Personal Data Protection Policy

All “HITO S.A.P.I. de C.V.” employees involved in the processing of personal data used by the organization are committed to its security in the master servicing, primary servicing, asset valuation, human resources and legal processes through the implementation of a PDSMS that allows for:

 

  • Compliance with all principles established in Article 6 of the Law: lawfulness, consent, information, quality, purpose, loyalty, proportionality, and responsibility, in accordance with the provisions of the Law, its Regulations and other applicable rules or legislation.

  • Treating and collecting personal data in a lawful manner, in accordance with the provisions established by the Law and other applicable regulations (lawfulness principle).

  • Making the processing of personal data subject to the consent of the holder, barring exceptions provided by the Law (consent principle).

  • Informing data holders, through the privacy notice, of the information that is collected from them and for what purposes (information principle).

  • Ensuring that processed personal data is correct and up to date (quality principle).

  • Deleting personal data when it is no longer necessary for the fulfillment of the purposes set forth in the privacy notice and for which they were obtained (quality principle).

  • Treating personal data strictly for the time necessary for legal, regulatory, or legitimate organizational purposes (quality principle).

  • Limiting personal data processing to the fulfillment of the purposes set forth in the privacy notice (purpose principle).

  • Not obtaining personal data through fraudulent means (loyalty principle).

  • Respecting the holder’s reasonable expectation of privacy (principle of loyalty).

  • Using as little personal data as possible, and only that which is necessary, adequate, and relevant in relation to the purposes set forth in the privacy notice (principle of proportionality).

  • Ensuring compliance with these principles and implementing necessary measures for their application (responsibility principle).

  • Establishing and maintaining security measures (security duty).

  • Safeguarding personal data confidentiality (confidentiality duty).

  • Identifying personal data flow and life cycle: through what means it is collected, in what processes of the organization it is being used, with whom it is shared, and when and by what means it is deleted.

  • Maintaining an updated inventory of personal data or its categories managed by the organization.

  • Respecting the rights of the holders in relation to their personal data.

  • Applying the exceptions contemplated in the regulations on personal data protection.

  • Compliance with the current personal data management policy.

  • Defining stakeholders and members of the organization with specific responsibilities and accountability for the PDSMS.