| Prepared by | Reviewed and approved by |
| ISMS Manager | Management |
| Edition | Review date | Remarks | Approved |
| 1.0 | 17/02/2026 | Initial version. Implementation. | 17/02/2026 |
1. APPROVAL AND ENTRY INTO FORCE
This Information Security Policy is effective from the date of signature and until it is replaced by a new Policy.
2. MISSION OF THE ORGANIZATION
Biyectiva's mission is to provide advanced Artificial Intelligence, computer vision, and process automation solutions for critical and strategic sectors, transforming technological complexity into operational efficiency.
As a multidisciplinary entity, we are committed to delivering high-quality services based on continuous improvement and technical excellence (ISO 9001), guaranteeing at all times the integrity, confidentiality, and availability of the managed information.
Our activity is oriented towards ensuring the technological sovereignty of our clients, strictly complying with the current legal framework and the standards of the National Security Scheme (ENS) to protect both our own assets and those of the organizations that trust our technology.
3. SCOPE
This policy applies to all ICT systems of the entity and to all members of the organization involved in Services and Projects destined for the public sector that require the application of ENS, without exceptions.
4. OBJECTIVES
For all the reasons stated above, Management establishes the following information security objectives:
- Provide a framework that increases the organization's strength and resilience so that it can respond effectively to incidents.
- Ensure the fast and efficient recovery of services after any physical disaster or contingency that could put the continuity of operations at risk.
- Prevent information security incidents to the extent that it is technically and economically viable, as well as mitigate the information security risks generated by our activities.
- Guarantee the confidentiality, integrity, availability, authenticity, and traceability of information.
5. REGULATORY FRAMEWORK
One of our objectives is to comply with the applicable legal requirements, with any other requirements we subscribe to, and with the commitments acquired with clients, and to keep this compliance continuously up to date.
To this end, the legal and regulatory framework in which we develop our activities is:
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights.
- Royal Legislative Decree 1/1996, of April 12, Intellectual Property Law.
- Law 2/2019, of March 1, which modifies the revised text of the Intellectual Property Law, approved by Royal Legislative Decree 1/1996, of April 12, and by which Directive 2014/26/EU of the European Parliament and of the Council, of February 26, 2014, and Directive (EU) 2017/1564 of the European Parliament and of the Council, of September 13, 2017, are incorporated into the Spanish legal system.
- Royal Decree 311/2022, of May 3, which regulates the National Security Scheme.
- Law 34/2002 of July 11 on Information Society Services and Electronic Commerce (LSSI).
- Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations.
- Law 40/2015, of October 1, on the Legal Regime of the Public Sector.
6. DEVELOPMENT
To achieve these objectives, it is necessary to:
- Continuously improve our information security system.
- Identify potential threats, as well as the impact on business operations that such threats, if materialized, may cause.
- Preserve the interests of our main stakeholders (clients, shareholders, employees, and suppliers), as well as our reputation, brand, and value-creation activities.
- Work jointly with our suppliers and subcontractors in order to improve the provision of IT services, service continuity, and information security, resulting in greater efficiency of our activity.
- Evaluate and guarantee the technical competence of the staff, and ensure that they are motivated to participate in the continuous improvement of our processes, providing appropriate training and internal communication so that they apply the good practices defined in the system.
- Guarantee the correct state of the facilities and appropriate equipment, so that they correspond to the company's activity, objectives, and goals.
- Guarantee a continuous analysis of all relevant processes, establishing the pertinent improvements in each case, based on the results obtained and the established objectives.
- Structure our management system so that it is easy to understand.
Our management system has the following structure:
The management of our system is entrusted to the Head of Computer Systems, and the system will be available in our information system in a repository, which can be accessed according to the access profiles granted based on our current access management procedure.
The documentation related to system security is structured in folders on the company's file server, divided into subfolders named after the points of the standard and the operating frameworks, which hold the different procedures, records, and evidence. Access is restricted to company personnel, so that unauthorized external parties cannot access it.
The security documentation is structured into:
- Security Policy.
- Security Regulations: documents describing the use of equipment, services, and facilities. They describe what is considered improper use, the responsibility of the staff regarding compliance or violation of the regulations, rights, duties, and disciplinary measures in accordance with current legislation.
- Specific Documents: security documentation developed according to the applicable CCN-STIC guides.
- Security Procedures: documents detailing how to operate the system elements.
This policy is complemented by the rest of the policies, procedures, and documents in force to develop our management system.
7. SECURITY ORGANIZATION
The essential responsibility falls upon the General Management of the organization, as it is responsible for organizing roles and responsibilities and providing appropriate resources to achieve the objectives of the ENS.
Managers are also responsible for setting a good example by following the established security rules.
These principles are assumed by Management, which provides the necessary means and endows its employees with sufficient resources for their compliance, expressing and making them publicly known through this Integrated Management Systems Policy.
The defined security roles or functions are:
| Role | Duties and responsibilities |
| Information Owner | · Make decisions regarding the processed information |
| Service Owner | · Coordinate system implementation · Continuously improve the system |
| Security Officer | · Determine the suitability of technical measures · Provide the best technology for the service |
| System Owner | · Coordinate system implementation · Continuously improve the system |
| Management | · Provide the necessary resources for the system · Lead the system |
| Security Administrator | · Implementation, management, and maintenance of security measures |
This definition of duties and responsibilities is completed in the job profiles and in the system document "Register of managers, roles, and responsibilities".
CONFLICT RESOLUTION
Differences in criteria that could lead to a conflict will be addressed within the Security Committee, and the criteria of the General Management will prevail in any case.
8. SECURITY COMMITTEE
The procedure for appointing and renewing its members is ratification within the Security Committee.
The committee for security management and coordination is the body with the highest responsibility within the information security management system, so all the most important decisions related to security are agreed upon by this committee.
The members of the information security committee are:
- SECURITY OFFICER
- SYSTEM OWNER
- SERVICE OWNER
- INFORMATION OWNER
These members are appointed by the committee, which is the only body that can name, renew, and dismiss them.
The Security Committee is an autonomous executive body with decision-making authority, and it does not subordinate its activity to any other element of the company.
The organization of Information Security is developed in the document complementary to this Security Organization Policy.
9. RISK MANAGEMENT
All systems subject to this Policy must perform a risk analysis, evaluating the threats and risks to which they are exposed.
This analysis is reviewed regularly:
- at least once a year;
- when the handled information changes;
- when the services provided change;
- when a serious security incident occurs;
- when serious vulnerabilities are reported.
For the harmonization of risk analyses, the ICT Security Committee will establish a baseline valuation for the different types of information handled and the different services provided.
The ICT Security Committee will boost the availability of resources to meet the security needs of the different systems, promoting horizontal investments.
For carrying out the risk analysis, the risk analysis methodology developed in the Risk Analysis procedure will be taken into account.
10. PERSONNEL MANAGEMENT
All members of BIYECTIVA are obliged to know and comply with this Information Security Policy and the Security Regulations; the ICT Security Committee is responsible for providing the means necessary for this information to reach those affected.
All members of BIYECTIVA will attend an ICT security awareness session at least once a year.
A continuous awareness program will be established to serve all members of BIYECTIVA, particularly newly hired personnel.
Persons with responsibility for the use, operation, or administration of ICT systems will receive training for the secure handling of systems to the extent that they need it to perform their work.
Training will be mandatory before assuming a responsibility, whether it is their first assignment or a change of job position or responsibilities within it.
11. PROFESSIONALISM AND SECURITY OF HUMAN RESOURCES
This Policy applies to all BIYECTIVA personnel and external personnel performing tasks within the company.
HR will include information security functions in employees' job descriptions, inform all contracted personnel of their obligations regarding compliance with the Information Security Policy, manage Confidentiality Commitments with staff, and coordinate user training tasks regarding this Policy.
The Security Management Officer (RGS) [CISO] is responsible for monitoring, documenting, and analyzing reported security incidents, as well as communicating with the Information Security Committee and information owners.
The Information Security Committee will be responsible for implementing the necessary means and channels for the Security Management Officer (RGS) [CISO] to handle reports of incidents and system anomalies.
The Committee will also be kept informed of information security incidents, supervise their investigation, monitor their evolution, and promote their resolution.
The Security Management Officer (RGS) [CISO] will participate in the preparation of the Confidentiality Commitment to be signed by employees and third parties performing roles in BIYECTIVA, in advising on the sanctions to be applied for non-compliance with this Policy, and in handling information security incidents.
All BIYECTIVA personnel are responsible for reporting, in a timely manner, any information security weaknesses and incidents they detect.
Professionalism of human resources:
- Determine the necessary competence of personnel to carry out work affecting Information Security.
- Ensure that people are competent on the basis of appropriate education, training, or experience.
- Retain documented information as evidence of the competence of personnel in matters of Information Security.
The objectives of controlling personnel security are:
- Reduce the risks of human error, commission of irregularities, improper use of facilities and resources, and unauthorized handling of information.
- Explain security responsibilities during the personnel recruitment stage, include them in the agreements to be signed, and verify compliance during the execution of the employee's tasks.
- Ensure that users are aware of information security threats and concerns and are trained to support the organization's Information Security Policy in the course of their normal duties.
- Establish confidentiality commitments with all personnel and with external users of the information processing facilities.
- Establish the necessary tools and mechanisms to promote the communication of existing security weaknesses, as well as incidents, in order to minimize their effects and prevent their reoccurrence.
12. AUTHORIZATION AND ACCESS CONTROL TO INFORMATION SYSTEMS
The control of access to information systems aims to:
- Prevent unauthorized access to information systems, databases, and information services.
- Implement user access security through authentication and authorization techniques.
- Control security in the connection between BIYECTIVA's network and other public or private networks.
- Review critical events and activities carried out by users in the systems.
- Raise awareness about responsibility for the use of passwords and equipment.
- Guarantee information security when laptops and personal computers are used for remote work.
13. PROTECTION OF FACILITIES
The objectives of this policy regarding the protection of facilities are:
- Prevent unauthorized access, damage, and interference to BIYECTIVA's headquarters, facilities, and information.
- Protect BIYECTIVA's critical information processing equipment, placing it in protected areas and guarded by a defined security perimeter, with appropriate security measures and access controls.
- Likewise, consider its protection during transfer and when remaining outside protected areas, due to maintenance or other reasons.
- Control environmental factors that could impair the proper functioning of the computer equipment hosting BIYECTIVA's information.
- Implement measures to protect the information handled by staff in offices, within the normal framework of their usual tasks.
- Provide protection proportional to the identified risks.
This Policy applies to all physical resources related to BIYECTIVA's information systems: facilities, equipment, cabling, files, storage media, etc.
The Security Management Officer (RGS) [CISO], together with the Information Owners as appropriate, will define physical and environmental security measures for the protection of critical assets, based on a risk analysis, and will supervise their application.
They will also verify compliance with physical and environmental security provisions.
The managers of the different departments will define the levels of physical access of BIYECTIVA personnel to restricted areas under their responsibility.
Information Owners will formally authorize off-site work involving their business information to BIYECTIVA employees when they deem it appropriate.
All BIYECTIVA personnel are responsible for complying with the clean screen and desk policy, for the protection of information related to daily work in the offices.
14. ACQUISITION OF PRODUCTS
The different departments must ensure that ICT security is an integral part of each stage of the system life cycle, from conception to decommissioning, including development or acquisition decisions and exploitation activities.
Security requirements and funding needs must be identified and included in planning, in requests for proposals, and in bidding specifications for ICT projects.
On the other hand, information security will be taken into account in the acquisition and maintenance of information systems, limiting and managing change.
The development and acquisition policy for information systems is developed in the document: Systems Acquisition, Development, and Maintenance Policy.
15. SECURITY BY DEFAULT
BIYECTIVA considers it strategic for the entity that its processes integrate information security throughout their life cycle.
Information systems and services must include security by default from their creation to their retirement, including security in development and/or acquisition decisions and in all exploitation activities, establishing security as an integral and transversal process.
16. SYSTEM INTEGRITY AND UPDATING
BIYECTIVA is committed to ensuring system integrity through a change management process that allows the control of updates to physical or logical elements via prior authorization before their installation in the system.
This impact assessment will be carried out mainly by systems management, which will evaluate the impact on system security before changes are made and will control, in a documented manner, those changes assessed as significant or as having implications for system security.
Through periodic security reviews, the security status of the systems will be evaluated in relation to manufacturer specifications, vulnerabilities, and updates affecting them, reacting with diligence to manage risk in view of their security status.
17. PROTECTION OF STORED AND IN-TRANSIT INFORMATION
BIYECTIVA establishes protection measures for the Security of Information stored or in transit through insecure environments.
Laptops, personal digital assistants (PDAs), peripheral devices, information media, and communications over open networks or with weak encryption will be considered insecure environments.
18. PREVENTION OF INTERCONNECTED INFORMATION SYSTEMS
BIYECTIVA establishes protection measures for information security, especially for the protection of the perimeter, in particular where the system connects to public networks, and above all where those networks are used entirely or mainly for the provision of publicly available electronic communications services.
In any case, the risks arising from the interconnection of the system, through networks, with other systems will be analyzed, and their point of union will be controlled.
19. BUSINESS CONTINUITY
BIYECTIVA, with the objective of guaranteeing the continuity of activities, establishes measures so that systems have backup copies and establishes the necessary mechanisms to guarantee the continuity of operations in the event of a loss of usual working means.
20. CONTINUOUS IMPROVEMENT OF THE SECURITY PROCESS
BIYECTIVA establishes a continuous improvement process for information security, applying the criteria and methodology established in international standards such as ISO 9001.
Signed:
The Management