Personal data protection and information security policy

1. Mission and objectives of the Information Security Policy

The fundamental objective of the establishment of the Information Security Policy by Bosonit is the definition of a solid foundation on which both internal employees and third parties can carry out their work activities in the environments offered by the organization in a safe and reliable manner.

Through this policy, Bosonit demonstrates its ongoing awareness of information security, committing itself to ensuring the protection of the services offered by the organization, as well as all the information inherent to them, reducing the risks to which they are subjected to an acceptable level.

To this end, the strategic alignment of information security management with international standards and existing legislative regulations in this area is sought.

In order to achieve the above, Bosonit establishes the following general objectives in the area of information security:

1. - To contribute, through security management, to the fulfillment of the mission and objectives established by Bosonit.
2. To have the necessary control measures in place to guarantee compliance with the legal requirements that are applicable as a consequence of the activity carried out, especially in relation to the protection of personal data and the provision of services through electronic or telematic means.
3. To ensure the confidentiality, integrity, availability, authenticity, traceability and accessibility of information.
4. Ensure the continued provision of services, both preventively and reactively in the face of security incidents.
5. Protect Bosonit's information assets, as well as the technology that supports them, against any threat, whether intentional or accidental, internal or external, in order to ensure their confidentiality, integrity and availability.

This Security Policy ensures a continuous and clear commitment from Bosonit to the dissemination and consolidation of a culture of security.

2. Scope

This Security Policy shall apply to all Bosonit information and the systems that support it. For these purposes, Bosonit is understood to be:

• Bosonit S.L. with offices at Avda. Gran Vía, 18 Mezzanine and 1st Floor.

Extending the scope of the systems provided by Bosonit to the following organizations:

1. Elliot Cloud S.L. with office at Portales, 71.
2. Graphenus Big Data Solutions S.L. with Office at Avda. Gran Vía 18, 9th Floor.
3. DocExploit S.L. with office at Portales, 71.
4. Appolow S.L. with office at Portales, 71.
5. Bitkeeper Solutions S.L. with office at Portales, 71

All the companies named above will be referred to as “the companies”.

3. Regulatory Framework

The legislation on information security that should be used as a reference is updated continuously and is reflected in the “Annex: Applicable Legislation”, it can also be reviewed on the CCN website in the section dedicated to the National Security Scheme on regulations and regulatory framework.

4. Organization of security

The security of the companies' information will be managed by an Information Security Committee, made up of the following roles:

Company Information Security Committee

The Information Security Committee is the body that centralizes the management of information security in the organization.

When justified by complexity, the physical separation of its elements or the number of users of the electronic information, or of the systems that handle it, delegated Security Committees may be created, functionally dependent on the main Information Security Committee, which will be responsible in their area for the actions delegated to them.

The Information Manager

The Information Manager shall be the person with sufficient competence to decide on the purpose, content and use of said information and shall determine, within the established framework that regulates the National Security Scheme in the field of Electronic Administration, the security requirements of the information processed. To this end:

a. Determine the security levels of the information processed, assessing the impacts of incidents affecting information security, in accordance with the framework regulating the National Security Scheme. b. Carry out, together with the Service Managers and the Security Manager, the mandatory risk analyses, and select the safeguards to be implemented.

c. They will accept the residual risks with respect to the information calculated in the risk analysis.

d. They will carry out the monitoring and control of the risks, with the participation of the Security Manager.

The Service Manager(s)

The person/s responsible for the service/s shall be the person with sufficient competence to decide on the purpose and provision of said service and shall determine the security requirements of the services provided within the established framework that regulates the National Security Scheme in the field of Electronic Administration. To this end:

a. Together with the Information and Security Officers, they shall carry out the mandatory risk analyses and select the safeguards to be implemented.

b. They shall accept the residual risks with respect to the information calculated in the risk analysis.

c. They shall monitor and control the risks, with the participation of the Security Officer.

d. In agreement with the Head of Information and the Head of Security, they shall suspend the provision of an electronic service or the handling of certain information if informed of serious security deficiencies.

The Head of Security

The Head of Security shall be the person who shall determine the decisions to satisfy the security requirements of the information and the services. They shall have the following functions:

a. Assume the functions included within the framework that regulates the National Security Scheme in the field of Electronic Administration.

b. Propose to the Head of Service the determination of security levels in each security dimension whenever requested.

c. Carry out or promote periodic audits to verify compliance with information security obligations.

d. Monitor and control the security status of information systems.

e. Propose security standards and procedures to the Security Committee.

When justified by the complexity, physical separation of its elements or the number of users of the information in electronic form, or of the systems that handle it, “delegated security officers” may be appointed

delegated security officers” may be appointed, reporting functionally to the main officer, who will be responsible in their area for the actions delegated to them.

The Systems Manager

The Systems Manager16 will be appointed by the management of the organization and their position will be included in the Information Security Policy of the organization. They will have the following functions:

a. Develop, operate and maintain the information system throughout its life cycle, including its specifications, installation and verification of its correct functioning.

b. Define the topology and management of the information system, establishing the criteria for its use and the services available in it.

c. Ensure that security measures are properly integrated into the overall security framework.

The System Manager may propose the suspension of the processing of certain information or the provision of a particular service if he or she detects serious security deficiencies that could affect the fulfillment of the established requirements. The final decision, which will be made by the management of the entity, must be agreed upon with those responsible for the information and services affected and the Security Manager.

In certain information systems which, due to their complexity, distribution, physical separation of their elements or number of users, require additional personnel to carry out the functions of System Manager, each organization may designate as many Delegate System Managers as it deems necessary. The designation corresponds to the System Manager, who delegates functions, not responsibility.

The Delegate System Managers will be responsible, within their area of competence, for all those actions delegated by the System Manager related to the operation, maintenance, installation and verification of the correct functioning of the information system. It is common for these figures to be in charge of information subsystems of a certain size or of information systems that provide horizontal services.

Each Delegate System Manager will maintain a direct functional dependency on the System Manager, to whom they will report.

The Management System Manager

The Management System Manager is responsible for:

• Preparing the Information Security Policy for approval by Management.
• Formally approving ISMS policies, regulations, procedures and standards.
• Carrying out the risk analysis and assessment process on assets.
• Monitoring the main residual risks assumed by the Organization and recommending possible actions regarding them.
• Define and update policies, rules, procedures and standards defined in the ISMS and promote their use.
• Advise on the application of the methodology for the maintenance of contingency and business continuity plans.
• Promote the continuous improvement of the information security management system.
• Coordinate the efforts of the different areas in terms of information security, to ensure that the efforts are consistent, aligned with the approved risk management strategy, and avoid duplication.
• Formally approve ISMS policies, rules, procedures and standards.
• Monitor the performance of security incident management processes and recommend possible actions regarding them. In particular, ensure the coordination of the different security areas in the management of information security incidents.
• Ensure compliance with legal, regulatory and sectoral regulations.
• Coordinate the continuity plans of the different areas to ensure seamless action in the event that they need to be activated.
• Opening, documenting and studying non-conformities, corrective actions and preventive actions.
• Coordinating the continuity plans of the different areas to ensure seamless action in the event that they need to be activated.
• Monitor the indicators.

The Management Representative

Has maximum responsibility for the company's Security, covering, among other aspects, Information Security, ensuring the company's commitment to security and its proper implementation, management and maintenance.

All these roles will be designated in the documents establishing the Information Security Committee.

5. Awareness and Training

In the eagerness of companies to ensure the correct implementation of a Security Management System, they are committed to maintaining the level of awareness and training of both their internal employees and their collaborators/external collaborators in the area of information security, thus avoiding the security risks inherent to their lack of knowledge.

6. Risk Management Methodology

All systems subject to this Policy must undergo risk analysis and management, evaluating the assets, threats and vulnerabilities to which they are exposed and proposing appropriate countermeasures to mitigate the risks. Although continuous monitoring of changes made to the systems is required, this analysis will be repeated:

• At least once a year (through formal review and approval).
• When the information handled changes
• When the services provided change
• When a serious security incident occurs
• When serious vulnerabilities are reported

For the harmonization of risk analyses, a baseline assessment will be established for the different types of information handled and the different services provided.

7. Classification of information

Companies shall classify and inventory information assets according to their nature. The level of protection and the measures to be applied shall be based on the result of this classification.

8. Personal data

When a system affected by the National Security Scheme handles personal data, the provisions of European Regulation 679/2016 on data protection and Organic Law 3/2018, of December 5, on the Protection of Personal Data and its implementing regulations shall apply, without prejudice to the requirements established in the regulatory framework of the National Security Scheme in the field of Electronic Administration.

All information systems will comply with the security levels required by personal data protection regulations.

9. Conflict resolution

In the event of a conflict between the different managers that make up the organizational structure of the Information Security Policy, it will be resolved by Bosonit Management, and the highest demands derived from the protection of personal data will prevail.

10. Relations with third parties

When Bosonit provides services or transfers information to third parties, they will be made participants in this Information Security Policy and in the derived rules and instructions.

Likewise, when Bosonit uses third-party services or transfers information to third parties, they will also be made participants in this Information Security Policy and in the security regulations and instructions pertaining to said services or information. Third parties will be subject to the obligations and security measures established in said regulations and instructions, and may develop their own operating procedures to comply with them. Specific procedures for incident detection and resolution will be established. It will be ensured that third-party personnel are adequately aware of information security, at least to the same level as that established in this Information Security Policy.

Specifically, third parties must guarantee compliance with the information security policy based on auditable standards that allow verification of compliance with these policies. Likewise, it will be guaranteed by means of an audit or certificate of destruction/deletion that the third party will cancel and eliminate the data belonging to Bosonit at the end of the contract.

When some aspect of the Information Security Policy cannot be satisfied by a third party, a report will be required from the Information Security Manager specifying the risks incurred and how to deal with them. Approval of this report by the Information Manager and the affected Services will be required before proceeding.

11. Staff obligations

All personnel with responsibility for the use, operation or administration of information and communications technology systems have the obligation to know and comply with this Information Security Policy and the derived security regulations, regardless of the type of legal relationship that binds them to the companies.

All persons will receive training in the safe handling of the systems to the extent that they need it to carry out their work.

The Security Policy will be accessible to all personnel who provide their services in the bodies and entities referred to in the section on 'Scope'.

With the aim of promoting a 'Culture of Security', the Information Security Committee will promote a continuous awareness program to train all personnel.

Failure to comply with the Security Policy and its implementing regulations will result in the establishment of preventive and corrective measures aimed at safeguarding and protecting networks and information systems, without prejudice to the corresponding requirement for disciplinary responsibility.

12. Review of the policy

In relation to the revisions that may be made to the wording of the text that constitutes the information security policy, two types of activities will be distinguished:

• Periodic systematic reviews: These should be carried out when incidents are detected or changes in the legal framework that may question the validity of the Policy. The review of the Information Security Policy should guarantee that it is aligned with the strategy, mission and vision of the companies in terms of information security and that it ensures compliance with the established control objectives.

Periodic reviews should be carried out at least annually.

• Unplanned reviews: These reviews should be carried out in response to any security event or incident that could significantly increase the current level of risk or have an impact on the security of company information.

13. Instruments for the development of the Security Policy

A regulatory framework for information security is established, structured at different levels so that the objectives set out in this document are specifically developed.

The security policy will structure its regulatory framework at the following levels:

1. The present Information Security Policy, which establishes the global protection requirements and criteria.
2. The security standards that define what needs to be protected and the desired security requirements. The set of all security standards must cover the protection of all the organization's information system environments. They establish a set of expectations and requirements that must be met in order to satisfy and fulfill each of the security objectives established in the policy. They are proposed by the Security Manager and approved by the Information Security Committee.
3. The security procedures describe in concrete terms how to protect what is defined in the standards and the people or groups responsible for implementing, maintaining and monitoring their level of compliance. These are documents that specify how to carry out the usual tasks, who should do each task and how to identify and report abnormal behavior.

Their approval will depend on their scope of application, which may be in a specific area or in a particular information system.

In addition, guidelines with recommendations and good practices may be established.

As far as possible, all this documentation will be managed according to the current procedure for the Control of documents and records in companies, which will aim to establish the criteria for the control of the documentation and security records used in the Information Security Management System and which extends to all the documentation that supports compliance with the National Security Scheme.

14. Information security management

14.1 Objectives and measurement

The general objectives for the information security management system are as follows:

to create a better market image and reduce the damage caused by potential incidents; the goals are in line with the commercial objectives, with the strategy and the business plans of the organization. The person in charge of the technical office of information security is responsible for reviewing these general objectives of the ISMS and for establishing new ones.

The objectives for individual security controls or groups of controls are proposed by the head of the technical information security office and are approved by the security committee in the Statement of Applicability.

All objectives must be reviewed at least once a year.

BOSONIT will measure compliance with all objectives. The head of the technical information security office is responsible for defining the method for measuring compliance with the objectives; measurement will be carried out at least once a year and the head of the technical information security office will analyze and evaluate the results and report them to the security committee as material for review by the Management.

14.2 Information security requirements

This Policy, and the entire ISMS, must comply with the legal and regulatory requirements that are important for the organization in the field of information security, as well as with contractual obligations.

A list of contractual and legal requirements is detailed in the List of legal, regulatory and contractual obligations.

14.3 Information security controls

The process of choosing controls (protection) is defined in the risk assessment and treatment methodology.

The selected controls and their implementation status are detailed in the Statement of Applicability.

14.4 Responsibilities

The responsibilities for the ISMS are as follows:

• The security committee is responsible for ensuring that the ISMS is implemented and maintained in accordance with this Policy and for ensuring that all necessary resources are available.
• The person in charge of the technical office for information security is responsible for the operational coordination of the ISMS, as well as for reporting on its performance.
• Senior management must review the ISMS at least once a year or whenever a significant change occurs; and minutes of these meetings must be taken. The purpose of management reviews is to establish the suitability, adequacy and effectiveness of the ISMS.
• The human resources department, in collaboration with the head of the technical information security office, will implement training and awareness programs for employees on information security.
• The protection of the integrity, availability and confidentiality of assets is the responsibility of the owner of each asset.
• All security incidents or weaknesses must be reported to the head of the technical information security office.
• The security committee will define what information related to information security will be communicated to which interested party (both internal and external), by whom and when.
• The human resources department is responsible for adopting and implementing the Training and Awareness Plan, which corresponds to all persons who have a role in information security management.

14.5 Communication of the Policy

The human resources department must ensure that all BOSONIT employees, as well as the corresponding external participants, are familiar with this Policy.

15. Support for the implementation of the ISMS

The security committee hereby declares that the implementation and continuous improvement of the ISMS will be supported by adequate resources to achieve all the objectives established in this Policy, as well as to comply with all the identified requirements.

16. Validity and document management

This document is valid until 31/12/2025.

The owner of this document is the head of the information security technical office, who must verify, and if necessary update, the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria must be taken into account:

• The number of employees and external participants who have a role in the ISMS but are not familiar with this document.
• Non-compliance of the ISMS with laws and regulations, contractual obligations and other internal documents of the organization.
• Ineffective implementation and maintenance of the ISMS.
• Ambiguous responsibilities for the implementation of the ISMS.