Security Policy
The publisher of this WEBSITE is the company AITANA MANAGEMENT S.L.
1. Approval and Entry into Force
This text was approved on July 28, 2025, by the General Director of AITANA MANAGEMENT SL.
This Information Security Policy is effective from that date until it is replaced by a new Policy.
2. Introduction
AITANA MANAGEMENT SL relies on ICT (Information and Communication Technologies) systems to achieve its objectives. These systems must be managed with diligence, taking appropriate measures to protect them from accidental or deliberate damage that may affect the availability, integrity, authenticity, traceability, or confidentiality of the information processed or services provided.
The goal of information security is to ensure the quality of information and the continuous delivery of services, acting preventively, monitoring daily activities, and reacting swiftly to incidents.
ICT systems must be protected against rapidly evolving threats that have the potential to impact the availability, integrity, authenticity, traceability, confidentiality, intended use, and value of information and services. To defend against these threats, a strategy is required that adapts to changes in environmental conditions to ensure the continuous delivery of services. This means that departments must apply the minimum security measures required by the National Security Framework (Esquema Nacional de Seguridad), as well as continuously monitor service delivery levels, track and analyze reported vulnerabilities, and prepare an effective response to incidents to ensure the continuity of the services provided.
Different departments must ensure that ICT security is an integral part of every stage of the system lifecycle, from its design to its retirement, including development or acquisition decisions and operational activities. Security requirements and financing needs must be identified and included in planning, requests for proposals, and tender documents for ICT projects.
3. Scope
The General Scope of information systems related to business processes subject to ENS certification is as follows:
“Information systems that support the following services: ERP, CRM, BI, and Custom Solutions consulting and implementation,” in accordance with the applicable Statement of Applicability.
The reference objective category determined for the information systems described in this General Scope is: MEDIUM LEVEL.
4. Mission
At AITANA MANAGEMENT SL, our mission is to develop innovative technological solutions that transform the way businesses operate and grow. We strive to create products that not only solve current problems but also anticipate our clients’ future needs, providing them with tools that drive their success in an ever-evolving digital world.
5. Regulatory Framework
AITANA MANAGEMENT SL is subject, without limitation, to the following regulations and laws:
Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016, on the protection of natural persons regarding the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights.
Law 34/2002, of July 11, on Information Society Services and Electronic Commerce.
Royal Legislative Decree 1/1996 (Intellectual Property Law).
Organic Law 10/1995, of November 23, the Penal Code.
6. Personal Data
AITANA MANAGEMENT SL processes personal data. The data protection procedures, which are accessible only to authorized persons, identify the processing activities concerned and the corresponding responsible parties. All information systems of AITANA MANAGEMENT SL will comply with the security levels required by the regulations based on the nature and purpose of the personal data collected in these procedures.
7. Risk Management
All systems subject to this Policy must conduct a risk analysis, evaluating the threats and risks to which they are exposed. This analysis will be repeated:
Regularly, at least once a year.
When the information handled changes.
When the services provided change.
When a significant security incident occurs.
When serious vulnerabilities are reported.
To harmonize risk analysis, the ICT Security Committee will establish a reference evaluation for different types of information handled and services provided. The ICT Security Committee will promote the availability of resources to meet the security needs of different systems, encouraging horizontal investments.
8. Development of the Information Security Policy
This Information Security Policy complements AITANA MANAGEMENT SL’s security policies in various areas:
Internal IT security procedures.
Internal personal data protection procedures.
Internal operational procedures affecting information security.
This Policy will be developed through security regulations addressing specific aspects. The security regulations will be available to all members of the organization who need to know them, particularly for those who use, operate, or administer the information and communication systems.
9. Obligations of Personnel
All company members are obligated to know, understand, and comply with both the Information Security Policy and the applicable Security Regulations. Each employee is responsible for applying the established security measures in the performance of their duties, ensuring the protection of the organization’s information assets.
The ICT Security Committee will provide the necessary means and resources for the proper dissemination and understanding of these regulations, ensuring that all staff receive the appropriate training and updates. Moreover, a culture of security will be promoted through awareness sessions, periodic training, and the availability of accessible documentation for all employees.
10. Third Parties
When AITANA MANAGEMENT SL provides services to public entities or handles information from public entities, those entities will be made aware of this Information Security Policy, and channels will be established for reporting and coordinating with the respective ICT Security Committees. Procedures for responding to security incidents will also be established.
When AITANA MANAGEMENT SL outsources services to third parties or shares information with third parties in the context of providing services to public entities, those third parties will be made aware of this Security Policy and the applicable Security Regulations related to those services or information. Such third parties will be subject to the obligations established in these regulations and may develop their own operational procedures to meet them. Specific reporting and incident resolution procedures will be established. It will be ensured that third-party staff are adequately aware of security matters, at least to the same level as required by this Policy.
11. Continuous Improvement
Information security management is an ongoing process subject to constant updates. Changes in the organization, threats, technologies, and/or legislation are examples of situations that require continuous improvement of systems. Therefore, a permanent process will be implemented that will include, among other actions:
Review of the Information Security Policy.
Review of services and information and their categorization.
Annual risk analysis execution.
Conducting internal or, when appropriate, external audits.
Review of security measures.
Review and update of rules and procedures.
12. Conflict Resolution
In case of a conflict between the different information or service managers within the organizational structure of the Information Security Policy, the matter will be resolved by their hierarchical superior, with the Information Security Manager participating in the resolution and mediation. If no agreement is reached, the issue will be escalated for final resolution to the Information Security Committee.
Last revision: August 1, 2025