Constance Hotels Services Limited | Annual Report 2025
Advanced Security Architecture
– Cybersecurity and Trust: ensuring that digital infrastructure protects the confidentiality, integrity, and availability of data
7.3. Data Protection
In addition, employee awareness training is facilitated through online training modules and regular communications via the Company’s intranet. A mandatory ‘Regulatory Compliance’ training programme was also conducted by the Compliance Department to reinforce regulatory obligations across all properties. In line with privacy-by-design principles, the CO/DPO supported the IT team in carrying out a Data Protection Impact Assessment (DPIA) for an E-registration project to assess and mitigate potential data protection risks. In 2025, the DPSC met twice to review the data protection reports and to assess implemented and initiated organisational and technical measures related to data protection.
With the implementation of ISO 27001, new data security-related measures were implemented, including strengthened data and network security controls, improved patch management processes, formalised data classification protocols, enhanced data loss prevention mechanisms, and reinforced safeguards relating to the use of Artificial Intelligence (AI). Furthermore, ongoing collaboration with Fraud watch supports continuous monitoring of potential digital threats and enables prompt response actions, thereby safeguarding the Company’s brand and digital presence.
7.4. Information, Information Technology (IT) And Information Security (IS)
Technology, cybersecurity, and digital innovation play a central role in supporting the Company’s mission to deliver exceptional guest experiences, while ensuring the resilience and security of its operations across the Indian Ocean. The hospitality sector is undergoing rapid transformation driven by digital innovation, data analytics, and artificial intelligence. In response to this evolving landscape, the Company continues to invest in modern digital platforms, cybersecurity capabilities, and intelligent automation that enhance both guest engagement and operational efficiency.
The Company ensures that data protection responsibilities are duly communicated through its Charters, Codes, and Policies.
The Company maintains a multi-layered cybersecurity architecture integrating network security platforms, endpoint protection systems, and advanced threat intelligence tools.
Security infrastructure deployed across the Company includes:
– Next-generation firewalls protecting network traffic across properties
– Endpoint detection and response systems monitoring user devices
– Email security and anti-phishing protection
– Threat intelligence feeds enabling proactive threat detection
– Security monitoring through centralised logging and analytics platforms
These technologies provide continuous visibility across the Company’s digital environment and enable rapid detection of potential cyber threats.
Network Security Monitoring
Network protection mechanisms actively inspect traffic to identify suspicious activity and prevent unauthorised access. Throughout the year, these security controls blocked significant volumes of malicious activity, including malware attempts, malicious links, and command-and-control communications. The Company’s firewall infrastructure operates in high-availability configurations across properties, ensuring both strong protection and uninterrupted business operations.
Over the past year, the Company has strengthened its cybersecurity posture, expanded its digital capabilities, and accelerated its adoption of artificial intelligence across several operational areas. These initiatives reinforce its commitment to innovation while maintaining appropriate levels of governance and security. Technology is no longer simply an operational enabler; it has become a strategic pillar supporting the long-term growth and resilience of the Company.
The Company is highly conscious of its responsibility to protect personal data processed across the organisation. To properly discharge these responsibilities, a Data Protection Steering Committee (DPSC) was established in 2019, chaired by a Board Director. The DPSC is a sub-committee of the Corporate Governance Committee and has the overall responsibility for establishing, overseeing, revising, and monitoring the Company’s privacy strategy, governance programmes, and related initiatives, in line with the Mauritius Data Protection Act 2017 (DPA 2017) and the European Union’s General Data Protection Regulations (EU GDPR). The DPSC ensures that adequate resources are available to meet the Company’s objectives. The Compliance Officer (CO) / Data Protection Officer (DPO) monitors and facilitates the implementation of the privacy strategy and governance programme in the organisation. The CO/DPO works in collaboration with the Chief Information Officer (CIO), who oversees the security of all personal data processed electronically throughout the organisation. Data Protection Champions (DPCs) have been designated in each property to assist their respective General Managers in discharging their data protection responsibilities and to liaise with the CO/DPO on data protection matters. Quarterly data protection surveys and data inventory updates provide a basis for assessing the need for any new organisational and technical measures. The CO/DPO ensures that appropriate data processing agreements are signed with third-party processors. Following the introduction of the Tourist Fee effective 1 October 2025, the CO/DPO engaged with the Data Protection Office to seek clarification on data protection implications relating to identity verification requirements. Guidance was obtained to ensure that any collection and retention of personal data is limited to what is legally required and subject to appropriate safeguards. 
Regular employee training and awareness initiatives are organised to maintain a strong privacy culture across the organisation, emphasising each employee’s responsibility to protect information and comply with legal requirements in their daily operations. A phishing incident involving guest data was identified in November 2025 and managed in accordance with CHSL’s Data Protection framework, in close collaboration with the IT function. Regulatory notifications were submitted within statutory timelines, affected data subjects were informed, and remedial measures were implemented. During the year under review, a two-day Data Protection training session was held at the Head Office in collaboration with BDO. The programme consisted of interactive quizzes, group discussions, and practical case studies to enhance understanding of real-world data protection scenarios.
Information Security
Information Security Governance
Strong governance structures ensure that cybersecurity initiatives remain aligned with the Company’s broader risk management framework. The IT Steering Committee, composed of executive leadership and technology stakeholders, provides oversight of technology investments and digital initiatives. The Committee reviews key cybersecurity metrics, digital transformation programmes, and technology risks on a regular basis.
In addition, the Company continues to strengthen its internal information security policies, including:
– Updated IT Code of Practice
– Comprehensive Information Security Policy
– Identity and access management procedures
– Structured employee onboarding and offboarding processes
– Formal change management controls
These governance frameworks ensure that cybersecurity responsibilities are clearly defined and embedded across the organisation.
Privileged Access Security
To further reduce cybersecurity risks, the Company introduced a Privileged Access Management (PAM) platform to control and monitor administrative access to critical systems.
This platform provides:
– Controlled access to sensitive systems
– Detailed session monitoring and audit trails
– Just-in-time access for administrators and vendors
– Enhanced oversight of privileged activities
Cybersecurity and Digital Trust
The protection of guest information and operational systems remains a critical priority. As the Company continues to expand its digital capabilities, robust cybersecurity controls ensure that innovation is supported by strong safeguards. During the year under review, several initiatives were implemented to strengthen the Company’s cybersecurity posture.
These controls strengthen accountability and significantly reduce the risks associated with privileged system access.
The Company’s technology strategy is guided by three core principles:
– Digital Excellence: enhancing guest experiences through data-driven personalisation and seamless digital interactions
– Operational Efficiency: leveraging automation and analytics to optimise internal processes and decision-making