Information Security Policy
1. Introduction
Information has become one of the main assets of our organization, and that is why caring for and protecting it becomes an absolute priority.
From now on it is part of our strategy to treat information security as a critical and fundamental element. This challenge grows in demand and importance when applied to an environment as specific and critical as ours, where the secure handling and management of information is a necessity in order to compete and improve in the future.
NEOSISTEC AND NAVILENS PROJECTS CORP. (hereinafter NEOSISTEC AND NAVILENS PROJECTS CORP.) depends on ICT systems (Information and Communication Technologies) to achieve its objectives. These systems must be managed diligently, taking the appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity, confidentiality, authenticity and traceability of the information processed or the services provided.
The objective of information security is to ensure the quality of information and the continuous delivery of services by acting proactively, monitoring daily activity, and responding promptly to incidents.
ICT systems must be protected against rapidly evolving threats that have the potential to affect the availability, integrity, confidentiality, authenticity, traceability, intended use, and value of information and services. To defend against these threats, a strategy is required that adapts to changing environmental conditions in order to guarantee the continuous provision of services. This implies that departments must implement the minimum security measures required by the National Security Framework (ENS) and by the international standard ISO 27001, as well as continuously monitor service performance levels, track and analyze reported vulnerabilities, and prepare an effective incident response to ensure service continuity.
Different departments must ensure that ICT security is an integral part of every stage of the system's lifecycle—from its conception to decommissioning—including development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in planning, requests for proposals, and ICT project tender documents.
Departments must be prepared to prevent, detect, respond to, and recover from incidents, in accordance with Article 7 of the ENS.
1.1 Prevention
Departments must avoid, or at least reduce as far as possible, the compromise of information or services by security incidents. To this end, departments must implement the minimum security measures determined by the ENS, as well as any additional control identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, must be clearly defined and documented. To guarantee compliance with the policy, the departments must:
- Authorize the systems before they go into operation.
- Regularly assess security, including assessment of configuration changes performed routinely.
- Request periodic review by third parties in order to obtain an independent evaluation.
1.2 Detection
Since services can quickly degrade due to incidents, ranging from a simple slowdown to a complete stoppage, departments must continuously monitor service operation to detect anomalies in service delivery levels and act accordingly, as set out in Article 9 of the ENS. Monitoring is especially relevant when lines of defense are established in accordance with Article 8 of the ENS. Detection, analysis and reporting mechanisms will be established that regularly reach those responsible whenever there is a significant deviation from the parameters pre-established as normal.
1.3 Response
Departments must:
- Establish mechanisms to respond effectively to security incidents.
- Designate a point of contact for communications regarding incidents detected in other departments or other bodies.
- Establish protocols for the exchange of information related to the incident. This includes two-way communications with Emergency Response Teams (CERTs).
1.4 Recovery
To ensure the availability of critical services, departments should develop IT systems continuity plans as part of their overall plan for business continuity and recovery activities.
2. Purpose and scope
The purpose of this High Level Policy is to define the objective, direction, principles and basic rules for information security management.
This Policy applies to the entire Information Security Management System (ISMS) and to all employees of NEOSISTEC Y NAVILENS PROJECTS CORP., and extends to third parties that carry out processing of information owned by NEOSISTEC AND NAVILENS PROJECTS CORP.
The Security Policy applies to the entire company and its information assets:
- To all departments, both their managers and employees.
- To contractors, customers or any other third party that has access to the organization's information or systems.
- To databases, electronic and paper files, processing operations, equipment, media, programs and systems.
- To information generated, processed and stored, regardless of its medium and format, used in operational or administrative tasks.
- To information transferred within an established legal framework, which will be considered as the company's own for the sole purpose of its protection.
- To all systems used to administer and manage the information, whether owned, leased or licensed by the company.
3. References and regulatory framework
The management of NEOSISTEC AND NAVILENS PROJECTS CORP. ensures that documentation of external origin that is relevant to the operation of the company is known to those employees who need it and is kept up to date and available at all times.
For this purpose, the means defined in this document and the procedures that develop it are used.
As regards the standards applied to formalize the different security procedures established, the criteria of the following international standards have been followed:
- Information technology. Security techniques. Information Security Management Systems (ISMS). Requirements. UNE-ISO/IEC 27001
- Information Technology. Security techniques. Code of Good Practices for Information Security Management. UNE-ISO/IEC 27002
- Requirements of interested parties
Additionally, the register "SGSI84_RE07_ Registro Normativa aplicable" has been created to provide all the information, links of interest and information related to the Regulations applied. An extract of the general applicable regulations is set out below:
- Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), on the protection of personal data and the free movement of such data, establishing principles such as lawfulness, transparency, data minimization, security, and proactive responsibility.
- Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), which complements the GDPR and incorporates rights such as digital disconnection and protection against the use of biometric data.
- Law 34/2002, on Information Society Services and Electronic Commerce (LSSI-CE), regulating digital services, the use of cookies, and electronic commercial communications.
- Law 31/1995, on the Prevention of Occupational Risks, establishing the legal framework for worker health and safety.
- Royal Decree 39/1997, approving the Regulation on Prevention Services, regulating the organization and operation of prevention services.
- Order TIN/2504/2010, which develops the Regulation on Prevention Services regarding the accreditation of specialized entities and auditing activities.
- Law 10/2010, on the prevention of money laundering and terrorist financing, establishing obligations for due diligence, training, reporting, and internal control.
- Royal Decree 304/2014, approving the implementing regulation of Law 10/2010, detailing the required procedures, controls, and measures.
- Royal Legislative Decree 2/2015, approving the revised text of the Workers' Statute, regulating labor rights and obligations.
- Royal Decree-Law 28/2020, on remote work, regulating teleworking and its conditions.
- Royal Legislative Decree 8/2015, approving the revised text of the General Social Security Law, covering contributions and entitlements.
- Order ESS/86/2015, developing rules for Social Security contributions, protection in cases of business closure, the Wage Guarantee Fund, and vocational training.
- Labor Reform of 2021, introducing changes in temporary hiring, subcontracting, collective bargaining, and job stability.
- Right to digital disconnection, legally recognized as the worker's right not to engage with devices outside working hours.
- Royal Legislative Decree 1/1996, approving the revised text of the Intellectual Property Law, regulating copyright and the protection of original works.
- Law 17/2001, on Trademarks, regulating the registration and protection of distinctive signs in the market.
- Organic Law 10/1995, of the Criminal Code, especially applicable to cybercrime, disclosure of secrets, system damage, and corporate criminal liability.
- Commercial Code, regulating commercial acts, accounting obligations, and business relations.
- Law 1/2010, on Capital Companies, regulating the incorporation, operation, and dissolution of commercial companies.
- Law 3/2004, on measures to combat late payment in commercial transactions, setting payment terms and prevention measures.
- Spanish Constitution of 1978, especially Article 18, which protects honor, personal and family privacy, and self-image, as well as personal data protection.
- Law 14/2011, on Science, Technology, and Innovation, promoting research, technological development, and innovation.
- Law 38/2003, General Law on Subsidies, and its Regulation approved by Royal Decree 887/2006, regulating the legal regime of public aid and subsidies, justification obligations, and control measures.
- Royal Decree-Law 12/2018, on the security of networks and information systems, not applicable to the company under its current scope.
Data protection regulations
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation- GDPR).
- Organic Law 3/2018, of December 5, 2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
Labor regulations
- Royal Legislative Decree 2/2015, of October 23, which approves the Revised Text of the Workers' Statute Law.
- Royal Legislative Decree 8/2015, of October 30, which approves the Revised Text of the General Social Security Law.
- Law 31/1995, of November 8, 1995, on Occupational Risk Prevention.
- Order ESS/86/2015, of January 30, which develops the legal rules on Social Security contributions, unemployment, protection for termination of activity, Wage Guarantee Fund and vocational training, contained in Law 36/2014, on General State Budgets for 2015.
General regulations
- Spanish Constitution of 1978.
- Organic Law 10/1995, of November 23, 1995, of the Penal Code (in accordance with articles 196 to 201 and art. 31 bis).
- Organic Law 10/1995, of November 23, 1995, of the Penal Code (in force until July 1, 2015).
- Commercial Code.
- Law 1/2010, of the Capital Companies Law.
- Law 3/2004, on measures to combat late payment in commercial transactions.
Other applicable regulations
- Law 14/2011 on Science, Technology and Innovation.
- Law 38/2003 and Regulation (RD 887/2006) on General Subsidies.
- Law 34/2002, of July 11, 2002, on Information Society Services and Electronic Commerce (LSSICE).
- Royal Legislative Decree 1/1996, of April 12, 1996, approving the Revised Text of the Intellectual Property Law and Law 23/2006, of July 7, 2006, amending the above.
- Royal Legislative Decree 1/1996, of April 12, 1996, approving the revised text of the Intellectual Property Law, regularizing, clarifying and harmonizing the legal provisions in force on the matter.
4. Security Organization
4.1 Committees: roles and responsibilities
A Security Committee is formed, whose members and e-mail addresses are withheld from this publication for security reasons. They will, however, be communicated on the intranet and can be shared with interested parties on request.
There is a mailing list called comiteseguridad@navilens.com to respond to any internal/external need in information security.
Each person responsible for an area may modify and adapt documents or procedures that fall within their competence without the express approval of the rest of the committee, provided that these modifications do not significantly alter the functioning of the ISMS. In any case, the committee must be informed of such modifications.
The roles and responsibilities of the Security Committee are listed below.
- Coordination of Information Security (IS), ensuring compliance with the Information Security Policy, approving methodologies, procedures and technical instructions on information security protection, and establishing a culture of awareness of Information Security throughout the organization.
- Adopt or propose the adoption of the necessary measures to ensure that personnel are aware of the security regulations that affect the performance of their duties and of the consequences that may be incurred in the event of non-compliance.
- Update the ISMS documentation and adapt it to the regulations in force.
- Act as the consultative body for establishing new measures related to information security and data protection.
- Adopt, or propose to Management the adoption of, corrective measures arising from deficiencies detected in an audit process, as well as those approved by Management.
- Supervise compliance with the procedures established to authorize the use of mobile devices and teleworking.
- Supervise that a list of personnel with access to personal data, a list of personnel authorized to grant, cancel or alter access rights, in accordance with established criteria, and a list of personnel with authorized access to places where media and documents are stored, are maintained in accordance with established procedures.
- Inform and advise the organization and the personnel involved in processing of the obligations incumbent on them in terms of data protection and IS.
- Supervise compliance with the provisions of the applicable regulations, including the assignment of responsibilities, awareness and training of personnel involved in processing operations, and the corresponding audits.
- Supervise the correct maintenance and updating of the Records of Processing Activities and other documentary supports for compliance with the GDPR legislation.
4.2 Roles: functions and responsibilities
Executive Management
- Participates in setting objectives and metrics. Approves policies. Approves the ISMS management reviews. Validates the conclusions of system audits.
- Executive management establishes the organizational chart, which includes more functions and roles than those specified here. This policy details those responsible for information security.
Security Officer
- Promotes the security of handled information and the electronic services provided by information systems, with the authority and responsibility to ensure that the Information Security Management System complies with the National Security Framework (ENS).
- Oversees compliance with this Policy, its derived rules and procedures, and the security configuration of systems.
- Establishes appropriate and effective security measures to meet the security requirements defined by the Service and Information Owners, always following Annex II of the ENS and declaring the applicability of such measures.
- Promotes awareness and training activities related to security within their area of responsibility.
- Coordinates and monitors the implementation of ENS compliance projects, in collaboration with the System Owner.
- Conducts, in collaboration with the System Owner, required risk analyses, selects safeguards to be implemented, and reviews the risk management process. Also, jointly with the System Owner, accepts the residual risks identified in the risk analysis.
- Promotes periodic audits to verify compliance with information security obligations and analyzes audit reports, preparing conclusions to be presented to the System Owner for appropriate corrective measures.
- Coordinates the Security Management process, in collaboration with the System Owner.
- Determines the system category as per the procedure described in Annex I of the ENS and defines the applicable security measures according to Annex II of the ENS.
- Verifies that the security measures are adequate for the protection of information and services.
System Owner
- Develops, operates, and maintains the Information System throughout its life cycle, including specifications, installation, and verification of its proper functioning.
- Ensures that specific security measures are properly integrated within the general security framework.
- Conducts tests and drills on security operating procedures and existing continuity plans.
- Implements necessary measures to ensure system security throughout its life cycle, in coordination with the Security Officer.
- Conducts, in collaboration with the Security Officer, required risk analyses, selects safeguards, and reviews the risk management process. Also, jointly with the Security Officer, accepts residual risks identified in the analysis.
- Prepares third-level security documentation (STIC Operational Procedures and STIC Technical Instructions) in collaboration with the Security Officer.
- Applies security operating procedures.
- Ensures established security controls are strictly followed and that approved procedures for managing the information system are applied.
- Oversees hardware and software installations, modifications, and upgrades to ensure security is not compromised and align with the appropriate authorizations.
- Monitors the security status of the system using security event management tools and technical audit mechanisms.
- Informs the respective Officers of any anomaly, compromise, or vulnerability related to security.
- Participates in the investigation and resolution of security incidents, from detection to resolution.
Data Protection Officer
- Informs and advises the Information Owner and their employees about their obligations under the GDPR and other data protection regulations.
- Monitors compliance with this Regulation, other Union or Member State data protection provisions, and the policies of the Controller or Processor concerning personal data protection, including responsibility assignments, staff awareness and training, and audits.
- Provides requested advice regarding data protection impact assessments and monitors their implementation under Article 35.
- Cooperates with the supervisory authority.
- Acts as the contact point for the supervisory authority for matters relating to processing, including prior consultations under Article 36, and consults on any other relevant matters when necessary.
Service Owner
- Defines the security requirements for the service, including those related to interoperability, accessibility, and availability.
- Determines the service's security levels in agreement with the Security Officer and System Owner.
- Maintains the security of the information handled and services provided by the information systems within their scope of responsibility.
Information Owner
- Ensures the appropriate use and protection of information.
- Establishes security requirements for the information.
- Determines security levels for the information, assessing the consequences of potential negative impacts.
Users and Employees
- Comply with the information security policy and its related standards, procedures, and instructions.
- Protect and safeguard company information, avoiding disclosure, external transmission, unauthorized modification or deletion, and misuse regardless of the medium or channel through which it is accessed or known.
- Understand and apply the Information Security Policy, the Acceptable Use Policies for Information Systems, and all other applicable policies, rules, procedures, and security measures.
4.3 Designation procedures
The Information Security Officer shall be appointed by Management on the proposal of the Security Committee. The appointment will be reviewed every 2 years or when the position becomes vacant. The Department responsible for a service that is provided electronically in accordance with Law 11/2007 shall designate the System Owner, specifying their functions and responsibilities within the framework established by this Policy.
4.4 Information security policy
The Information Security Committee is in charge of building and maintaining the Information Security Policy, although the Management of NEOSISTEC Y NAVILENS PROJECTS CORP. is responsible for the approval and publication of this Policy, as well as for distributing it to all employees and affected third parties.
Any change or evolution that affects or could affect the content of the Information Security Policy will be recorded by a new signing of the approval document. In this way, the commitment of these entities to information security is confirmed.
Periodically, and in any case not exceeding a period of one year, the validity and reasonableness of this policy will be reviewed and the required improvements, adaptations or modifications will be carried out according to the applicable organizational, technical or regulatory changes.
4.5. Security Policy Distribution
The security policy will be distributed in the following ways, depending on the stakeholder group to which it is directed:
- Personnel and managers of the company NaviLens: the security policy will be distributed by e-mail. To ensure that it is received, an acknowledgement of receipt of the corresponding document will be signed.
- Clients, partners, suppliers and other interested parties: the security policy will be included as a section of the company web page (www.navilens.com), where they will be able to consult it at any time.
5. Sanctions
Any premeditated or negligent violation of the security policies and rules that causes potential damage, whether realised or not, to NEOSISTEC AND NAVILENS PROJECTS CORP. will be sanctioned according to the mechanisms provided in the Company's agreement and in the legal, contractual and corporate regulations in force.
All actions in which the security of NEOSISTEC Y NAVILENS PROJECTS CORP. is compromised and that are not foreseen in this policy must be reviewed by the Executive Management and by the Information Security Officer, who will issue a resolution subject to the criteria of the company and the legislation in force.
Disciplinary actions in response to non-compliance with the Information Security Policy are the responsibility of the Executive Management of NEOSISTEC AND NAVILENS PROJECTS CORP. and the governing bodies, according to the applicable legislation.
There is a complaints channel and an incident management protocol available to employees through which any member of the company can report a possible incident or breach to the Security Committee or the person responsible for security.
This infraction and the corresponding sanction will be communicated to the offender by a member of management by e-mail with a request for confirmation of receipt.
6. Mission
In response to a new technological environment where the convergence of computing and communications is enabling a new paradigm of productivity for companies, NEOSISTEC Y NAVILENS PROJECTS CORP. is highly committed to maintaining the promotion of research projects, technological development and innovation in a quality environment, where the development of good practices in Information Security is essential to achieve the objectives of availability, integrity, confidentiality, authenticity, traceability and legality of all information managed. As a consequence of the above, NEOSISTEC AND NAVILENS PROJECTS CORP. defines the following application principles to be taken into account within the framework of the Information Security Management System (ISMS):
The Management of NEOSISTEC AND NAVILENS PROJECTS CORP. understands its duty to ensure information security as an essential element for the proper performance of the organization's services, and, therefore, supports the following objectives and principles:
- To implement the value of Information Security throughout the Organization.
- To ensure that each and every person of NEOSISTEC and NAVILENS PROJECTS CORP. contributes to the protection of Information Security.
- To preserve the availability, integrity, confidentiality, authenticity, traceability and resilience of the information, in order to ensure compliance with legal and regulatory requirements and with the requirements of our customers regarding information security, and specifically, with regard to personal data:
- The data will be processed in a lawful, fair and transparent manner in relation to the data subject (Lawfulness, fairness and transparency).
- The data will be collected for specified, explicit and legitimate purposes and will not be further processed in a way incompatible with those purposes (Purpose limitation).
- The data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Data minimization).
- Data shall be accurate and, where necessary, kept up to date; all reasonable steps shall be taken to ensure that personal data which are inaccurate in relation to the purposes for which they are processed are promptly deleted or rectified (Accuracy).
- Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be kept for longer periods provided that they are processed exclusively for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Limitation of the retention period).
- Data shall be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the implementation of appropriate technical or organizational measures (Integrity and confidentiality).
- To protect the information assets of NEOSISTEC AND NAVILENS PROJECTS CORP. from threats, whether internal or external, deliberate or accidental, in order to ensure the continuity of the service offered to our customers and the security of the information.
- Establish an Information Security Plan that integrates the activities of prevention and minimization of the risk of security incidents based on the risk management criteria established by NEOSISTEC AND NAVILENS PROJECTS CORP.
- To provide the necessary means to be able to carry out the pertinent actions in order to manage the identified risks.
- Assume responsibility for awareness and training in information security as a means to ensure compliance with this policy.
- Extend our commitment to information security to our employees and suppliers.
- Continually improve security by establishing and regularly monitoring information security objectives.
This Policy shall be maintained, updated and adequate for the Organization's purposes, aligned with the Organization's risk management context. To this effect, it will be reviewed at planned intervals or whenever significant changes occur, in order to ensure that its suitability, adequacy and effectiveness are maintained.
Similarly, a formally defined risk assessment procedure is established to manage the risks faced by NEOSISTEC AND NAVILENS PROJECTS CORP. In turn, all policies and procedures included in the ISMS will be reviewed, approved and promoted by the Executive Management of NEOSISTEC Y NAVILENS PROJECTS CORP.
7. Risk Management
All systems subject to this Policy shall undergo a risk analysis, assessing the threats and risks to which they are exposed. This analysis shall be repeated:
- regularly, at least once a year
- when the information handled changes
- when the services provided change
- when a serious security incident occurs
- when serious vulnerabilities are reported
In order to harmonize risk analyses, the ICT Security Committee will establish a reference assessment for the different types of information handled and the different services provided. The ICT Security Committee will promote the availability of resources to meet the security needs of the different systems, encouraging investments of a horizontal nature.
8. Development of the Information Security Policy
This Policy will be developed by means of security regulations that address specific aspects, as well as other complementary policies. The security regulations shall be available to all members of the organization who need to know them, in particular to those who use, operate or administer the information and communications systems.
9. Staff obligations
All members of NEOSISTEC AND NAVILENS PROJECTS CORP. have the obligation to know and comply with this Information Security Policy and the Security Regulations, and it is the responsibility of the ICT Security Committee to arrange the necessary means for this information to reach those affected. All members of NEOSISTEC AND NAVILENS PROJECTS CORP. will attend an ICT security awareness session at least once a year. An ongoing awareness program will be established to cater to all members of the organization, particularly new hires. Persons with responsibility for the use, operation or administration of ICT systems shall be trained in the secure operation of the systems to the extent that they need it to perform their work. Training will be mandatory before taking on a responsibility, whether it is their first assignment or a change of job or job responsibilities.
Information Security is a joint effort, so it requires the involvement and participation of all members of the organization who work with the organization's Information Systems. Therefore, each employee must comply with the requirements of the Security Policy and its associated documentation.
Employees who deliberately or negligently violate the Security Policy will be subject to disciplinary action as contemplated herein.
10. Third parties
This Security Policy must also be known and complied with by any external person belonging to third-party entities that carry out any type of processing of information owned by NEOSISTEC Y NAVILENS PROJECTS CORP.
When NEOSISTEC AND NAVILENS PROJECTS CORP. provides services to other organizations or handles information from other organizations, they will be made participants in this Information Security Policy, channels will be established for reporting and coordination between the respective ICT Security Committees, and procedures will be established for reacting to security incidents.
When NEOSISTEC AND NAVILENS PROJECTS CORP. uses services of third parties or transfers information to third parties, they will be made participants in this Security Policy and in the Security Regulations related to such services or information. Such third parties shall be subject to the obligations set forth in those regulations and may develop their own operating procedures to comply with them. Specific incident reporting and resolution procedures shall be established. It shall be ensured that third-party personnel are security-aware to at least the same level as that set out in this Policy.
Where any aspect of the Policy cannot be satisfied by a third party as required in the preceding paragraphs, a report from the Security Officer shall be required which specifies the risks incurred and how they will be addressed. Approval of this report by those responsible for the information and services concerned will be required before proceeding further.
11. Approval and Validity
This document has been approved by Management, effective as of 8 April 2025.