TAŞIMACIM SOFTWARE TECHNOLOGIES INC.
Privacy Policy

Clarification Text

TAŞIMACIM SOFTWARE TECHNOLOGIES INC.
PRIVACY AND INFORMATION SECURITY POLICY

This Policy establishes a corporate commitment by TAŞIMACIM YAZILIM TEKNOLOJİLERİ A.Ş. (“TAŞIMACIM”) to protect the confidentiality of all personal, location, financial, and commercial data processed within its organization, to ensure data integrity, and to provide uninterrupted access to platform information systems. TAŞIMACIM undertakes to implement preventive and detective security controls in accordance with international standards to prevent unauthorized access, disclosure, alteration, or destruction of this information. This Policy is designed to ensure compliance with all national and international legislation, above all the Law No. 6698 on the Protection of Personal Data (KVKK), the Law No. 6563 on the Regulation of Electronic Commerce (ETK), and the Law No. 5651 on the Regulation of Publications Made on the Internet. Under this Policy, TAŞIMACIM inventories all its information and technology assets and proactively manages cyber and operational risks.
Under this Policy, TAŞIMACIM continuously reviews and improves its Information Security Management System (ISMS). It also commits to showing maximum respect for the rights and privacy of Users and Carriers (data owners). In this context, it maximizes data security by physically and logically separating development, testing, and production environments. User and personnel authorization on the system is kept at the necessary minimum level based on the "need-to-know" principle and is regularly audited.

1. INFORMATION SECURITY MANAGEMENT AND CORPORATE GOVERNANCE

1.1. Establishing a corporate organizational structure with the support of senior management is essential for effective information security management and coordination. Within this structure, it is mandatory to define and measure the objectives of the Information Security Management System (ISMS), update them annually in line with the Company's e-commerce and logistics goals, and report them regularly to senior management. Compliance of all employees and business partners (including independent carriers) with the defined policies and procedures is ensured through written commitments and digital approvals. Ensuring that all activities comply with documented procedures within the framework of corporate risk appetite and legal requirements, and conducting regular internal/external information systems audits in this context, is a fundamental obligation.

1.2. TAŞIMACIM adopts as its fundamental business principle the continuous verification and maintenance of compliance with all national and international legislation, including the Turkish Commercial Code No. 6563, the logging legislation No. 5651, the Road Transport Law No. 4925, and the Personal Data Protection Law No. 6698. It develops the necessary cloud infrastructure and security controls to protect the accuracy and integrity of platform data and to ensure continuous access to matching/software systems.

1.3. The organizational structure created for effective information security management develops detailed procedures (Incident Response Plan) for the detection and reporting of cybersecurity incidents and the prevention of their recurrence. It inventories information assets, identifies threats, and manages risks. It applies "Security by Design" requirements in the coding, acquisition, development, and maintenance processes of platform applications (web/mobile).

2. ASSET MANAGEMENT AND CRITICAL RISK ANALYSIS

2.1. TAŞIMACIM is primarily responsible for inventorying all assets (databases, mobile applications, GPS/route tracking systems, servers, network components) and assigning owners to them in order to ensure the security of information assets. These assets are systematically classified taking into account their sensitivity levels (confidential, private, internal, public) and legal requirements (especially the Personal Data Protection Law). Strict integrity requirements are defined in the processing and storage of location and identity data belonging to the Carrier and Users.

2.2. The company conducts periodic risk analyses to identify internal and external threats (DDoS attacks, data leaks, unauthorized access, etc.), vulnerabilities, and potential impacts on its e-commerce intermediary service provider infrastructure. Security controls such as vulnerability scanning and penetration testing are implemented to reduce identified cyber risks to acceptable levels.

2.3. Data security is maximized by adopting the principle of physically and logically separating development, testing, and production (live) environments. In particular, the use of real data (without anonymization) belonging to Users and Carriers in test environments is strictly prohibited. End-to-end encryption mechanisms are established for the secure transmission/storage of tokenized financial data and personal data related to payments made through the platform.

3. PERSONNEL AND HUMAN RESOURCES SECURITY

3.1. Authorization is implemented in accordance with the "Segregation of Duties (SoD)" principle throughout the design, development, testing, and operational implementation processes. Approval and logging mechanisms are established for critical processes such as customer support processes, return approvals, or carrier matching interventions. Personnel authorization is kept at the minimum level (least privilege) essential for the execution of the job description and is periodically audited.

3.2. The company guarantees that all personnel (software developers, operations specialists, customer representatives) comply with established security procedures by obtaining legally binding Non-Disclosure Agreements (NDAs). Periodic training programs are implemented to raise awareness on phishing attacks, social engineering, and data protection law (KVKK).

3.3. Necessary environmental measures are taken to ensure security in the physical areas where information and servers are located. Biometric or card access controls are implemented for office areas, server rooms, and archives to prevent unauthorized access. The clean desk & clear screen policy is rigorously enforced.

4. ACCESS CONTROL AND LOGICAL SECURITY

4.1. Access authorization to systems (CRM, database, administration panel) is regularly audited. It is mandatory that the processes of defining, allocating, using, and immediately terminating access rights upon departure from the company be managed through a formal Identity and Access Management (IAM) procedure, and that all access logs (time-stamped in accordance with Law No. 5651) be traceable.

4.2. Redundant infrastructures are developed to protect the accuracy and completeness of information and to provide continuous 24/7 access to the Platform and mobile applications. Multi-factor authentication (MFA/2FA) systems are integrated into the infrastructure for the security of user and carrier accounts, and suspicious login attempts are monitored in real-time.

4.3. Next-generation firewalls, web application firewalls (WAF), and intrusion detection/prevention systems (IDS/IPS) are deployed to ensure network security against external threats. A layered security approach is adopted, with logs correlated and continuously monitored via SIEM (Security Information and Event Management) systems.

5. CRYPTOGRAPHY, NETWORK SECURITY AND DATA PROTECTION

5.1. Industry-standard cryptographic encryption and masking measures are applied for the secure transmission (data in transit – via TLS/SSL protocols) and secure storage (data at rest) of user passwords, authentication data, and sensitive communication/location information in databases. The lifecycle and confidentiality of the encryption keys used are managed through secure key management processes.

5.2. To ensure the network integrity of the platform, strict isolation rules are applied between external networks, the DMZ (Demilitarized Zone), and internal networks. Application programming interfaces (APIs) and integrations with payment institutions undergo high-level cryptographic checks to ensure secure communication.

5.3. Cloud-based data centers are required to have TIER 3 or higher international security certifications. Physical and environmental measures, including air conditioning, fire suppression, and uninterruptible power supply (UPS/generator) equipment, are used to ensure physical integrity.

6. INFORMATION SECURITY INCIDENT MANAGEMENT AND BUSINESS CONTINUITY

6.1. Detailed incident response procedures are implemented for the detection, classification, analysis, and isolation of information security breaches (unauthorized access, data leakage, denial-of-service attacks – DDoS). Reporting breaches to the Personal Data Protection Board and relevant parties within the legal timeframe (72 hours) and in accordance with corporate policies is essential. Root cause analyses are conducted and systems are patched to prevent recurrence of incidents.

6.2. Measures are taken to prevent disruptions in logistics and matching activities. TAŞIMACIM establishes a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) to ensure the sustainability of operations. These plans aim to quickly restore critical servers and minimize user/carrier losses in the event of a natural disaster, cyber attack, or infrastructure failure. The plans are tested through regular drills (failover tests).

7. COMPLIANCE WITH LEGISLATION AND PROTECTION OF PERSONAL DATA

7.1. TAŞIMACIM is committed to ensuring full compliance with Law No. 6698 on the Protection of Personal Data (KVKK) and related Board decisions in the processing of all personal data (User, Carrier, License Holder, Employee data). Data processing activities are carried out based on legal grounds such as Explicit Consent, Performance of a Contract, or Legal Obligation. The obligation to inform is fulfilled transparently at every point of contact.

7.2. Data subjects' legal rights arising from the Law (right to access, rectification, transfer, deletion, and to be forgotten) are meticulously protected. Through the "Data Controller Application Management Process" established within TAŞIMACIM, requests are answered as quickly as possible (maximum 30 days). Except for legally mandated retention (logging and commercial ledger) obligations, data for which the processing conditions have ceased to exist are periodically deleted, destroyed, or anonymized in accordance with the "Data Retention and Destruction Policy".

7.3. The regulatory obligations arising from being an Electronic Commerce Service Provider are fully complied with. Commercial electronic communications (including IYS integration) are kept under control in accordance with Law No. 6563, and traffic (log) records are stored in an unalterable format (hashed) for the legally mandated periods as required by Law No. 5651. Legislative security requirements in information systems acquisition and third-party software integration are ensured through contracts (Data Processor Agreements).