CONFIDENTIALITY AND DATA PROTECTION POLICY

1. Introduction

Seven Insurance Brokers (“the Company”) is committed to safeguarding the confidentiality, integrity, and security of all personal and sensitive data entrusted to it by clients, employees, and third parties. This Confidentiality and Data Protection Policy outlines the Company’s obligations and standards for handling, storing, and processing personal data in compliance with Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE Data Protection Law), Central Bank of the UAE (CBUAE) Regulations, and the Dubai Health Authority (DHA) and Department of Health (DoH) Data Protection Requirements. This policy applies to all employees, contractors, consultants, and third parties who have access to confidential information through their association with the Company.

2. Scope

This policy governs all personal and confidential data processed by the Company, including but not limited to:
a. Client Information: Personal identification details, contact information, insurance policies, claims history, and financial transactions.
b. Health Information: Any health-related data collected in connection with insurance policies and claims, in compliance with DHA and DoH regulations.
c. Employee Information: Personal records, payroll details, background checks, and performance evaluations.
d. Company Proprietary Information: Business strategies, financial statements, trade secrets, and contractual agreements.
e. Third-Party Data: Any data shared by business partners, vendors, or service providers under confidentiality agreements.
f. Regulatory and Compliance Data: Reports, filings, and communications with CBUAE, DHA, DoH, and other regulatory authorities.

3. Principles of Confidentiality and Data Protection

The Company adheres to the following core principles in handling personal and confidential data:
a. Lawfulness and Transparency: Data shall be processed fairly, transparently, and lawfully under applicable CBUAE, DHA, DoH, and UAE data protection laws.
b. Purpose Limitation: Data is collected for specific, explicit, and legitimate purposes and shall not be further processed in an incompatible manner.
c. Data Minimisation: The Company collects and processes only the necessary personal data required for business purposes.
d. Accuracy: Personal data must be kept accurate and up to date. Any identified inaccuracies shall be rectified or erased without delay.
e. Storage Limitation: Personal data shall not be retained for longer than necessary, except where a regulatory minimum applies. Health Information shall be retained for a minimum of 25 years, per DHA and DoH requirements.
f. Integrity and Confidentiality: Personal data shall be processed in a manner that ensures security against unauthorised access, loss, destruction, or damage.
g. Accountability: The Company is responsible for demonstrating compliance with data protection laws and implementing appropriate security measures.

4. Data Protection Measures

The Company implements the following technical and organisational measures to protect personal data:

4.1 Access Controls
a. Data access is granted strictly on a need-to-know basis.
b. Employees must use unique user IDs and strong passwords to access sensitive systems.
c. Multi-factor authentication (MFA) is implemented for access to core systems.
d. Physical access to data storage areas is restricted and monitored.
4.2 Encryption and Secure Storage
a. All personal data is encrypted both in transit and at rest.
b. Secure data storage solutions are used for physical and digital records.
c. Health-related data shall be stored within the UAE.
4.3 Data Transfer and Cross-Border Processing
a. Personal and Health Information shall not be stored or transferred outside the UAE unless expressly authorised by DHA or DoH.
b. Any permitted cross-border transfer shall be secure and comply with UAE data protection laws.
4.4 Data Retention and Disposal
a. Client, employee, and regulatory data shall be retained only for as long as necessary for business, legal, or regulatory purposes.
b. Health Information is retained for at least 25 years from the last recorded procedure, per DHA and DoH.
c. Secure disposal methods, including shredding of physical records and permanent deletion of digital records, shall be used to prevent data breaches.
4.5 Incident Response and Data Breach Management
The Company maintains an Incident Response Plan to address data breaches and unauthorised access incidents. Data breaches shall be reported in accordance with the applicable regulatory timelines:
a. CBUAE: major incidents shall be reported immediately; minor breaches shall be reported within 72 hours of the Company becoming aware of the breach.
b. DHA and DoH (health data): breaches shall be reported within 24 hours of initial knowledge of the breach.
The Company shall notify affected individuals and take corrective action to mitigate risks.

5. Employee Responsibilities

All employees must:
a. Maintain strict confidentiality of client, employee, and company data.
b. Attend mandatory data protection training on handling sensitive information.
c. Follow secure communication protocols (e.g., avoiding the use of personal emails or unsecured file-sharing methods).
d. Immediately report any suspected data breach or policy violation to the Compliance Officer or Data Protection Officer.
e. Refrain from discussing confidential matters in public or unauthorised areas.

Non-disclosure agreements or clauses shall be incorporated into employment contracts for employees handling sensitive data. Additionally, post-employment confidentiality clauses shall be enforced to ensure non-disclosure obligations remain in effect after an employee’s exit.

6. Third-Party Compliance

The Company shall only engage third-party service providers who comply with UAE data protection laws and sign a Data Processing Agreement (DPA) before accessing any personal data. Vendors, partners, and contractors must undergo periodic audits to ensure adherence to CBUAE, DHA, DoH, and UAE PDPL requirements.

7. Compliance Monitoring and Enforcement

The Compliance and Data Protection Officers shall monitor compliance with this policy and conduct Privacy Impact Assessments (PIAs) before initiating high-risk data processing activities. The Company shall conduct regular audits, risk assessments, penetration testing, and third-party compliance reviews to detect vulnerabilities. Violations of this policy may result in disciplinary action, termination of employment, or legal consequences.

8. Regulatory Engagement and Reporting

The Company maintains a cooperative relationship with CBUAE, DHA, DoH, and other regulators to ensure ongoing compliance. All regulatory reporting requirements shall be met within prescribed timeframes. The Company shall proactively engage regulators on emerging compliance matters and industry developments.

9. Training and Awareness

All employees must complete mandatory data protection training annually, with additional training provided for those handling health, financial, or other sensitive data. Ongoing awareness programs shall reinforce secure data handling practices, non-disclosure obligations, and regulatory compliance.

10. Review and Updates

This policy shall be reviewed annually, or more frequently as required, to remain compliant with CBUAE, DHA, DoH, and UAE Data Protection Law requirements. Any updates or changes to the policy shall be communicated to all employees and relevant stakeholders to ensure continued adherence to its guidelines.

Seven Insurance Brokers LLC