Security Policy

1. APPROVAL AND ENTRY INTO FORCE

Text approved on January 9, 2025, by the Board of Directors of Medity Platforms S.L.

This Information Security Policy (hereinafter, the Security Policy) will enter into force the day after the date indicated above and will remain in effect until it is replaced by a new policy.

2. PURPOSE

Medity Platforms S.L. considers information an essential asset for the proper performance of its functions. Much of the information contained in the information systems of public administrations, and the services they provide, constitutes a strategic national asset. The information and services provided are subject to threats and risks arising from malicious or illegal actions, errors or failures, and accidents or disasters.

In its effort to ensure that the services offered electronically to clients are provided with levels of security equivalent to those experienced when interacting in person at the company’s facilities, Medity Platforms S.L. develops and approves this Information Security Policy, applying the minimum security measures required by the National Security Scheme (ENS) regarding:

  • Organization and implementation of the security process.
  • Risk analysis and management.
  • Personnel management.
  • Professionalism.
  • Access authorization and control.
  • Protection of facilities.
  • Acquisition of security products and contracting of security services.
  • Least privilege.
  • System integrity and updates.
  • Protection of stored and in-transit information.
  • Prevention against other interconnected information systems.
  • Activity logging and malicious code detection.
  • Security incidents.
  • Business continuity.
  • Continuous improvement of the security process.

The different areas and services must ensure that information security is a vital part of the services provided by Medity Platforms S.L., and must safeguard said information throughout its entire lifecycle (collection, transport, processing, storage, and destruction). Areas and services must be prepared to prevent, detect, react to and recover from incidents, thus ensuring the continuity of service provision with adequate quality and security.

This Security Policy ensures a clear commitment from the highest authorities of the entity to the dissemination, consolidation and compliance with this Policy.

3. SCOPE

This Security Policy applies to all areas, services, and internal and external employees of Medity Platforms S.L., regardless of their hierarchical classification. It also applies to all information systems and communication infrastructures used to perform the functions of Medity Platforms S.L.

With this information security policy, the organization demonstrates its commitment to establishing, implementing, maintaining, and continuously improving a security management system in accordance with the principles set forth in Article 5 of Royal Decree 311/2022. That is:

  • Understanding security as a comprehensive process.
  • Managing security based on risk.
  • Prevention, detection, response, and conservation.
  • Establishing lines of defense.
  • Continuously monitoring security.
  • Periodically re-evaluating the security status.
  • Clearly differentiating responsibilities.

4. MISSION AND OBJECTIVES

Medity Platforms S.L., in its commitment to fulfilling its assigned functions and responsibilities, provides its clients with the services and activities necessary to satisfy their needs and interests. Medity Platforms S.L. uses appropriate technologies and values its electronic relationship with clients, building the necessary trust on a comprehensive information security system that extends throughout the entire company.

This system aims to guarantee the quality of information and the continuous provision of services by acting proactively, monitoring daily activity, and responding promptly to incidents. To this end, the following general objectives are established in the area of information security:

  • Implement the necessary control measures to ensure compliance with applicable legal requirements arising from the activities carried out, particularly regarding the protection of personal data and the provision of services through electronic means.
  • Ensure access, integrity, confidentiality, availability, authenticity, and traceability of information, as well as the continuous provision of services, by acting proactively, monitoring daily operations, and responding swiftly to incidents.
  • Protect the organization’s information resources and the technology used to process them against internal or external, deliberate or accidental threats.
  • Provide customer confidence by protecting their information throughout its entire lifecycle.
  • Facilitate the continuous improvement of security processes, procedures, products, and services.
  • Ensure business continuity by establishing contingency plans for critical services and maintaining security at all times.
  • Raise awareness, train, and motivate staff on the importance of security in the workplace.


5. REGULATORY FRAMEWORK

The National Security Scheme (ENS), currently regulated by Royal Decree 311/2022 of May 3, establishes the security policy to be applied in the use of electronic means. The ENS comprises the basic principles and minimum requirements for adequate information protection. It is applied by Public Administrations to ensure the access, integrity, availability, authenticity, confidentiality, traceability, and preservation of the data, information, and services used in electronic means that they manage in the exercise of their powers.

The National Interoperability Framework (ENI), regulated by Royal Decree 4/2010 of January 8, establishes the set of criteria and recommendations that Public Administrations must consider when making technological decisions that guarantee interoperability. Complementary technical interoperability standards develop certain technical aspects.

Laws 39/2015 and 40/2015 regulate the Common Administrative Procedure and the Legal Framework of Public Administrations. These laws expressly refer to the National Security Scheme (ENS) as a secure information management system for public administrations and to the National Interoperability Framework (ENI) as a benchmark for interoperability between administrations.

Law 9/2017, of November 8, on Public Sector Contracts, transposes into Spanish law Directives 2014/23/EU and 2014/24/EU of the European Parliament and of the Council of February 26, 2014, and regulates public procurement procedures.

Likewise, Organic Law 3/2018, of December 5, on Data Protection and Guarantee of Digital Rights, aims to guarantee and protect, with regard to the processing of personal data, the fundamental rights and freedoms of individuals, and especially their honor and personal and family privacy, as well as guaranteeing citizens’ digital rights in accordance with the mandate established in Article 18.4 of the Constitution.

Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data establishes the obligation to implement technical and organizational measures to guarantee the confidentiality, availability, and integrity of information. It also stipulates that these measures must be proactive and that the data controller must be able to demonstrate that these measures are being followed and their application.

Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to ensure a high common level of security of network and information systems across the Union establishes obligations for all Member States to adopt a national network and information systems security strategy and to establish security and notification requirements for operators of essential services and for digital service providers.

Royal Decree 43/2021, of January 26, which develops Royal Decree-Law 12/2018, of September 7, on the security of networks and information systems, ensuring the alignment of Spanish law with the harmonised European framework in accordance with Directive 2016/1148 (NIS Directive).

This Royal Decree aims to specify some of the main obligations and procedures to be used in order to ensure optimal security risk management in networks and information systems in critical sectors, as well as to ensure adequate coordination among the various actors involved in these types of risk situations. To this end, a series of organizational and operational obligations have been established for operators subject to this regime, such as the definition of technical and organizational measures for the proper management of cybersecurity risks, the designation of a security officer, and the notification and management of security incidents.

Law 2/2019, of March 1, amends the consolidated text of the Intellectual Property Law, approved by Royal Legislative Decree 1/1996, of April 12.

Furthermore, the regulatory framework will be reviewed and updated in accordance with the regulatory compliance standard, as indicated in document ENS.REG.01 CM Dashboard. It will be reviewed periodically on an annual basis, as well as on an extraordinary basis when there is any change that requires the updating and revision of the same.

6. SECURITY ORGANIZATION

To proactively manage and coordinate information security, the INFORMATION SECURITY COMMITTEE is established as the management body.

This Committee will be composed of the following positions:

  • Information Manager
  • Service Manager
  • Security Officer
  • System Manager

However, given the structure and composition of Medity Platforms S.L., and the need to concentrate the roles stipulated in the National Security Scheme (ENS) into two people, the criteria expressed in the CCN-STIC 801 ICT Security Guide on Roles and Responsibilities, in its Annex B, will be adopted. This Annex outlines the distribution of responsibilities in entities with a minimal structure, distinguishing between:

  • Governance and Oversight
  • Operation

Furthermore, given the structure of Medity Platforms S.L., the option of delegating the functions of the Security Officer and the System Manager, including outsourcing them, may be considered, without prejudice to the ultimate responsibility, which will always remain with Medity Platforms S.L.

The designation of positions and functions will be formalized through NM.ENS-01 Security Committee Appointment, and will require the express acceptance of the appointees.


a. INFORMATION MANAGER

The Information Manager determines the requirements for the information processed.

The Information Manager has ultimate responsibility for the use made of certain information and, therefore, for its protection. This role advises on, and has the authority to technically determine, the security requirements for information and services. It also has the authority to determine the security levels of the information.

The Information Manager also reports on the status of security in the area of information and communication systems, and may convene meetings and send information and communications to the members of the Committee.


b. SERVICE MANAGER

The Service Manager determines the requirements for the services provided.

The Service Manager is the person or persons responsible for the operation of the different areas of the entity, establishing requirements, objectives, and means for carrying out these tasks. This role determines the security requirements for the services provided, including the responsibility for determining the security levels of the services, and for this purpose may seek advice from the Security Officer and the System Manager.

The Service Manager includes security specifications throughout the lifecycle of services and systems, accompanied by the corresponding control procedures. This role is also responsible for assessing the consequences of any negative impact on service security, taking into account the repercussions on Medity Platforms S.L.'s ability to achieve its objectives, protect its assets, fulfill its service obligations, comply with the law, and respect citizens' rights.

Furthermore, the Service Manager is responsible for monitoring compliance with security regulations within their area and for reporting to the Information Manager on compliance with the security regulations approved by the Security Committee.


c. SECURITY OFFICER

The Security Officer will determine the decisions necessary to meet information and service security requirements, oversee the implementation of the measures required to ensure these requirements are met, and report on these matters.

This individual is designated by the highest governing body to oversee the information security system and will be responsible for determining the relevant security decisions to meet the requirements established by those responsible for information and services.

The two essential functions of the Security Officer are:

  • Maintain the security of the information handled and the services provided by the information systems within their area of responsibility, in accordance with the organization's Information Security Policy.
  • Promote training and awareness in information security within their area of responsibility.

If the information system, due to its complexity, distribution, physical separation, or number of users, so requires, Medity Platforms S.L. may appoint Delegate Security Officers, to whom functions may be delegated, but never responsibilities. These Delegate Security Officers will report directly to the Security Officer.

The functions assigned to the Security Officer include the following:

  • Coordinate and monitor the measures defined in the Record of Processing Activities and, in general, ensure compliance with the security measures detailed in the data protection impact assessment report.
  • Report directly to the Information Security Committee.
  • Act as Secretary of the Information Security Committee, if so determined.
  • Gather the security requirements from the Information and Service Managers and categorize the System.
  • Conduct the Risk Analysis.
  • Prepare a Statement of Applicability based on the security measures required in accordance with Annex II of the National Security Scheme (ENS) and the results of the Risk Analysis.
  • Inform the Information Managers and Service Managers of the expected residual risk level after implementing the treatment options selected in the risk analysis and the security measures required by the ENS.
  • Coordinate the preparation of the System Security Documentation.
  • Participate, within the framework of the Information Security Committee, in the development of the Information Security Policy, for its approval by the Board of Directors.
  • Participate, within the framework of the Information Security Committee, in the development and approval of the Information Security regulations.
  • Develop the Information Security Operating Procedures.
  • Periodically provide the Security Committee with a summary of security actions, information security incidents, and the system's security status (particularly the level of residual risk to which the system is exposed).
  • Develop Security Improvement Plans, in conjunction with the System Manager, for approval by the Information Security Committee.
  • Analyze incidents and propose safeguards to prevent similar incidents from recurring.
  • Develop Information Security Training and Awareness Plans for staff, which must be approved by the Information Security Committee.
  • Develop System Continuity Plans, which must be approved by the Information Security Committee and periodically tested by the System Manager.
  • Approve the guidelines proposed by the System Manager for considering Information Security throughout the entire lifecycle of assets and processes: specification, architecture, development, operation, and changes.

d. SYSTEM MANAGER

The System Manager is responsible for developing the specific methods for implementing system security and for overseeing its daily operation. This role may delegate these tasks to administrators or operators under its supervision.

The System Manager is responsible for the operation of the information system, adhering to the security measures determined by the Security Officer. This responsibility may lie entirely within the organization (using in-house systems) or be divided between indirect responsibility (within the organization) and direct responsibility (with third parties, public or private) when information systems are outsourced. Its specific functions are as follows:

  • Develop, operate, and maintain the information system throughout its entire lifecycle, including its specification, installation, and verification of its proper functioning.
  • Define the topology and management of the information system, establishing usage criteria and available services.
  • Ensure that security measures are properly integrated into the overall security framework.
  • Suspend the handling of certain information or the provision of a certain service if informed of serious security deficiencies that could affect compliance with established requirements. This decision must be agreed upon with the Information Managers, the Service Managers, and the Security Officer before implementation.
  • Apply the security operating procedures developed and approved by the Security Officer.
  • Monitor the security status of the Information System and report it to the Security Officer periodically and in the event of relevant security incidents.
  • Conduct periodic exercises and tests of the System Continuity Plans to keep them updated and verify their effectiveness.
  • Develop guidelines for considering Information Security throughout the entire lifecycle of assets and processes (specification, architecture, development, operation, and changes) and submit them to the Security Officer for approval.

If the information system, due to its complexity, distribution, physical separation, or number of users, requires additional personnel to perform these functions, Medity Platforms S.L. may appoint Delegate System Managers, to whom functions may be delegated, but never responsibilities. These Delegate System Managers will report directly to the System Manager.

e. SECURITY ADMINISTRATOR

The main functions of the Security Administrator are the following:

  • The implementation, management, and maintenance of security measures applicable to the information system.
  • The management, configuration, and updating, as needed, of the hardware and software on which the information system’s security mechanisms and services are based.
  • The management of authorizations and privileges granted to system users, including monitoring that activity performed on the system complies with authorization.
  • The application of Security Operating Procedures (SOPs).
  • Ensuring that established security controls are properly observed.
  • Ensure that approved procedures for managing the information system are followed.
  • Monitor hardware and software installations, modifications, and upgrades to ensure that security is not compromised and that they always comply with relevant authorizations.
  • Monitor the system’s security status using security event management tools and technical audit mechanisms implemented in the system.
  • Report any security-related anomalies, compromises, or vulnerabilities to the Security Officer or the System Manager.
  • Collaborate in the investigation and resolution of security incidents, from detection to resolution.

The Security Administrator may report to either the System Manager or the Security Officer, but not to both simultaneously.

It is not mandatory to appoint a Security Administrator; if not required, their functions will be assumed by the Security Officer.

f. SECRETARY

The Secretary will be responsible for ensuring that the procedures approved by the Committee comply with the law, as well as advising the Committee on this matter. They will also keep minutes of the meetings.


g. DATA PROTECTION OFFICER

The Data Protection Officer oversees and advises on the protection of data subjects' rights with regard to personal data.

APPOINTMENT

The members of this Committee will be appointed by the Manager of Medity Platforms S.L., and the rest of the Medity Platforms S.L. employees will be informed subsequently, with transitional measures in place to ensure security compliance. Furthermore, future resolutions regarding the appointment of area managers, heads of affiliated entities, or changes in the distribution of functions between areas and entities must expressly include the appointment of a member to this information security committee.

6.1 FUNCTIONS OF THE SECURITY COMMITTEE

Its functions are as follows:

  • Assume the responsibilities arising from the processing of personal data.
  • Address the security concerns of Medity Platforms S.L. and its various departments.
  • Regularly report on the status of information security to senior management.
  • Promote the continuous improvement of the Information Security Management System.
  • Develop the evolution strategy of Medity Platforms S.L. with regard to information security.
  • Coordinate the efforts of the different departments in the area of information security to ensure that these efforts are consistent, aligned with the established strategy, and free of duplication.
  • Develop (and regularly review) the Information Security Policy, for approval by the Security Committee before its final approval by the Board of Directors.
  • Approve the information security regulations.
  • Periodically assess risks and establish appropriate security measures based on the results.
  • Develop and approve training and qualification requirements for administrators, operators, and users from an information security perspective.
  • Monitor the main residual risks assumed by Medity Platforms S.L. and recommend possible actions to address them.
  • Monitor the performance of the security incident management processes and recommend possible actions to address them. In particular, ensure the coordination of the different security areas in the management of information security incidents.
  • Promote periodic audits to verify the organization's compliance with its security obligations.
  • Prioritize security measures when resources are limited.
  • Approve the information security improvement plans of the organization. In particular, ensure the coordination of the different plans that may be implemented in different areas.
  • Ensure that information security is considered in all ICT projects from their initial specification to their implementation. In particular, promote the creation and use of horizontal services that reduce redundancy and support the consistent operation of all ICT systems.
  • Establish appropriate measures for the training, information, and awareness of all personnel regarding information security and the protection of personal data.
  • Resolve conflicts of responsibility that may arise between different managers and/or between different areas of the organization, escalating cases where it lacks sufficient authority to decide.
  • In the event of an information security incident, approve the corresponding Security Improvement Plan.

The Information Security Committee is not a technical committee, but it will regularly gather relevant information from its own or external technical staff to inform its decision-making. The Information Security Committee will seek advice on matters on which it must make decisions or issue opinions. This advice will be determined on a case-by-case basis and may take various forms:

  • Specialized internal, external, or mixed working groups.
  • External consulting.
  • Attendance at courses or other types of training or experience-sharing environments.

6.2 DOCUMENT MANAGEMENT AND STRUCTURE

Documented information regarding security controls must be communicated to all personnel working at the organization (employees and suppliers), who are obligated to apply it in the performance of their work activities, thereby committing to compliance with the requirements of the National Security Scheme (ENS).

Documented information will be classified as: public or publishable, internal, confidential, and secret, and its use will be appropriate according to this classification and the criteria established in the information classification regulations.

A procedure will define the labeling criteria for the documents that form part of the Information System.

Thus, the documentation that comprises this system is distributed as follows:

  • Information Security Policy (ISP). A set of guidelines, documented in writing, that govern how the organization manages and protects the information it processes and the services it provides.
  • Regulations. A regulatory framework that outlines permitted and prohibited conduct, and defines the scope, basic concepts, framework, responsibilities, and objectives of a given measure or set of measures.
  • Procedures. Protocols that define and detail the processes, mechanisms, or phases through which the different actions are carried out to achieve a specific result.
  • Records. Tools and tables that collect data and indicators to monitor compliance with a control or evaluate its effectiveness.

This same order determines the hierarchy and precedence of these documents.

The employee portal will make available to members of the organization the documents that may be of interest to them, and this will also be communicated during both the onboarding process and initial training.

Likewise, in the ENS.REG.01 CM Dashboard registry, all documents that are part of the catalog of the system covered by this policy will be compiled. The Security Officer may designate a person responsible for maintaining and updating the system documentation.

7. AWARENESS

Medity Platforms S.L. will establish the necessary mechanisms, taking into account the proposals of the Security Committee, to ensure that all personnel have the appropriate information, training, and awareness to manage information in accordance with this Security Policy and its derived internal regulations, both in terms of privacy and security.

The Committee will establish appropriate mechanisms for disseminating information and will record all training activities carried out in this regard.

8. RISK MANAGEMENT

Medity Platforms S.L. will periodically conduct a Risk Analysis, and whenever its information systems undergo a significant alteration, following the guidelines set forth in Article 6 of the National Security Scheme (ENS), in order to anticipate existing risks. This Risk Analysis and its conclusions must be reviewed by the Security Committee, which will then establish appropriate safeguards to ensure an acceptable level of risk.

To this end, the Committee will develop a Risk Analysis and Potential Impact Assessment procedure that clearly defines acceptable risk levels, criteria for accepting residual risk, the frequency of the analysis, and when it will be performed in exceptional circumstances.

The risk analysis conducted by Medity Platforms S.L. will also specifically address those risks arising from the processing of personal data in the performance of its duties.

9. PERSONAL DATA PROTECTION

Medity Platforms S.L. will only collect personal data when it is adequate, relevant, and not excessive, and when it is related to the scope and purposes for which it was obtained. Likewise, it will adopt the appropriate technical and organizational measures to comply with data protection legislation.

These measures, as indicated in the first additional provision of Organic Law 3/2018, of December 5, on Data Protection and Guarantee of Digital Rights, will correspond to those described in the National Security Scheme (ENS), and will be defined in the corresponding policies, regulations, and procedures.

10. APPROVAL AND REVIEW OF THIS SECURITY POLICY

This security policy must be a document that accurately reflects the commitment of Medity Platforms S.L. and related entities to information security. Therefore, this policy may be modified at the proposal of the Security Committee to adapt to changes in the legislative, technical, or organizational environment. Both the initial approval of this policy and its future revision will be carried out by the competent senior body of the entity following a proposal from the information security committee.