Information Security and Integrated Business Continuity Policy
This document is an extract from the Comprehensive Information Security and Continuity Policy V.1.2 of DATA CENTER EUSKADI, S.L., approved on 3 November 2025 by the General Management and ratified by the Security Committee.
For further information, please contact the organisation via the email address rgpd@adi-dc.com.
1. INTRODUCTION
DATA CENTER EUSKADI, S.L., trading under the name ATLANTIC DATA INFRASTRUCTURE (hereinafter, “aDi”), relies on ICT systems (Information and Communication Technologies) to achieve its objectives. These systems must be managed with due diligence, adopting appropriate measures to protect them against accidental or deliberate damage that could affect the availability, integrity, or confidentiality of the information processed or the services provided.
The objective of information security and business continuity is to ensure that the organization can achieve its objectives, maintain information quality, and ensure the continuous delivery of services by acting preventively, monitoring day-to-day operations, and responding promptly to incidents.
ICT systems are protected against rapidly evolving threats with the potential to impact the confidentiality, integrity, availability, intended use, and value of information and services. This is achieved by applying the security measures required by the National Security Framework (ENS) and its CCN-STIC implementation guides, as well as other international standards and regulations (ISO 27001 on information security, cybersecurity and privacy protection; ISO 22301 on security and resilience; and Directive (EU) 2022/2555, or NIS2) and any other applicable regulations, in addition to continuously monitoring service delivery levels, tracking and analysing reported vulnerabilities, and preparing an effective response to incidents in order to guarantee the continuity of the services provided.
aDi ensures that ICT security is an integral part of every stage of the system lifecycle, from conception to decommissioning, including development or procurement decisions and operational activities. Security requirements and funding needs are identified and incorporated into planning, requests for proposals, and contracts for ICT projects.
1.1 PREVENTION
aDi actively seeks to avoid, or at least to prevent as far as possible, any adverse impact on information or services resulting from security incidents. To this end, the organization implements the security and business continuity measures established by the ENS, ISO 27001, ISO 22301 and NIS2, as well as any additional controls identified through threat and risk assessments. These controls, together with the security roles and responsibilities of all personnel, are clearly defined and documented.
To ensure compliance with this policy, aDi carries out the following actions:
- Authorize systems prior to entering into operation.
- Regularly assess security.
- Request periodic reviews by third parties in order to obtain an independent assessment.
1.2 DETECTION
As services may be rapidly degraded as a result of incidents, operations are continuously monitored in order to detect anomalies in service delivery levels and to act accordingly.
Detection, analysis and reporting mechanisms are established so that the responsible persons are informed on a regular basis, and whenever there is a significant deviation from the parameters that have been established as normal.
1.3 RESPONSE
aDi implements the following measures:
- Establish mechanisms to respond effectively to security incidents.
- Designate a point of contact (POC) for incident-related communications.
- Establish protocols for the exchange of information regarding incidents.
1.4 RECOVERY
To ensure the availability of critical services, aDi develops ICT system continuity plans as part of its overall business continuity and recovery activities.
2. OBJECTIVES
aDi has established an information security and business continuity management framework in accordance with Royal Decree 311/2022 (ENS), ISO 27001, ISO 22301, and Directive (EU) 2022/2555 (NIS2).
One of the fundamental objectives of implementing this reference framework is to lay the foundations that enable aDi’s employees and customers to access services within a secure management environment, anticipating their needs and safeguarding their rights.
The INFORMATION SECURITY AND INTEGRATED BUSINESS CONTINUITY POLICY is the instrument on which aDi relies to ensure that its resources achieve their objectives through the secure use of information systems and communications.
The INFORMATION SECURITY AND INTEGRATED BUSINESS CONTINUITY POLICY identifies responsibilities and establishes principles and guidelines for the appropriate and consistent protection of services and information assets managed through Information and Communication Technologies (ICT).
The objective is to achieve protection proportional to risk for the information processed by aDi, as well as for the systems, devices, and components that support service delivery and data processing activities, by preserving the dimensions of information security, namely authenticity, confidentiality, integrity, availability, traceability, and retention.
3. SCOPE
This Policy shall apply to and be mandatory for all aDi employees, as well as for its suppliers, resources, and affected processes, whether internal or external, that are linked to the entity through contracts or agreements with third parties.
4. MISSION
aDi provides services to its customers while ensuring the effective protection of their rights and the continuous improvement of procedures, services, and offerings in accordance with the policies established by the organization. Likewise, aDi takes into account the available resources, thereby determining the scope of the services provided, their content, and the corresponding quality standards.
aDi is organized and operates in full compliance with the principle of legality and in accordance with the principles of hierarchy, functional decentralization, deconcentration, coordination, effectiveness in achieving established objectives, efficiency in the allocation and use of available resources, transparency, accountability in management, and effective service delivery to its customers.
aDi uses information systems that are protected in an effective and efficient manner.
5. REGULATORY FRAMEWORK
aDi has identified and complies with regulations at the European, national, regional, and local levels, as well as with sector-specific regulations and international standards governing information security and business continuity. These include, in particular:
- Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive).
- Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act).
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation – GDPR).
- Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market, repealing Directive 1999/93/EC.
- Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights.
- Law 11/2022 of 28 June, General Telecommunications Law.
- Law 6/2020 of 11 November regulating certain aspects of electronic trust services.
- Law 5/2014 of 4 April on Private Security.
- Law 34/2002 of 11 July on Information Society Services and Electronic Commerce.
- Royal Legislative Decree 1/1996 of 12 April approving the consolidated text of the Intellectual Property Law, regularising, clarifying, and harmonising the existing legal provisions in this area.
- Royal Decree-Law 12/2018 of 7 September on the security of networks and information systems.
- Royal Decree 311/2022 of 3 May regulating the National Security Framework (ENS) in the field of Electronic Administration.
- ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection. Information Security Management Systems – Requirements.
- ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection. Information security controls.
- ISO/IEC 22301:2019 – Security and resilience. Business Continuity Management Systems – Requirements.
6. MANAGEMENT POLICY
aDi’s Management agrees that the development of the company’s activities and the achievement of its strategic objectives require, at all times, ensuring compliance with the established levels of information security, in all its dimensions and in an integrated manner, as well as business continuity for its information assets. At the same time, this requires demonstrating the ability to consistently deliver its own solutions and services and to efficiently manage the services provided to customers.
To this end, an Integrated Management System (IMS) has been developed and implemented, establishing the reference framework for the secure handling of the company’s assets and ensuring customer trust and satisfaction through the integration of an efficient service delivery methodology.
aDi’s commitment to information security and business continuity management, as set out in this policy, is as follows:
- Demonstrate Management’s commitment to the IMS and to information security and business continuity management, both for aDi and its customers, as reflected in the approval and dissemination of this policy.
- Ensure that IMS requirements are integrated into the company’s business processes.
- Ensure the access, integrity, confidentiality, availability, authenticity, and traceability of information, as well as the continuous delivery of aDi’s services, through preventive action, daily operational monitoring, and rapid incident response.
- Implement the necessary measures to comply with applicable security, business continuity, and legal requirements, based on risk.
- Ensure that information security and business continuity objectives are established and are consistent with the company’s context and strategic direction.
- Define, develop, and implement the necessary controls, promoting a process-based approach and risk-based thinking to ensure continuous compliance with the risk levels approved by the company.
- Ensure that appropriate actions are taken for the classification and inventory of information assets.
- Establish a clear structure for the framework of information security and business continuity policies, standards, and procedures to be developed within the organization.
- Identify and assign roles and responsibilities related to information security and business continuity within the organization.
- Establish communication plans that ensure efficient communication and coordination, both under normal circumstances and in disaster situations that activate the Business Continuity Plan.
- Protect information resources, the technologies used to process them, and the supporting physical infrastructure against internal or external, deliberate or accidental threats arising from assets or context, in order to ensure confidentiality, integrity, availability, legality, and reliability of information. Implement security measures that enable access traceability and respect, among others, the principle of least privilege, reinforcing the duty of confidentiality of users regarding the information accessed in the performance of their duties.
- Deploy and control physical security, ensuring that information assets are located in secure areas protected by access controls, taking into account identified risks.
- Establish security in communications management through appropriate procedures, ensuring that information transmitted over communication networks is adequately protected.
- Control the acquisition, development, and maintenance of information systems throughout all stages of their lifecycle, ensuring security by design and by default.
- Monitor compliance with security measures in service delivery, maintaining control over the acquisition and integration of new system components.
- Ensure adequate business continuity, even in adverse situations, taking into account all areas, suppliers, and critical services. Critical services shall be restored within acceptable timeframes.
- Manage security incidents to ensure their proper detection, containment, mitigation, and resolution, adopting the necessary measures to prevent recurrence.
- Protect personal data by adopting technical and organizational measures in accordance with the risks arising from processing activities and applicable data protection legislation.
- Comply at all times with applicable legislation, as well as with standards and specific requirements applicable to the services provided by the company and aimed at customer satisfaction, particularly with regard to the protection of personal data.
- Foster a culture of integrated information systems management, both internally among all personnel and externally with customers and suppliers.
- Engage, lead, and support personnel from Management in order to contribute to the effectiveness of the IMS, by training and raising awareness among aDi employees; ensuring the availability of the necessary resources; and supporting other relevant management roles in applying the management system within their areas of responsibility.
- Ensure the protection and safety of personnel, both under normal conditions and in contingency situations.
- Facilitate cooperation with authorities in the event of disasters or emergencies.
- Treat information security and business continuity management as a process of continuous improvement.
- Maintain customer trust and satisfaction.
- Ensure the resilience of the organization, its information systems, and its services against climate change and natural disasters.
In this regard, any exemptions or exceptions to compliance with this policy or any of the documents forming part of the IMS must be duly justified and expressly approved in advance by General Management. Such approval shall require confirmation of the indispensability of the relevant process, action, or element, and the absence of viable alternatives.
7. LEADERSHIP AND COMMITMENT
aDi’s General Management demonstrates its leadership and commitment with respect to the Integrated Management System (IMS) by:
- Ensuring that aDi’s INFORMATION SECURITY AND INTEGRATED BUSINESS CONTINUITY POLICY and SECURITY REGULATIONS, as well as their objectives, are established and aligned with the company’s strategic direction.
- Ensuring that the necessary resources for the IMS are available.
- Communicating the importance of effective system management and of meeting system requirements.
- Ensuring that the IMS achieves its intended outcomes.
- Leading and supporting personnel in contributing to the effectiveness of the IMS.
- Promoting continuous improvement.
- Supporting other relevant management functions to demonstrate leadership within their respective areas of responsibility.
8. SECURITY ORGANIZATION
In order to achieve its objectives in information security, business continuity, and personal data protection, aDi has designated the following roles, each with their respective responsibilities:
- Security Manager
- Deputy Security Manager
- System Owner
- Information Owner
- Service Owner
- Quality and Compliance Manager
- Business Continuity Manager
- Data Protection Compliance Officer
- Internal Auditor
In addition, a Security Committee has been established to ensure proper coordination and integration of all related activities, as well as to resolve any conflicts that may arise in this area.
9. PERSONAL DATA
In the performance of its activities, aDi requires the processing of personal data. Accordingly, the rights and freedoms of data subjects, as well as the security of information, communications, and the information systems supporting such processing, shall be ensured in accordance with the measures provided for under applicable legislation.
To provide the necessary safeguards, all relevant actions will be carried out, including the following:
- Conducting risk analyses on processing activities and data protection impact assessments where processing is likely to result in a high risk to the rights and freedoms of individuals.
- Designing and implementing technical and organizational measures to mitigate risks related to the processing of personal data, by default and by design.
- Redesigning processes to mitigate risks that cannot be otherwise mitigated or accepted.
- Preparing all necessary documentation to support processing activities and to guarantee the rights and freedoms of data subjects, in compliance with the principles established by applicable regulations.
- Communicating relevant obligations to all personnel with access to personal data.
- Managing relationships with data processors based on established criteria, including the regulation of such relationships through contracts formalizing obligations and security requirements.
- Maintaining a record of processing activities.
- Appointing, and making available contact details for, the Data Protection Compliance Officer, given that there is no obligation to appoint a Data Protection Officer (DPO) due to the characteristics of the organization and its activities.
- Maintaining and providing, upon request by the Spanish Data Protection Authority (AEPD) and in accordance with applicable laws, the following:
  - The processing activities or files in use.
  - The results of data protection impact assessments carried out.
  - International transfers outside the European Union (EU) that are to be carried out.
- Notifying the Spanish Data Protection Authority (AEPD) of:
  - Security breaches likely to result in a risk to the rights and freedoms of data subjects, within 72 hours of detection.
  - Any other information required by law or by instructions from the competent data protection authority.
- Providing layered information to data subjects regarding processing activities, in a concise, transparent, intelligible, and easily accessible manner.
- Obtaining the express and unambiguous consent of data subjects prior to the commencement of processing activities and/or the establishment of data disclosures, where required.
- Notifying data subjects of security breaches that pose a high risk to their rights and freedoms, within 72 hours of detection.
10. RISK MANAGEMENT APPROACH
The Integrated Management System is focused on proper risk management, enabling informed decision-making about the environment in order to protect aDi’s assets and minimize potential damage of any kind. To this end, risk analyses are carried out on all systems and assets subject to this Policy, in accordance with a methodology that ensures reliability and produces measurable, comparable, and reproducible results. As risk management is a continuous process, these analyses are kept permanently up to date.
Risks related to personal data protection shall also be taken into account, with input from the Data Protection Compliance Officer.
11. DEVELOPMENT OF THE INFORMATION SECURITY AND INTEGRATED BUSINESS CONTINUITY POLICY
This INFORMATION SECURITY AND INTEGRATED BUSINESS CONTINUITY POLICY is implemented through SECURITY REGULATIONS that address specific aspects of aDi. These regulations are available to all members of the organization who need to be aware of them.
In addition, specific policies and regulations, management manuals, procedures, and technical instructions are in place to support its implementation. These cover, among other matters:
- Risk analysis and management.
- Third-party and supplier risk management.
- Catalogue of organizational, technical, and physical security measures.
- Personnel management and professionalism.
- Procurement of security products or services.
- Incident detection and management.
- Recovery plans and assurance of operational continuity.
- Continuous improvement.
- System interconnection.
- Activity logging.
12. STAFF OBLIGATIONS
All aDi employees are required to be familiar with and comply with this INFORMATION SECURITY AND INTEGRATED BUSINESS CONTINUITY POLICY and the SECURITY REGULATIONS. The Security Committee is responsible for ensuring that the necessary means are in place for this information to be effectively communicated to all affected parties.
All aDi employees shall attend at least one security and business continuity awareness session per year.
Training is mandatory prior to assuming any responsibility, whether it is a first assignment or the result of a change in role or responsibilities.
13. TRAINING AND AWARENESS
aDi carries out training and awareness activities to ensure that personnel are fully aware of their responsibility for information security, which affects all activities and members of the organization, and to foster awareness of the associated risks.
14. THIRD PARTIES
When aDi provides services to other organizations or handles their information, such organizations shall be informed of this INFORMATION SECURITY AND INTEGRATED BUSINESS CONTINUITY POLICY. Without prejudice to compliance with data protection regulations, reporting and coordination channels shall be established, as well as procedures for responding to security incidents. In this regard, the Security Manager or the Deputy Security Manager shall act as the Point of Contact (PoC).
Third parties shall also be informed of the SECURITY REGULATIONS where these are deemed applicable to the services provided by such third parties, without prejudice to other data protection obligations. Third parties shall be subject to the obligations set out therein and may develop their own operational procedures to comply with them, allowing aDi to supervise such procedures or request evidence of compliance, including second- or third-party audits. Specific incident reporting and resolution procedures shall be established and shall be channeled through the PoC of the relevant third parties and, where personal data are affected, through the entity’s Data Protection Officer, where appointed. It shall be ensured that third-party personnel are adequately trained and aware of security matters, at least to the same level as required under this Policy or as specifically required by contract. In the procurement of services or acquisition of products, consideration shall be given to the third party’s compliance with and/or certification under information security, business continuity, and data protection standards.
In the acquisition of rights to use cloud assets, the CLOUD SERVICES USE POLICY shall be taken into account.
Where any requirement set out in the preceding paragraphs cannot be met by a third party, a report signed by the Security Manager or the Deputy Security Manager, depending on the nature of the third party’s activities, shall be required. This report shall specify the risks involved and how they are to be managed. Approval of this report by the Information Owner and the Service Owner shall also be required prior to contracting. The report shall be submitted to General Management, which must subsequently authorize the contracting process with the third party, thereby accepting the identified risks.
15. ACCESS CONTROL AND FACILITIES PROTECTION
aDi has access control procedures in place for both its logical (IT) infrastructure and its physical infrastructure.
In this regard, access to aDi’s information systems is controlled and restricted to authorized users, processes, devices, and other information systems.
Access to facilities and the physical infrastructure supporting aDi’s activities and systems is likewise controlled and limited to authorized persons and vehicles.
All access must be previously authorized, restricting access solely to the permitted functions, systems, and areas.
16. PROCUREMENT OF PRODUCTS
aDi uses information and communication technology security products whose security-related functionality has been certified for the purpose of their acquisition. Such certification shall be in accordance with the most widely recognized international standards and norms in the field of functional security.
This requirement is applied in a proportionate manner.
17. SECURITY BY DEFAULT
aDi’s systems are designed and configured to ensure security by default and minimal functionality.
18. SYSTEM INTEGRITY AND UPDATES
At aDi, any physical or logical component requires prior formal authorization before being installed in the system. In addition, the security status of aDi’s systems—regarding manufacturers’ specifications, vulnerabilities, and applicable updates—is continuously monitored and known at all times, enabling aDi to respond diligently in managing risks based on the systems’ security status.
19. PROTECTION OF INFORMATION AT REST AND IN TRANSIT
aDi applies procedures for the secure management of storage media in accordance with this Policy.
Special attention is given to information stored or transmitted through insecure environments, open networks, or networks with weak encryption. aDi proactively prevents information loss through the implementation of backup processes.
In addition, all information stored on non-electronic media is protected under lock and key, with the same level of security as information stored on electronic media.
20. USE OF ARTIFICIAL INTELLIGENCE
When aDi acquires, develops, or deploys an Artificial Intelligence system, in addition to complying with applicable regulations, it must obtain a report from the Deputy Security Manager, who shall consult with the Information Owner and the Service Owner and, where necessary, the System Owner. The Data Protection Compliance Officer must also issue an opinion.
In addition, aDi has an AI USE POLICY that must be complied with by all employees.
21. PREVENTION REGARDING OTHER INTERCONNECTED INFORMATION SYSTEMS
aDi analyzes the risks arising from the interconnection of its systems with other systems through networks, and controls and monitors such interconnections via their points of connection. It also ensures that robust security requirements are met.
22. AUTHORIZATION PROCESS
Responsibilities related to information security and business continuity are documented and assigned to specific individuals by General Management. These individuals have the necessary qualifications to perform their duties effectively, and a formal authorization process for information systems is in place.
Depending on the type of component or action, authorization from the following roles shall be required:
| Type of Change | Authoriser |
|---|---|
| Business activity | General Management |
| Project / Service | General Management |
| Physical infrastructure component | Security Manager |
| Technological component | Deputy Security Manager |
The elements subject to the authorization process shall include, at a minimum:
- Primary and alternative facilities
- Deployment of equipment into production
- Deployment of applications into production
- Establishment of communication links
- Use of telematic communication means
- Use of storage media
- Use of mobile devices
- Use of third-party services, under contract or agreement
- Any changes that may pose a risk to the information security of aDi or its customers
23. ACTIVITY LOGGING
aDi logs the activities of users as well as system administrators, retaining the information necessary to monitor, analyze, investigate, and document improper or unauthorized activities, enabling the identification at all times of the individual performing the action. This is carried out in accordance with applicable law, respecting individuals’ privacy and rights, and periodic reminders are issued.
Log management systems and the logs themselves are also protected against tampering and unauthorized access.
24. SECURITY INCIDENTS
aDi has a detection and response system for security incidents of both a physical and logical nature, ensuring an agile, consistent, and effective approach to their management, including the communication of events, incidents, emergencies, vulnerabilities, and security weaknesses.
This also covers security incidents involving personal data.
25. BUSINESS CONTINUITY
aDi proactively prevents service unavailability. To this end, it has specific policies and procedures in place dedicated to ensuring continuity. In addition, it has the necessary tools and technical security measures to guarantee the continuity of operations.
26. CONTINUOUS IMPROVEMENT OF THE SECURITY PROCESS
The integrated security and business continuity process implemented at aDi is continuously reviewed and improved. Engineering processes are frequently updated to ensure the ongoing improvement of the applied security and continuity processes and to adapt to new potential threats.
27. STRUCTURING OF SYSTEM DOCUMENTATION
aDi has a document control and change management procedure in place.