Data Privacy and Security
Integrated security systems protecting corporate data
As Aromsa, we have created our data security and privacy policy based on the pillars of confidentiality, integrity and accessibility.
- Confidentiality means that information needs to be accessible only by authorized persons.
- Integrity means that information assets should be complete and accurate and protected against unauthorized modification.
- Accessibility means that information assets should be available to authorized users when needed.
We manage our data security and information privacy processes in strict adherence to our organizational policies and principles. We plan, implement and develop our Information Security Management System (ISMS) in accordance with the requirements of the globally recognized ISO/IEC 27001:2022 Information Security Management System standard.
Our Information Security Management System (ISMS) is a part of our overall management system which is based on a business risk approach to establish, implement, operate, monitor, review, maintain and improve information security. Information security, which involves protecting the confidentiality, integrity and availability of information, also includes other features such as accuracy, accountability, non-repudiation and reliability.
We are committed to following a continuous improvement approach in the Information Security Management System, to complying with all legal regulations regarding information security, and to fulfilling the requirements of information security standards.
At Aromsa, we establish the information security policy, define security roles and make all relevant updates with the support of our Company’s Senior Management and the coordination of all business units. When necessary, we seek the opinions of internal and external third-party experts. We correctly classify our information assets, perform asset valuations, and calculate the value of assets to develop appropriate levels of control.
We have established the Aromsa Information Security Committee to evaluate the performance of the information security system by analysing the status of information security objectives, data breaches, emergencies, risks and opportunities. The Committee is chaired by the Information Security Manager and meets every 6 months.
During the reporting period, a total of 907 hours of information security awareness training was provided to all our employees (319 hours in 2022, 347 hours in 2023, and 241 hours in 2024) in order to spread information security awareness across the organization. No non-compliances were reported in third-party audits conducted during the reporting period.
During the reporting period, we completed the necessary preparations for the transition to the ISO 27001:2022 edition. In 2024, 17 employees received training on how to conduct internal audits and on the transition to the 2022 edition of the ISO 27001 Information Security Standard, which led to an increase in the number of internal auditors.
In 2025, an audit was carried out as preparation for the new edition and the transition was completed.

A holistic security approach to personal data management
PROCESSING AND PROTECTION OF PERSONAL DATA
As Aromsa, we attach great importance to the confidentiality and security of personal data in accordance with the Personal Data Protection Law No. 6698 (PDPL) and related legislation.
Data about our employees, customers, suppliers and any other person whose personal data we collect and obtain as part of our activities are processed and protected in accordance with the principles of lawfulness, honesty and transparency, and in compliance with the Constitution of the Republic of Türkiye, the Personal Data Protection Law and other applicable legislation. These processes are recorded and monitored in the Personal Data Inventory that we have prepared.
Aromsa Personal Data Protection Policy is available at the Company’s website.
In order to comply with the changes introduced in the PDPL, a development and compliance project was initiated in 2025 with the assistance of a consultant.
CYBER SECURITY
With digitalization, cybersecurity has become a critical issue for companies. As Aromsa, we carry out information security activities such as protecting information and information assets, assessing risks by identifying threats to confidentiality, integrity and accessibility, and keeping an inventory of assets by classifying them (top secret, confidential, internal, general). In addition, we are implementing practices that will increase the awareness of our employees and third parties about cyber attacks. We carry out all these activities in accordance with the ISO/IEC 27001:2022 Information Security Management System. We implement all the control measures listed in Annex A to the ISO 27001 standard and take the ISO 27001 standard as reference for guidance.
We conduct penetration and social engineering tests at certain intervals every year to continuously improve the Information Security Management System. During the reporting period, we established a Disaster Recovery Centre in Ankara.
We have completed the installation of SIEM (Security Information and Event Management), a security software platform that collects data generated by all users, servers, network devices and firewalls to monitor and analyse security-related events in the infrastructure. Additionally, we increased the reliability of our DDoS (Distributed Denial of Service) attack prevention systems by deploying more effective software.
We regularly receive Pentest services against information security threats. We also use Vulnerability Scanning Software for the automatic detection of vulnerabilities in Aromsa computer systems, networks, applications and infrastructure. Using this software, we identify potential security risks in our systems and ensure they are reported so that malicious attackers cannot exploit these vulnerabilities.
