General principles of information security
Information Security Policy
This Policy pursues the adoption, implementation and continued operation of actions aimed at preserving the basic components of information security:
- Confidentiality: Ensure that only duly authorized persons have access to data and systems.
- Integrity: Ensure the accuracy of information and systems against alteration, loss, or destruction, whether accidental or intentional.
- Availability: Ensure that information and systems can be used in the manner and time required.
- Resilience: Ensure the organization's ability to withstand and recover from disasters and disruptions. This involves continuous learning from critical situations, so that the organization recovers from them under reinforced conditions.
- The Policy applies to all phases of the information lifecycle: generation, distribution, storage, processing, transportation, access, and destruction, and to the systems that process it: analysis, design, development, implementation, operation, and maintenance.
- Information security is the responsibility of all ECIX TECH staff. Therefore, this Policy must be known, understood, and adopted by all levels of the organization. The Policy must be reliably communicated throughout the organization, both to its own staff and to external collaborating companies, and be available to interested parties.
- Relationships with third-party collaborators must always be covered by the corresponding service provision contracts, including clauses guaranteeing the use and processing of information.
1.1 APPLICATION OF THE SECURITY POLICY
In order to apply the principles outlined in this policy, the definition, development, implementation, and maintenance of Strategic Security Plans is required. The development of Strategic Security Plans must be accompanied by formal risk analysis and management processes that allow for the implementation of appropriate solutions.
At the operational level, ECIX TECH will develop its own security procedures, standards, and guides to ensure the integrity, confidentiality, availability, and resilience of the information.
The necessary security management processes in line with the ISO 27001 standard and the National Security Scheme will be implemented to ensure effective and efficient monitoring of security actions, as well as review and improvement processes of security projects and defined countermeasures.
1.2 LEGAL COMPLIANCE
Due to the nature and purpose of the business of ECIX TECH, compliance with higher-ranking standards (laws, regulations and legal provisions) must be observed. When applicable, these will take precedence over the guidelines of this information security policy:
- General and/or deontological standards of ECIX TECH.
- Spanish regulations governing this activity.
- Spanish standards originating from supranational organizations of which Spain is a member.
- Community and/or non-Community regulations, depending on the areas of service provision by ECIX TECH.
1.3 CLASSIFICATION AND PROCESSING OF INFORMATION
All information must be classified according to its importance to the organization and must be treated accordingly, in accordance with the regulations on the classification and processing of information.
1.4 TRAINING AND AWARENESS RAISING
The most effective way to improve security is through ongoing training and its incorporation into the workplace.
The training plans will include specific information security courses tailored to the target area: management, technicians, administrators, and system users. Security awareness campaigns will also be conducted for all staff and suppliers using the most effective means.
1.5 AUDIT
Information systems will be periodically audited internally and externally to verify the proper functioning of security plans, determine compliance levels, and recommend corrective measures, thereby achieving continuous improvement.
Update date: August 7, 2024.
