Information security policy

KUNAK TECHNOLOGIES S.L.

Introduction

At KUNAK TECHNOLOGIES S.L. we design and operate environmental monitoring and IoT solutions that process critical data for our customers. Trust in our services relies on information being available, accurate, and properly protected against unauthorized access.

With this Information Security Policy, Top Management expresses its commitment to protecting information and complying with applicable legal and contractual requirements, integrating security into all organizational processes and services.

1. Purpose and scope

The purpose of this Policy is to establish the general principles and guidelines for managing information security at KUNAK TECHNOLOGIES S.L.

Its scope includes:

All information systems, infrastructures and services managed by KUNAK TECHNOLOGIES S.L., both on‑premises and in the cloud.

All internal staff and third parties who have access to these systems or to information managed by the organization.

Compliance with this Policy is mandatory for all persons and entities within its scope.

2. Reference framework

Information security management at KUNAK TECHNOLOGIES S.L. is aligned with the Spanish National Security Framework (Esquema Nacional de Seguridad, ENS) and with the ISO/IEC 27001 standard for information security management systems, currently in the certification process.

It also complies with applicable data protection regulations, including Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD), which underpin the internal procedures and controls implemented by the organization.

3. Security principles

KUNAK TECHNOLOGIES S.L. is committed to protecting information according to the following principles:

  • Confidentiality: information is only accessible to authorized persons, systems or entities.
  • Integrity: information is accurate and complete, preventing unauthorized modifications or uncontrolled errors.
  • Availability: systems and services are operational when required, with the defined levels of continuity and resilience.
  • Authenticity: the identity of the parties involved and the origin of exchanged data are guaranteed.
  • Traceability: relevant actions are logged so that they can be analysed and audited.

4. Organization and responsibilities

The Management of KUNAK TECHNOLOGIES S.L. has ultimate responsibility for information security and approves this Policy.

The organization has an Information Security Committee, made up of the service, information, security and systems managers, whose functions include:

  • Defining and reviewing the information security strategy and regulations.
  • Coordinating actions of the different areas in security matters.
  • Supervising risk management, incident management and security audits.

All staff, as well as external companies working with KUNAK TECHNOLOGIES S.L., must be aware of and comply with this Policy and with the internal regulations derived from it.

5. Risk management and compliance

KUNAK TECHNOLOGIES S.L. carries out risk analysis and risk management of its information systems, reviewing them periodically and whenever there are significant changes, new threats or relevant incidents.

The organization undertakes to:

  • Implement technical and organizational measures appropriate to the level of risk.
  • Maintain evidence of compliance with ENS, ISO/IEC 27001, GDPR, LOPDGDD and other applicable regulations.
  • Subject its systems to regular internal and third‑party reviews and audits.

6. Protection of personal data

Personal data are processed only when they are adequate, relevant and not excessive for the legitimate purposes of the organization and its customers.

KUNAK TECHNOLOGIES S.L. applies appropriate technical and organizational measures to:

  • Ensure a level of security appropriate to the risk.
  • Facilitate the exercise of data subjects’ rights.
  • Ensure the confidentiality, integrity and availability of personal data throughout their life cycle.

7. Awareness, training and third parties

Information security is the responsibility of everyone involved in the activities of KUNAK TECHNOLOGIES S.L.

The organization:

  • Provides periodic training and awareness on security and data protection.
  • Contractually requires providers and third parties that deliver services or process information on behalf of KUNAK TECHNOLOGIES S.L. to meet security requirements equivalent to its own.
  • Establishes security supervision and coordination mechanisms with such third parties.

8. Incident management and continuity

KUNAK TECHNOLOGIES S.L. has procedures in place for the detection, reporting, analysis and response to information security incidents, as well as for the recovery of affected services.

The organization maintains backup, contingency and business continuity plans that allow essential services to be restored in case of major failure or disaster, in line with customer requirements and the ENS.

9. Review and continual improvement

This Information Security Policy will be reviewed at least once a year, or whenever there are significant changes in systems, services, applicable regulations or identified risks.

Management and the Information Security Committee drive the continual improvement of the information security management system, incorporating lessons learned from audits, reviews, risk analysis and incident handling.