ERAM · Compliance · Information Security

Information Security.

How ERAM Real Estate protects the confidentiality, integrity and availability of information entrusted to it — and how we respond to personal data breaches.

Effective date: 1 May 2026 · Last updated: 12 May 2026 · Owner: Information Security Lead (reporting to senior management) · Review cycle: Annual; post-incident

1. Purpose

This policy sets out the principles by which ERAM Real Estate Sh.P.K. protects the confidentiality, integrity and availability of the information entrusted to it — investor and customer personal and financial data, project documents, financial records, and operational systems including the ERAM Investors Portal.

2. Scope

This policy applies to all information assets owned, processed, transmitted or stored by ERAM, regardless of format (electronic, paper, verbal). It binds every director, officer, employee, contractor and third-party service provider with access to ERAM's information.

3. Standards

ERAM's information-security programme is designed in alignment with the principles of the ISO/IEC 27001 family of standards and applicable provisions of the Kosovo Law on Personal Data Protection and the EU General Data Protection Regulation.

4. Control areas

  • Access control — role-based access, multi-factor authentication for administrative accounts, principle of least privilege, joiners-movers-leavers process;
  • Encryption — encryption in transit (TLS 1.3 or higher) and at rest for personal and financial data;
  • Network security — perimeter and segmentation controls, monitoring, vulnerability management;
  • Endpoint security — managed devices, anti-malware, patching;
  • Application security — secure software-development lifecycle, dependency management, penetration testing of the Investors Portal at least annually;
  • Third-party risk — security due diligence on every supplier with material access to ERAM's systems or data;
  • Backup and recovery — regular tested backups, business-continuity and disaster-recovery procedures;
  • Logging and monitoring — security logging of significant events, retention and review;
  • Awareness — security training for staff on appointment and at least annually.

5. Personal data breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Upon detection of a personal data breach, ERAM will:

  1. Contain the breach and preserve evidence;
  2. Assess the nature, scope, and likely consequences;
  3. Notify the Information and Privacy Agency of Kosovo within the timeline required by law (currently 72 hours of becoming aware, where the breach is notifiable);
  4. Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms;
  5. Investigate root cause and apply corrective measures;
  6. Document the breach and the response in the internal breach register.

6. Reporting suspected incidents

Every director, officer, employee and contractor is obliged to report a suspected information-security incident or personal-data breach without delay to [email protected]. Where the matter is sensitive, the Whistleblowing channel is also available.

7. Governance and review

Accountability for information security rests with senior management, with operational responsibility designated to a named individual. The policy is reviewed at least annually and after any material incident.

Contact

Questions regarding this policy, or to report a concern: [email protected]. Confidential reports may also be made via our Whistleblowing channel.

ERAM Real Estate Sh.P.K. · Business no. (NUI) 812052025 · Registered 13/06/2023 · Rruga Agim Ramadani, Nr. 2, 10000 Prishtina, Kosovo