DATA PROCESSING

START

Introduction

Resuelve Consultoría de Impacto Social S.A.S. ('Resuelve'), registered in Colombia under NIT 901393843-6, presents this Comprehensive Data Processing Policy, whose purpose is to ensure responsible and secure information management, protect data subjects’ fundamental rights and support compliance with legal and contractual obligations.

This document brings together the practices and protocols required for data processing in both digital environments and in-person operations, covering general information as well as sensitive data that requires special protection.

SCOPE

Scope and objectives

This policy is mandatory for all collection, processing, storage, analysis, transmission and deletion of personal and sensitive data handled by Resuelve in its projects and operations.

Its objectives include ensuring the integrity, confidentiality and availability of information; establishing control and monitoring mechanisms that support compliance with legal standards and international good practices; and protecting information belonging to vulnerable groups, such as minors and social organizations in risk contexts, through additional verification and security protocols.

PRINCIPLES

Principles and regulatory framework

Data processing is governed by the principles of lawfulness, transparency, purpose limitation, proportionality, minimization, security and accountability.

It complies with Law 1581 of 2012, Decree 1377 of 2013 and other related Colombian rules. When processing involves data subjects in the European Union or the European Economic Area, including Germany, the GDPR and relevant complementary German rules apply.

Resuelve commits to following these principles and regulatory frameworks, ensuring comprehensive protection of information in each of its processes.

COLLECTION

Collection and processing

Resuelve obtains personal data through active methods, such as forms, surveys and direct requests, and passive methods, through interactions on digital platforms, social networks and other public sources.

Data is processed solely and exclusively for specific and legitimate purposes, duly communicated to the data subject at the time of collection.

Strict measures are adopted to ensure that only the information necessary to fulfill the stated purpose is collected, avoiding excessive or irrelevant collection.

CONSENT

Consent and protection

For the processing of sensitive data, such as data from minors, vulnerable groups, threatened organizations and other groups operating in delicate contexts or requiring additional protection, Resuelve implements additional verification procedures.

As an essential requirement, we validate, obtain and/or facilitate informed and/or express consent and, in the case of minors, consent from parents or guardians.

Data subjects receive clear and detailed information about the purpose of processing, how their data is used and potential associated risks, always safeguarding their rights.

RETENTION

Retention and destruction

Data will be retained only for the time strictly necessary to fulfill the purpose for which it was collected and to comply with legal and contractual obligations.

Resuelve establishes differentiated periods depending on the nature and sensitivity of the information.

Once the purpose has been achieved or the established period has expired, data will be securely and definitively deleted using methods that ensure irreversible destruction and minimize any risk of unauthorized recovery in the future.

TRANSFER

Transfer to third parties

Data will be transferred to third parties only when the data subject has given express consent or when required by law.

In subcontracting or collaboration situations, contractual agreements will be formalized requiring third parties to implement security and confidentiality measures equivalent to those of Resuelve.

Each transfer will be duly documented, ensuring traceability and accountability, and will take place after a rigorous assessment of the receiving entity.

SECURITY

Security and confidentiality

Resuelve implements technical and organizational controls such as data encryption, multifactor authentication and physical and digital access restrictions through specialized third-party platforms currently including Google Cloud, Google Drive and Google Workspace.

Incident response protocols include immediate notification to clients and competent authorities in accordance with applicable law.

These measures are reviewed and updated continuously to respond effectively to new threats and vulnerabilities.

RIGHTS

Rights and exercise

Data subjects have fundamental rights such as access, rectification, deletion, portability and objection to the processing of their information.

Resuelve provides direct and effective communication channels so data subjects can exercise these rights within the periods established by law.

Each request will be handled with maximum transparency and diligence, ensuring a timely response suited to the applicant’s needs.

MONITORING

Monitoring and updates

In addition to updates by third parties operating Resuelve’s data storage platforms, internal periodic assessments are carried out to verify compliance with this policy and the effectiveness of the measures implemented.

These assessments make it possible to identify areas for improvement and adjust processes as regulations, technologies and emerging risks evolve.

The policy is updated every two years, and any significant change is communicated in a timely manner to clients, data subjects and interested third parties.

RESPONSIBILITY

Responsibility and contact

For any query, request or complaint related to data processing, Resuelve has appointed a person responsible for specialized communication and data protection.

This person acts as the contact point to ensure timely attention to data subjects’ concerns and to coordinate responses to incidents or information requests.

Resuelve commits to acting with transparency and rigor in all activities related to security and information management.