Data Security Policy

1. Introduction

This Data Security Policy ("Policy") outlines the principles and guidelines to ensure the protection, confidentiality, integrity, and availability of data assets within Waiis Solution Iberia, SL ("the Company"). This Policy applies to all employees, contractors, and third-party vendors who handle or have access to company data.

2. Purpose

The purpose of this Policy is to:

  1. Safeguard sensitive and confidential information from unauthorized access, use, disclosure, alteration, or destruction.
  2. Comply with applicable data protection laws, regulations, and industry standards.
  3. Minimize the risk of data breaches, cyber-attacks, and other security incidents.
  4. Foster a culture of data security awareness and responsibility among employees.

3. Scope

This Policy applies to all data assets, regardless of their format or storage media, including but not limited to:

  1. Personal data of employees, customers, partners, and other individuals.
  2. Financial data, such as credit card information and bank account details.
  3. Intellectual property, trade secrets, and proprietary information.
  4. Operational data, including system logs and network configurations.

4. Roles and Responsibilities

4.1 Management

  1. Management is responsible for defining the overall data security strategy, assigning roles, and allocating resources.
  2. Management will regularly review and update this Policy to keep it aligned with emerging threats, technologies, and regulatory requirements.
  3. Management should promote a culture of data security awareness and provide employees with appropriate training and resources.

4.2 Employees

  1. All employees must adhere to this Policy and take responsibility for safeguarding company data.
  2. Employees should report any actual or suspected data security incidents promptly to the designated authority.
  3. Compliance with this Policy is a condition of employment, and failure to comply may result in disciplinary action, up to and including termination.

5. Data Classification and Handling

5.1 Data Classification

  1. All data assets should be classified based on their sensitivity, criticality, and legal/regulatory requirements.
  2. The classification levels include:
    1. Confidential: Highly sensitive information requiring the highest level of protection.
    2. Internal Use: Information intended for internal use only, with some restrictions on access and distribution.
    3. Public: Information that can be freely shared with the public.

5.2 Data Handling

  1. Access Control: Access to data should be granted on a need-to-know basis and in accordance with user roles and responsibilities.
  2. Encryption: Confidential and other sensitive data should be encrypted both in transit and at rest, using industry-standard encryption algorithms and protocols.
  3. Data Storage: Data should be stored in approved systems and infrastructure, ensuring appropriate backup and disaster recovery mechanisms.
  4. Data Transmission: Secure, authenticated channels, such as TLS-protected connections or virtual private networks (VPNs), should be used for transmitting sensitive data over public networks.
  5. Data Retention: Data should be retained only as long as necessary, in compliance with legal and regulatory requirements.

6. Security Controls

6.1 Information Security Infrastructure

  1. The Company will establish and maintain an information security infrastructure to protect data assets, including firewalls, intrusion detection/prevention systems, and antivirus/anti-malware software.
  2. Regular vulnerability assessments, penetration testing, and security audits will be conducted to identify and mitigate risks.

6.2 User Authentication and Access Control

  1. Strong password policies, multi-factor authentication (MFA), and the principle of least privilege will be implemented to ensure that only authorized users gain access, and only to the data their roles require.
  2. User accounts and access rights should be reviewed regularly to remove unnecessary privileges.

6.3 Incident Management

  1. The Company will maintain an incident response plan to detect, respond to, and recover from data security incidents promptly.
  2. All employees should be aware of the incident reporting process and report any actual or suspected incidents to the designated authority.

7. Training and Awareness

  1. The Company will provide regular training and awareness programs to educate employees on data security best practices, policies, and procedures.
  2. Employees should stay updated on emerging threats, social engineering techniques, and cybersecurity trends.

8. Compliance

  1. The Company will comply with all applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR) and any other relevant industry-specific regulations.
  2. Periodic audits and assessments will be conducted to ensure compliance and identify areas for improvement.

9. Policy Review

This Policy will be reviewed and updated as necessary to reflect changes in technology, business requirements, and regulatory frameworks.