Information Security Policy

The purpose of this Information Security Policy is to establish our organization’s commitment to protecting information assets by ensuring their confidentiality, integrity, and availability. This policy applies to all employees, collaborators, suppliers, and partners who interact with our systems, processes, and data, and is aligned with the requirements of the TISAX framework as well as other applicable regulations such as the General Data Protection Regulation (GDPR).

Information security is a fundamental pillar for maintaining the trust of our customers and partners. Therefore, we adopt a risk-based approach, periodically assessing threats that may affect our systems and applying appropriate technical and organizational controls. Information is classified according to its sensitivity and is protected through access controls, encryption, secure authentication mechanisms, and continuous monitoring.

Access to information is restricted according to the principle of least privilege, and permissions are reviewed regularly to ensure that each user has only the access required to perform their duties. Mobile and storage devices used within the corporate environment must comply with security requirements such as encryption, password protection, and registration within authorized systems.

Our organization has established procedures for managing security incidents, including immediate notification, impact analysis, corrective actions, and communication with relevant stakeholders when necessary. We also maintain a Business Continuity Plan that considers contingency scenarios such as technological failures, natural disasters, or cyberattacks, and is regularly tested to ensure its effectiveness.

Training and awareness in information security are integral to our organizational culture. All employees receive regular training on best practices, data protection, and regulatory compliance. Internal audits are conducted to verify proper application of this policy and identify opportunities for improvement.

This policy is reviewed at least once a year, or when there are significant changes in the legal, technological, or business environment. Its content is available to all interested parties, reflecting our commitment to transparency, accountability, and continuous improvement in information security.

In Barcelona, on October 3, 2025