Our Services

Deoban offers services in the field of Innovative Commercial Solutions in Toll Collection Systems (TCS), Intelligent Transport System (ITS), Intelligent Surveillance and Electronic Services and Information Technology (IT) products.

The company has grown as a multidimensional firm in the field of information management systems and has added many other disciplines such as access control solution, technical assistance and consulting.


PRIVACY AND SECURITY POLICY

GENERAL:

For the purposes of the provisions of the European Data Protection Regulation EU 2016/679, of 27 April, of the Parliament and of the Council and other national legislation in force, Deoban informs you that it fully complies with current legislation on the protection of personal data and with the confidentiality obligations of its activity. Deoban informs you of the existence of an information processing system owned by Deoban for management, communication and information purposes. This system is described in the corresponding register of processing activities, which users may consult to check the status of their data.

WHO WE ARE:

Our website address is: https://deoban.com/

SECURITY MEASURES AND LEVELS OF SECURITY:

Deoban has adopted the measures necessary to guarantee the security of the information, as required by Article 32 of the GDPR (RGPD), according to the nature of the personal data processed and the circumstances of the processing, in order to prevent, as far as possible and always in line with the state of the art, its alteration, loss, unauthorised processing or unauthorised access, thereby guaranteeing the confidentiality, integrity and availability of the data.

SCOPE OF APPLICATION:

The security measures that Deoban has described in the Register of Processing Activities will be applied to all the assets of the information processing system in which personal data is processed, in order to comply with current legislation on data protection. All personnel contracted by Deoban and its Data Processors are obliged to comply with the aforementioned regulations, with special attention to their functions and obligations, including the duty of secrecy, which will be duly determined by Deoban.

DATA COLLECTION:

Acceptance of the present conditions requires Deoban to collect certain data essential for the provision of its services, which will be requested in person, through forms or through the website. At the time the data are collected, users will be duly informed of the rights to which they are entitled. To ensure that the information held in our processing system is always up to date and error-free, we ask our customers and users to inform us as soon as possible of any changes to or corrections of their personal data.

OBJECT: EXERCISE OF RIGHTS:

To exercise your rights of access, opposition, rectification, cancellation or deletion, revocation of consent, limitation of data processing and portability, you should contact Deoban, Calle Manuel de Falla 12, Local 1, Alcobendas, province of Madrid, C.P. 28100, Spain. Deoban may also use other means to verify the identity of the customer exercising any of these rights.

CONSENT:

The user gives their consent so that Deoban can use their personal data in order to properly fulfil the contracted services. Completing the form included on the site, or sending emails or other communications to Deoban, implies the user's express consent to the inclusion of their personal data in the aforementioned processing system, owned by Deoban. At the time this information is requested, the client or user will be informed of the recipient of the information, the purpose for which the data are collected, the identity and address of Deoban, the user's right to exercise the rights of access, opposition, rectification, cancellation or deletion, revocation of consent, limitation of data processing and portability, and the right to file a complaint with the AEPD (Spanish Data Protection Agency).

TRANSFER TO THIRD PARTIES:

Deoban does not transfer personal data without the express consent of their owners, which must be granted on each occasion, being only transferred for the purpose expressed and always with the consent of the user or client.

CONFIDENTIALITY AND PROFESSIONAL SECRECY:

The data collected in all private communications between Deoban and customers or users will be treated with absolute confidentiality. Deoban commits to the obligation of secrecy regarding personal data, to its duty to protect them, and to taking all measures necessary to prevent their alteration, loss and unauthorised access or processing, in accordance with current regulations. In addition, information of any type that the parties exchange between themselves, information they agree to treat as such, or information that simply concerns the content of such exchanges, shall also be considered confidential. Displaying data over the Internet does not imply direct access to it, except with the express consent of the data owner on each occasion. We recommend that clients do not provide any third party with the identifiers, passwords or reference numbers that Deoban may issue to them. Likewise, so that professional secrecy between Deoban and the client is preserved in all communications, the client/user must not disclose confidential information to third parties.

CHANGES TO THE SECURITY AND DATA PROTECTION POLICY:

Deoban reserves the right to modify its security and data protection policy in order to adapt it to new legislative or jurisprudential developments, as well as those that may arise from existing standard codes on the subject, or due to strategic corporate decisions, with effect from the date of publication of said modification on the Deoban website.

CONTACT ADDRESS:

The information processing system created is located at the registered office, which is established for the purposes of this Legal Notice at Deoban, Calle Manuel de Falla 12, Local 1, Alcobendas, province of Madrid, C.P. 28100, Spain; under the supervision and control of Deoban, who assumes responsibility for the adoption of technical and organisational security measures to protect the confidentiality and integrity of the information, in accordance with the provisions of the European Data Protection Regulation EU 2016/679 of 27 April of the Parliament and the Council and other national legislation in force, and other applicable legislation.
Deoban, in accordance with Law 34/2002, on Information Society Services and Electronic Commerce, informs you that the broad meaning of said Law includes among these services the provision of information by said means. In any case, the European Data Protection Regulation EU 2016/679 of 27 April of the Parliament and the Council and the rest of the national regulations in force, and its implementing regulations, will be applicable in this regard, especially with regard to the collection of personal data, the information to interested parties and the creation and maintenance of personal data files.

 

INFORMATION SECURITY POLICY DEOBAN SYSTEMS

DEOBAN, as a company dedicated to the management of innovative business solutions, Toll Collection Systems (TCS), Intelligent Transportation Systems (ITS), Intelligent Surveillance, electronic services, and Information Technology (IT) products, assumes its commitment to information security, ensuring its proper management to provide all its stakeholders with the highest guarantees regarding the security of the information used.

Based on the above, the Management establishes the following information security objectives:

  • Provide a framework that strengthens resilience and enables an effective response to incidents.
  • Ensure the quick and efficient recovery of services in the face of any physical disaster or contingency that could jeopardize operational continuity.
  • Prevent information security incidents to the extent technically and economically feasible, as well as mitigate information security risks arising from our activities.
  • Guarantee the confidentiality, integrity, availability, authenticity, and traceability of information.

To achieve these objectives, it is necessary to:

  • Continuously improve our information security system.
  • Comply with applicable legal requirements, with any other commitments we subscribe to, and with the commitments acquired with our clients, keeping all of them continuously up to date. The legal and regulatory framework within which we carry out our activities includes:
    • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
    • Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights.
    • Law 34/2002 of July 11 on Services of the Information Society and Electronic Commerce (LSSI).
    • REGULATION (EU) No 910/2014: concerning electronic identification and trust services for electronic transactions in the internal market (eIDAS).
    • Royal Legislative Decree 1/1996, of April 12, Intellectual Property Law.
    • Royal Decree-Law 2/2018, of April 13, amending the consolidated text of the Intellectual Property Law.
    • Royal Decree 311/2022, of May 3, regulating the National Security Framework (ENS), which replaced Royal Decree 3/2010 as amended by Royal Decree 951/2015, of October 23.
    • ISO/IEC 27001:2022.

 

  • Identify potential threats, as well as the impact these threats may cause on business operations if they materialize.
  • Preserve the interests of its main stakeholders (customers, shareholders, employees, and suppliers), reputation, brand, and value-creation activities.
  • Work jointly with our suppliers and subcontractors to improve the provision of IT services, service continuity, and information security, resulting in greater efficiency in our operations.
  • Evaluate and ensure the technical competence of personnel, as well as guarantee their proper motivation for participating in the continuous improvement of our processes, providing appropriate training and internal communication so they can develop best practices defined in the system.
  • Ensure the proper condition of facilities and adequate equipment, in line with the company's activities, objectives, and goals.
  • Guarantee continuous analysis of all relevant processes, establishing necessary improvements in each case, based on the results obtained and the objectives set.
  • Structure our management system to ensure it is easy to understand. Our management system is organized as follows:

The management of our system is entrusted to the designated management system representative, and the system will be available in our information system in a repository, accessible according to the access profiles granted under our current access management procedure.

These principles are adopted by the Management, which provides the necessary means and allocates sufficient resources to its employees to ensure compliance. These principles are reflected and made publicly available through this Integrated Management Systems Policy.

 

Security Organization
The primary responsibility lies with the General Management of the organization, as it is responsible for organizing functions and responsibilities and providing the resources necessary to achieve the objectives of the ENS (Esquema Nacional de Seguridad, the Spanish National Security Framework). Managers are also responsible for setting a good example by adhering to the established security standards.


The defined security roles or functions are:

 

This definition is further detailed in job profiles and system documents.

The procedure for their designation and renewal will be ratified by the Security Committee.
The Security Management and Coordination Committee is the highest authority within the information security management system, ensuring that all major decisions related to security are agreed upon by this committee.

The members of the Information Security Committee are:

  • Information Manager.
  • Services Manager.
  • Security Manager.
  • System Manager.
  • Company Management (partners-administrators).

 

These members are appointed by the committee, the only body authorized to name, renew, and dismiss them.
The security committee is an autonomous, executive body with decision-making autonomy and does not subordinate its activities to any other element of our company. The organization of Information Security is outlined in the supplementary document, which highlights its role in ensuring compliance with the ENS. Among its main tasks is conflict resolution, as differences in criteria that could lead to a conflict will be addressed within the Security Committee, and in all cases, the General Management’s criteria will prevail.

This definition of duties and responsibilities is further detailed in job profiles and in the system’s “Registry of Responsibilities, Roles, and Duties” documents.

 

Risk Management
All systems subject to this Policy must undergo a risk analysis, assessing the threats and risks to which they are exposed. This analysis is reviewed regularly:

  • At least once a year;
  • When the information being handled changes;
  • When the services provided change;
  • When a severe security incident occurs;
  • When serious vulnerabilities are reported.

To harmonize risk analyses, the ICT Security Committee will establish a reference evaluation for the different types of information handled and the various services provided. The ICT Security Committee will also facilitate resource availability to address the security needs of different systems, promoting horizontal investments.

The risk analysis will follow the methodology established in the Risk Analysis procedure.

 

Personnel Management


All members of our Organization are obligated to know and comply with this Information Security Policy and the Security Regulations. The ICT Security Committee is responsible for providing the necessary means to ensure that the information reaches the affected parties.

All members of our Organization will attend an ICT security awareness session at least once a year. A continuous awareness program will be established to include all members of the organization, particularly new hires.

Individuals responsible for the use, operation, or administration of ICT systems will receive training for the secure management of the systems as needed to perform their work. This training will be mandatory before assuming any responsibility, whether it is their first assignment or a change of position or responsibilities within the same role.

 

Professionalism and Human Resources Security
This Policy applies to all organization personnel and external personnel performing tasks within the company.

The HR department will include information security functions in job descriptions, inform all new hires of their obligations regarding compliance with the Information Security Policy, manage confidentiality commitments with personnel, and coordinate user training tasks related to this Policy.

The Security Management Officer (RGS) [CISO] is responsible for monitoring, documenting, and analyzing reported security incidents, as well as communicating with the Information Security Committee and information owners.

The Information Security Committee will be responsible for implementing the necessary means and channels for the Security Management Officer (RGS) [CISO] to handle system incident and anomaly reports. The Committee will also oversee investigations, monitor information developments, and promote the resolution of information security incidents.

The Security Management Officer (RGS) [CISO] will participate in preparing the Confidentiality Agreement that employees and third parties performing functions in the organization will sign, provide advice on sanctions to be applied for non-compliance with this Policy, and manage information security incidents.

All personnel within the organization are responsible for promptly reporting detected weaknesses and information security incidents.

 

Professionalism in Human Resources:

  • Determine the necessary competence of personnel to perform work that impacts Information Security.
  • Ensure that individuals are competent based on appropriate education, training, or experience.
  • Demonstrate through documented information the personnel’s competence in Information Security.

The objectives for controlling personnel security are:

  • Reduce the risks of human error, irregularities, misuse of facilities and resources, and unauthorized handling of information.
  • Explain security responsibilities during the recruitment stage and include them in agreements to be signed, verifying compliance during the employee’s tasks.
  • Ensure users are aware of information security threats and concerns and are trained to support the organization’s Information Security Policy during their regular duties.
  • Establish confidentiality commitments with all personnel and with external users of the information processing facilities.
  • Establish the tools and mechanisms necessary to promote the communication of existing security weaknesses and incidents to minimize their effects and prevent recurrence.

 

Authorization and Access Control to Information Systems


The purpose of access control to information systems is:

  • Prevent unauthorized access to information systems, databases, and information services.
  • Implement user access security through authentication and authorization techniques.
  • Control security in the connection between the organization’s network and other public or private networks.
  • Review critical events and activities performed by users in the systems.
  • Raise awareness of the responsibility for the use of passwords and devices.
  • Ensure information security when using laptops and personal computers for remote work.

Protection of Facilities
The objectives of this policy regarding facility protection are:

  • Prevent unauthorized access, damage, and interference to the organization’s headquarters, facilities, and information.
  • Protect critical information processing equipment of the organization by placing it in protected areas secured by a defined security perimeter with adequate security measures and access controls. Additionally, ensure its protection during transport or when outside protected areas for maintenance or other reasons.
  • Control environmental factors that could harm the proper functioning of computing equipment hosting the organization’s information.
  • Implement measures to protect information handled by personnel in offices as part of their regular tasks.
  • Provide protection proportional to identified risks.

This policy applies to all physical resources related to the organization’s information systems: facilities, equipment, wiring, files, storage media, etc.

The Security Management Officer (RGS), together with the Information Owners as appropriate, will define physical and environmental security measures for the protection of critical assets based on a risk analysis and oversee their implementation. They will also verify compliance with physical and environmental security provisions.

Department heads will define physical access levels for organizational personnel to restricted areas under their responsibility. Information Owners will formally authorize off-site work involving business information to organizational employees when deemed appropriate.

All personnel of the organization are responsible for adhering to the clean desk and clear screen policy to protect information related to daily office work.

 

Product Acquisition
Departments must ensure that ICT security is an integral part of every stage of the system life cycle, from its conception to its decommissioning, including decisions on development or acquisition and operational activities. Security requirements and funding needs must be identified and included in planning, requests for proposals, and bidding specifications for ICT projects.

Moreover, information security will be considered in the acquisition and maintenance of information systems, limiting and managing changes.

The development and acquisition policy for information systems is outlined in the document: POLICY FOR THE ACQUISITION, DEVELOPMENT, AND MAINTENANCE OF SYSTEMS.

 

Default Security
The organization considers it strategic that processes integrate information security as part of their life cycle. Information systems and services must include default security from their creation to their decommissioning, embedding security in development and/or acquisition decisions and all operational activities, establishing security as an integral and transversal process.

 

System Integrity and Update
Our Organization is committed to ensuring system integrity through a change management process that allows control over updating physical or logical elements through prior authorization before their installation in the system. This evaluation will primarily be carried out by the systems management team, which will assess the impact on system security before implementing changes and will document significant or security-impacting changes.

Periodic security reviews will evaluate the systems’ security status concerning manufacturer specifications, vulnerabilities, and relevant updates, reacting diligently to manage risks based on the current security status.

 

Protection of Stored and Transmitted Information
The organization establishes measures to protect the Security of Information stored or transmitted through insecure environments. Insecure environments include laptops, personal digital assistants (PDAs), peripheral devices, information media, and communications over open or weakly encrypted networks.

 

Protection against Other Interconnected Information Systems
The organization establishes measures to protect Information Security, especially to secure the perimeter, particularly when connecting to public networks or using them primarily for providing publicly available electronic communication services.

In all cases, risks associated with system interconnection through networks with other systems will be analyzed, and their connection points will be controlled.

 

Activity Logs
The organization will log user activities, retaining the necessary information to monitor, analyze, investigate, and document improper or unauthorized activities, allowing the identification of the acting individual at all times.

 

Incident Management Objectives:

  • Establish a system for detecting and reacting to malicious code.
  • Implement incident management procedures for security and system weaknesses.
    • These procedures will cover detection mechanisms, classification criteria, analysis and resolution procedures, communication channels with stakeholders, and action logging.
  • Use this record for continuous improvement of system security.
  • Ensure optimal performance of IT services after incidents.
  • Reduce potential risks and impacts caused by incidents.
  • Maintain system integrity in case of security incidents.
  • Communicate the impact of an incident as soon as it is detected to activate alerts and implement an appropriate business communication plan.
  • Promote business efficiency.

 

Activity Continuity
To ensure activity continuity, the organization establishes measures for systems to have backups and mechanisms to guarantee operational continuity in case of loss of usual working means.

 

Continuous Improvement of the Security Process
The organization establishes a process for continuous improvement of information security, applying the criteria and methodology established in the reference standards listed above (ISO/IEC 27001:2022 and the ENS).

 

November 19, 2024
Members of the Information Security Committee