Petrolina (Holdings) Public Ltd operates critical energy infrastructure and manages sensitive commercial, operational, and personal data across its entire value chain. We recognise that information security is fundamental to the trust our customers, partners, and regulators place in us, and to the safe and uninterrupted delivery of our services.
To this end, Petrolina has established and maintains an Information Security Management System (ISMS) aligned with the requirements of ISO/IEC 27001 and applicable legal and regulatory obligations, including GDPR and NIS2.
Our commitments:
- Protect the confidentiality, integrity, and availability of all information assets, including operational data, customer records, and financial information
- Ensure that access to information is granted strictly on a need-to-know and least-privilege basis, commensurate with each individual's role and responsibilities
- Comply with all applicable legal, regulatory, and contractual obligations relating to information security and data protection
- Conduct regular risk assessments to systematically identify, evaluate, and treat information security risks across our operations and supply chain
- Foster a security-aware culture by providing ongoing training and awareness initiatives so that every employee understands their role in protecting our information assets
- Assign clear roles, responsibilities, and authorities to ensure effective governance and oversight of information security across the organisation
- Establish and maintain incident response and business continuity capabilities to ensure rapid detection of, response to, and recovery from security incidents
- Continuously monitor, measure, and improve the effectiveness of our ISMS through regular reviews, internal audits, and corrective actions
- Ensure that our third-party suppliers and partners meet appropriate information security standards consistent with our own requirements
This statement applies to all Petrolina employees, contractors, and third parties acting on our behalf. It is reviewed annually and whenever significant changes to our business or risk environment occur.