Information Security Policy
1. Definition
The use of the term “Company” is in reference to the following organization: Atieva USA inc.
d/b/a Lucid Motors, Inc. and its affiliates.
2. Introduction
The Company recognizes the need for its employees, contractors, vendors and visitors
("Persons") to have access to certain Company information in order to carry out their work and
recognizes the role of information security in enabling this.
This Policy Document encompasses all aspects of security surrounding Company Confidential
Information and must be distributed to all Company employees, partners, contractors, vendors
and visitors ("Persons"). All such Persons must read this document in its entirety and sign
the Acknowledgement Form confirming they have read and understand this policy fully.
This document will be reviewed and updated by the Information Security Committee on an annual
basis, or whenever relevant, to incorporate newly developed security standards into the policy, and
will then be distributed to all Persons as applicable.
Any questions regarding this policy should be directed to the Security
Committee or infosec@lucidmotors.com.
3. Purpose
This information security policy defines the framework within which information security will
be managed across the Company and demonstrates management direction and support for
information security throughout the organization. This policy is the primary policy under which
all other technical and security related policies reside. Section 12 provides a list of all other
policies and procedures that support this policy.
The aims of this policy are to:
▪ establish and maintain the security and confidentiality of information, information
systems, applications and networks owned or operated by the Company.
▪ establish a general approach to information security
▪ detect and forestall the compromise of information security such as misuse of data,
networks, computer systems and applications.
▪ protect the reputation of the Company with respect to its ethical and legal responsibilities.
4. Scope
The scope of information security includes the protection of the confidentiality, integrity and
availability of information and applies to all Company Persons with access to protected
information in any form.
The technology and information assets of the company are made up of the following
components:
• Computer Hardware: laptops, desktops, servers, storage systems, email systems, websites,
application servers, external hard drives, etc.
• System Software, including: operating systems, database management systems, backup
and restore software, communications protocols, etc.
• Application Software: used by the various departments within the Company. This
includes custom written software applications, and commercial software packages
including SaaS (Software as a Service) applications.
• Communications Network hardware and software including: routers, routing tables,
hubs, modems, multiplexers, switches, firewalls, private lines, and associated network
management software and tools.
• Data: all data contained, stored or processed within Lucid hardware and software, or in
SaaS/hosted services consumed by Lucid or its workers. This includes but is not limited
to documents, databases, configuration files, reference material and other data.
5. Acceptable Use Policy
The Committee's intention in publishing an Acceptable Use Policy is not to impose
restrictions that are contrary to the Company’s established culture of openness, trust and
integrity. The Committee is committed to protecting Persons and the Company from illegal or
damaging actions by individuals, whether committed knowingly or unknowingly. The Company will maintain
an approved list of technologies and devices, and of personnel with access to such devices, as
detailed in the Acceptable Use Policy.
6. Information Security Policy
Company Persons handle sensitive information as part of their assigned responsibilities.
Sensitive information must have adequate safeguards in place to protect it, to protect privacy,
to ensure regulatory compliance and to guard the future of the organization. The Company
commits to respecting the privacy of all its Persons and customers and to protecting any data
about partners and outside parties. To this end, the Committee is committed to maintaining a
secure environment in which to process information so that these promises can be met.
Persons handling Company data should:
▪ Handle Company Persons' and customer information in a manner that fits its
sensitivity;
▪ Limit personal use of Company information and telecommunication systems and
ensure it does not interfere with their job performance;
▪ Not use e-mail, the internet or other Company resources to engage in any action that is
offensive, threatening, discriminatory, defamatory, slanderous, pornographic, obscene,
harassing or illegal;
▪ Not disclose personnel information without explicit authorization from Senior
Management of Human Resources;
▪ Keep passwords and accounts secure;
▪ Request approval from IT prior to establishing any new software or hardware, third party
connections, etc.;
▪ Not install unauthorized software or hardware, including modems and wireless access
points, without explicit Committee approval;
▪ Always leave desks clear of sensitive data and lock computer screens when unattended;
▪ Report information security incidents, without delay, to the individual
responsible for incident response locally, in accordance with the Data Breach Response Policy.
The Company reserves the right to monitor, access, review, audit, copy, store, or delete any
electronic communications, equipment, systems and network traffic for any purpose.
All Company Persons have a responsibility for ensuring the Company’s systems and data are
protected from unauthorized access, improper use, theft and destruction. If you are unclear about
any of the policies detailed herein, you should seek advice and guidance by contacting the
Security Committee or infosec@lucidmotors.com.
7. Disciplinary Action
Violation of the standards, policies and procedures presented in this document by any Person
will result in disciplinary action, ranging from warnings or reprimands up to and including termination of
employment. Claims of ignorance, good intentions or poor judgment will not be accepted as
excuses for non-compliance.
8. Protect Stored Data
All sensitive information stored and handled by the Company and Persons must be securely
protected against unauthorized use at all times. Any sensitive data that is no longer required by
the Company for business reasons must be discarded in a secure and irrecoverable manner.
9. Information Classification
The following table provides a summary of the information classification levels that have been
adopted by Lucid Motors and which underpin the principles of information security defined in
the Information Security Policy. These classification levels incorporate regulatory guidelines and
are designed to cover both primary and secondary research data.
9.1 Confidential
9.1.1 - Confidential information has significant value for the Company, and unauthorized
disclosure or dissemination could result in severe damage to the Company.
9.1.2 - Only those who explicitly need access must be granted it, and only to the least degree
in order to do their work (the ‘need to know’ and ‘least privilege’ principles).
9.1.3 - When held outside the Company, on mobile devices such as laptops, tablets or
phones, or in transit, ‘Confidential’ information must be protected behind an explicit logon
and by AES 256-bit encryption at the device, drive or file level, or by other controls that
provide equivalent protection. Examples: IP, sensitive personal information ("SPI"),
financials, and "need to know" technical information and specifications.
9.2 Restricted
9.2.1 - Restricted information is open to groups of Persons within the Company. It is subject
to controls on access, such as only allowing valid logons from groups of authorized Persons,
but it does not have the stricter controls required for ‘Confidential’ information.
9.2.2 - Restricted information must be held in such a manner that prevents unauthorized
access, i.e. on a system that requires a valid and appropriate user to log in before access is
granted.
9.2.3 - Examples of information falling into this category are names, email addresses, phone
numbers and photos. Information you may want to share with coworkers, but not with the general
public at large, falls into this category. If information does not fit into the ‘Confidential’ or
‘Public’ categories, then it is ‘Restricted’ information.
9.2.4 - Public disclosure or dissemination of this information shall not occur, and may incur
fines and negative publicity for the Company.
9.3 Public
9.3.1 - ‘Public’ information can be disclosed or disseminated without any restrictions on
content, audience or time of publication. Disclosure or dissemination of the information
must not violate any applicable laws or regulations, such as privacy rules. Modification
must be restricted to individuals who have been explicitly approved by information owners
to modify that information, and who have successfully authenticated themselves to the
appropriate computer system.
10. Protect Data in Transit
All sensitive data must be protected securely if it is to be transported physically or electronically.
Written business justification and authorization must be obtained from the Committee before
transporting any sensitive data outside the Company. Information provided to third
party business partners must be controlled and governed by officially executed non-disclosure
agreements.
The means by which data is transported, electronically or physically, must be controlled by the IT
department.
Physical transportation of media containing sensitive data to another location must be authorized
by management, logged and inventoried before leaving the premises. Only secure courier
services may be used for the transportation of such media. The status of the shipment should be
monitored until it has been delivered to its new location.
11. System and Password Policy
All Persons with access to Company systems are responsible for taking the appropriate steps,
as outlined in the Password Protection Policy, to select and secure their passwords.
12. Related Policies and Processes
• Acceptable Use Policy
• Data Breach Response Policy
• Email Policy
• Password Protection Policy
13. Definitions and Terms
Persons - Persons means any employees, contractors, vendors, guests or service providers that
have access to information or email systems.
Lucid Motors - Lucid Motors means Atieva USA inc. and its affiliates.