---

Information Security Policy

1. Introduction

Information has become one of the main assets of our organization, and that is why caring for and protecting it becomes an absolute priority.

It is part of our strategy, from now on, to maintain information security as a critical and fundamental element. This challenge is multiplied in demand and importance if we apply it to an environment as specific and critical as ours, where the secure treatment and management of information is imposed as a necessity to compete and improve in the future.

NEOSISTEC AND NAVILENS PROJECTS CORP. (hereinafter NEOSISTEC Y NAVILENS PROJECT CORPS. ) depends on ICT systems (Information and Communication Technologies) to achieve its objectives. These systems must be managed diligently, taking the appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity or confidentiality of the information processed or the services provided.

The objective of information security is to guarantee the quality of information and the continuous provision of services, acting preventively, supervising daily activity and reacting promptly to incidents.

ICT systems must be protected against rapidly evolving threats with the potential to affect the confidentiality, integrity, availability, intended use and value of information and services. Defending against these threats requires a strategy that adapts to changing environmental conditions to ensure continuous service delivery. This implies that the departments must apply the minimum security measures required by the National Security Scheme and ISO27001, as well as continuously monitor the levels of service provision, monitor and analyze reported vulnerabilities, and prepare an effective response to incidents to guarantee the continuity of the services provided. The different departments must ensure that ICT security is an integral part of each stage of the system life cycle, from its conception to its decommissioning, through development or acquisition decisions and exploitation activities.

Security requirements and financing needs must be identified and included in the planning, in the request for offers, and in the bidding documents for ICT projects. Departments must be prepared to prevent, detect, react and recover from incidents, in accordance with Article 7 of the ENS

1.1 Prevention

Departments must avoid, or at least prevent as much as possible, that information or services are compromised by security incidents. For this, the departments must implement the minimum security measures determined by the ENS, as well as any additional control identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, must be clearly defined and documented. To guarantee compliance with the policy, the departments must:

· Authorize the systems before going into operation. · Regularly assess security, including assessments of changes in configuration performed routinely. · Request periodic review by third parties in order to obtain an independent evaluation.

1.2 Detection

Since services can quickly degrade due to incidents, ranging from a simple slowdown to a stoppage, services must continuously monitor operation to detect anomalies in service delivery levels and act accordingly as set out in Article 9 of the ENS. Monitoring is especially relevant when lines of defense are established in accordance with Article 8 of the ENS. Detection, analysis and reporting mechanisms will be established that reach those responsible regularly when there is a significant deviation from the parameters that have been pre-established as normal.

1.3 Response

Departments must:

• Establish mechanisms to respond effectively to security incidents.
• Designate point of contact for communications regarding incidents detected in other departments or other bodies.
• Establish protocols for the exchange of information related to the incident. This includes two-way communications with Emergency Response Teams (CERTs).

1.4 Recovery

To ensure the availability of critical services, departments should develop IT systems continuity plans as part of their overall plan for business continuity and recovery activities.

2. Purpose and scope

The purpose of this High Level Policy is to define the objective, direction, principles and basic rules for information security management.

This Policy applies to the entire Information Security Management System (ISMS) and to all employees of NEOSISTEC Y NAVILENS PROJECTS CORP. And extensible to third parties that carry out information processing owned by NEOSISTEC and NAVILENS PROJECTS CORP.

The Security Policy applies to the entire company and its information assets:

To all departments, both their managers and employees.

To contractors, customers or any other third party that has access to the organization's information or systems.

To databases, electronic and paper files, treatments, equipment, supports, programs and systems.

Information generated, processed and stored, regardless of its support and format, used in operational or administrative tasks.

To the information transferred within an established legal framework, which will be considered as its own for the sole purpose of its protection.

All systems used to administer and manage the information, whether owned, leased or licensed by the company.

3. References and regulatory framework

The management of NEOSISTEC AND NAVILENS PROJECT CORPS. ensures that documentation of external origin that is of interest to the operation of the company is known to those employees of the company who need it and is kept up to date and available at all times.

For this purpose, the means defined in this document and the procedures that develop it are used.

As regards the standards applied to formalize the different safety procedures established, the criteria of the following international standards have been followed:

• Information technology. Security techniques. Information Security Management Systems (ISMS). Requirements. UNE-ISO/IEC 27001
• Information Technology. Security techniques. Code of Good Practices for Information Security Management. UNE-ISO/IEC 27002
• Requirements of interested parties

Additionally, the register "SGSI84_RE07_ Registro Normativa aplicable" has been created to provide all the information, links of interest and information related to the Regulations applied.

Data protection regulations

• REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation- GDPR).
• Organic Law 3/2018, of December 5, 2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

Normativa laboral

• Royal Legislative Decree 2/2015, of October 23, which approves the Revised Text of the Workers' Statute Law.
• Royal Legislative Decree 8/2015, of October 30, which approves the Revised Text of the General Social Security Law.
• Law 31/1995, of November 8, 1995, on Occupational Risk Prevention.
• Order ESS/86/2015, of January 30, which develops the legal rules on Social Security contributions, unemployment, protection for termination of activity, Wage Guarantee Fund and vocational training, contained in Law 36/2014, on General State Budgets for 2015.

General regulations

• Spanish Constitution of 1978.
• Organic Law 10/1995, of November 23, 1995, of the Penal Code (in accordance with articles 196 to 201 and art. 31 bis).
• Organic Law 10/1995, of November 23, 1995, of the Penal Code (in force until July 1, 2015).
• Commercial Code.
• Law 1/2010, of the Capital Companies Law.
• Law 3/2004, measures to combat late payment in commercial transactions. Other applicable regulations
• Law 14/2011 on Science, Technology and Innovation.
• Law 38/2003 and Regulation (RD 887/2006) on General Subsidies.
• Law 34/2002, of July 11, 2002, on Information Society Services and Electronic Commerce (LSSICE).
• Royal Legislative Decree 1/1996, of April 12, 1996, approving the Revised Text of the Intellectual Property Law and Law 23/2006, of July 7, 2006, amending the above.
• Royal Legislative Decree 1/1996, of April 12, 1996, approving the revised text of the Intellectual Property Law, regularizing, clarifying and harmonizing the legal provisions in force on the matter.

4. Security Organization

4.1 Committees: roles and responsibilities

A security committee is formed, whose members and e-mails are reserved from this publication for security reasons. However, it will be communicated on the intranet, and can be shared with interested parties on demand.

There is a mailing list called comiteseguridad@neosistec.com to respond to any internal/external need in information security.

Each person responsible for his area may modify and adapt documents or procedures that fall within his competence without the express approval of the rest of the committee, provided that these modifications do not significantly alter the functioning of the ISMS. In any case, the committee must be informed of these modifications.

The roles and responsibilities of the Security Committee are listed below.

• Coordination of Information Security (IS), ensuring compliance with the Information Security Policy, approving methodologies, procedures and technical instructions on information security protection, and establishing a culture of awareness of Information Security throughout the organization.
• Adopt or propose the adoption of the necessary measures to ensure that personnel are aware of the security regulations that affect the performance of their duties and of the consequences that may be incurred in the event of non-compliance.
• It shall update the ISMS documentation and adapt it to the regulations in force.
• It will be the consultative body for establishing new measures related to information security and data protection.
• Adopt or propose the adoption to the Management, of corrective measures as a consequence of the deficiencies detected in an audit process and as well as those approved by the Management.
• Supervise compliance with the procedures established to authorize the use of mobile devices and teleworking.
• Supervise that a list of personnel with access to personal data, a list of personnel authorized to grant, cancel or alter access rights, in accordance with established criteria, and a list of personnel with authorized access to places where media and documents are stored, are maintained in accordance with established procedures.
• Promote information and advise the organization and the personnel employed in the processing of the obligations incumbent on them in terms of data protection and IS.
• Supervise compliance with the provisions of the applicable regulations, including the assignment of responsibilities, awareness and training of personnel involved in processing operations, and the corresponding audits.
• Supervise the correct maintenance and updating of the Records of Processing Activities and other documentary supports for compliance with the GDPR legislation.

4.2 Roles: functions and responsibilities

In the document called "ISMS65_Roles and Responsibilities NEOSISTEC AND NAVILENS PROJECT CORPS." all the roles and responsibilities of the organization are detailed.

4.3 Designation procedures

The Information Security Officer shall be appointed by Management on the proposal of the Security Committee. The appointment will be reviewed every 2 years or when the position becomes vacant. The Department responsible for a service that is provided electronically in accordance with Law 11/2007 shall designate the System Manager, specifying his/her functions and responsibilities within the framework established by this Policy.

4.4 Information security policy

The Information Security Committee is in charge of building and maintaining the Information Security Policy, although the Management of NEOSISTEC Y NAVILENS PROJECTS CORP. is responsible for the approval and publication of this Policy, as well as for distributing it to all employees and affected third parties.

Any change or evolution that affects or could affect the content of the Information Security Policy will be registered in a new signature of the approval document. In this way, the commitment of these entities to information security is confirmed.

Periodically, and in any case not exceeding a period of one year, the validity and reasonableness of this policy will be reviewed and the required improvements, adaptations or modifications will be carried out according to the applicable organizational, technical or regulatory changes.

4.5. Security Policy Distribution

The distribution of the security policy will be distributed in the following ways depending on the target stakeholder group depending on the group of interest to which it is directed:

Personnel and managers of the company Nuevos Sistemas Tecnológicos S.L. The distribution of the security policy will be made by e-mail. To assure that it is received an acknowledgement of receipt of the corresponding document will be signed.

Clients, partners, suppliers and other groups of interest: the security policy will be included as a section of the web page of the company (www.navilens.com), where they will be able to consult it at any moment.

5. Sanctions

Any premeditated or negligent violation of the security policies and rules and that supposes a potential damage, consummated or not to NEOSISTEC AND NAVILENS PROJECTS CORP. will be sanctioned according to the mechanisms enabled in the Company's agreement and in the legal, contractual and corporate regulations in force.

All actions in which the security of NEOSISTEC Y NAVILENS PROJECTS CORP. is compromised and that are not foreseen in this policy, must be reviewed by the Executive Management and by the responsible for Information Security to issue a resolution subject to the criteria of the company and the legislation in force.

Disciplinary actions in response to non-compliance with the Information Security Policy are the responsibility of the Executive Management of NEOSISTEC AND NAVILENS PROJECTS CORP.

NAVILENS PROJECTS CORP. and the governing bodies according to the applicable legislation.

There is a complaints channel and an incident management protocol available to employees through which any member of the company can report a possible incident or breach to the safety committee or the person responsible for security.

This infraction and the corresponding sanction will be communicated to the offender by a member of management by e-mail with a request for confirmation of receipt.

6. Mission (Security Policy)

In response to a new technological environment where the convergence between computing and communications are facilitating a new paradigm of productivity for companies, NEOSISTEC Y NAVILENS PROJECTS CORP. is highly committed to maintaining the Promotion of research projects, technological development and innovation, in a quality environment, where the development of good practices in Information Security is essential to achieve the objectives of confidentiality, integrity, availability and legality of all information managed. As a consequence of the above, NEOSISTEC AND NAVILENS PROJECTS CORP., defines the following application principles to be taken into account within the framework of the Information Security Management System (ISMS):

The Management of NEOSISTEC AND NAVILENS PROJECTS CORP. understands its duty to ensure information security as an essential element for the proper performance of the organization's services, and, therefore, supports the following objectives and principles:

1. To implement the value of Information Security throughout the Organization.
2. To contribute, each and every person of NEOSISTEC and NAVILENS PROJECTS CORP. to the protection of Information Security.
3. To preserve the confidentiality, integrity, availability and resilience of the information, in order to ensure compliance with legal requirements, regulations, and our customers, regarding information security, and specifically with regard to personal data:
   1. The data will be processed in a lawful, fair and transparent manner in relation to the data subject (Lawfulness, fairness and transparency).
   2. The data will be collected for specified, explicit and legitimate purposes and will not be further processed in a way incompatible with those purposes (Purpose limitation).
   3. The data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Data minimization).
   4. Data shall be accurate and, where necessary, kept up to date; all reasonable steps shall be taken to ensure that personal data which are inaccurate in relation to the purposes for which they are processed are promptly deleted or rectified (Accuracy).
   5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be kept for longer periods provided that they are processed exclusively for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Limitation of the retention period).
   6. Processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the implementation of appropriate technical or organizational measures (Integrity and confidentiality).
4. To protect the information assets of NEOSISTEC AND NAVILENS PROJECTS CORP. from threats, whether internal or external, deliberate or accidental, in order to ensure the continuity of the service offered to our customers and the security of the information.
5. Establish an Information Security Plan that integrates the activities of prevention and minimization of the risk of security incidents based on the risk management criteria established by NEOSISTEC AND NAVILENS PROJECTS CORP.
6. To provide the necessary means to be able to carry out the pertinent actions in order to manage the identified risks.
7. Assume responsibility for awareness and training in information security as a means to ensure compliance with this policy.
8. Extend our commitment to information security to our employees and suppliers.
9. Continually improve security by establishing and regularly monitoring information security objectives.

This Policy shall be maintained, updated and adequate for the Organization's purposes, aligned with the Organization's risk management context. To this effect, it will be reviewed at planned intervals or whenever significant changes occur, in order to ensure that its suitability, adequacy and effectiveness are maintained.

Similarly, a formally defined risk assessment procedure is established to manage the risks faced by NEOSISTEC AND NAVILENS PROJECTS CORP. In turn, all policies and procedures included in the ISMS will be reviewed, approved and promoted by the Executive Management of NEOSISTEC Y NAVILENS PROJECTS CORP.

7. Risk Management

All systems subject to this Policy shall perform a risk analysis, assessing the threats and risks to which they are exposed. This analysis shall be repeated

• regularly, at least once a year
• when the information handled changes
• when the services provided change
• when a serious security incident occurs
• when serious vulnerabilities are reported

In order to harmonize risk analyses, the ICT Security Committee will establish a reference assessment for the different types of information handled and the different services provided. The ITC Security Committee will boost the availability of resources to meet the security needs of the different systems, promoting investments of a horizontal nature.

8. Development of the Information Security Policy

This Policy will be developed by means of security regulations that address specific aspects, as well as other complementary policies. The security regulations shall be available to all members of the organization who need to know them, in particular to those who use, operate or administer the information and communications systems.

9.staff obligations

All members of NEOSISTEC AND NAVILENS PROJECT CORPS. And NAVILENS PROJECTS CORP. have the obligation to know and comply with this Information Security Policy and the Security Regulations, being the responsibility of the ICT Security Committee to arrange the necessary means for the information to reach those affected. All members of NEOSISTEC AND NAVILENS PROJECT CORPS. And NAVILENS PROJECTS CORP. will attend an ICT security awareness session at least once a year. An ongoing awareness program will be established to cater to all members of the organization, particularly new hires. Persons with responsibility for the use, operation or administration of ICT systems shall be trained in the safe operation of the systems to the extent that they need it to perform their work. Training will be mandatory before taking on a responsibility, whether it is their first assignment or a change of job or job responsibilities.

Information Security is a joint effort, so it requires the involvement and participation of all members of the organization who work with the organization's Information Systems. Therefore, each employee must comply with the requirements of the Security Policy and its associated documentation.

Employees who deliberately or negligently violate the Safety Policy will be subject to disciplinary action as contemplated herein.

10. Third parties

The present Security Policy is of extensible knowledge and fulfillment for any external person belonging to third entities that carry out any type of treatment on the information property of NEOSISTEC Y NAVILENS PROJECTS CORP.

When NEOSISTEC AND NAVILENS PROJECTS CORPS. AND NAVILENS PROJECTS CORP. provide services to other organizations or handle information from other organizations, they will be made participants of this Information Security Policy, channels will be established for reporting and coordination of the respective ICT Security Committees and procedures will be established for the reaction to security incidents. When NEOSISTEC AND NAVILENS PROJECT CORPS. AND NAVILENS PROJECTS CORP. use services of third parties or transfer information to third parties, they will be made participants of this Security Policy and of the Security Regulations related to such services or information. Such third party shall be subject to the obligations set forth in such regulations, and may develop its own operating procedures to comply with them. Specific incident reporting and resolution procedures shall be established. It shall be ensured that third party personnel are adequately security-aware to at least the same level as that set out in this Policy. Where any aspect of the Policy cannot be satisfied by a third party as required in the preceding paragraphs, a report from the Security Officer shall be required which specifies the risks incurred and how they will be addressed. Approval of this report by those responsible for the information and services concerned will be required before proceeding further.

11. Approval and Validity

This document has been approved by Management, effective as of the date 11th of May, 2023