Information Security Policy

Applicability

This Information Security Policy applies to all functional areas of Newel. All Newel employees are required to adhere to this policy, and the policy is incorporated into agreements with external parties who may access company information. Newel shares information with external parties only when necessary for the proper conduct of business activities, and always in compliance with applicable laws and regulations.

Preamble

Newel operates primarily in the Digital Medical Device, Software as a Medical Device, and Digital Therapeutics sector. We recognize information security as essential to protecting our information assets and those of our customers, and as a foundation of trust with the patients, clinicians, and partners we serve.

Newel is committed to providing a high standard of security to its customers. To this end, the company has implemented an Integrated Management System (IMS), bringing quality, medical device safety, and information security together under a single, unified approach. The IMS is certified to ISO 9001:2015, ISO 13485:2016, and ISO/IEC 27001:2022.

Objective

Newel's IMS is designed to protect and safeguard critical information and IT resources, ensuring the delivery of secure and continuous business services. This includes the security of electronic devices, information, servers, workstations, laptops, network and communication systems, removable media, printed or written information, and information transmitted by email or any other means.

The information security objective of Newel's IMS is to ensure an adequate level of data and information security throughout the design, development, and delivery of company services, by identifying, assessing, and addressing the risks to which these services are exposed. The IMS covers all services offered by the company, particularly in the areas of:

Research, design, development, and distribution of digital medicine and digital therapeutics solutions

Newel's IMS is built around three core information security requirements:

• Confidentiality. Information is accessible only to authorized individuals.
• Integrity. Information is modified only by authorized individuals.
• Availability. Information is accessible and usable when required by authorized users and business processes.

Through this policy, Newel commits to the following information security objectives:

• Maintain Newel's reputation as a reliable and competent provider.
• Protect Newel's information assets and know-how, and those entrusted to us by our customers.
• Comply fully with applicable data protection regulations, including GDPR and, where applicable, HIPAA.
• Meet contractual requirements regarding information security.
• Build and maintain a strong culture of information security awareness across the organization.

Policy

Newel's policy requires that:

• Critical information is protected from intentional or unintentional unauthorized access, use, disclosure, modification, or disposal.
• The confidentiality, integrity, and availability of information, whether stored or in transit, are maintained at all times.
• Security incidents and suspected policy violations are reported, investigated, and addressed through defined internal procedures.
• Newel's Business Continuity Plan is kept up to date and regularly tested.
• All applicable legal and contractual requirements regarding information security are met.
• This policy is reviewed periodically to assess its effectiveness considering changes in technology, regulation, and business needs.
• Managers and department heads are responsible for implementing this policy within their areas and ensuring compliance by their teams.

Review

Newel periodically reviews the effectiveness and efficiency of its Integrated Management System, supporting continuous improvement as technology, regulations, and business needs evolve.

All Newel personnel are responsible for adhering to this policy. Responsibility for the confidentiality, integrity, and availability of company data is held at the management level, with information security governance embedded in Newel's Integrated Management System.