INFORMATION SECURITY POLICY

 

 

1. Approval and effective date

Text approved on October 10, 2025 by resolution of the Managing Director of LINGUASERVE INTERNACIONALIZACIÓN DE SERVICIOS S.A. (hereinafter “LINGUASERVE”).

This “Information Security Policy” (hereinafter “the Policy”) shall take effect as of its approval date and shall remain in force until replaced by a new Policy.

 

2. Introduction

LINGUASERVE relies heavily on ICT systems (Information and Communication Technologies) to achieve its objectives and is aware that digital transformation has led to an increase in the risks associated with the information systems that support public services and that, as a public sector provider, it must properly manage these risks.

The objective of this risk management is to protect Information and Communication Technology systems against accidental or deliberate damage that may affect the availability, integrity, confidentiality, authenticity or traceability of the information processed by LINGUASERVE in the context of services provided to the public sector and more specifically to residential facilities and social and healthcare centers.

ICT systems must be protected against rapidly evolving threats with the potential to impact the confidentiality, integrity, availability, intended use and value of information and services. To defend against these threats, a strategy is required that adapts to changes in environmental conditions in order to ensure the continuous delivery of services. This requires departments to apply the minimum security measures required by the National Security Framework (ENS) and ISO/IEC 27001, as well as to continuously monitor service performance levels, track and analyze reported vulnerabilities and prepare an effective incident response to ensure service continuity.

The different departments of LINGUASERVE must ensure that ICT security is an integral part of every stage of the system life cycle, from conception through development or acquisition decisions and operational activities to system decommissioning. Security requirements and funding needs must be identified and included in planning, in requests for proposals and in the contracting of ICT projects.

Departments must be prepared to prevent, detect, respond to and recover from incidents in accordance with Article 8 of the ENS and ISO/IEC 27001.

 

3. Scope

3.1 Subjective Scope

The parties bound by this Policy are all LINGUASERVE personnel and all persons or entities, both internal and external, that provide services to LINGUASERVE, whether on its premises or remotely.

3.2 Objective Scope

This Policy shall apply to LINGUASERVE information systems that support the IT infrastructure associated with translation services, language services and multilingual solutions, as well as software development.

The identification and maintenance of the regulatory framework shall be the responsibility of the LINGUASERVE Security Officer and shall be governed by the procedure relating to the identification and assessment of legal requirements. Mandatory technical security instructions published by resolution of the Secretariat of State for Digitalization and Artificial Intelligence of the Ministry of Economic Affairs and Digital Transformation, or by the entity that assumes those duties, shall be included.

Likewise, the LINGUASERVE Security Officer shall also be responsible for identifying CCN security guidelines that shall apply in order to improve compliance with the ENS and ISO/IEC 27001.

 

4. Minimum security requirements

The LINGUASERVE Security Policy governs the continuous management of the security process. This Policy has been established in accordance with the basic principles set out in Chapter II of the ENS, Section 5.2 of UNE-ISO/IEC 27001 and Article 21 of Directive (EU) 2022/2555 of the European Parliament and of the Council of December 14, 2022 on measures for a high common level of cybersecurity across the EU (NIS 2 Directive) and is developed taking into account the application of the following minimum security requirements:

  1. Organization and implementation of the security process (Art. 13 ENS, 5.2.b UNE-ISO/IEC 27001).
  2. Risk analysis and management (Art. 14 ENS, 5.2.b UNE-ISO/IEC 27001 and Art. 21(a) NIS 2 Directive).
  3. Personnel management (Art. 15 ENS) and basic cyber hygiene practices and cybersecurity training (Art. 21(g) NIS 2 Directive).
  4. Professionalism (Art. 16 ENS, Art. 21(j) NIS 2 Directive and 5.2.c UNE-ISO/IEC 27001).
  5. Authorization and access control (Art. 17 ENS and Art. 21(j) ENS).
  6. Protection of facilities (Art. 18).
  7. Acquisition of security products and contracting of security services (Art. 19 ENS, Art. 21(e) NIS 2 Directive and 5.2.b UNE-ISO/IEC 27001).
  8. Least privilege (Art. 20 and 5.2.c UNE-ISO/IEC 27001).
  9. System integrity and updating (Art. 21 and 5.2.c UNE-ISO/IEC 27001).
  10. Protection of stored and transmitted information (Art. 22 and 5.2.c UNE-ISO/IEC 27001).
  11. Prevention regarding other interconnected information systems (Art. 23 and 5.2.c UNE-ISO/IEC 27001).
  12. Activity logging and detection of malicious code (Art. 24 and 5.2.c UNE-ISO/IEC 27001).
  13. Security incidents (Art. 25 and 5.2.c UNE-ISO/IEC 27001).
  14. Business continuity (Art. 26, Art. 21(c) NIS 2 Directive and 5.2.c UNE-ISO/IEC 27001).
  15. Continuous improvement of the security process (Art. 27 and 5.2.c UNE-ISO/IEC 27001).

 

To comply with these minimum requirements, LINGUASERVE shall apply the security measures set out in Annex II of the ENS and Annex A of UNE-ISO/IEC 27001, taking into account:

  • The assets that make up LINGUASERVE’s information system.
  • The security category of the system, as provided for in Article 40 of the ENS.
  • The decisions adopted to manage identified risks.

 

5. Basic principles

The LINGUASERVE Information Security Policy establishes the following basic principles to be considered in the use of information systems:

  • Security as an integrated process: Security is a process encompassing all human, material, technical, legal and organizational elements related to information systems.
  • Comprehensive risk-based management: Risk analysis and management are an essential part of the security process and must constitute a continuous and permanently updated activity. Risk management will enable the maintenance of a controlled environment while minimizing acceptable risks.
  • Prevention, detection, response and preservation: Information system security must address actions related to prevention, detection and response.
  • Existence of lines of defense: The LINGUASERVE information system must have a protection strategy consisting of multiple layers of security.
  • Continuous monitoring and periodic reassessment: Continuous monitoring will enable the detection of anomalous activities or behaviors and an appropriate response. Ongoing assessment will make it possible to measure evolution. Security measures shall be periodically reassessed and updated, adapting their effectiveness to changes in risks and protection systems.

 

6. Information security objectives

LINGUASERVE establishes the following security objectives:

  • Ensure the protection of information.
  • Physical security: LINGUASERVE locates information systems in secure areas protected by physical access controls appropriate to their level of criticality.
  • Access control: LINGUASERVE restricts access to information assets by users, processes and other information systems through the implementation of identification, authentication and authorization mechanisms adapted to the criticality of each asset.
  • Acquisition, development and maintenance of information systems: LINGUASERVE addresses security aspects in all phases of the information systems life cycle.
  • Ensure continuous service delivery: LINGUASERVE implements appropriate procedures to ensure the availability of information systems and maintain the continuity of business processes.
  • Data protection: LINGUASERVE adopts the technical and organizational measures necessary to manage risks arising from the processing of personal data.
  • Compliance: LINGUASERVE adopts the technical and organizational measures necessary to comply with applicable information security legislation.

 

7. Mission

LINGUASERVE’s mission is to help create a world of accessible and efficient multicultural knowledge and relationships, as well as to eliminate digital language barriers and business obstacles through innovation, professional translation, digital marketing and AI. We aspire to become an indispensable partner for our clients and to accompany them in their pursuit of excellence and business success.

Our values have always been our springboard for growth and success. We believe in professionalism and excellence, transparency, honesty and responsibility, the power of teamwork and results-driven orientation.

 

8. Compliance with articles

To achieve compliance with the articles of Royal Decree 311/2022 of May 3, which regulates the National Security Framework (ENS), and with UNE-ISO/IEC 27001, LINGUASERVE has implemented various security measures proportionate to the nature of the information and services to be protected, taking into account the category of the affected systems.

Compliance with the provisions of the ENS and UNE-ISO/IEC 27001 is detailed in the document “Statement of Applicability”.

 

9. Policy development

The LINGUASERVE Information Security Committee has approved the development of a management system that shall be established, implemented, maintained and improved in accordance with security standards. This system shall be aligned with and shall serve to manage the controls of the National Security Framework and ISO/IEC 27001. The system shall be documented and shall enable the generation of evidence of the controls and of compliance with the objectives set by the Committee. There shall be a document management procedure that establishes guidelines for structuring the system’s security documentation, as well as its management and access.

The Information Security Committee shall be responsible for the annual review of this Policy and, where necessary, for proposing improvements for approval by the Managing Director of LINGUASERVE.

This Security Policy is mandatory and is structured at the documentary level into the following hierarchical levels:

  • First level: Information Security Policy.
  • Second level: Security standards.
  • Third level: Security procedures.

 

The Chief Information Security Officer (CISO) shall review this regulation at least annually, proposing improvements where necessary.

LINGUASERVE personnel and third-party companies shall be aware not only of this Security Policy but also of all standards, procedures, technical instructions or other documentation that may affect the performance of their duties.

9.1 First regulatory level: ICT Security Policy

The ICT Security Policy constitutes the highest-level normative instrument within LINGUASERVE’s security regulatory framework. It must be approved by the Managing Director of LINGUASERVE.

9.2 Second regulatory level: Information Security Standards

The ICT Security Standards are mid-level instruments that cover a specific area of security. The body responsible for their approval is the LINGUASERVE Security Committee.

9.3 Third regulatory level: ICT Security Procedures

ICT Security Procedures are lower-level instruments, drafted with a higher level of detail and applicable to a specific scope. The party responsible for their approval is the Security Officer.

 

10. Security organization

10.1 Security roles or profiles

To ensure compliance with and adaptation of the required measures, security roles or profiles have been established and the positions or bodies to occupy them have been designated as follows:

  • Information Owner: Iván Camuñas
  • Service Owner: Iván Camuñas
  • Security Officer: Giuseppe Deriard
  • System Owner: Jorge Honrubia García

10.2 Information Security Committee

LINGUASERVE has established an Information Security Committee as a collegiate body, composed of the following members:

  • Managing Director: Managing Director of LINGUASERVE.
  • Members:
    • Service Owner.
    • System Owner.
    • Security Officer.

Optionally, other members of LINGUASERVE may join the Committee’s activities, including specialized working groups, whether internal, external or mixed.

The Information Security Committee shall meet on a semiannual basis, at LINGUASERVE premises or remotely, convened with prior notice by the Managing Director of the Committee. In any case, the Committee may hold extraordinary meetings when circumstances so require.

10.3 Responsibilities associated with the National Security Scheme and ISO 27001

The duties and responsibilities of each ENS and ISO/IEC 27001 security role are detailed below:

Duties of the Information and Service Owner

  • Establish and approve the security requirements applicable to the service and information within the framework set out in Annex II of the ENS and ISO 27001, following a proposal from the Security Officer and/or the Information Security Committee.
  • Accept residual risk levels affecting the Service and the Information.

 

Duties of the Security Officer (CISO / RSF)

  • Maintain and verify an adequate level of security for the information handled and the electronic services provided by the information systems.
  • Manage, supervise and maintain the physical security of LINGUASERVE facilities.
  • Promote training and awareness in security matters.
  • Designate those responsible for carrying out risk analysis, the statement of applicability, identification of security measures, determination of required configurations and preparation of system documentation.
  • Provide advice for determining the system category, in collaboration with the System Owner and/or the Information Security Committee.
  • Participate in the preparation and implementation of security improvement plans and, where applicable, business continuity plans, validating them accordingly.
  • Manage external or internal system reviews.
  • Manage certification processes.
  • Submit system changes and other system requirements to the Security Committee for approval.

 

Duties of the System Owner

  • Halt or suspend access to information or service provision if aware of serious security deficiencies.
  • Implement and manage LINGUASERVE Information Systems throughout their entire life cycle, including the implementation of cybersecurity controls, as well as their operation and verification of proper functioning.
  • Define the topology and management of the Information System, establishing usage criteria and available services.
  • Ensure that specific security measures are properly integrated into the overall security framework.
  • Collaborate with the Security Officer in the investigation and resolution of cyber incidents affecting LINGUASERVE Information Systems and apply knowledge gained from incident analysis to reduce the likelihood or impact of future incidents.
  • Carry out the duties of system security administrator:
    • Manage, configure and, where applicable, update the hardware and software on which security mechanisms and services are based.
    • Manage user authorizations granted within the system, particularly assigned privileges, including monitoring system activity and its alignment with authorized use.
    • Approve changes to the current configuration of the Information System.
    • Ensure strict compliance with established security controls.
    • Ensure that approved procedures for operating the Information System are applied.
    • Supervise hardware and software installations, modifications and improvements to ensure security is not compromised and that all actions comply with applicable authorizations.
    • Monitor the security status provided by security event management tools and technical audit mechanisms.
    • When system complexity so warrants, the System Owner may appoint delegated system owners deemed necessary, who shall report functionally to the System Owner and be responsible within their scope for delegated actions. Likewise, the System Owner may delegate specific duties associated with the assigned responsibilities to other parties.

 

Duties of the Information Security Committee

The Security Committee shall perform the following duties:

  • Address requests related to Information Security from public authorities and from different security roles and/or areas, regularly reporting on the status of Information Security.
  • Provide advice on Information Security matters.
  • Resolve conflicts of responsibility that may arise between different administrative units.
  • Promote continuous improvement of the Information Security management system. To this end, it shall:
  • Coordinate the efforts of different areas in Information Security to ensure consistency, alignment with the established strategy and avoidance of duplication.
  • Propose Information Security improvement plans with corresponding budget allocations, prioritizing security actions when resources are limited.
  • Ensure that Information Security is considered in all projects from initial specification through operational deployment. In particular, ensure the creation and use of horizontal services that reduce duplication and support homogeneous operation across all ICT systems.
  • Monitor key residual risks assumed by the organization and recommend possible actions.
  • Monitor the management of security incidents and recommend possible actions.
  • Prepare and periodically review the Information Security Policy for approval by the competent body.
  • Develop Information Security regulations for approval in coordination with the Managing Director.
  • Verify information security procedures and related documentation for approval.
  • Develop training programs aimed at educating and raising awareness among staff regarding Information Security, particularly personal data protection.
  • Develop and approve training and qualification requirements for administrators, operators and users from an Information Security perspective.
  • Promote periodic ENS, ISO/IEC 27001 and data protection audits to verify compliance with Information Security obligations.

10.4 Designation procedures

The establishment of the Information Security Committee, the appointment of its members and the designation of the Responsible Officers identified in this Policy have been carried out by the Managing Director of LINGUASERVE and communicated to the relevant stakeholders.

Committee members and security roles shall be reviewed every three years or upon vacancy.

10.5 ARCI Matrix: responsibility assignment matrix

| Task | DG | RI | RS | CISO/RSF | CIO |
|---|---|---|---|---|---|
| Security Policy | A | C | C | R | C |
| Determination of System Category | C | C | | A/R | C |
| Risk Analysis | | I | R | A/R | R |
| Statement of applicability | | I | R | A/R | R |
| I.S. standards and procedures | | I | | A/R | R |
| Security incident response | I | I | C | A/R | R |
| Information systems and services lifecycle security | | | | C | A/R |

A: Accountable (makes the decision, authorizes and approves).

R: Responsible (is responsible for the performance of the work).

C: Consulted (consulted before the decision is made).

I: Informed (informed of decisions made).

 

11. Conflict resolution

The LINGUASERVE Information Security Committee shall be responsible for resolving conflicts and/or differences of opinion that may arise between security roles.

 

12. Personal data

LINGUASERVE shall process personal data only when such data are adequate, relevant and not excessive and are related to the scope and purposes for which they were obtained. Likewise, it shall adopt the necessary technical and organizational measures to comply with applicable data protection regulations in each case, in accordance with the Personal Data Protection Policy approved by the Presidency of LINGUASERVE.

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), and its transposition into Spanish law through Organic Law 3/2018 of December 5 on the Protection of Personal Data and the guarantee of digital rights, appropriate measures have been progressively adopted, such as the legal basis assessment for each personal data processing activity carried out, risk analysis, impact assessments where the risk is high, the record of processing activities and the appointment of the person who will perform the functions of the Data Protection Officer.

 

13. Third parties

When providing services to other organizations or handling information belonging to other organizations, such parties shall be made aware of this Information Security Policy. LINGUASERVE shall define and approve the channels for information coordination and the procedures for responding to security incidents, as well as any other security-related actions carried out by LINGUASERVE in relation to other organizations.

When LINGUASERVE uses third-party services or discloses information to third parties, such parties shall be made aware of this Security Policy and of the applicable Security Regulations relating to such services or information.

Such third parties shall be subject to the obligations established in said regulations and may develop their own operational procedures in order to comply with them. Specific procedures for communication and incident resolution shall be established. It shall be ensured that third-party personnel are adequately trained and aware of security matters, at least to the same level as established in this Security Policy.

Likewise, taking into account the obligation to comply with the Technical Security Instructions set out in the second additional provision of Royal Decree 311/2022, and in consideration of the Resolution of October 13, 2016 of the Secretariat of State for Public Administrations approving the Technical Security Instruction in accordance with the National Security Framework, which establishes that private sector operators providing services or solutions to public entities subject to compliance with the National Security Framework must be in a position to present the corresponding Declaration of Conformity with the National Security Framework for BASIC category systems, or the Certification of Conformity with the National Security Framework for MEDIUM or HIGH category systems.

When any aspect of this Security Policy cannot be met by a third party as required in the preceding paragraphs, a report shall be required from the Security Officer specifying the risks incurred and the manner in which they are to be treated. Approval of this report by the Information and Service Owners concerned shall be required before proceeding.

 

14. Continuous improvement

Information security management is a process subject to continuous updating. Accordingly, LINGUASERVE shall implement a continuous improvement process that shall include, among other actions:

  • Review of the Information Security Policy.
  • Review of services and information and their categorization.
  • Annual execution of risk analysis.
  • Performance of internal and external audits.
  • Review of security measures.
  • Review and updating of standards and procedures.

 

For LINGUASERVE, proper information security management constitutes an ongoing and collective challenge that is essential for the continuity of the organization.