Security Policy



1. Statement of Principles

ARITIUM TECHNOLOGIES, S.L. is a company dedicated to integrating IoT (Internet of Things) and AI (Artificial Intelligence) to develop end-to-end solutions in an agile and user-friendly manner. To achieve this, we embrace core values essential to meeting our goals, such as the preservation of information and personal data—both our own and that of other stakeholders—and the professional and personal development of all team members.

Due to our activities, ARITIUM TECHNOLOGIES, S.L. recognizes that information is a highly valuable asset for our organization. Therefore, it requires adequate protection and management to ensure business continuity and minimize potential damage resulting from breaches of information integrity, availability, and confidentiality. Additionally, the existing legislation on personal data protection (GDPR and LOPDGDD) and our commitment to our clients make us particularly sensitive to the handling of personal data accessed during our operations.

To this end, ARITIUM TECHNOLOGIES, S.L. establishes a series of management activities aimed at preserving the principles of Confidentiality, Integrity, Availability, Authenticity, Traceability, and Regulatory Compliance of information. These principles are defined as follows:

  • Confidentiality: Ensures that access to information is restricted to authorized individuals only.
  • Integrity: Safeguards the accuracy and completeness of information assets.
  • Availability: Guarantees that authorized individuals can access and process information whenever necessary.
  • Authenticity: Ensures that an entity is what it claims to be or confirms the origin of the data.
  • Traceability: Ensures that the actions of an entity can be attributed exclusively to that entity.
  • Regulatory Compliance: Ensures that information is managed according to ethical, professional, and legal standards established by applicable regulations.

Systems must be protected against rapidly evolving threats that can impact information and services. Addressing these threats requires a strategy that adapts to changing environmental conditions to guarantee continuous service delivery.

This involves implementing the minimum security measures required by the National Security Framework, continuously monitoring service levels, analyzing reported vulnerabilities, and preparing effective incident responses to ensure service continuity.

All departments must ensure that security is an integral part of every stage of the system lifecycle, from conception to decommissioning, including development, acquisition decisions, and operational activities. Security requirements and funding needs must be identified and incorporated into planning, procurement requests, and project tenders for ICT initiatives.

Departments must be prepared to prevent, detect, respond to, and recover from incidents as required under Article 8 of the National Security Framework.

Within this context, privacy protection is embedded. Our systems process sensitive personal data, making privacy protection an essential pillar of our ISMS (Information Security Management System) and a social necessity that companies must respect and safeguard, as well as a subject of specific global legislation and regulation.

1.1. General Objectives

The Security Policy establishes the foundation for defining and outlining the objectives and responsibilities for the various technical, legal, and organizational actions required to ensure information security and privacy, while complying with the applicable legal framework, as well as global and specific company policies and defined procedures.

These actions, from a security and privacy perspective, are selected and implemented based on risk analysis and a balance between acceptable risk and the cost of measures.

The objective of the Security Policy is to set the necessary framework to protect information and data resources against threats, whether internal or external, intentional or accidental.

Information and data may exist in a variety of formats, supported by electronic media, paper, or other means. They sometimes include critical data regarding ARITIUM TECHNOLOGIES, S.L.'s operations, strategies, or activities, as well as those of its clients, and may involve sensitive data as defined by personal data protection regulations. The loss, corruption, or theft of information or the systems managing it can significantly impact our company.

ARITIUM TECHNOLOGIES, S.L. is convinced that effective management of Information Security and Privacy is a key enabler for the organization to fully understand and adequately address the risks to which its information is exposed. It also allows the company to respond and adapt efficiently to increasing regulatory, legal, and client requirements.

1.2. Senior Management Commitment

The purpose of the Information Security Management System is to ensure that information security and privacy risks are identified, addressed, managed, and minimized in a documented, systematic, structured, repeatable, practical manner, while adapting to changes in risks, the environment, and technology.

To this end, the management of ARITIUM TECHNOLOGIES, S.L. declares its commitment to:

  • Establish as a primary objective the integration and combination of IoT (Internet of Things) with AI (Artificial Intelligence) for the agile and simple development of end-to-end solutions, ensuring information protection, with special attention to the sensitivity of personal data handled, by implementing all necessary measures.
  • Apply the principle of continuous improvement to all organizational processes, with the additional goal of achieving the highest level of client satisfaction.
  • Ensure compliance with applicable legal and regulatory requirements (particularly those related to personal data protection), as well as those voluntarily assumed by the organization.
  • Encourage team participation, communication, information sharing, and training to ensure employees feel an integral part of the organization's work.
  • Promote responsibility among team members in line with quality requirements and agreements on privacy and information security, both internally and with clients, through adequate and regular training and awareness programs.
  • Ensure business continuity by developing continuity plans aligned with recognized methodologies.
  • Conduct and periodically review a risk analysis using recognized methods to determine the level of privacy and security for data in general, as well as ongoing projects and services, and to minimize risks by developing specific policies, technical solutions, and contractual agreements with specialized organizations.
  • Commit to informing stakeholders as necessary.
  • Select suppliers and subcontractors based on privacy and information security criteria.

Regarding personal data protection, ARITIUM TECHNOLOGIES, S.L. commits to complying with the principles outlined in the applicable legislation, which include:

  • Lawfulness, transparency, and fairness: Data must be processed lawfully, fairly, and transparently for the individual.
  • Purpose limitation: Data must be processed for one or more specific, explicit, and legitimate purposes, and cannot be processed for purposes incompatible with the initial intent.
  • Data minimization: Apply technical and organizational measures to ensure only the necessary data for specific purposes are processed, limiting the extent, retention time, and accessibility of the data.
  • Accuracy: Implement reasonable measures to ensure data is accurate, up-to-date, and corrected or removed without delay if found inaccurate for its intended purposes.
  • Security: Conduct a risk analysis to determine the technical and organizational measures needed to ensure the integrity, availability, and confidentiality of personal data.
  • Accountability: Maintain due diligence to protect the rights and freedoms of individuals whose data is processed, ensuring and demonstrating compliance with GDPR and applicable data protection laws.
  • Direct, support, and supervise the information security management system as defined in RD 311/2022 and subsequent amendments, aiming to achieve its objectives.

The management of ARITIUM TECHNOLOGIES, S.L. commits to supporting and promoting the principles of this policy and expects company personnel to comply with the provisions of the documented management system for the ENS (Esquema Nacional de Seguridad, the National Security Framework).

1.3. Development of the Security Policy

This Security Policy complements ARITIUM TECHNOLOGIES, S.L.'s security policies in various areas and will be further developed through security regulations addressing specific aspects. These regulations will be accessible to all members of the organization who need to be aware of them, particularly those who use, operate, or manage information and communication systems.

Information security documentation is classified into three levels; each document at a given level is based on, and supports, the documents of the levels above it:

  • Level 1: Security policy.
  • Level 2: Security norms and procedures.
  • Level 3: Reports, records, and electronic evidence.

2. Policy

2.1. Prevention

Departments must avoid, or at least prevent as much as possible, information or services from being compromised by security incidents. To this end, departments must implement the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment. These controls, along with the security roles and responsibilities of all personnel, must be clearly defined and documented.

To ensure compliance with the policy, departments must:

  • Authorize systems before they go into operation.
  • Regularly assess security, including evaluations of configuration changes made routinely.
  • Request periodic third-party reviews to obtain an independent assessment.

2.2. Detection

Since services can quickly degrade due to incidents, ranging from a simple slowdown to a complete stoppage, services must monitor operations continuously to detect anomalies in service delivery levels and act accordingly as established in Article 9 of the ENS.

Monitoring is especially relevant when lines of defense are established according to Article 8 of the ENS. Mechanisms for detection, analysis, and reporting will be established to inform those responsible on a regular basis and whenever there is a significant deviation from the parameters previously set as normal.

2.3. Response

Departments must:

  • Establish mechanisms to effectively respond to security incidents.
  • Designate a contact point for communications regarding incidents detected in other departments or organizations.
  • Establish protocols for the exchange of information related to the incident. This includes communications, in both directions, with Computer Emergency Response Teams (CERTs).

2.4. Recovery

To ensure the availability of critical services, departments must develop continuity plans for systems as part of their overall business continuity and recovery activities.

2.5. Organization of Security

ARITIUM TECHNOLOGIES, S.L. is committed to providing its services in a managed manner and in compliance with the requirements established in its Integrated Management System to ensure uninterrupted service in accordance with the availability, security, and quality requirements towards clients.

Given our activity, at ARITIUM TECHNOLOGIES, S.L., we understand that information is a highly valuable asset for our organization and especially for our clients, and therefore requires appropriate protection and management to ensure business continuity and minimize potential damage caused by information security failures.

To achieve this, the organization will:

  • Adequately protect the confidentiality, availability, integrity, authenticity, and traceability of its information assets by introducing a series of controls to manage relevant security risks.
  • Prioritize the protection and safeguarding of its clients and their data as a business priority.
  • Establish, implement, monitor, maintain, and continually improve its information security management as part of its broader business management approach and maintain Accredited Certification to appropriate standards.
  • Manage any information security breaches in a timely and responsible manner and invest in adequate detection, response, and remediation strategies.
  • Test its information security controls and responses to scenarios that may pose a threat to its operations at planned intervals.
  • Provide the organization with adequate resources to establish, maintain, and improve the security environment as appropriate to the evolving risk landscape.
  • Invest in staff competencies to carry out their tasks and provide personnel with relevant training and awareness appropriate to their role and the information they have access to.
  • Ensure that our suppliers and partner organizations do the same, establishing and enforcing security standards for those to whom we transmit any information.

2.5.1. Security Committee

The members of the Security Committee will be appointed in a founding document, where the appointed person and the position they must hold will be indicated.

The Secretary of the Security Committee will be the SECURITY OFFICER and will have the following functions:

  • Convene the Security Committee meetings.
  • Prepare the topics to be discussed at the Committee meetings, providing timely information for decision-making.
  • Draft the meeting minutes.
  • Be responsible for the direct or delegated execution of the Committee's decisions.

The Security Committee will report to the General Director.

The Security Committee will have the following functions:

  • Address the concerns of Senior Management and the various departments.
  • Regularly inform Senior Management of the status of information security.
  • Promote the continuous improvement of the information security management system.
  • Develop the organization's strategy concerning information security evolution.
  • Coordinate the efforts of the various areas regarding information security to ensure that efforts are consistent, aligned with the decided strategy, and avoid duplication.
  • Draft (and regularly review) the Security Policy for approval by the Management.
  • Approve the information security regulations.
  • Coordinate all of the organization's security functions.
  • Ensure compliance with applicable legal and sectoral regulations.
  • Ensure that security activities align with the organization's objectives.
  • Coordinate the Continuity Plans of the various areas to ensure seamless action in case they need to be activated.
  • Coordinate and approve, as appropriate, project proposals received from the various security areas, managing control and regular progress reporting on the projects and announcing possible deviations.
  • Receive security concerns from the organization's Management and relay them to the relevant departmental managers, gathering appropriate responses and solutions, which, once coordinated, must be communicated to the Management.
  • Gather regular reports from departmental security managers on the organization's security status and potential incidents. These reports will be consolidated and summarized for communication to the organization's Management.
  • Coordinate and respond to concerns conveyed through departmental security managers.
  • Define within the Corporate Security Policy the role assignments and criteria to achieve appropriate guarantees regarding the segregation of functions.
  • Draft and approve the training and qualification requirements for administrators, operators, and users from an information security perspective.
  • Monitor the main residual risks assumed by the organization and recommend possible actions regarding them.
  • Monitor the performance of security incident management processes and recommend possible actions regarding them. In particular, ensure the coordination of the various security areas in managing information security incidents.
  • Promote periodic audits to verify compliance with the organization's security obligations.
  • Approve improvement plans for the organization's information security. In particular, it will ensure coordination between different plans that may be undertaken in various areas.
  • Prioritize security actions when resources are limited.
  • Ensure that information security is considered in all projects from their initial specification to their operation. In particular, ensure the creation and use of horizontal services that reduce duplication and support a homogeneous operation of all ICT systems.
  • Resolve responsibility conflicts that may arise between different managers and/or areas of the organization.

2.5.2. Roles: Functions and Responsibilities

The functions of the organization’s responsible parties are detailed below:

Information Manager:

  • Ultimate responsibility for the use of certain information and, therefore, its protection.
  • Ultimately responsible for any error or negligence that leads to an incident affecting confidentiality, integrity (in terms of data protection), or availability (in terms of information security).
  • Establish the information security requirements.
  • Determine and approve information security levels.
  • Approve the categorization of the system concerning the information.
  • Those indicated in the documents within the scope of the ENS.

Service Manager:

  • Establish the service security requirements.
  • Determine the security levels for the services.
  • Approve the categorization of the system concerning the services.
  • Those indicated in the documents within the scope of the ENS.

Security Manager:

Their functions include:

  • Maintaining the security of the information handled and the services provided by the information systems within their responsibility, as outlined in the organization's Information Security Policy.
  • Promoting training and awareness on information security within their scope of responsibility.
  • Approving the statement of applicability.
  • Channeling and supervising compliance with security requirements for the service provided or solution delivered, and acting as the point of contact (POC) for communications related to information security and incident management within that service's scope.
  • Those indicated in the documents within the scope of the ENS.

The Security Manager will serve as the secretary of the Security Committee, with the functions indicated in section 2.5.1 of this policy.

In accordance with the principle of "segregation of functions and tasks" outlined in Article 10 of the ENS, the Security Manager will be a distinct role from the System Manager.

System Manager:

Their functions include:

  • Developing, operating, and maintaining the information system throughout its lifecycle, including its specifications, installation, and verification of correct operation.
  • Defining the topology and management of the information system, establishing usage criteria and available services.
  • Ensuring that security measures are adequately integrated into the overall security framework.
  • The authority to propose the suspension of certain information processing or the provision of a specific service if significant security deficiencies are detected that could compromise the established requirements.
  • Those indicated in the documents within the scope of the ENS.

Privacy Manager:

Their functions include:

  • Coordinating all aspects related to ensuring ARITIUM TECHNOLOGIES, S.L.'s compliance with personal data protection regulations.
  • Coordinating, together with the Security Manager, compliance with the ENS regarding personal data protection.

2.5.3. Appointment Procedures

The Security Manager will be appointed by the Security Committee. The appointment will be reviewed every two years or when the position becomes vacant.

Similarly, the other roles mentioned in the previous section will be appointed by the Security Committee through meeting minutes.

2.5.4. Review of the Security Policy

The Security Committee will be responsible for annually reviewing this Security Policy and proposing its revision or maintenance. The Policy will be approved by Senior Management and disseminated to ensure awareness among all affected parties.

2.6. Personal Data

ARITIUM TECHNOLOGIES, S.L., in the provision of its services, processes identifying and contact personal data.

Relevant documentation, accessible only to authorized personnel, records the processing activities concerned and the managers responsible for each of them. All information systems of ARITIUM TECHNOLOGIES, S.L. will adhere to the security levels required by regulations for the nature and purpose of the personal data.

2.7. Risk Management

All systems subject to this Policy must undergo a risk analysis, evaluating the threats and risks they face. This analysis will be repeated:

  • Regularly, at least once a year.
  • When the information handled changes.
  • When the services provided change.
  • When a serious security incident occurs.
  • When serious vulnerabilities are reported.

To harmonize risk analyses, the Security Committee will establish a reference evaluation for the different types of information handled and the various services provided. The Security Committee will promote the availability of resources to address the security needs of different systems, promoting horizontal investments.

2.8. Staff Obligations

All members of ARITIUM TECHNOLOGIES, S.L. are required to know and comply with this Security Policy and the Security Regulations. The Security Committee is responsible for providing the means to ensure the information reaches the affected parties.

All members of ARITIUM TECHNOLOGIES, S.L. will attend an information security awareness session at least once a year. A continuous awareness program will be established to address all members, particularly new hires.

Individuals responsible for the use, operation, or administration of systems will receive training for the secure handling of systems as needed for their job functions. Training will be mandatory before assuming responsibility, whether it is their first assignment or a change in job position or responsibilities.

2.9. Third Parties

When ARITIUM TECHNOLOGIES, S.L. provides services to other public or private organizations or handles information from other public or private organizations, these parties will be made aware of this Security Policy. Channels will be established for reporting and coordination between the respective Security Committees, along with procedures for responding to security incidents.

When ARITIUM TECHNOLOGIES, S.L. uses third-party services or transfers information to third parties, these entities will be made aware of this Security Policy and the applicable Security Regulations. These third parties will be subject to the obligations established in these regulations, while retaining the ability to develop their operational procedures to comply with them. Specific procedures for reporting and resolving incidents will be established. Third-party personnel must be adequately trained in security matters, at least to the same level required by this Policy.

If a third party cannot meet an aspect of the Policy as required in the preceding paragraphs, a report from the Security Manager detailing the risks incurred and how they will be addressed will be required. This report must be approved by the managers of the affected information and services before proceeding.

3. Applicable Legislation

Below is a detailed list of the laws considered applicable to the ISMS, along with the definition of the area responsible for assessing their impact on the organization.

Table of Laws and Responsibilities

Law / Regulation | Responsibility
Law 39/2015, October 1, on the Common Administrative Procedure of Public Administrations | Legal advisory
Law 40/2015, October 1, and Law 6/2020, of November 11, regulating specific aspects of trusted electronic services | Legal advisory
Royal Decree 311/2022, May 3, regulating the National Security Framework | Legal advisory
Organic Law 1/2015, March 30, amending Organic Law 10/1995, of November 23, on the Penal Code | Legal advisory
Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons regarding the processing of personal data and on the free movement of such data (GDPR) | Legal advisory
Organic Law 3/2018, December 5, on Personal Data Protection and the Guarantee of Digital Rights | Legal advisory
Law 34/2002 on Information Society Services (LSSI) | Legal advisory
Law 22/11, November 11, 1987, on Intellectual Property | Legal advisory
Law 17/2001, on Trademarks | Legal advisory
Regulation (EU) No 910/2014 of the European Parliament and of the Council, of July 23, 2014, on electronic identification and trust services for electronic transactions in the internal market, repealing Directive 1999/93/EC | Legal advisory
Law 6/2020, November 11, regulating specific aspects of trusted electronic services | Legal advisory