INFORMATION SECURITY MANAGEMENT SYSTEM POLICY OF UBCAB HOLDING LLC

/ Document No: ISMS-DOC-02-1 /

Date: September 22, 2025

  1. INTRODUCTION

    1. “UBCAB HOLDING” LLC (hereinafter referred to as the “Company”) is a leading fintech and technology holding company in Mongolia, comprising multiple subsidiaries operating in ride-hailing, delivery, 24/7 customer service, logistics, fintech payment solutions, vehicle leasing, and software development.

      In its daily operations, the Company processes highly sensitive information, including financial and payment data, personal data of users and drivers/couriers, location data, fintech platform data, and customer interaction records. Ensuring information security is therefore critical to maintaining business continuity, service quality, and customer trust.

      By implementing the international ISO/IEC 27001:2022 standard, “UBCAB HOLDING” LLC establishes a comprehensive system to protect the confidentiality, integrity, and availability of information assets based on risk management principles and adopts an integrated security approach across all business sectors. This is particularly important for the protection of user and location data in ride-hailing and delivery services, PCI DSS compliance for payment data in fintech services, and secure operations in software development and cloud services.

    2. In recent years, new requirements have emerged in Mongolia’s legal and regulatory environment regarding information security and personal data protection. The Cybersecurity Law adopted in 2021, the Personal Data Protection Law effective from 2022, as well as regulations issued by the Financial Regulatory Commission and the Bank of Mongolia on information technology and financial service security, require companies to adhere to a high level of information security standards.

      Accordingly, “UBCAB HOLDING” LLC and its subsidiaries declare through this policy that they will not only implement an ISMS compliant with ISO/IEC 27001, but also comply with industry-specific standards and regulations, including taxi service standards, financial regulatory requirements, PCI DSS for payment systems, and AML/KYC requirements at both domestic and international levels.

    3. This Information Security Policy defines the key principles and requirements to be followed within the Information Security Management System (ISMS), tailored to the operational characteristics of “UBCAB HOLDING” LLC and all its subsidiaries.

      The policy serves as a foundational document that ensures leadership commitment and direction in information security and defines ISMS objectives and goals. Furthermore, through this policy, the Company establishes requirements for:

      • Protection of personal data and location data of users and drivers in ride-hailing and delivery services, as well as confidentiality of customer interaction data;
      • Reliability of payment systems and protection of card data in fintech services;
      • Implementation of secure development practices in software development and system integration projects, as well as protection of contractual data in vehicle leasing and B2B services.

  2. SCOPE

    1. This policy shall apply to “UBCAB HOLDING” LLC and all its subsidiaries. The provisions of this policy shall fully apply to information security activities across all organizational structures, units, and affiliated entities of the Company. Specifically, the policy shall be implemented within the following scope:

      • All information assets owned or controlled by the Group’s parent company and its subsidiaries are included. This covers information in all forms and the systems that hold or process it: databases, user data, driver/courier location data, financial systems, servers, devices, software, cloud environments, documents, and the Company’s business secrets.
      • All employees of the Company, as well as contractors, temporary staff, consultants, outsourcing service providers, suppliers, fintech and banking partners, cloud service providers, and any other parties with authorized access to information systems and data are required to comply with this policy.
      • The requirements of this policy apply to all environments and locations where information processing takes place. This includes the Company’s head office, branch offices, data centers, cloud environments, call centers, BPO environments, driver/courier mobile applications, and remote working environments.
      • All information created, collected, processed, or transmitted within the scope of the Company’s products and services falls under the protection of this policy. This includes:
        • Customer personal, financial, and interaction data and records;
        • Location and income data of drivers and delivery personnel;
        • Payment transaction data and fintech service data;
        • The Company’s financial reports and contractual information.
    2. The implementation of this policy shall be ensured across the entire Group, including software development, system code, and technical solutions. Where necessary, each subsidiary may develop and implement internal procedures and guidelines tailored to its operational specifics.

      In such cases, these procedures and guidelines must be fully aligned with this policy and shall be governed under the unified framework of the Information Security Management System (ISMS) of “UBCAB HOLDING” LLC.

  3. OBJECTIVE

    1. The objective of this policy is to ensure an appropriate level of protection for the information assets of “UBCAB HOLDING” LLC and all its subsidiaries, thereby:

      • Supporting business continuity;
      • Safeguarding the information security of customers, drivers, delivery personnel, and partner organizations;
      • Ensuring the reliability of fintech payment systems;
      • Securing software development and system integration projects;
      • Protecting client data within BPO services;
      • Ultimately maintaining the Company’s reputation and ensuring legal and regulatory compliance.
    2. Through this Information Security Policy, the Company’s top management demonstrates its leadership and commitment to information security management and uses this policy as a foundational document for defining ISMS objectives.

    3. This policy establishes information security objectives and principles aligned with the ISO/IEC 27001:2022 standard and serves as the basis for developing supporting policies, procedures, and guidelines. Within this framework, the Organization sets the following objectives:

      • Confidentiality, Integrity, and Availability (CIA): To protect information assets generated within ride-hailing, delivery, fintech, software development, and call center operations;
      • Legal and Regulatory Compliance: To fully comply with applicable laws, regulations, and contractual obligations, including the Personal Data Protection Law, Cybersecurity Law, PCI DSS, and AML/KYC requirements;
      • Risk Management: To conduct information security risk assessments annually and as needed, and to implement mitigation measures for high and critical risks;
      • Employee Awareness and Culture: To provide regular information security training to all employees and foster a culture where policies are applied in daily operations;
      • Continuous Improvement: To continuously improve the ISMS based on the PDCA cycle and address risks related to emerging technologies (such as AI, EV fleets, e-wallets, and cloud services) through appropriate controls.
    4. In order to achieve these objectives, this policy defines the scope and measures for establishing and maintaining the Information Security Management System across the Organization, including:

      • Implementing a unified ISMS across all subsidiaries;
      • Developing sub-policies and procedures tailored to specific business operations (e.g., ride-hailing, fintech, BPO);
      • Regularly conducting risk assessments, internal audits, and management reviews;
      • Implementing control measures such as incident management protocols, business continuity planning, and third-party audits.

  4. TERMS AND DEFINITIONS

    1. The following terms used in this policy shall be understood as defined below:

      • Information Security – The preservation of the confidentiality, integrity, and availability of information.
        • Confidentiality ensures that information is accessible only to authorized individuals;
        • Integrity ensures that information remains accurate and is not altered without authorization;
        • Availability ensures that information is accessible and usable when required.
      • Information Security Management System (ISMS) – A comprehensive system that integrates policies, procedures, processes, and resources to manage and control information security within an organization. It is a management framework aligned with ISO/IEC 27001 requirements and based on continual improvement.
      • Information Asset – Any information and the supporting infrastructure and resources under the organization’s control or within its processing scope. This includes both electronic and physical information, databases, software, hardware, network devices, storage media, and documents.
      • Confidential Information – Information classified as sensitive for individuals or organizations, where unauthorized disclosure may result in harm. This includes customer personal data, financial information, payment card data, and internal confidential documents protected by law or contractual agreements.
      • Personal Data – Any information related to an individual that can directly or indirectly identify that person (e.g., name, registration number, contact details, financial information, home address, travel information, etc.). This definition aligns with “personal data” as defined in the Law on Personal Data Protection of Mongolia.
      • Risk – The combination of the likelihood of an event or circumstance that may negatively impact information security and the severity of its consequences; the risk level is determined by the probability of occurrence and the impact.
      • Information Security Incident – An event that has caused or may cause a negative impact on information security (confidentiality, integrity, availability), resulting in potential or actual damage. Examples include data breaches, unauthorized access, malware attacks, and system disruptions.
      • Control Measures – All policies, procedures, technologies, methods, and organizational practices implemented to ensure information security. Examples include password policies, firewalls, encryption methods, and access restrictions.

  5. POLICY PRINCIPLES

    1. “UBCAB HOLDING” LLC and its subsidiaries shall adhere to the following fundamental principles to ensure information security:

      • Principle of Legal and Regulatory Compliance:
        The Organization shall fully comply with all applicable laws, regulations, and rules issued by regulatory authorities related to information security. This includes, but is not limited to, the Law on Personal Data Protection of Mongolia, the Cybersecurity Law, and other relevant legal acts. The Organization shall also strictly fulfill information security obligations and requirements stipulated in contracts and agreements with third parties.

      • Principle of Accountability (Information Asset Ownership):
        All information assets owned by the Organization shall have clearly defined owners. Asset owners are responsible for defining acceptable use and access levels and for implementing appropriate protection measures. Information assets shall be classified, and corresponding protection requirements shall be applied based on their classification (e.g., confidentiality levels).

      • Principle of Need-to-Know:
        Access to information shall be granted only to authorized personnel based on business necessity. Users shall be provided with the minimum level of access required to perform their duties, and privileges shall be managed and reviewed in a controlled manner. Technical and organizational measures shall be continuously improved to prevent unauthorized access.

      • Principle of Information Classification and Labeling:
        The Organization shall classify all information assets according to defined classification levels and apply appropriate protection and handling procedures. Information shall be labeled (e.g., public, internal use, confidential, highly confidential), and specific rules for storage, transmission, and disposal shall be established for each classification level. Employees are responsible for handling information in accordance with its classification.

      • Principle of Integrity Protection:
        The Organization shall take all necessary measures to ensure the accuracy and completeness of information. Backup, validation, and control mechanisms shall be implemented to ensure that information remains reliable and unaltered without authorization. All changes to data and systems shall be authorized, recorded, and traceable, with defined recovery procedures in place.
      • Principle of Confidentiality Protection:
        Technical controls (e.g., encryption, password policies, multi-factor authentication) and organizational controls (e.g., physical security, access restrictions) shall be implemented to protect information from unauthorized access, disclosure, and loss. All access to confidential information shall be logged and monitored.
      • Principle of Risk Management:
        The Organization shall regularly assess information security risks and implement appropriate mitigation and control measures for identified risks. Risk assessments shall be conducted at least annually or whenever significant changes occur in information systems. Risk treatment measures shall align with the Organization’s risk tolerance levels, and residual risks shall be reported to and approved by top management.
      • Principle of Continuous Improvement:
        The Organization shall continuously evaluate and improve the ISMS based on the Plan-Do-Check-Act (PDCA) cycle. The implementation of information security objectives and controls shall be regularly monitored and reviewed by management. Identified weaknesses and non-conformities shall be promptly addressed through corrective and improvement actions to ensure ongoing enhancement of the ISMS.
    2. The above principles shall be applied at all levels of the Organization and shall guide all decisions and activities related to information security.

  6. CONTROL DOMAINS

    1. In order to implement this Information Security Policy, control measures shall be planned and implemented across the following key domains. These control domains are aligned with the controls set out in ISO/IEC 27001:2022 Annex A (organizational, people, physical, and technological controls) and tailored to the characteristics of the Company’s fintech and digital service operations.
    2. Access Control
      1. Access to the Company’s information and system resources shall be granted only to authorized employees and users. Access rights shall be granted, modified, and revoked in accordance with formal procedures, ensuring that each user is provided only with the minimum level of access necessary to perform their duties.

        User account management, password policies, multi-factor authentication (e.g., 2FA), and network access controls shall be implemented to ensure that only authorized individuals can access information. Access rights shall be recorded, periodically reviewed, and unnecessary privileges revoked. Particular attention shall be given to administrative and privileged accounts, and their usage shall be logged and monitored.

    3. Cryptography
      1. Cryptographic techniques shall be used wherever required to ensure the confidentiality and integrity of information. Sensitive data (e.g., customer personal data, payment card data) and data transmitted between systems shall be protected using approved cryptographic algorithms (e.g., AES for symmetric encryption of stored data; RSA or elliptic-curve algorithms for key exchange and digital signatures). Algorithms and key lengths known to be weak shall not be used.

        Current versions of TLS shall be used for data transmission (SSL and obsolete TLS versions are deprecated and shall be disabled), and data shall be encrypted during storage. Cryptographic keys shall be securely managed throughout their lifecycle (generation, distribution, storage, rotation, archival, and destruction) and stored separately from the data they protect. Procedures shall be established for detecting, recovering from, and auditing key-related incidents, including suspected key compromise.
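As an added illustration of the key lifecycle requirements above (this is example code written for this page, not code from “UBCAB HOLDING” LLC or its subsidiaries), the following Go program keeps a ring of versioned AES-256-GCM keys: each ciphertext carries the ID of the key that sealed it, rotation introduces a new active key while the retired key stays available for decryption only, records are re-encrypted under the new key, and the old key can then be destroyed. The key ID and a field label are bound as associated data, so a blob cannot be silently moved between keys or fields without the authentication tag failing. The key IDs, the header layout, the `driver_location` label, and the sample record are assumptions of the example; in production the raw keys would live in an HSM or a cloud KMS rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const nonceSize = 12 // nonce length used by cipher.NewGCM
// KeyRing holds versioned AES-256-GCM keys addressed by a 32-bit key ID. The lifecycle is encoded
// by construction: the highest ID is the active key (all new encryptions), lower IDs still present
// are retired (decrypt-only), and an ID removed by Destroy is gone for good.
type KeyRing struct {
	keys   map[uint32]cipher.AEAD
	active uint32 // 0 means no key has been generated yet
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[uint32]cipher.AEAD{}} }

// Rotate generates a fresh 256-bit key and makes it active; the previous key becomes retired.
func (r *KeyRing) Rotate() (uint32, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return 0, err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return 0, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return 0, err
	}
	r.active++
	r.keys[r.active] = aead
	return r.active, nil
}

// Encrypt returns keyID || nonce || ciphertext+tag; the key ID and context label are bound as AAD.
func (r *KeyRing) Encrypt(plaintext, context []byte) ([]byte, error) {
	k, ok := r.keys[r.active]
	if !ok {
		return nil, fmt.Errorf("no active key")
	}
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, r.active)
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := append(append([]byte{}, hdr...), context...)
	return k.Seal(append(hdr, nonce...), nonce, plaintext, aad), nil
}

// Decrypt uses the key named in the header; retired keys still decrypt, destroyed keys do not.
func (r *KeyRing) Decrypt(blob, context []byte) ([]byte, error) {
	if len(blob) < 4+nonceSize {
		return nil, fmt.Errorf("truncated blob")
	}
	id := binary.BigEndian.Uint32(blob[:4])
	k, ok := r.keys[id]
	if !ok {
		return nil, fmt.Errorf("key %d is not available", id)
	}
	aad := append(append([]byte{}, blob[:4]...), context...)
	return k.Open(nil, blob[4:4+nonceSize], blob[4+nonceSize:], aad)
}

// ReEncrypt moves a record to the active key; run it over every blob before destroying its key.
func (r *KeyRing) ReEncrypt(blob, context []byte) ([]byte, error) {
	pt, err := r.Decrypt(blob, context)
	if err != nil {
		return nil, err
	}
	return r.Encrypt(pt, context)
}

// Destroy wipes a retired key; the active key is protected from accidental destruction.
func (r *KeyRing) Destroy(id uint32) error {
	if _, ok := r.keys[id]; !ok || id == r.active {
		return fmt.Errorf("key %d unknown or still active", id)
	}
	delete(r.keys, id)
	return nil
}

// KeyID reports which key a blob was sealed under, for re-encryption sweeps after rotation.
func KeyID(blob []byte) uint32 { return binary.BigEndian.Uint32(blob[:4]) }

func main() {
	r := NewKeyRing()
	r.Rotate()
	old, _ := r.Encrypt([]byte("lat=47.918,lon=106.917"), []byte("driver_location")) // constructed sample record
	r.Rotate()
	fresh, _ := r.ReEncrypt(old, []byte("driver_location"))
	fmt.Println("moved from key", KeyID(old), "to key", KeyID(fresh), "- destroy key 1:", r.Destroy(1))
}
```

Running the program shows the record moving from key 1 to key 2 and key 1 being destroyed afterwards. The order matters: a re-encryption sweep over every blob whose `KeyID` is 1 must finish before `Destroy(1)`, or those records become unrecoverable, which is exactly the recovery case the key-incident procedures in this clause must cover.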

    4. Asset Management
      1. All information assets (including data, software, hardware, and documents) shall be inventoried, classified, and assigned to responsible owners. An asset register shall be maintained, and asset owners shall be responsible for the proper use and protection of their assigned assets.

        Information assets shall be classified based on their value, sensitivity, and risk level, and appropriate protection measures shall be applied. Mechanisms shall be in place to monitor asset integrity, usage, and location, and all changes to assets (creation, transfer, disposal) shall be recorded and managed in accordance with established procedures.

    5. Human Resource Security
      1. Information security requirements shall be integrated into recruitment and termination processes. Background checks may be conducted where appropriate. Job descriptions shall include information security responsibilities, and employees shall acknowledge compliance with policies as part of their employment contracts. Regular information security training shall be provided.

      2. When an employee’s role changes or employment is terminated, the following measures shall be implemented:

        • Immediate revocation or adjustment of access rights;
        • Return and documentation of all Company assets and information;
        • Transfer or reset of access credentials (e.g., passwords, keys);
        • Risk assessment and additional controls where necessary;
        • Monitoring of system usage, where legally permissible.
    6. Physical and Environmental Security
      1. Physical protection of facilities housing information systems and storage devices shall be commensurate with the sensitivity of the assets they hold. Controls (e.g., security personnel, CCTV) shall prevent unauthorized physical access.

        Critical areas such as server rooms shall be restricted to authorized personnel, and visitor access shall be controlled and logged. Environmental protections (e.g., fire detection systems) shall be implemented to prevent damage. Portable devices shall be protected using measures such as encryption, tracking, and remote wipe capabilities.

    7. Operations and Network Security
      1. Best practices for IT operations shall be followed. Systems shall be securely configured, and anti-malware protection shall be implemented and regularly updated.

        Multi-layered network security solutions (e.g., firewalls, IDS/IPS, VPN) shall be used to prevent unauthorized access. Logs and event data shall be continuously collected and analyzed to detect threats.
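As an added example that ties the log analysis requirement above to the earlier requirement that privileged account usage be logged and monitored (example code written for this page, not the Company's own tooling), the following Go program runs two detections over authentication log lines: a privileged account logging in from outside the administrative network, and a successful login preceded by a burst of failures from the same user and source address. The `k=v` log format, the `10.20.0.0/24` administrative network, the thresholds, the account names and the log lines themselves are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
	"strings"
	"time"
)

// Event is one parsed authentication record; Alert is one finding, with Rule naming the detection.
type Event struct {
	At                   time.Time
	User, Action, Result string
	Src                  netip.Addr
	Priv                 bool
}

type Alert struct{ Rule, User, Src, Note string }

// Detection thresholds. These are illustrative assumptions, not the Company's actual values.
var adminNet = netip.MustParsePrefix("10.20.0.0/24") // privileged logins are expected only from here
const (
	failThreshold = 3               // failures before a success that count as suspicious
	failWindow    = 5 * time.Minute // how far back failures are counted
)

// ParseLine parses "RFC3339-time k=v k=v ..." lines; the format itself is an assumption of this example.
func ParseLine(line string) (Event, error) {
	ts, rest, _ := strings.Cut(line, " ")
	at, err := time.Parse(time.RFC3339, ts)
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	kv := map[string]string{}
	for _, f := range strings.Fields(rest) {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return Event{}, fmt.Errorf("bad field %q in %q", f, line)
		}
		kv[k] = v
	}
	src, err := netip.ParseAddr(kv["src"])
	if err != nil {
		return Event{}, fmt.Errorf("bad src in %q: %w", line, err)
	}
	return Event{At: at, User: kv["user"], Action: kv["action"], Result: kv["result"], Src: src, Priv: kv["priv"] == "true"}, nil
}

// Analyze sorts login events by time (logs arrive out of order) and applies two detections: priv-login-offnet
// (privileged login from outside adminNet) and fail-then-success (>= failThreshold failures within failWindow).
func Analyze(lines []string) ([]Alert, error) {
	var events []Event
	for _, l := range lines {
		ev, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	sort.Slice(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	failures := map[string][]time.Time{} // keyed by user|src
	var alerts []Alert
	for _, ev := range events {
		if ev.Action != "login" {
			continue
		}
		key := ev.User + "|" + ev.Src.String()
		if ev.Result != "success" { // anything but success is treated as a failed attempt
			failures[key] = append(failures[key], ev.At)
			continue
		}
		if ev.Priv && !adminNet.Contains(ev.Src) {
			alerts = append(alerts, Alert{"priv-login-offnet", ev.User, ev.Src.String(), "outside " + adminNet.String()})
		}
		recent := 0
		for _, t := range failures[key] {
			if ev.At.Sub(t) <= failWindow {
				recent++
			}
		}
		if recent >= failThreshold {
			alerts = append(alerts, Alert{"fail-then-success", ev.User, ev.Src.String(), fmt.Sprintf("%d failures within %s", recent, failWindow)})
		}
		delete(failures, key) // a success closes the window for this user/source pair
	}
	return alerts, nil
}

// SampleLog is constructed for this example; it is not a log from the Company's systems.
var SampleLog = []string{
	"2025-09-22T08:00:01Z user=driver-app src=203.0.113.7 action=login result=success priv=false",
	"2025-09-22T08:01:12Z user=dba-root src=10.20.0.5 action=login result=success priv=true",
	"2025-09-22T08:03:40Z user=dba-root src=198.51.100.9 action=login result=failure priv=true",
	"2025-09-22T08:03:52Z user=dba-root src=198.51.100.9 action=login result=failure priv=true",
	"2025-09-22T08:04:05Z user=dba-root src=198.51.100.9 action=login result=failure priv=true",
	"2025-09-22T08:04:19Z user=dba-root src=198.51.100.9 action=login result=success priv=true",
}

func main() { fmt.Println(Analyze(SampleLog)) }
```

Run against the sample, it raises both alerts for `dba-root` from 198.51.100.9 and nothing for the same account logging in from inside the administrative network. In a real deployment the same logic would run in the SIEM rule engine over the centrally stored logs this policy requires, with thresholds tuned per account class and the privileged-account list fed from the access register rather than from a flag in the log line.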

      2. Change management procedures shall be strictly followed. All system changes shall be approved and tested prior to implementation. Security risk assessments shall be conducted for major changes, and testing shall be performed in isolated environments before deployment.

      3. Logs shall be centrally stored, retained, and made available for investigation in the event of security incidents.

    8. Third-Party and Supplier Security
      1. Information security requirements shall be included in contracts with third parties (e.g., banks, cloud providers, vendors). Due diligence shall be conducted during vendor selection, and certifications such as ISO/IEC 27001 may be required.

        Contracts shall include confidentiality obligations and incident reporting requirements. Supplier performance and security compliance shall be periodically reviewed, and corrective actions shall be required for non-compliance.

    9. Information Security Incident Management
      1. A structured incident management process shall be established, including:

        • Detection and Classification: Employees must report suspicious events immediately; incidents shall be analyzed and classified;
        • Response: Appropriate teams shall respond to contain and mitigate impacts;
        • Notification: Significant incidents shall be reported to management and regulators within legal timeframes (e.g., 72 hours for personal data breaches);
        • Analysis and Remediation: Root cause analysis and corrective actions shall be implemented;
        • Documentation and Lessons Learned: Incidents shall be recorded, reviewed, and used for improvement.
      2. This process ensures rapid response and supports business continuity while maintaining organizational readiness.

    10. Business Continuity and Disaster Recovery
      1. Information security is integral to business continuity. The Organization shall develop and maintain Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP), including regular testing.

        Critical systems shall be backed up regularly, with defined recovery objectives (RTO, RPO). Plans shall include roles, communication, alternate locations, and resource requirements, and shall be reviewed annually.

    11. Information Security Compliance
      1. The Organization shall ensure compliance with all applicable legal, regulatory, and contractual requirements, including:

        • Compliance with Mongolian laws (e.g., Personal Data Protection Law, Cybersecurity Law) and international standards (e.g., PCI DSS, GDPR where applicable);
        • Readiness for regulatory audits and timely reporting;
        • Mandatory reporting of security incidents within the timeframes required by applicable law or regulators (e.g., 72 hours for personal data breaches);
        • Respect for software licensing and intellectual property rights;
        • Enforcement of disciplinary measures for policy violations.

  7. ROLES AND RESPONSIBILITIES

    1. In order to ensure the successful implementation of the Information Security Policy, clear roles and responsibilities shall be assigned at all levels of the Organization. The key roles and responsibilities are defined as follows:

      1. Management Board and Executive Management:

        The executive management team shall approve the Information Security Policy and support its implementation. The Management Board shall prioritize information security across the Organization, provide necessary resources (human, financial, and technological), and lead the implementation of the policy.

        They shall regularly review the achievement of ISMS objectives, monitor the overall risk posture, review internal audit results, and make decisions on improvements.

      2. Information Security Committee:

        The Organization shall establish an internal Information Security Committee consisting of representatives from multiple departments. This committee shall provide guidance and oversight for the implementation of information security policies and strategies.

        Where appropriate, it may operate in coordination with the risk management committee. The committee shall review information security requirements, assess risks, and coordinate policy implementation across all major departments and subsidiaries.

      3. Information Security Manager (CISO):

        At the Group level, the Chief Information Security Officer (CISO) shall be responsible for the day-to-day management of the ISMS and the implementation of this policy.

        The CISO’s responsibilities include developing information security strategies and plans, conducting risk assessments, advising employees, overseeing internal audits and monitoring activities, and reporting to management. The CISO shall regularly report on policy implementation, incidents, and risks, and propose improvements to management.

      4. Information Asset Owners (Business Unit Management):

        Managers of business units and subsidiaries shall be responsible for implementing and enforcing this policy within their respective processes and information systems.

        They shall assign ownership for each information asset under their responsibility and ensure that appropriate security controls are implemented. They shall also ensure that information security assessments and risk evaluations are conducted when initiating new projects, products, or changes.

      5. IT Department and System Administrators:

        IT personnel and system/network administrators shall implement technical controls in accordance with this policy.

        They shall manage user access, system configurations, network security, backups, and daily operations in compliance with security procedures. System administrators shall ensure secure configurations of systems under their responsibility and promptly report and remediate any vulnerabilities or incidents.

      6. Employees and System Users:

        All employees, as well as contractors and partner personnel with access to information systems, are responsible for complying with this policy.

        Each employee shall follow information security procedures and properly use and protect information according to its classification and confidentiality requirements. Employees shall immediately report any suspected or actual security incidents to the relevant unit (IT service or Information Security Manager).

        They are also responsible for safeguarding their passwords, credentials, and devices, and must not disclose Company information to unauthorized parties.

      7. Internal Audit and Compliance:

        The internal audit function and compliance personnel shall monitor adherence to this policy and related procedures to ensure compliance with laws, regulations, and standards.

        They shall conduct regular and ad hoc audits, assess policy implementation, and report findings. Identified issues shall be categorized (e.g., major or minor non-conformities), and responsible units shall be required to implement corrective actions within defined timelines. Internal audit provides independent assurance and drives continuous improvement of the ISMS.

      8. External Parties and Partners:

        Third parties that may impact information security (such as suppliers, outsourcing providers, and business partners) shall comply with information security requirements as defined in contractual agreements.

        Compliance with these requirements shall be monitored jointly by business units and the Information Security Manager. Where necessary, improvement actions (e.g., additional controls, independent audits) shall be required.

  8. POLICY IMPLEMENTATION, MONITORING, AND AUDIT

    1. Implementing this policy requires continuous monitoring and improvement of, and verified compliance with, the related internal procedures, processes, and technical measures. The principles and approaches for monitoring and auditing the implementation of this policy are as follows:

      1. Policy Communication and Training:

        The approved Information Security Policy shall be communicated to all employees and relevant third parties (e.g., via internal networks, email, and briefing sessions). All employees must understand the content of this policy and be capable of implementing it in their daily work.

        New employees shall receive training on information security policies and procedures upon onboarding, and all employees shall participate in regular refresher training (annually or as required). Through such training, employees’ awareness and understanding of information security shall be enhanced, fostering a culture of compliance.

      2. Monitoring and Measurement:

        The implementation of the Information Security Policy shall be regularly monitored, measured, and evaluated. Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) shall be defined, such as:

        • Percentage of employees completing information security training;
        • Number of identified vulnerabilities;
        • Number of incidents and resolution rates;
        • Number of findings from internal and external audits.

        Monitoring shall be conducted using automated tools (e.g., log management systems, risk management tools), and results shall be reported regularly. If abnormal trends are detected, root cause analysis shall be performed and appropriate corrective actions implemented.

      3. Internal Audit:

        Planned internal audits shall be conducted annually to assess compliance with the Information Security Policy and all related controls.

        Internal audits shall be performed by independent and qualified personnel (internal audit unit or external specialists) in accordance with ISO/IEC 27001 requirements. Audit findings shall be documented, and corrective action plans shall be developed and implemented by responsible units. Follow-up reviews shall ensure effective remediation.

        Audit results shall be reported to top management, who shall determine whether updates to policies or procedures are required.

      4. External Audit and Certification:

        Where the Organization seeks ISO/IEC 27001 certification, it shall undergo certification audits by accredited external audit bodies. If compliance is confirmed, ISO/IEC 27001 certification shall be granted.

        To maintain certification, periodic surveillance audits shall be conducted by external auditors. Recommendations and findings from external audits shall be promptly addressed to continuously improve the ISMS.

      5. Policy Review and Update:

        This policy shall be reviewed and updated regularly (at least annually) to reflect organizational changes, new legal requirements, and technological developments.

        Updated versions of the policy shall be prepared by the Information Security Manager, reviewed by the Information Security Committee, and approved by top management. The updated policy shall be promptly communicated to all employees to ensure continued compliance.

      6. Violations and Disciplinary Actions:

        In the event of violations of this Information Security Policy, appropriate actions shall be taken against the responsible employees or units.

        Depending on the nature and severity of the violation, disciplinary measures may include formal warnings, mandatory retraining, or termination of employment in serious cases. This ensures a strong culture of compliance and accountability across all levels of the Organization.

    2. This policy shall take effect from the date of approval and shall serve as the primary document governing information security across “UBCAB HOLDING” LLC and all its subsidiaries.

  9. USER DATA PRIVACY AND DIGITAL SERVICE SECURITY

    1. Legal Compliance and Regulation

      The Organization shall comply with the relevant laws and regulatory requirements of Mongolia when ensuring user data privacy and digital service security. These include:

      1. The Law on Personal Data Protection of Mongolia – lawful collection, processing, storage, transfer, and deletion of personal data;

      2. The Law on Cybersecurity of Mongolia – protection of digital services and information systems against cyber threats;

      3. Other applicable laws and regulations (such as the Law on State and Organizational Secrets and requirements of sector regulators).

        Requirements arising from these laws shall be incorporated into the Organization’s risk assessments, control measures, internal procedures, training, and audit activities.

    2. User Data Privacy

      The Organization shall protect users’ personal and financial information in accordance with the following principles:

      1. Access to data shall be limited to authorized personnel on a need-to-know basis;
      2. Technical and organizational controls shall be implemented to prevent unauthorized access, disclosure, and data loss;
      3. All access, modification, and transfer of data shall be logged and monitored (logs and audit trails);
      4. Any transfer of data to third parties shall be governed by contracts, NDAs, and information security requirements.
    3. Digital Service Security

      Applications, websites, and other digital service channels shall meet the following requirements:

      1. Protection against cyber threats (such as DDoS attacks, malware, phishing, and API attacks);
      2. Implementation of secure development practices, change management, testing, and monitoring;
      3. Establishment of mechanisms to detect, report, and respond to information security incidents.
    4. Responsibilities of Stakeholders and Third Parties

      The information security and privacy requirements set out in this policy shall be adhered to by the following parties:

      1. All employees under employment contracts with the Organization;
      2. Contractors and outsourced service providers;
      3. Suppliers and other third parties.

      Where necessary, these requirements shall be communicated through training, briefings, and contractual obligations.

    5. Collection, Processing, and Use of User Data

      The Organization shall collect, process, and use user data in the following cases:

      1. With the consent of the data subject;
      2. On legal grounds as provided by law;
      3. When the data has been made publicly available in accordance with the law;
      4. For preparing anonymized datasets for open data or statistical purposes.

      If data has not been collected, processed, or used in accordance with legal grounds and procedures, it shall be deleted upon the request of the data subject.

  10. PUBLIC DISCLOSURE AND TRANSPARENCY

    The Organization shall strive to make its key policies and principles regarding user data privacy and digital service security publicly available through the following channels:

    1. The Organization’s official website;
    2. Mobile or web applications;
    3. Other official digital channels.

    Such transparency aims to enhance user trust and ensure legal compliance.