Information security policy of the Trevian Asset Management Oy

INFORMATION SECURITY POLICY OF THE TREVIAN ASSET MANAGEMENT OY

Trevian Asset Management Oy is Finland’s leading real estate asset and investment management company. We comply with all applicable laws and regulations. Responsibility is one of our five key values and a natural part of our daily lives and business. Security policy is an integral part of our corporate responsibility thinking.

In our daily operations, we process important and sensitive information regarding our customers. Our customers trust us to protect their data, and to be worthy of that trust, ensuring data security is one of the cornerstones of our business.

Our information security policy defines the principles and methods by which we ensure a suitable level of both information security and data protection, the lawful processing of personal data, risk management, handling of incidents, responsible operations and the implementation of quality services. We develop our information security policies and procedures in accordance with the ISO / IEC 27001 standard.

Objectives

With information security, we strive to ensure the confidentiality, integrity, availability and quality of our information and information systems, and to implement built-in and default data protection in all situations. Our operations comply with the laws and regulations established for data protection and security.

We implement and develop our information security using risk-appropriate and cost-effective solutions. Security measures also manage the risks associated with the introduction of new practices and technologies.

Security organization and responsibilities

The CEO and management team of Trevian Asset Management Oy are primarily responsible for the implementation of information security and the creation of the necessary environment for it. The management team appoints an information security officer who is responsible for the development and maintenance of the information security management system. The management team defines the organization responsible for information security and its responsibilities.

Security work is included in every job and is an ongoing process. We require that each of our employees and partners adhere to this policy, code of conduct and contractual obligations in their operations and are responsible for the security of the information they manage. Each of our employees is required to report any misconduct to our security officer or their supervisor. Our personnel are bound by professional secrecy about the information they handle in the course of their work, and a duty of confidentiality is recorded in employment contracts.

The main responsibility for the information security of a particular information or service lies with its owner. The provider of an IT system or service is responsible for the information security of that service, compliance with information security requirements, and the continuous monitoring and development of information security.

It is the responsibility of each data controller to report any security breaches or suspected misconduct or breaches of security in accordance with the applicable guidelines.

Means of implementing security

Maintaining and developing information security is an ongoing process in which we use administrative, physical and IT solutions. We assess the likelihood and impact of the risks associated with data processing on the quality of our operations and strive to manage those risks through appropriate controls. We have a security management system in place and are committed to continually improving it and evaluating its suitability, adequacy and effectiveness.

We monitor the implementation of our information security on a risk basis, also considering new threats to the operating environment. We continually evaluate our technical security and conduct regular security audits of key environments.

Our information security officer is authorized by the CEO and is thus independently responsible for conducting security-related surveys and initiating problem investigations. Monitoring and reporting on security at a general level is the responsibility of each of our employees. The owners of our processes and operations have an obligation to actively monitor and develop their responsibilities. We train our staff regularly and maintain security awareness through various measures.

Operating models have been defined for handling and reporting possible security breaches. Violation of our security policy and guidelines is considered a security breach. We have defined procedures for dealing with violations and our personnel process provides for appropriate sanctions. If necessary, we co-operate with various authorities and we are in contact with the National Cyber Security Centre, Finnish Transport, and Communications Agency Traficom.

Update and approval

We review our security policy at regular intervals. In the event of changes in the relevant regulations or organizational activities, we will update the content as necessary. It is the responsibility of our designated security officer to evaluate the matter and update its content.

The Board of Directors of Trevian Asset Management Oy has approved the information security policy on August 19, 2021.