Information Security Policy
Principles and requirements for information security at SafeLaw, including cardholder data protection.
SELLAI LLC
SafeLaw Service (safelaw.ai)
TIN 312530703, Nukus, Republic of Karakalpakstan, Uzbekistan
INFORMATION SECURITY POLICY
Document ISP-01
Version 1.0
Effective date: 15 May 2026
Compliance: PCI DSS v4.0.1, SAQ A
Master language: Russian. In case of any discrepancy between the English translation and the Russian master, the Russian version shall prevail.
1. Purpose and Objectives
This Information Security Policy (the «Policy») establishes the principles, requirements and directions of SELLAI LLC (TIN 312530703, hereinafter the «Company») in the area of information security, including the protection of payment cardholder data (Cardholder Data, «CHD») processed in connection with the operation of the SafeLaw service (safelaw.ai).
The key objectives of the Policy are:
- to ensure the confidentiality, integrity and availability of the Company's information assets;
- to protect payment cardholder data in accordance with PCI DSS v4.0.1 (self-assessment level SAQ A);
- to comply with the legislation of the Republic of Uzbekistan, including Law No. ZRU-547 «On Personal Data» dated 02 July 2019;
- to establish a uniform set of information security rules for all employees, contractors and third parties of the Company;
- to reduce operational, financial and reputational risks associated with the processing of information.
2. Scope
The Policy is mandatory for:
- all permanent and temporary employees of the Company;
- all contractors, consultants and other third parties with access to the Company's information assets;
- all information systems processing user data of the SafeLaw service, including systems hosted by third-party service providers (TPSP).
The Policy applies to all forms of information handling: electronic, paper and verbal.
3. Definitions
PAN (Primary Account Number) — the primary account number of a payment card (12–19 digits).
CHD (Cardholder Data) — cardholder data: PAN, cardholder name, expiration date, service code.
SAD (Sensitive Authentication Data) — sensitive authentication data: CVV/CVC, PIN, magnetic-stripe data.
CDE (Cardholder Data Environment) — the cardholder data environment. The Company's CDE is minimised: PAN and SAD are never transmitted to or stored on the Company's servers and are processed exclusively by the acquiring bank's payment gateway (TPSP).
TPSP (Third-Party Service Provider) — a service provider with access to payment data or capable of affecting the security of the Company's CDE.
PCI DSS — Payment Card Industry Data Security Standard.
SAQ A — Self-Assessment Questionnaire A, the PCI DSS compliance self-assessment for merchants who fully outsource CHD processing.
MFA (Multi-Factor Authentication) — multi-factor authentication.
Information asset — any information and its carriers that are of value to the Company.
Information security incident — one or more unwanted or unforeseen information security events with a significant probability of compromising business operations and threatening information security.
4. Information Security Principles
The Company's information security activities are based on the following principles:
4.1. Confidentiality
Restricted information is made available only to persons who need it to perform their official duties (the «need-to-know» principle).
4.2. Integrity
Information assets are protected against unauthorised modification, distortion or destruction. Version control, action logging and integrity verification mechanisms are applied.
4.3. Availability
Information systems and data are available to authorised users when required for the performance of their duties. Backup, fault tolerance and business continuity arrangements are in place.
4.4. Data Minimisation
The Company does not collect, store or process payment cardholder data (PAN, SAD) on its own infrastructure. Payment processing is fully outsourced to a PCI DSS-compliant TPSP — Ipak Yuli Bank — via a redirect flow.
4.5. Security by Default
New systems, applications and services are designed and deployed with security controls enabled by default.
5. Protection of Payment Cardholder Data
5.1. Minimised-CDE Architecture
The Company has implemented an architecture with minimised CDE:
- the user initiates the payment on safelaw.ai;
- the website performs an HTTP 302 redirect of the user to a payment page hosted on the acquiring bank's infrastructure (Ipak Yuli Bank);
- the card number, expiry date, CVV and other payment credentials are entered solely on the acquiring bank's side;
- once the operation has been completed (success/failure), the user is returned to safelaw.ai with a transaction identifier; PAN and SAD are not transmitted to the Company's servers.
This architecture meets the eligibility criteria for SAQ A under PCI DSS v4.0.1 r1 (January 2025).
5.2. Prohibition on Storing and Processing CHD
The following is strictly prohibited:
- storing PAN, CVV/CVC, PIN codes, magnetic-stripe data or related information in any of the Company's systems, databases, logs, backups or other storage;
- accepting payment credentials via email, messengers, telephone, paper or any other channel bypassing the acquiring bank's payment gateway;
- creating screenshots of payment pages containing users' payment credentials;
- developing or deploying mechanisms that could result in PAN or SAD entering the Company's infrastructure without a prior PCI DSS scoping review (such a change would move the Company from SAQ A to SAQ A-EP or SAQ D).
5.3. Masking and Tokenisation
Where information about a payment operation is displayed in the Company's systems (e.g., in the user's personal account or internal reports), only the last 4 digits of the PAN may be shown. All other digits of the PAN must be masked.
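As an added illustration of sections 5.2 and 5.3 (example code, not the Company's own): a log scrubber that detects Luhn-valid PANs in log lines and replaces them with the last-4-digits masked form, so that a PAN accidentally written by an integration never reaches log storage or backups. The log lines and the 4111 test card number are constructed sample data.

```python
import re

# Candidate PAN: 12 to 19 digits (the Policy's PAN definition), optionally
# separated by single spaces or hyphens and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){11,18}\d(?!\d)")

# Constructed sample log lines; 4111 1111 1111 1111 is a well-known test PAN.
SAMPLE_LOG = [
    "2026-05-15T10:21:07Z INFO payment.init user=u_8842 order=123456789012 redirect=302",
    "2026-05-15T10:21:09Z DEBUG gateway.callback card=4111 1111 1111 1111 status=ok",
    "2026-05-15T10:21:09Z INFO payment.done txn=a7f3c9 amount=150000 currency=UZS",
]

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card numbers; rejects most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Show only the last 4 digits, as section 5.3 requires."""
    digits = re.sub(r"[ -]", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def scrub_log_line(line: str) -> tuple:
    """Replace each Luhn-valid PAN in a log line with its masked form.
    Returns (scrubbed_line, number_of_pans_found)."""
    count = 0
    def repl(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # e.g. a 12-digit order id: left untouched
        count += 1
        return mask_pan(digits)
    return PAN_CANDIDATE.sub(repl, line), count

def scan_log(lines: list) -> list:
    """Return (1-based line number, scrubbed line) for every line that held a PAN."""
    hits = []
    for n, line in enumerate(lines, 1):
        scrubbed, count = scrub_log_line(line)
        if count:
            hits.append((n, scrubbed))
    return hits
```

Running `scan_log` over an application's log output as a pre-storage filter, and alerting on any non-zero count, turns the section 5.2 prohibition into a detective control rather than a rule that is only discovered to be broken during an audit.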
5.4. Data Transmission
All data transmission channels between the Company and users, and between the Company and TPSPs, are protected by TLS version 1.2 or higher. Transmission of unencrypted data is prohibited.
6. Access Management
6.1. Identification and Authentication
Each user of the Company's information systems is assigned a unique identifier. The use of shared, group or anonymous accounts is prohibited.
6.2. Password Policy
- minimum password length — 12 characters;
- the password must contain characters from at least two categories (letters and digits);
- passwords are changed at least every 90 days, unless the security posture of the account is instead analysed dynamically to determine access in real time;
- on first sign-in the user must change the password issued by the administrator;
- storing passwords in plaintext is prohibited; strong hashing algorithms (bcrypt, Argon2 or equivalent) are used.
6.3. Multi-Factor Authentication (MFA)
Multi-factor authentication is mandatory for:
- access to administrative consoles and the Company's servers;
- access to Google Workspace, Cloudflare, Namecheap, source code repositories and other critical services;
- remote access to corporate resources;
- access to the acquiring bank's online office and other payment services.
6.4. Least Privilege Principle
Access rights are granted based on business need. Privileged accounts (administrator, root, owner) are used solely for the relevant tasks and not for routine work.
6.5. Account Management
- accounts are created upon a written request from a manager based on business need;
- access rights are reviewed at least every six months;
- when an employee leaves or a contractor's engagement ends, accounts are disabled on the same day;
- inactive accounts are disabled after 90 days of non-use.
7. Cryptographic Protection
- TLS 1.2 or TLS 1.3 with strong cipher suites is used for data in transit;
- bcrypt, Argon2 or PBKDF2 is used for password hashing;
- cryptographic keys are stored separately from the data they protect; access to keys is limited to authorised persons;
- modern TLS certificates from trusted Certificate Authorities are used and renewed before expiration.
8. Vulnerability Management
- operating systems and software on servers are updated at least monthly; critical security updates are applied within 30 days of release;
- a Web Application Firewall (Cloudflare WAF) is used to protect public web resources;
- vulnerability scans of public web services are performed at least quarterly;
- critical vulnerabilities are remediated promptly.
9. Physical Security
The Company's information systems are hosted in the data centre of the hosting provider (Netcup GmbH, Germany), which is responsible for the corresponding physical security controls (access control, video surveillance, fire protection, redundant power). The Company does not operate its own server hardware.
Employee workstations must be protected from unauthorised access: screens are locked when the workstation is unattended and paper documents are stored securely.
10. Incident Management
All information security incidents are handled in accordance with the separate Information Security Incident Response Plan (IRP-01). Employees must immediately report any suspected incident to safelawinfo@gmail.com.
11. Third-Party Service Provider Management
Engagements with service providers (TPSPs) with access to the Company's data or affecting the security of the CDE are governed by the separate Third-Party Service Provider Management Policy (TPSP-01).
The Company's key TPSPs are: Ipak Yuli Bank (payment acquirer), Cloudflare, Inc. (WAF/CDN), Netcup GmbH (hosting), Google LLC (Workspace, Vertex AI), Anthropic PBC (Claude API), OpenAI OpCo, LLC (GPT API), Namecheap, Inc. (domain registrar).
12. Training and Awareness
- all employees complete information security induction training upon hiring;
- refresher training is provided at least once a year;
- employees with access to sensitive data complete additional topic-specific training;
- training covers password security, phishing, social engineering, safe use of email and incident handling.
13. Regulatory Compliance
The Company complies with applicable legislation of the Republic of Uzbekistan, in particular:
- Law No. ZRU-547 «On Personal Data» dated 02 July 2019;
- Law No. 530-I «On Information» dated 11 December 2003;
- Law No. ZRU-792 «On Electronic Commerce» dated 22 May 2022;
- Central Bank of the Republic of Uzbekistan requirements on the protection of payment information;
- PCI DSS v4.0.1 requirements applicable to merchants at the SAQ A level.
14. Roles and Responsibilities
14.1. Director of the Company
Holds overall accountability for the Company's information security, approves this Policy and related documents and allocates resources for their implementation.
14.2. Information Security Officer
Appointed by an order of the Director. Coordinates information security activities, organises training, leads incident investigations and monitors PCI DSS compliance. Pending such appointment, the function is performed by the Director.
14.3. All Employees
- comply with this Policy and related documents;
- promptly report suspected information security incidents;
- use the Company's information assets only for business purposes;
- safeguard credentials and do not share them with third parties.
15. Policy Violations
A violation of this Policy may result in liability under the labour legislation of the Republic of Uzbekistan, the terms of the employment or civil contract, and, where the law so provides, in administrative and criminal liability.
16. Review and Update
This Policy is reviewed at least once every 12 months and also upon significant changes to business processes, the information infrastructure, the regulatory framework or following major information security incidents. Compliance with this requirement is the responsibility of the Information Security Officer.
17. Document Information
Version | Date        | Changes                          | Approved by
1.0     | 15 May 2026 | Initial approval of the document | R. Jumamuratov
Document Approval
This document is approved by the Director of SELLAI LLC and becomes effective from the signing date. All personnel, contractors, and other persons with access to SELLAI LLC information assets are required to acquaint themselves with this document.
Director of SELLAI LLC:
_________________________ / R. Jumamuratov
(signature) (name)
Date: «_____» _____________ 2026
Company seal.