Security policy for cloud services supplied by NUMINTEC

This document establishes the policies and technical and organizational measures applicable to the cloud services provided by NUMINTEC.

GENERAL SECURITY MEASURES

Organizational Policies

  • Information Security and Privacy Policy: There is an information security and personal data protection policy published and known by all staff and collaborators.
  • Security Officer: NUMINTEC has designated an Information Security Officer (“CISO”) responsible for coordinating and supervising security policies, regulations, and procedures.
  • Roles and Responsibilities: Roles and responsibilities regarding information security and privacy protection are defined and appropriately assigned within the organization.
  • Risk Management Program: Within the framework of the Information Security Management System, there is a plan for evaluating and treating information security risks, which is reviewed periodically.
  • Continuous Evaluation: NUMINTEC periodically verifies and evaluates the effectiveness of technical and organizational measures implemented to protect information security. This evaluation is based on industry security standards and the Information Security Management System.
  • Supplier Security Policy: There is a formal process to assess compliance with information security and privacy protection requirements by suppliers.

Staff and Collaborators

  • Responsibilities: All NUMINTEC staff have committed to complying with and enforcing the company’s information security policies and regulations.
  • Confidentiality Commitment: All staff and collaborators sign a contractual document obliging them to maintain secrecy and guarantee data confidentiality and security.
  • Internal Security Regulations: There are regulations on information security, personal data protection, and use of IT resources that all staff have committed to comply with.
  • Training and Awareness: All staff receive adequate training regarding information security and personal data protection.
  • System Usage Rules: Security regulations establish rules for the acceptable use of information systems and equipment.

Access to Systems

  • Access Control Policy: NUMINTEC maintains a policy determining security privileges based on the principle of least privilege.
  • Access Authorization: There is a formal process to manage authorization, registration, deregistration, and modification of user access.
  • Individual Accounts: Each person uses an individual and non-transferable user account.
  • Least Privilege: A default least privilege policy applies; staff only have access to information required for their job.
  • Authentication: Industry-standard practices are used to identify and authenticate users.

Information Processing Assets

  • Asset Inventory: An inventory of systems and equipment used in information processing is available.
  • Secure Disposal and Reuse: Formal processes for the secure disposal and/or reuse of equipment.
  • Equipment Maintenance: Systems and equipment are properly maintained or updated.
  • Malware Protection: Equipment has permanently active and updated anti-malware protection.

Network Security

  • Dedicated Security Team: 24×7 security monitoring and a team always available to respond to alerts and incidents.
  • Network Protection and Segregation: Networks are segregated and separated.
  • Architecture: Infrastructure primarily hosted in data centers in Spanish territory (ISO 27001). Data is kept in the corresponding zone according to legislation (e.g., Europe).
  • Perimeter Security: Double layer of firewalls to filter unauthorized traffic and deny non-explicit connections.
  • Secure Transmission Protocols: All traffic over public networks is encrypted using secure protocols.
  • Vulnerability Scanning: Periodic tests to verify networks are free of vulnerabilities.
  • Penetration Testing: At least once a year, a comprehensive pentest is performed on production networks and servers against third-party attacks.
  • Alert Management (SIEM): The monitoring system collects activity logs.
  • Intrusion Detection: Control of entry/exit points by logging accepted and denied connections.
  • DDoS Mitigation: Real-time network traffic monitoring.

Security Operations

  • Logical Access: Role-based security architecture and “need to know” policy (ISO 27001/27017).
  • Capacity Monitoring and Management: Continuous performance monitoring and future requirement projection.
  • Incident Response: 24/7 event escalation to operations and security teams. Specific cyberattack response procedure.
  • Change Management: Procedure to prevent changes from affecting information security.
  • Audit Logs: Logs of operations on data (access, modification, deletion) are collected, preserved, and reviewed.

Data Encryption

  • Encryption in Transit: Information over public networks is transmitted securely.
  • Call Encryption: The most secure voice signaling protocols available are used. (Note on legal interception per Law 25/2007 and Law 9/2014).
  • Encryption at Rest: Encryption at rest is used in all cases.

Availability and Continuity

  • Availability: Continuous monitoring to ensure committed availability objectives.
  • Redundancy: Redundant infrastructure (firewalls, routers, servers) to avoid single points of failure.
  • Backups: Automated and continuously supervised.
  • Recovery Testing: Periodic recovery and data verification tests.
  • Continuity Plan: Plan developed and tested to respond to disruptive incidents.
  • Disaster Recovery: Specific procedures for threats like ransomware or severe failures.

Physical Security

  • Security Perimeter: Protection of premises where information is processed.
  • Access Control: Physical controls to ensure only authorized personnel have access.
  • Threat Protection: Protection against physical and environmental threats.

Application Security

  • Logs: A log of accesses and modifications from the InvoxContact web application is maintained.
  • Passwords: Secure storage following best practices.

PERSONAL DATA PROTECTION

Technical and Organizational Measures

  • Management System: System to ensure legal compliance and risk treatment.
  • Responsibilities: Appointment of a Data Protection Officer (DPO).
  • Obligations: All staff sign a commitment to comply with data protection policies.
  • Training: Awareness sessions for employees.
  • Technical Measures: Protection according to ISO 27001 certification.
  • Privacy Policy: Included in the “General Terms and Conditions”.
  • Data Processing: NUMINTEC acts as a data processor, guaranteeing confidentiality, integrity, availability, and access restoration.
  • Data Communication: Not transferred to third parties except necessary providers, operators, and official bodies by law.
  • International Transfers: Only to countries with adequate protection level or valid certifications (USA).
  • Retention: Permanent deletion 90 days after disconnection, barring legal obligations.

Privacy by Design and Default

  • Minimization: Only strictly necessary data.
  • Term Limitation: Procedures to limit retention and delete temporary files.
  • Purpose Limitation: Avoiding use for purposes other than established ones.
  • Pseudonymization and Encryption: Applicable in cases of sensitive data.
  • Segregation: Restricted access to sensitive information.

Exercise of Rights and Breaches

  • Rights: Procedure to assist the controller in responding to data subjects.
  • Security Breaches: Procedure for identification and immediate notification to the controller and assistance in notifying the authority.

RELATIONSHIP WITH SUPPLIERS

General Measures

  • Security Policy: Assessment of supplier security requirement compliance.
  • Confidentiality: Signing of NDAs.
  • Certification: ISO 27001 or equivalent required (especially for Cloud providers).
  • Evaluation: Periodic review of SLAs.
  • Supply Chain: Diversification and redundancy.
  • Personal Data: Data Processing Agreements (DPA) with all suppliers.
  • Service Cessation: Obligation to delete information upon service termination.
  • Segregation: Guarantee of virtual environment segregation.

REGULATORY COMPLIANCE

  • Certifications: ISO 9001:2015, ISO 27001:2022, ISO 27017:2015, ISO 27018:2019. (Auditor: SGS).
  • Data Protection: Strict compliance with current legislation.