Presentation

DIRA is a product owned by Scrummers committed to the strictest compliance with the law and the protection of the rights of individuals, such as habeas data, privacy, intimacy, good name and in development of our policy of total responsibility, it is very important to us the conservation, protection and integrity of the personal data that you have made available to us.

For this purpose, this policy establishes the terms, conditions and purposes under which SCRUMMERS, will treat the personal data provided freely and voluntarily, whether via face-to-face or virtual, collected directly from national and international branches or through the consortiums or temporary unions of which it is a part; In addition to the above, data collection information that the owners of the information provide will be used in the development of the functions of the company according to the legal relationship held with each of them.

This Personal Data Protection Policy will apply to all Databases and/or Files that contain Personal Data subject to treatment by Scrummers SAS and Scrummers USA Inc considered as responsible and/or in charge of the processing of such Personal Data.

However, current technologies allow companies to manage, operate and store efficiently the personal information that it uses for the fulfillment of its corporate and business objectives, such as their selection and hiring processes, or the processes related to the service and customer service, users, suppliers, shareowners and managers, among others.

In this context, the purpose of this document is to cover said guarantees and instruments taking into account our condition as responsible for the processing of personal data in light, in particular, of the provided for in literal K of article 17 of the aforementioned law and in article 13 of Decree 1377 of 2013.

1. IDENTIFICATION OF THE PERSON RESPONSIBLE FOR PERSONAL DATA

SRUMMERS S.A.S., identificada con NIT 901382374, con dirección contractual carrera 53ª #127 70 de Bogotá D.C., teléfono 3017549851 y correo electrónico: datospersonales@scrummers.co

SCRUMMERS USA INC identified with No. EIN 86-3394678, with contractual address at 320 S Flamingo Rd # Suite 305, Pembroke Pines, FL 33027, phone +1 954 397 0799 and email: personaldata@scrummers.co 86-3394678, con dirección contractual  en 320 S Flamingo RD # Suite 305, Pembroke Pines, FL 33027, teléfono +1 954 397 0799 y correo electrónico: datospersonales@scrummers.co

CHAPTER I GENERAL PROVISIONS

ARTICLE 1. APPLICABLE LEGISLATION:

Law 1581 of 2012 "By which general provisions are issued for the protection of personal data" and the Decree 1377 of 2013 “By which Law 1581 of 2012 is partially regulated”. These Policies they will be applicable all other rules that complement or replace the above.

Due to the foregoing, SCRUMMERS issues this Privacy Policy and Data Processing Personnel that rest in their databases (hereinafter the "Policy"), which belong to the people natural, owners of the information, who have authorized SCRUMMERS to handle them in accordance with the corporate guidelines and this Policy.

ARTICLE 2. DATABASES. The policies and procedures contained in this document apply to the Databases managed by SCRUMMERS.

ARTICLE 3. PURPOSE. The purpose of this policy is to establish the handling of personal data in accordance with the parameters determined by law, thus establishing the way in which the company will handlEof the personal data to which you have access. Similarly, the procedures for collection, management and treatment of personal data carried out by SCRUMMERS, in order to guarantee and protect the fundamental right of habeas data.

ARTICLE 4. DEFINITIONS. For purposes of applying the rules contained in this document and In accordance with the provisions of Law 1266 of 2008 and Law 1581 of 2012, it is understood as:

Authorization: It is the consent given by any person so that the companies or persons responsible for the information processing, may use your personal data.

Privacy Notice: It is one of the verbal or written communication options provided by law to make the owners of the information aware ot it, it's existence and the ways to access the policies of treatment of the information and the purpose of its collection and use.

Database: Organized set of personal data that are subject to treatment.

Personal Data: This is any information linked or that can be associated with a specific person, such as your name or identification number, or that may make you determinable, such as your physical features.

Private data: It is the data that, due to its intimate or reserved nature, is only relevant to the owner. such as tastes or preferences of people, for example, correspond to private data.

Public data: They are considered public data, among others, the data related to the marital status of the people, his/her profession or trade and to his capacity as a merchant or public servant. By its nature, data may be contained, among others, in public records, public documents, gazettes and newsletters official and duly enforced judicial sentences that are not subject to reservation.

Semi-private data: These are data that are not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to the owner but also to a certain sector or to society in general. The financial data and credit or commercial activity or services, are some examples.

Sensitive data: They are those that affect the privacy of the owner or may lead to the discriminate, that is, those who reveal their racial or ethnic origin, their political orientation, the convictions religious or philosophical, membership in trade unions, social organizations, human rights, as well as data related to health, sexual life, and biometric data, among others.

Person in Charge of Treatment: It is the natural or legal person who performs the processing of personal data, from a delegation that makes him responsible, receiving instructions about the way in which data must be managed.

Responsible for Treatment: It is the natural or legal person, public or private, who decides on the purpose of the databases and/or their treatment.

Owner: It is the natural person whose personal data is subject to treatment.

Data Transfer: This is the operation carried out by the person in charge or in charge of processing the data. data located in Colombia, sends the information or personal data to a receiver, who in turn is Responsible for the Treatment and is inside or outside the country.

Transmission: Treatment of Personal Data that implies the communication of these inside or outside the territory of the Republic of Colombia when its purpose is to carry out a Treatment by the Duty manager on behalf of the Responsible.

Treatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or disposal.

Administrator of the Personal Database: Area in charge or in charge that is in charge and performs Treatment to one or more Databases that have personal information.

Authorized entities: SCRUMMERS, the companies subordinated to it or linked, its parent or controlling company, the subordinate companies of its parent or controlling company.

CHAPTER II AUTHORIZATION

ARTICLE 5. AUTHORIZATION. The collection, storage, use, circulation and in general the treatment of Personal Data that rests in the SCRUMMERS Databases require the free, prior, express and informed of the owners of the same. The personal data of the owners will be kept in the SCRUMMERS Databases for as long as they are used for authorized purposes, unless if the owner requests its elimination.

ARTICLE 6. FORM AND MECHANISMS TO GRANT THE AUTHORIZATION. The Authorization can be recorded in a document physical, electronic, data message, Internet, website or also verbally or by telephone or in any other format that allows to guarantee its subsequent consultation; or through unequivocal conduct of the owner that allows to reasonably conclude that he granted the authorization; or through a mechanism technical or suitable technology through which it can be concluded unequivocally, that if they had not obtained the consent of the owner, the data would never have been collected and stored in the Database.

With the consented authorization procedure, it is guaranteed to the owner of the the Personal Data, that your personal information will be collected and used for certain and known purposes in accordance with this Policy and the corresponding Privacy Notice and the right that assists you to request access, update, rectification and deletion of your Personal Data in any moment, through the mechanisms made available by SCRUMMERS. The foregoing in order that the owner take informed decisions regarding your Personal Data and control the use of your personal information.

ARTICLE 7. PROOF OF AUTHORIZATION. SCRUMMERS will take the necessary measures to maintain records or suitable technical or technological mechanisms of when and how the authorization was obtained by the owners of Personal Data for the Treatment of the same.

CHAPTER III RIGHTS AND DUTIES

ARTICLE 9. RIGHTS OF THE owners OF THE INFORMATION. In accordance with the provisions of article 8 of the Law 1581 of 2012 and articles 21 and 22 of Decree 1377 of 2013 the Owner of the Personal Data has the following rights:

1. Know, update and rectify your Personal Data against SCRUMMERS, in its capacity as Responsible to the Treatment.
2. Request proof of the Authorization granted to SCRUMMERS, in its capacity as Responsible for the Treatment.
3. Be informed by SCRUMMERS, upon request, regarding the use that has been given to your Personal Data.
4. Submit to the Superintendency of Industry and Commerce complaints for violations of the provisions of the Law 1581 of 2012 and the other regulations that modify, add or complement it, once the Procedure query or claim before the Data Controller.
5. Revoke the Authorization and/or request the deletion of the data when the Treatment does not respect the constitutional and legal principles, rights and guarantees.
6. Free access to your Personal Data that has been processed.

SCRUMMERS will provide at all times contact means enabled so that the Data owners can exercise their rights and apply the procedures provided for in this policy, which will be informed and made available to provision in the Privacy Notice.

ARTICLE 10. DUTIES OF SCRUMMERS AS RESPONSIBLE IN RELATION TO DATA PROCESSING

PERSONAL. SCRUMMERS.

1. Guarantee the owner, at all times, the full and effective exercise of the right of habeas data.
2. Keep the information under the security conditions necessary to prevent its manipulation, lost, unauthorized or fraudulent consultation, use or access.
3. Duly inform the owner about the purpose of the collection and the rights that assist him by under the Authorization granted.
4. Guarantee that the information provided to the Treatment Manager is true, complete, exact, up-to-date, verifiable and understandable.
5. Carry out in a timely manner, this is in the terms provided in articles 14 and 15 of Law 1581 of 2012, updating, rectification or deletion of data.
6. Provide the Treatment Manager, as the case may be, only data whose Treatment is previously authorized in accordance with the provisions of this law.
7. Require the Treatment Manager at all times, respect for the security conditions and Privacy of the owner's information.
8. Inform at the request of the owner about the use given to their data.
9. Process the queries and claims made by the owners in the terms indicated in the Articles 14 and 15 of Law 1581 of 2012.
10. Insert in the Database the legend "information under judicial discussion" once notified by the competent authority on judicial processes related to the quality or details of the Personal Data.
11. Insert in the Database the legend "claim in process" and the reason for it, in a term not greater than two (2) business days from receipt of the completed claim.
12. Refrain from circulating information that is being controversial by the Owner and whose blocking has been ordered by the Superintendence of Industry and Commerce.
13. Allow access to information only to people who can have access to it.
14. Inform the Superintendency of Industry and Commerce when there are violations of the codes of security and there are risks in the management of the owners' information.
15. Designate an area that assumes the function of protection of Personal Data, which will process the requests from the owners, for the exercise of the rights to what does it mean the Law 1581 of 2012 and Decree 1377 of 2013.
16. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

Article 11. DUTIES OF THOSE IN CHARGE.

1. Guarantee the owner, at all times, the full and effective exercise of the right of habeas data.
2. Keep the information under the security conditions necessary to prevent its manipulation, lost, unauthorized or fraudulent consultation, use or access.
3. Carry out timely updating, rectification or deletion of the data in the terms of the present law.
4. Update the information reported by the Treatment Managers within five (5) days business days counted from receipt.
5. Process the queries and claims made by the owners in the terms indicated in the Present law.
6. Adopt an internal manual of policies and procedures to ensure adequate compliance of the law and, especially, for the attention of queries and claims by the owners.
7. Record in the database the legend "claim in process" in the manner in which it is regulated by the present law.
8. Insert in the database the legend "information under judicial discussion" once notified by the the competent authority on judicial processes related to the quality of personal data.
9. Refrain from circulating information that is being controversial by the Owner and whose blocking has been ordered by the Superintendence of Industry and Commerce.
10. Allow access to information only to people who can have access to it.
11. Inform the Superintendency of Industry and Commerce when there are violations of the codes of security and there are risks in the management of the owners' information.
12. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

SCRUMMERS; as responsible for the processing of personal data, you may contract or delegate to one person legal or natural as Manager and responsible for data processing personal. Said delegation or contracting must be reflected by means of a written document in which the instructions and responsibilities to be performed by the Manager.

ARTICLE 12. RIGHT OF ACCESS. The power of disposition or decision that the owner has over the information which concerns you, necessarily entails the right to access and consult if your personal information is being the object of treatment, as well as the scope, conditions and generalities of said treatment. This way, SCRUMMERS must guarantee the owner their right of access in three ways:

1. The first implies that the owner can know the effective existence of the treatment to which they are subdued your personal information.
2. The second, that the owner may have access to their Personal Data that is in the possession of the responsible keeper.
3. The third supposes the right to know the essential circumstances of the treatment, which is translates into the duty of SCRUMMERS to inform the owner about the type of Personal Data processed and each and every of the purposes that justify the treatment.

PARAGRAPH: SCRUMMERS will guarantee the right of access when, after proof of the identity of the owner or quality of its representative, the detail of the Data is made available to it, free of charge. through the means enabled for that purpose.

ARTICLE 13. RECTIFICATION AND UPDATING OF DATA. The Owner of the data has the right to request the updating or rectifying your Personal Data. SCRUMMERS has the obligation to rectify and to update At the request of the owner, the information of the latter that turns out to be incomplete or inaccurate, in accordance with the procedure indicated in this Policy. In the requests for rectification and updating of Personal Data the owner must indicate the corrections to be made, for which in some cases it will be requested the documentation supporting your request.

SCRUMMERS is fully free to enable mechanisms that facilitate the exercise of this right, provided they benefit the owner. Consequently, electronic or other means may be enabled if consider relevant.

SCRUMMERS may establish forms, systems and other simplified methods, which must be informed and made available to interested parties on the website.

Each time SCRUMMERS makes a new tool available to facilitate the exercise of your rights by part of the owners of information or modify the existing ones, it will inform you through its website.

ARTICLE 14. DELETION OF DATA. The owner has the right, at any time, to request SCRUMMERS the deletion (removal) of your Personal Data when:

1. You want your data to be removed from the SCRUMMERS Databases.
2. Consider that they are not being treated in accordance with the principles, duties and obligations provided for in Law 1581 of 2012 and Decree 1377 of 2013.
3. They have ceased to be necessary or relevant for the purpose for which they were collected.
4. The period necessary for the fulfillment of the purposes for which they were collected has been exceeded.

The deletion implies the total or partial elimination of the personal information in accordance with what was requested. By the owner in the records, files, Databases or treatments carried out by SCRUMMERS. It is important to take into account that the right of cancellation is not absolute and the person in charge can deny the exercise of the same when:

1. The owner has a legal or contractual duty to remain in the Database.
2. The deletion of data hinders judicial or administrative actions linked to obligations of prosecutors, the investigation and prosecution of crimes or the updating of administrative sanctions.
3. The data is necessary to protect the legally protected interests of the owner; to do an action based on the public interest, or to comply with an obligation legally acquired by the headline.

In the event that the cancellation of Personal Data is appropriate, SCRUMMERS must carry out an operational deletion in such a way that the deletion does not allow the recovery of the information.

ARTICLE 15. REVOCATION OF THE AUTHORIZATION. The owners of the Personal Data can revoke the consent to the processing of your Personal Data at any time, as long as it does not prevent it from legal or contractual provision. It should be noted that there are two ways in which the revocation of consent can be given. The first, can be on all the consented purposes, this is, that SCRUMMERS must completely stop processing the owner's Data; the second, it can occur on types of certain processing, such as for advertising purposes or market research. With the second modality, that is, the partial revocation of consent, other purposes of the treatment by the responsible keeper, in accordance with the authorization granted, can carry out and with which the user agreed upon.

Due to the foregoing, it will be necessary for the owner, when submitting the request for revocation, to indicate if the revocation you intend to make is total or partial. In the second hypothesis, it should be indicated with which treatment the owner is not satisfied.

There will be cases in which the consent, due to its necessary nature in the relationship between the Owner and the person responsible ot the contract compliance, by legal provision may not be revoked.

The mechanisms or procedures that SCRUMMERS establishes to deal with requests for revocation of the consent granted may not exceed the deadlines established to attend to the claims as stipulated. Points out in article 15 of Law 1581 of 2012

PROCEDURES FOR THE EXERCISE OF RIGHTS

ARTICLE 16. CONSULTATIONS. In accordance with the provisions of article 14 of Law 1581 of 2012 and the Article 21 of Decree 1377 of 2013, the owners or their successors in title may consult the information personal of the owner that rests in any Database. Consequently, SCRUMMERS will guarantee the right of consultation, supplying the owners, all the information contained in the individual record or that is linked to the identification of the owner.

ARTICLE 17. CLAIMS. In accordance with the provisions of article 15 of Law 1581 of 2012, the owner or their heirs who consider that the information contained in a Database should be subject to rectification, update or deletion, or when they notice the alleged breach of the duties contained in Law 1581 of 2012, Decree 1377 of 2013 or any other applicable regulation, may file a claim with the Data Controller, which will be processed under the following rules:

1. The rights of rectification, update or deletion may be exercised by:

1. The owner or his successors in title, after proof of identity, or through instruments emails that allow you to identify yourself.
2. By the representative and/or proxy of the owner, prior accreditation of the representation or seizure.
3. By stipulation in favor of another or for another.
4. The rights of children or adolescents will be exercised by the people who are empowered to represent them.
5. When the request is made by a person other than the owner, and it is not proven that the same acts on representation of the former, shall be deemed not presented.

1. The request for rectification, updating or deletion must be submitted through the means enabled by SCRUMMERS indicated in the Privacy Notice and contain, at a minimum, the information indicated in article 15 of Law 1581 of 2012 and in article 9 of Decree 1377 of 2013, and others regulations that replace or complement:

1. The name and address of the owner or any other means to receive the response.
2. Documents proving the identity or personality of your representative.
3. The clear and precise description of the Personal Data with respect to which the owner seeks to exercise any of the rights.
4. The description of the facts that give rise to the claim, the address and documents that you want to assert the user.
5. Where appropriate, other elements or documents that facilitate the location of the Personal Data.

CHAPTER V

POLICY AND END OF TREATMENT

ARTICLE 18 POLICY. SCRUMMERS has as a general guideline to comply with the current provisions that form part of the Personal Data Protection Regime.

The specific policies related to the Processing of Personal Data are the following:

1. SCRUMMERS will obtain the authorization from all the owners for the Treatment of their Data Personal, in the manner provided in the Privacy Policy and Treatment of Personal Data.
2. SCRUMMERS will maintain proof of the authorization granted by the owners and, by virtue of said authorization, will give you the treatment corresponding to the Personal Data, which will never have a different purpose for which they were initially collected and authorized.
3. All Processing of Personal Data carried out by SCRUMMERS will be carried out in accordance with the Authorization granted by the owner.
4. The treatment of the information will be carried out by virtue of the purposes mentioned in the authorization delivered by the owner.
5. Personal Data should only be processed by the Database Administrator, who will be able to coordinate with third parties the Treatment of the Database.
6. All Personal Data that is not Public Data will be treated as confidential for an indefinite period and will assume that the data provided by the owner is true, complete, accurate, updated and verifiable, until both the owner himself does not request its correction.
7. The owner of the information, by himself or through interposed persons, may consult his Data personal at all times in the terms provided in this Policy.
8. The owner of the information, by himself or through interposed persons, may consult his Data personal at all times in the terms provided in this Policy.
9. SCRUMMERS will collect and process Personal Data of Boys, Girls and Adolescents, when it comes to Data Personal of a public nature and compliance with the provisions of article 7 of Law 1581 from 2013 and article 12 of Decree 1377 of 2013.
10. Personal Data will be processed in application of all possible security measures, in order to from that unauthorized persons do not have access to them.
11. SCRUMMERS will ensure that the transfer and transmission of Personal Data is to Third Parties and entities authorized, that have the security levels and standards in accordance with the Law and, in the case of in charge of the treatment, share their Privacy Policy and Treatment of Personal Data and that maintain the confidentiality of the information in accordance with current regulations, even when there is finished his contractual relationship.
12. SCRUMMERS will transfer the Personal Data of the owners, only to the people and for the purposes for those that were authorized by the Owner of the information.
13. SCRUMMERS undertakes to keep the authorized entities and Managers informed of all the changes requested by the Owner of the information, so that the data is always kept updated.
14. SCRUMMERS Databases are registered in the National Registry of Databases.
15. SCRUMMERS, with the help of the Database Administrator, will implement procedures aimed at guarantee compliance with this Policy.
16. SCRUMMERS will publish the Privacy Notice prior to the collection of Personal Data.

ARTICLE 19. PURPOSE OF TREATMENT: SCRUMMERS collects, stores, uses, circulates, Transmits and Transfers Data Personal data of your customers, suppliers, employees, potential customers, potential employees and potential providers for purposes of control, security, establishment of commercial or legal relations, judicial processes, requirements of administrative authorities and for future references, inside and outside Colombia.

Similarly, the SCRUMMERS databases may include and integrate data transmitted and/or transferred to this by the authorized entities and/or by third parties.

Personal Data will be processed for the purpose of:

1. Comply with the legal and/or contractual obligations of the authorized entities, due to the development of its civil and commercial activity.
2. Manage data related to human resources, selection processes, organizational analysis, development and management of performance reports of employment contracts, relationship management labor, processing, management, payroll and compliance with legal obligations.
3. Carry out the Customer or Supplier Due Diligence process, which consists of the set of procedures for the identification and acceptance of customers and suppliers.
4. Achieve efficient communication with the owner of the information, through any means of contact, related to our products, services, promotions, alliances, studies, contests, events, content, advertising and marketing campaigns, benefits, conditions or applicable policies, channels from attention, social networks, as well as those of authorized entities.
5. Provide our services and/or products.
6. Report changes to our products or services or regarding new ones that are related with the contract(s) or acquired(s).
7. Comply with obligations contracted with our clients, suppliers and employees.
8. Evaluate the quality of the service.
9. Deliver and offer the owner in a general or segmented manner, information, content and/or advertising, SCRUMMERS, the authorized entities and/or third parties, and qualify the propensity and/or affinity to products or services of SCRUMMERS and/or authorized entities and/or third parties to carry out segmentations or user profiling.
10. Prepare and report statistical information, satisfaction surveys, studies and market analysis or from consumption, including the possibility of contacting you for said purposes by SCRUMMERS and/or The authorized entities.
11. The information may be anonymized in order to prepare statistics, studies and analysis of marketing or of consumption that may be used by the authorized entities and/or third parties, who may have discretionary of all the information.
12. Identify, collect and associate with the data, information on the owner's browsing preferences on the portals of SCRUMMERS and/or authorized entities, as well as georeferencing data and/or specific location generated by mobile devices, to improve the user experience, to know his browsing profile, deliver information and/or segmented advertising about products and/or services own or of third parties, qualify the propensity and/or affinity to products or services of SCRUMMERS and/or of the entities authorized and/or third party. For further details, see the Browsing Data Policy- “Cookies”.
13. Transmit them, inside or outside of Colombia (regardless of the country of destination), to third parties acting What in charge of the treatment and that provide SCRUMMERS and/or authorized entities, technological services, logistics, administrative, distribution, contact center e-mail marketing and/or any other service required by SCRUMMERS and/or authorized entities, for the development of the activities contemplated on the purposes set forth in this Privacy Notice and always subject to the Treatment Policies and SCRUMMERS Personal Data Procedure.

Consequently, the owner understands and accepts that by means of this authorization he grants those in charge of the treatment, authorization to access your Personal Data to the extent that they require it.

1. Transfer them, inside or outside Colombia (regardless of the country of destination), to the entities authorized and / or third parties, for the development of commercial, labor activities and those contemplated in the purposes described in this Privacy Notice.
2. Transfer and/or transmit them within or outside of Colombia (regardless of the country of destination), to the) company that in the future may manage and/or acquire, totally or partially, SCRUMMERS and/or one of the authorized entities or any of their business units or assets.
3. Collection and delivery of information to public or private, national or foreign authorities with jurisdiction over SCRUMMERS and/or authorized entities, or over their activities, products and/or services, when required to comply with its legal or regulatory duties, including within these, those referring to the prevention of tax evasion, money laundering and financing of terrorism or other similar purposes.
4. Profiling of databases or generating basic and demographic profiles with the data personal, as well as completeness of contact data through the crossing of SCRUMMERS databases, the entities authorized and/or third parties such as the National Registry of Civil Status and its allies technological certificates, commercial or credit information operators, entities that are part of the Social Security System, companies providing public services, with a view to enriching the bases data from SCRUMMERS and/or authorized entities.
5. Profiling of databases or generating basic and demographic profiles with the Data personal, as well as completeness of contact data through the crossing of databases of SCRUMMERS, The authorized entities and/or third parties such as the National Registry of Civil Status and its allies certified technological operators, commercial or credit information operators, entities that are part of the Comprehensive Social Security System, companies providing public services, with a view to enriching the SCRUMMERS and/or authorized entities databases.
6. Contact customers, employees and/or suppliers (and/or their respective officials) for the shipment of information or any other purpose that results in the development or execution of relationships contractual, commercial and legal to take place.
7. For purposes of security, prevention, investigation and prosecution of fraud.
8. In relation to the Data considered as Sensitive, in the terms of Law 1581 of 2012, the owner is not required to authorize your treatment. Regarding Personal Data of Boys, Girls and Teenagers, when they are collected, they will be treated in accordance with the provisions of article 7 of Law 1581 of 2013 and the Article 12 of Decree 1377 of 2013, and according to the purposes established in the Privacy Notice in it that may be applicable.

CHAPTER VI INFORMATION SECURITY

ARTICLE 20. SECURITY MEASURES. In development of the security principle established in Law 1581 of 2012, SCRUMMERS will adopt the technical, human and administrative measures that are necessary to grant safety parts of the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

The Database Administrator will ensure the security of the Databases and will monitor the proper application of the Privacy Policy.

ARTICLE 24. IMPLEMENTATION OF SECURITY MEASURES. SCRUMMERS will maintain protocols for

Security of obligatory fulfillment for the personnel with access to the data of personal character and to the information systems.

The procedure must consider, at a minimum, the following aspects:

1. Training of personnel entering the Company about the Data Processing Policy personal and the mechanisms and security protocols for the Treatment of these.
2. Cope of application of the procedure with detailed specification of the protected resources.
3. Measures, norms, procedures, rules and standards aimed at guaranteeing the level of security required in Law 1581 of 2012 and Decree 1377 of 2013.
4. Functions and obligations of the personnel.
5. Structure of the Personal Data Bases and description of the information systems that treat them.
6. Procedure for notification, management and response to incidents.
7. Data backup and recovery procedures.
8. Periodic controls that must be carried out to verify compliance with the provisions of the security procedure implemented.
9. Measures to adopt when a support or document is transported, discarded or reused.
10. The procedure must be kept up to date at all times and must be reviewed whenever to produce relevant changes in the information system or in its organization.
11. The content of the procedure must be adapted at all times to the provisions in force regarding from security of the Personal Data.