ISMS Policy
DECLARATION OF PRINCIPLES
ENTHEC SOLUTIONS SL (hereinafter ENTHEC) is a company professionally dedicated to the design and development of cybersecurity solutions to control the risk of the information that companies expose to the network, which is a problem both at the level of cybersecurity (attacks against their systems and infrastructures) and reputation (attacks against their customers and employees). To this end, it assumes values that it considers essential for achieving its objectives, such as the preservation of information and personal data, both its own and that of other interested parties, and the professional and personal development of all the members of its work team.
Due to our activity at ENTHEC, we are aware that information is an asset with a high value for our organization and, therefore, requires adequate protection and management to give continuity to our line of business and minimize possible damage caused by failures in integrity, availability, confidentiality, traceability, and authenticity of the information. Likewise, current legislation on the protection of personal data (GDPR and LOPDGDD) and ENTHEC’s commitment to our customers make us particularly sensitive to the processing of personal data to which we have access in the exercise of our activity.
To this end, ENTHEC establishes a set of management activities that aim to preserve the principles of Confidentiality, Integrity, Availability, Authenticity, Traceability and Regulatory Compliance of information. In turn, these principles are defined as follows:
- Confidentiality: is the quality that guarantees that access to information can only be exercised by authorized persons.
- Integrity: is the quality of safeguarding the accuracy and completeness of information assets.
- Availability: is the quality that ensures that authorized persons can access and process information whenever necessary.
- Authenticity: is the characteristic of an entity being who it claims to be or guaranteeing the source from which the data comes.
- Traceability: is the quality or characteristic consisting of the fact that the actions of an entity can be attributed exclusively to that entity.
- Regulatory Compliance: is the property that ensures that information is managed according to the ethical, professional, and legal principles established by the applicable regulations in each context.
Systems must be protected against rapidly evolving threats with the potential to impact information and services. To defend against these threats, a strategy that adapts to changes in environmental conditions is required to ensure the continuous delivery of services.
1.1. Senior Management Commitment
The Information Security Management System aims to ensure that information security and privacy risks are known, assumed, managed, and minimized in a way that is documented, systematic, structured, repeatable, assumable, and adapted to changes in risks, the environment, and technologies.
To this end, the management declares the commitment of ENTHEC to:
- Establish as a primary objective the services of the Kartos Platform, a platform for the delivery of information and qualification of cyber risks of domains and cyber intelligence center based on outside-in monitoring strategies, artificial intelligence, and machine learning to detect vulnerabilities, leaks, and cybercrimes, as well as the Qondar platform, with the same capabilities focused on information on people, with absolute respect for quality standards, preserving the information, with special attention to the sensitivity of the personal data processed, with all the necessary measures at its disposal.
- Apply the principle of continuous improvement to all organizational processes to achieve the highest degree of customer satisfaction.
- Ensure compliance with the applicable legal and regulatory requirements (in particular those relating to personal data protection) and those that the organization has voluntarily assumed in developing Corporate Social Responsibility and the Code of Conduct.
- Promote the professional team’s participation, communication, information, and training to make them feel part of the work of the organization as a whole.
- Promote the team members’ commitment to responsibility in accordance with the security requirements and those related to privacy and information security agreed upon internally and with customers, through appropriate and regular training and awareness actions.
- Ensure business continuity by developing continuity plans following recognized methodologies.
- Carry out and periodically review a risk analysis based on recognized methods that allow us to establish the level of both personal data privacy and information security, at a general level and for the projects and services underway, and to minimize risks through the development of specific policies, technical solutions and contractual agreements with specialized organizations.
- Commit to providing information to interested parties.
- Select suppliers and subcontractors based on privacy and information security criteria.
ENTHEC’s management supports and promotes the principles set out in this Policy, asking ENTHEC staff to assume and abide by the provisions of the documented management system for ENS and ISO 27001.
Date: 30/01/2025
ENTHEC’s Management