Data Security

Modified on December 18, 2025

Purpose

This Information Security Policy is effective from the date of its entry into force, as approved by APPLIVERY, S.L.

The Policy is reviewed by the Information Security Manager at planned intervals, not exceeding one year in duration, or whenever significant changes occur, in order to ensure that its suitability, adequacy and effectiveness are maintained.

The security of information systems must engage all members of the organization, and be communicated effectively.

Changes to the Information Security Policy will be approved by the Management of APPLIVERY, S.L. Any change to it must be disseminated for the knowledge of the entire Organization.

The company’s management is aware of the value of information and is deeply committed to the policy described in this document.

Scope of application

This Policy is applicable and mandatory for all personnel who, permanently or temporarily, provide their services to APPLIVERY, S.L., including external provider personnel, when they are users of its Information Systems.

Accordingly, a user is understood to be any employee, whether internal or external to APPLIVERY, S.L., as well as personnel from external private organizations, collaborating entities, or any other person with some type of link to APPLIVERY, S.L., who uses or has access to the Information Systems of APPLIVERY, S.L.

Validity

This Information Security Policy of APPLIVERY, S.L. establishes the general guidelines for the appropriate use of the information processing resources that the company makes available to its users for the performance of their duties. Users, correlatively, assume the obligations described herein and commit to complying with the provisions of the following sections.

Any subsequent modification will enter into force immediately after its publication by APPLIVERY, S.L.

Review and evaluation

The management of this Security Policy corresponds to the Security Committee.

Annually (or more frequently, if circumstances warrant it), the Security Committee will review this Policy, which, if there are modifications, will be submitted for approval by the Governing Body.

The review will be aimed at identifying opportunities for improvement in information security management, as well as adaptation to regulatory changes, technological infrastructure, etc.

The Security Manager will be the person in charge of the custody and dissemination of the approved version of this document.

Regulatory framework

The regulatory framework in terms of information security in which APPLIVERY, S.L. develops its activity is, essentially, the following:

  • Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights.
  • RD 311/2022, of May 3, which regulates the National Security Scheme (ENS).
  • ENS, Article 12: Organization and implementation of the security process.
  • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), applicable to the wholly or partly automated processing of personal data, as well as to the non-automated processing of personal data which form part of, or are intended to form part of, a filing system.
  • ICT Security Guide CCN-STIC 805 ENS: Information security policy.
  • ICT Security Guide CCN-STIC 801 ENS: Responsibilities and functions.
  • Law 34/2002, of July 11, on Services of the Information Society and Electronic Commerce (LSSI-CE).
  • ISO/IEC 27001

Mission

The purpose of this Information Security Policy is to protect the information of APPLIVERY, S.L.’s services.

The Security Policy, together with the Security Regulations, will be communicated to all workers so that the document can be read, understood, and analyzed.

This policy applies to the information systems owned by APPLIVERY, S.L., for the adequate provision of security services, assigning qualified personnel to carry out their management and monitoring in the following area:

Information systems that support the design, development, deployment, and maintenance activities of mobile device management platforms, applications, and access points.

Security functions

APPLIVERY, S.L. has appointed a Security Committee with its functions and responsibilities.

The establishment of this committee, as well as the designation of the different roles, is recorded in the minutes of the Committee's constitution.

The ENS Information Security Committee is composed of:

  • Security Manager
  • Systems Manager
  • Information Manager
  • Service Manager
  • Data Protection Officer (DPO)

Each of these Security Committee members will have a designated substitute, i.e., five substitutes in total.

Clearly identified managers must be designated to ensure compliance, and they must be known by all members of the organization. The responsibilities of each role are detailed below.

Appointments are established by the Organization’s Management and are reviewed every 2 years or when a position becomes vacant. Differences in criteria that could lead to a conflict will be dealt with within the Security Committee, and the criteria of the Management will prevail in any case.

The roles, with their respective functions and responsibilities, are as follows:

The Information Manager will have the following functions:

  • Accepting residual risks regarding information, calculated in the risk analysis.
  • Formally approving the security levels of the information; a proposal may be requested from the Security Manager, and the opinion of the Systems Manager should be heard.
  • Determining the security requirements of the information processed.
  • Ensuring the security of information in its different aspects: physical protection, service protection, and respect for privacy.
  • Being aware of regulatory changes (laws, regulations, or sectoral practices) that affect the Organization.
  • Adopting the necessary technical and organizational measures to guarantee the security of personal data and prevent its alteration, loss, or unauthorized processing or access, taking into account the state of technology, the nature of the stored data, and the risks to which they are exposed, whether they come from human action or from the physical or natural environment.

The Service Manager will have the following functions:

  • Determining the Security requirements of the services provided by APPLIVERY, S.L.
  • Reviewing and approving the security levels of the services.
  • Including security specifications in the life cycle of services and systems, accompanied by the corresponding control procedures.
  • Assessing the consequences of a negative impact on the security of the services, which will be carried out taking into account its repercussions on the organization’s capacity to achieve its objectives, the protection of its assets, the fulfillment of its service obligations, respect for legality, and the rights of APPLIVERY, S.L.
  • Assuming ownership of the risks related to the services.

The Systems Manager will have the following functions:

  • Developing, operating, and maintaining the System throughout its entire life cycle, its specifications, installation, and verification of its correct operation.
  • Defining the topology and management policy of the System, establishing the criteria for use and the services available in it.
  • Defining the policy for connecting or disconnecting new equipment and users to the System.
  • Implementing and controlling the specific security measures of the System and ensuring that they are adequately integrated within the general security framework.
  • Determining the authorized configuration of hardware and software to be used in the System.
  • Approving any substantial modification to the configuration of any element of the System.
  • Carrying out the process of risk analysis and management in the System.
  • Determining the category of the system and the security measures that must be applied, and developing and approving the System’s security documentation.
  • Investigating security incidents that affect the System, and, where appropriate, communicating them to the Security Manager.
  • Establishing contingency and emergency plans, carrying out frequent exercises so that personnel become familiar with them.

The Security Manager will have the following functions:

  • Taking the decisions necessary to satisfy the security requirements of the information and the services.
  • Working to safeguard the security and privacy of the company’s data.
  • Supervising, controlling, and managing access to the company’s information and that of its workers.
  • Developing a set of response measures to security incidents related to information, including disaster recovery.
  • Ensuring compliance with regulations related to information security.
  • In the case of outsourced services, the ultimate responsibility always lies with the Organization receiving the services, even when the immediate responsibility may correspond (via contract) to the organization providing the service.
  • Maintaining the security of the information handled and the services provided by the Information Systems within their scope of responsibility, in accordance with what is established in the organization’s Information Security Policy.
  • Promoting training and awareness regarding information security.
  • Ensuring the proper use of computer equipment within their scope of responsibility.
  • Supervising and coordinating the team in charge of carrying out the response measures in the event of security breaches.
  • Acting as the point of contact (POC) for information security.
  • Carrying out security operations to combat fraud and information theft.
  • Designing the Training Plan, within the scope of the ENS, for the people of APPLIVERY, S.L. who provide services within the scope of this policy.

The DPO (Data Protection Officer) will have the following functions:

  • Informing and advising the controller or the processor and the employees who carry out processing of their obligations pursuant to the GDPR and to other Union or Member State data protection provisions.
  • Monitoring compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
  • Providing advice where requested as regards the data protection impact assessment and monitoring its performance pursuant to Article 35 of the GDPR.
  • Cooperating with the supervisory authority.
  • Acting as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 of the GDPR, and consulting, where appropriate, with regard to any other matter.
  • Performing their tasks by paying due regard to the risks associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Risk analysis and management (ART. 14)

A risk analysis will be carried out, evaluating the threats and risks to which the information systems are exposed. This analysis will be the basis for determining the security measures that must be adopted, in addition to the minimums established according to the provisions of articles 7 and 14 of Royal Decree 311/2022, and it will be repeated:

  • Regularly, at least once a year.
  • When the information is handled changes.
  • When the services provided change.
  • When a serious security incident occurs.
  • When serious vulnerabilities are reported.
  • When there is a security incident related to the LOPDGDD regulations.
  • When there is a security breach related to a user’s processed information according to the LOPDGDD regulations.

The risk evaluation criteria will be specified in the risk and security incident evaluation methodology that the organization will develop, based on standards, recognized good practices, and legal norms.

At a minimum, all risks that may seriously impede the provision of services or the fulfillment of the organization’s mission must be addressed. Priority will be given especially to risks that imply a cessation in the provision of services, or affect the information processed during the service.

The owner of a risk must be informed of the risks that affect their assets and of the residual risk to which they are subjected. When an information system enters operation, the residual risks must have been formally accepted by its corresponding owner.

Personnel Management (ART. 15)

Personnel, whether internal or external, related to the information systems subject to the provisions of Royal Decree 311/2022 must be trained and informed of their duties, obligations, and responsibilities regarding security.

Their actions must be supervised to verify that the established procedures are followed, and they will apply the approved security operating standards and procedures in the performance of their duties.

Professionalism (ART. 16)

The security of information systems will be handled and will be reviewed and audited by qualified personnel, dedicated and instructed in all phases of their life cycle: planning, design, acquisition, deployment, operation, maintenance, incident management, and decommissioning.

APPLIVERY, S.L. will require, objectively and non-discriminatorily, that the organizations that provide it with security services have qualified professionals and adequate levels of management and maturity in the services provided.

APPLIVERY, S.L. will determine the necessary training and experience requirements for personnel to carry out their job.

Authorization and Access Control (ART. 17)

Access to the information systems within the scope of this policy must be limited to properly authorized users, processes, devices, or other information systems, and exclusively to the permitted functions.

The access privileges of a user to the APPLIVERY, S.L. information systems are restricted by default to the minimum necessary for the performance of their duties.

The APPLIVERY, S.L. information systems will always be configured in such a way as to prevent a user from accidentally accessing resources with rights different from those authorized.

Facilities Protection (ART. 18)

The information systems and their associated communications infrastructure at APPLIVERY, S.L. must remain in controlled areas and have adequate and proportional access mechanisms based on the risk analysis, without prejudice to the provisions of Law 8/2011, of April 28, which establishes measures for the protection of critical infrastructures and in Royal Decree 704/2011, of May 20, which approves the Regulation on the protection of critical infrastructures.

Acquisition of Security Products and Contracting of Security Services (ART. 19)

In the acquisition of security products or the contracting of security services for information and communication technologies that will be used in the information systems within the scope of this policy, those that have certified security functionality related to the object of their acquisition will be used, in a manner proportional to the determined system category and security level.

The Certification Body of the National Scheme for Evaluation and Certification of Information Technology Security of the National Cryptologic Center (hereinafter, CCN), established under the provisions of article 2.2.c) of Royal Decree 421/2004, of March 12, which regulates the National Cryptologic Center, taking into account the national and international evaluation criteria and methodologies recognized by this body and depending on the intended use of the specific product or service within its competencies, will determine the following aspects:

  1. The functional security requirements and the certification assurance level.
  2. Other additional security certifications that are required by regulation.
  3. Exceptionally, the criterion to follow in cases where there are no certified products or services.

For the contracting of security services, the provisions of the previous sections and of article 16 (Professionalism) will apply.

Least Privilege (ART. 20)

Information systems must be designed and configured granting the minimum necessary privileges for their correct performance, which implies incorporating the following aspects:

  1. The system will provide the essential functionality for the organization to achieve its statutory or contractual objectives.
  2. The functions of operation, administration, and activity logging will be the minimum necessary, and it will be ensured that they are only performed by authorized persons, from authorized locations or equipment.
  3. Functions that are unnecessary or inadequate for the intended purpose will be eliminated or disabled through configuration control. The ordinary use of the system must be simple and secure, so that insecure use requires a conscious act on the part of the user.
  4. Security configuration guides for the different technologies will be applied, adapted to the system’s categorization, in order to eliminate or disable functions that are unnecessary or inadequate.

System Integrity and Update (ART. 21)

The inclusion of any physical or logical element in the system’s updated asset catalog, or its modification, will require formal authorization from the Security Manager of APPLIVERY, S.L.

Permanent evaluation and monitoring will allow the security status of the systems to be adapted to configuration deficiencies, identified vulnerabilities, and updates that affect them, as well as the early detection of any incident that occurs on them. This responsibility lies with the Security Manager of APPLIVERY, S.L.

Protection of Stored and Transmitted Information (ART. 22)

In the organization and implementation of security, special attention will be paid to information stored or in transit through portable or mobile equipment or devices, peripheral devices, information media, and communications over open networks, which must be specially analyzed to achieve adequate protection.

Procedures will be applied to guarantee the long-term recovery and preservation of electronic documents produced by the information systems within the scope of this policy, when required.

All information on non-electronic media that has been the cause or direct consequence of the electronic information referred to in this policy must be protected with the same degree of security as the latter. To this end, the measures corresponding to the nature of the medium will be applied, in accordance with the applicable regulations.

Prevention against other Interconnected Information Systems (ART. 23)

The perimeter of the information system will be protected, especially if it connects to public networks, as defined in Law 9/2014, of May 9, General Telecommunications Law, reinforcing prevention, detection, and response to security incidents.

Activity Log and Detection of Malicious Code (ART. 24)

For the purpose of satisfying the object of this royal decree, with full guarantees of the right to honor, personal and family privacy, and the affected parties’ own image, and in accordance with the regulations on personal data protection, public or labor function, and other applicable provisions, user activities will be recorded, retaining the information strictly necessary to monitor, analyze, investigate, and document undue or unauthorized activities, allowing the person acting to be identified at all times.

In order to preserve the security of information systems, and in accordance with the provisions of the General Data Protection Regulation and respect for the principles of purpose limitation, data minimization, and storage limitation stated therein, APPLIVERY, S.L. may, to the strictly necessary and proportionate extent and only for information security purposes, analyze incoming or outgoing communications, in a way that makes it possible to prevent unauthorized access to networks and information systems, stop denial-of-service attacks, and prevent the malicious distribution of harmful code as well as other damage to the aforementioned networks and information systems.

To correct or, where appropriate, demand responsibilities, each user who accesses the information system must be uniquely identified, so that it is known, at all times, who receives access rights, what type they are, and who has carried out a certain activity.

Security Incidents (ART. 25)

APPLIVERY, S.L., as the entity holding the information systems within the scope of this policy, will have security incident management procedures in accordance with the provisions of article 33 of Royal Decree 311/2022, the corresponding Technical Security Instruction, and, in the case of being an essential service operator or a digital service provider, in accordance with the provisions of the annex to Royal Decree 43/2021, of January 26, which develops Royal Decree-Law 12/2018, of September 7, on the security of networks and information systems.

Likewise, detection mechanisms, classification criteria, analysis and resolution procedures, as well as channels of communication to interested parties and the record of actions, will be available. This record will be used for the continuous improvement of system security.

Business Continuity (ART. 26)

The systems will have backup copies and the necessary mechanisms will be established to guarantee the continuity of operations in case of loss of usual means.

Continuous Improvement of the Security Process (ART. 27)

The implemented comprehensive security process must be continuously updated and improved. To this end, criteria and methods recognized in national and international practice regarding the management of information technology security will be applied.