting: The incident must be immediately reported to the Incident Response Team (IRT). The report should include as many details as possible, such as when and how the incident was discovered, the nature of the data involved, and the systems or parties involved.
Incident Documentation: The incident, investigation, containment, and recovery process should be carefully documented in real time. This documentation will help the organization to recover, evaluate the response, and implement preventive measures.
b. External Notification Procedures
Should a security incident result in unauthorized access to our client data, we are committed to providing prompt and detailed notifications:
Client Notification: In compliance with legal obligations and out of respect for our clients, we will notify affected clients as soon as reasonably possible. The notification will detail the extent of the breach, the data involved, steps taken to contain the breach, and advice on how they can protect themselves.
Regulatory Reporting: In accordance with applicable laws and regulations, we will notify the relevant regulatory bodies. Notifications will follow the specific requirements of each regulatory body, which may include the IRS in the US.
Law Enforcement: For serious breaches, especially those suspected of involving criminal activity, we will promptly contact appropriate law enforcement agencies.
Third-Party Services: If the breach involves systems operated by third-party vendors or impacts services offered through third parties, these parties will be promptly informed.
Updates: We will provide regular updates about the incident to relevant parties, regulatory bodies, and the public, as necessary.
All these procedures have been put in place to ensure a coordinated and effective response to any security incidents, with the ultimate goal of protecting our client data and maintaining trust in our services.