Security, Data Protection and Management Systems Policy

Scope

This policy applies to:

All information managed by the Company, regardless of format, including digital, physical, or oral information.
All employees, contractors, suppliers, and third parties who have access to the Company’s systems, networks, data, and/or facilities.
The processes, systems, and applications that interact with the services, as well as the Company’s IT processes.

Mission and objectives of the organization

The mission of the Company is:

To foster an environment where every employee feels valued, inspired, and empowered to reach their full potential, contributing to Hard2bit’s success and sustainable growth. To provide services, technological solutions, and management capabilities that help and enable our customers to proactively prevent and resolve challenges related to information security and other areas of IT governance.

In line with the Company’s mission, the following main objectives have been defined. These objectives constitute the reference framework for the development and alignment of the specific objectives of its management systems:

Information Security

To protect the availability, integrity, confidentiality, authenticity, and traceability of the Company’s information and that of its interested parties, as well as legal compliance, ensuring that assets and services are protected against incidents and vulnerabilities, promoting a secure and trustworthy environment for all interested parties, and continuously improving the management system.

IT Service Management

To plan, implement, deliver, support, and continuously improve IT services and the associated management system, complying with relevant policies, rules, standards, legal, regulatory, and contractual requirements, with the aim of meeting and exceeding customer expectations.

Quality

To deliver what we promise, doing it right the first time, within the agreed timeframes, continuously improving, and creating a memorable experience for our customers.

Business Continuity

To establish and maintain effective plans that ensure the Company’s ability to operate during and after disruptive incidents, minimizing the impact on operations and preserving stakeholder confidence.

Environmental Management

To reduce the environmental impact of activities through the implementation of sustainable and responsible practices, ensuring compliance with applicable environmental legislation and other commitments undertaken by the organization.

Likewise, the Company is committed to implementing and maintaining the continuous improvement cycle for management systems and services (Plan, Do, Check, Act - PDCA), ensuring their effectiveness through strategic planning, controlled execution of activities, monitoring and evaluation of results, and the adoption of corrective and continuous improvement measures.

Regulatory framework under which security activities are carried out

Responsibilities related to information security, taking into account the nature of the Company’s activities, are developed under the following regulatory framework:

Regulatory framework
Regulation (EU) 2016/679 (General Data Protection Regulation).
Organic Law 3/2018 on Personal Data Protection and guarantee of digital rights (LOPDGDD).
Spanish Intellectual Property Law, approved by Royal Legislative Decree 1/1996 of 12 April, and subsequent amendments.
Law 24/2015 of 24 July on Patents.
Law 17/2001 of 7 December on Trademarks.
Regulation (EU) 2024/1689 on Artificial Intelligence.
Law 34/2002 on Information Society Services and Electronic Commerce.
Regulation (EU) 2024/2847 on Cyber Resilience (CRA), regarding horizontal cybersecurity requirements for products with digital elements.
Article 5.2 of Order TAS/2307/2007.
Spanish Workers’ Statute (Article 34.9 of Royal Legislative Decree 2/2015).
Organic Law 3/2018 of 5 December (entry into force: 7 December 2018).
Spanish Commercial Code (Article 30).
General Tax Law (Law 58/2003 of 17 December).
Royal Decree 486/1997 of 14 April establishing minimum health and safety provisions in workplaces.
Resolution of 27 March 2018 of the Secretariat of State for Public Function, approving the Security Audit Technical Instruction for Information Systems.

Roles and functions, defining for each one their duties and responsibilities, as well as the procedure for their appointment and renewal

The following structure ensures the systematic integration of the Company’s business strategy in relation to information security:

Source: Spanish National Cryptologic Centre (CCN).

The positions designated to occupy the security structure roles are:

Role	Assigned position
Head of entity	CEO
Security, data protection, and crisis committee	CEO / Information Owner / Service Owner / Data Protection Officer
Information Owner	CEO
Service Owner	Service group owners
Security Officer	Operations Director
System Owner	Owner of Service Group 2
Owner of other systems	CEO
System administrator	Owner of Service Group 3
Data Protection Officer	Operations Director

The management and supervision of information security are covered by the following roles and assigned positions:

Role	Scope of responsibility
Entity Management	Ultimate responsibility for the development of the entity’s competencies, including information security. Defining strategic courses of action. Leading the organization’s activity. Managing internal and external relations. Approving the Information Security Policy and the Data Protection Policy. Providing adequate resources to achieve the proposed security objectives.
System security administrator	Acting as delegate of the System Owner or Security Officer. Maintaining the updated list of authorized users. Configuring the operating system, applications, workstations, servers, and network components of the system.
Data Protection Officer	Complying with Article 37 GDPR and carrying out the tasks set out in Article 39 GDPR. Advising the Controller or Processor on risk analyses and data protection impact assessments. Issuing opinions regarding data protection requirements in the information system where personal data are processed. Considering the size and resources of the Company, it may be acceptable to appoint as Data Protection Officer the person who performs the functions of Security Officer, provided that the GDPR training and qualification requirements are met and the necessary independence and absence of conflicts of interest are guaranteed.
Information Owner	Determining the security requirements of the information processed according to ENS parameters and the Company’s management systems. Carrying out security category assessments and subsequent modifications where applicable. Receiving information on incidents and the actions taken to resolve them. Determining the criteria for assigning and modifying the security level required for each information asset.
Service Owner	Determining the requirements of the services provided. Carrying out security category assessments and subsequent modifications where applicable. Being informed of incidents and of the actions taken to resolve them.
Security Officer	Determining the decisions required to satisfy the security requirements of information and services. Formalizing and approving the measures selected in the Statement of Applicability. Analyzing first-, second-, or third-party audit reports and presenting conclusions to the System Owner and the Committee. Determining the system security category based on the assessments made by the Information Owner and Service Owner. Explicitly approving changes involving high-level risk before implementation. Gathering the data protection requirements set by the controller or processor with advice from the DPO. Knowing the AI system before implementation in order to assess security risks and carry out the necessary supervisory actions. Acting as Secretary of the Security Committee.
Outsourced Security Officer	Performing Point of Contact (POC) functions or delegating them to a person in direct communication with that area. Channeling and supervising compliance with the security requirements of the service provided or solution supplied. Ultimate responsibility remains with the recipient entity of the services.
System Owner (Information Security)	Developing the specific way in which security is implemented in the system and supervising its daily operation. Adopting appropriate corrective measures derived from audit reports. In high-category systems, and depending on the seriousness of the deficiencies found, temporarily suspending the processing of information, the provision of services, or the total operation of the system until proper remediation or mitigation is achieved.
Owner of other Management Systems	Operating the business continuity, quality, and environmental management systems.
Physical Security Officer	Adopting the security measures within their remit, as determined by the Information Security Officer, and informing the latter of their level of implementation, effectiveness, and incidents. When holding the appropriate qualifications or training, performing the functions of Security Officer and Liaison in organizations that are also considered Critical Infrastructures.
Personnel Management Officer	Implementing the security measures within their remit, as determined by the Information Security Officer, and informing the latter of their level of implementation, effectiveness, and incidents.

With regard to the appointment and renewal of roles, Senior Management shall evaluate the candidates and decide on their appointment or continuity on a biennial basis, taking into account performance criteria, suitability for the organization’s strategic needs, changes in the regulatory and technological context, as well as the evolution of identified risks and opportunities.

This assessment shall also:

Verify the competence and continuous qualification of the persons involved.
Ensure that assigned roles maintain independence, impartiality, and the absence of conflicts of interest.
Guarantee alignment with the requirements established by applicable standards and regulations, such as ENS, ISO/IEC 27001, GDPR, and other management system standards and criteria established by the Company.
Formally document the decisions adopted, ensuring traceability and effective communication to all interested parties.

The Company shall process personal data under its responsibility in compliance with the following data protection and information security principles

Lawfulness, fairness, and transparency

Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subjects.

Lawful basis for processing

Personal data shall only be processed where the processing is supported by one of the lawful bases set out in Articles 6 and 9 of the GDPR.

Purpose limitation

Personal data shall be used only for specific, explicit, and legitimate purposes and shall not be processed in a manner incompatible with those purposes.

Data minimization

It shall be ensured that personal data are adequate, relevant, and limited to what is strictly necessary for the purposes of the processing.

Accuracy

Personal data shall be accurate and, where necessary, kept up to date. Reasonable steps shall be taken to erase or rectify without delay any inaccurate data in relation to the purposes for which they are processed.

Storage limitation

Data shall be stored only for as long as necessary for the purposes that justified the processing, while respecting applicable legal retention periods.

Integrity and confidentiality

Personal data shall be protected against unauthorized access, unlawful processing, loss, accidental destruction, or damage through the application of appropriate technical and organizational measures. In addition, all personnel involved in the processing shall be subject to a duty of confidentiality, including after the end of their relationship with the Company.

Accountability

The Company shall be responsible for ensuring compliance with these principles, adopting technical and organizational measures that demonstrate its commitment and compliance with the GDPR.

Respect for data subject rights

Procedures shall be implemented to ensure that affected persons may exercise, where appropriate, their rights of access, rectification, erasure, objection, restriction of processing, and portability of their personal data.

Data protection by design and by default

Data protection and information security shall be integrated from the earliest stages of any project, ensuring compliance with GDPR requirements and the protection of data subjects’ rights.

Record of processing activities

An updated record of processing activities under the Company’s responsibility shall be maintained in compliance with Article 30 GDPR.

Security breach management

The Company shall adopt the necessary measures to notify the Spanish Data Protection Agency of any personal data breach, following the established procedure and in accordance with Article 33 GDPR. Likewise, in the cases provided for in Article 34 GDPR, affected data subjects shall be informed of security breaches that may compromise their personal data.

Structure and composition of the committee or committees for the management and coordination of security, detailing their scope of responsibility and relationship with other elements of the organization

The structure and composition of the Security, Data Protection and Crisis Committee are as follows:

Committee	Responsibility
Security, Crisis and Data Protection Committee	It shall be composed of all those persons within the entity who participate in the responsibility, definition, or implementation of the security of the information processed or the services provided, including the Head of the entity or delegated person, who shall chair the Committee, the Information Owner, Service Owner, Security Officer, System Owner, Data Protection Officer, and representatives from other affected areas of the organization. Aligning all organizational activities related to security, with particular attention to physical and asset security, information security, compliance, and contingency plans. Acting as the legally responsible body. Specifying needs and requirements. As it is not a purely technical committee, it may obtain from internal or external technical personnel the information necessary for decision-making or advice, and arrange specialized training on the subject. It may also rely on specialized working groups, whether internal, external, or mixed.

Committee

Responsibility

Security, Crisis and Data Protection Committee

It shall be composed of all those persons within the entity who participate in the responsibility, definition, or implementation of the security of the information processed or the services provided, including the Head of the entity or delegated person, who shall chair the Committee, the Information Owner, Service Owner, Security Officer, System Owner, Data Protection Officer, and representatives from other affected areas of the organization.
Aligning all organizational activities related to security, with particular attention to physical and asset security, information security, compliance, and contingency plans.
Acting as the legally responsible body.
Specifying needs and requirements.
As it is not a purely technical committee, it may obtain from internal or external technical personnel the information necessary for decision-making or advice, and arrange specialized training on the subject. It may also rely on specialized working groups, whether internal, external, or mixed.

Guidelines for the structuring of system security documentation, its management, and access

The structuring of the Company’s documentation is organized at the following levels:

Likewise, the Company has a SharePoint-based document management system governed by the policies and procedures established in the document “PE01 – Preparation, storage, and document control” regarding the drafting, approval, retention, structure, and access to documents belonging to the Company’s management systems. Among other matters, this ensures the registration of watermarks in physical and digital documentation in order to promote the proper use of the information handled.

Risks arising from the processing of personal data

Responsibility for monitoring risks lies with their owners, without prejudice to the fact that this function may be delegated on a day-to-day basis. For the purposes of the management system, the risk owners are:

The Information Owner is the owner of risks relating to information.
The Service Owner is the owner of risks relating to services.

The most relevant risks in relation to the processing of personal data are described below:

Unauthorized access: risk that unauthorized persons access sensitive information.
Unauthorized disclosure: leakage or improper exposure of personal information.
Regulatory non-compliance: legal or reputational sanctions for failure to comply with regulations such as the GDPR.
Privacy risks: infringement of the rights and freedoms of data subjects, such as misuse of data or loss of confidentiality.

To control these risks, the Company shall carry out continuous monitoring and periodic reassessments of the implemented measures and the overall state of security, in accordance with the following principles:

Risk management

Coordinated activities shall be performed to identify and assess associated risks, in order to manage them and reduce them to acceptable levels. This shall be achieved through the implementation of appropriate security measures. These actions shall be carried out annually or whenever significant changes occur in information systems or in the processing of personal data.

Proportionality

Protection, detection, and recovery measures shall be applied in proportion to the identified risks, considering the criticality and value of the information, the personal data processing activities, and the affected services.

Verification process

A regular mechanism shall be established to verify, assess, and analyze the effectiveness of the implemented technical and organizational measures in order to maintain security.

People-centered security

Mechanisms shall be adopted to ensure that all persons with access to information assets and personal data understand their responsibilities, minimizing risks arising from misuse.

Physical security

Information assets shall be located in protected areas equipped with physical access controls appropriate to their criticality. These assets shall be protected against physical or environmental risks through suitable measures.

Communications and operations management

Procedures shall be implemented to ensure secure and efficient management of information and communication technologies, ensuring the adequate protection of information transmitted over networks according to its sensitivity and criticality.

Access control

Access to information assets shall be limited to authorized users, processes, and systems through appropriate identification, authentication, and authorization mechanisms. In addition, access logs shall be maintained to ensure traceability and allow audits of their use.

Security throughout the life cycle of information systems

Security shall be a key aspect in all phases of the development, acquisition, and maintenance of information systems, ensuring protection by default.

Security incident management

Mechanisms shall be established to identify, record, resolve, and notify security incidents in accordance with applicable regulations.

Protection

A system for detection of and response to malicious code shall be established.

Business continuity

Measures shall be implemented to ensure the availability of information systems and the continuity of critical business processes, in line with the service levels required by users.

Regulatory compliance

Necessary measures shall be adopted to ensure compliance with current legal regulations on information security and personal data protection, as well as the framework based on Spanish and European standards. To this end, the Company has a procedure for identifying applicable legislation and permanently updating a register where references to such updated standards are maintained.

Incident notification

Procedures shall be implemented to ensure the notification of incidents to the competent authorities in accordance with the applicable regulations.

Security audits

An annual audit shall be carried out to assess the effectiveness of technical and organizational measures, ensuring the protection of systems and processing activities. In addition, extraordinary audits shall be performed whenever substantial modifications are introduced into systems that may affect security measures. These audits shall be supervised by the Information Security Officer and the Data Protection Officer.

Continuous improvement

Security incidents and non-conformities that occur, together with the corrective actions taken, shall be recorded. These records shall be used for the continuous improvement of system security.

Relationship with suppliers

All suppliers who handle or have access to Company information must:

Comply with applicable security regulations and standards.
Sign confidentiality agreements and contracts including security clauses.
Participate in periodic security assessments carried out by the Company.
Immediately notify any security incident that may affect the Company’s information.

Dispute resolution mechanism

Any incident, dispute, or non-compliance relating to information security must be immediately reported to the Security Officer.
All conflicts shall be documented in an incident register, detailing the nature of the conflict, the parties involved, and the date of detection.
The Security Officer, with the support of the Security, Data Protection and Crisis Committee, shall assess the situation, determining associated risks and possible impacts on information security.
A graduated approach shall be adopted:
- Level 1: direct internal resolution between the parties involved, mediated by the Security Officer.
- Level 2: intervention by the Security, Data Protection and Crisis Committee to mediate and propose formal solutions.
- Level 3: escalation to the organization’s management or to external bodies as appropriate, including legal measures if necessary.
Following resolution, follow-up actions shall be carried out to ensure the implementation of corrective and preventive measures, thereby avoiding recurrence.
The mechanism shall be reviewed annually or whenever significant changes occur in the organization, applicable regulations, or relevant security incidents.

Exceptions and consequences

Exceptions

Any exception to this policy must be approved in writing by the Company’s Information Security Committee. Requests for exception must include a detailed justification, as well as the compensating measures to be implemented.

Consequences

Failure to comply with this policy may result in:

Internal disciplinary actions.
Legal action in the event of serious negligence or intentional non-compliance.
Review of contractual relationships with third parties.

Policy approval

The Company’s senior management endorses this integrated policy and undertakes to provide the resources necessary to effectively implement and maintain all measures required to comply with associated legal requirements, stakeholder requirements, and the normative requirements of the management systems.

This policy shall be reviewed annually to ensure that it remains relevant and effective in achieving the intended objectives.