
Integrated Policy for Quality and Information Security

Rev. 1 28-Nov-2025

1 Premise

This policy outlines Kelyon’s commitment to achieving excellence in the quality of products and services offered, as well as in the protection of business information and customer data.

Kelyon’s objectives comply with the international standards ISO 9001, ISO 13485 (), ISO 27001 (Information Security) and align with applicable regulatory requirements, including those set by and the NZ Medicines and Medical Devices Safety Authority (MEDSAFE).

These frameworks are integrated into a structured and proactive management system designed to ensure continuous improvement, effective risk management and full regulatory compliance.

2 Quality Objectives

Kelyon has set the following objectives:

  • Customer satisfaction: Understand customer needs and provide products and services that meet their requirements, exceeding their expectations where possible.
  • Regulatory compliance:
    • Ensure compliance with applicable TGA (AU) and MEDSAFE (NZ) regulations, including conformity to the Essential Principles for medical devices, technical documentation, quality management systems, and post-market obligations.
    • Ensure compliance with EU Regulation 2017/745 (MDR) and Regulation (EU) 2017/746 (IVDR), including conformity to the General Safety and Performance Requirements, technical documentation, quality management systems, and post-market obligations.
  • Process optimization: Monitor and measure the performance of business processes through performance indicators, implementing corrective and preventive actions when necessary.
  • Training and competencies: Ensure that all employees have the necessary skills and resources to perform their work in accordance with quality standards. Training plans are reviewed and updated regularly according to business needs and evolving technologies.

3 Information Security Objectives

Kelyon ensures that all information, whether related to customers, partners, or internal matters, is:

  • Confidential: Protection against unauthorized access, ensuring that only authorized individuals have access to sensitive information.
  • Integrity: The information must be accurate and complete, preserving the data from unauthorized modification, corruption, or deletion.
  • Available: Ensure that information and systems are accessible when needed, minimizing downtime or service interruptions.

Kelyon also sets the following objectives:

  • Regulatory compliance: Ensure compliance with the ISO 27001 standard by obtaining and maintaining certification by an accredited body, and align security processes with TGA and MEDSAFE requirements for data integrity and protection, especially for systems supporting medical devices and related services.
  • Proactive cybersecurity management: Implement structured processes to properly prevent, detect, and manage any security incidents, including cyberattacks, data breaches, and other threats.

4 Guiding principles of the Policy

The guiding principles of Kelyon’s Integrated Policy for Quality and Information Security are:

  • Continuous improvement: Implement a Plan-Do-Check-Act (PDCA) cycle to ensure that information quality and security processes are constantly monitored, evaluated, and improved.
  • Risk management: Regularly assess risks related to information quality and security, developing mitigation plans to minimize negative impacts. This includes periodic vulnerability assessments and penetration testing on computer systems.
  • Effective communication: Establish internal and external communication channels that promote transparency and timely dissemination of relevant information. Employees are constantly informed about policy updates, security measures and regulatory changes.
  • Roles and responsibilities: Clearly define the responsibilities of all staff regarding quality management and information security. The Management is responsible for supervising the implementation and effectiveness of the integrated management system and for ensuring regulatory compliance.

To achieve the set objectives, Kelyon ensures that:

  • All employees and external collaborators receive continuous training and awareness-raising, aimed at developing the skills necessary to ensure the quality of processes, the protection of information and compliance with applicable regulations.
  • Advanced tools and technologies are used for monitoring, protecting and backing up company information, with a focus on the security of computer systems, the prevention of unauthorized access and protection against cyber threats.
  • The selection and management of suppliers are carried out according to strict criteria, ensuring they also comply with the quality, information security and applicable regulatory standards.
  • The Integrated Management System is subject to regular audits (internal audits) to assess compliance with established requirements and identify improvement opportunities.
  • Management conducts an annual or more frequent review of the integrated management system, as needed, evaluating performance, regulatory and contextual changes, as well as feedback from customers and stakeholders.
  • Timely corrective actions and complaint handling are implemented in response to the results of audits and reviews to address non-conformities, along with preventive actions to avoid recurrence of issues.
  • This policy is communicated to all personnel, through training sessions and continuous dissemination via company channels, and is made available to interested parties, including customers and partners, through the company website and other official communication methods.