Information Security Policy
Contact email: dpo@sponso.com
This policy aims to establish the commitment of the Management of sponso.com, represented by the Security Committee, to information security and the protection of information assets necessary to perform the functions within scope. This commitment is materialized through the implementation, maintenance, and continual improvement of an Information Security Management System (ISMS) in accordance with the international standard UNE-EN ISO/IEC 27001:2022.
This policy applies to all members of the organization, as well as all third parties identified in the Information Security Management System (ISMS).
This Policy is accessible and public to all staff, as well as relevant interested parties, and is applicable within our organization.
This Information Security Policy will be reviewed and approved within the timeframes established by the organization’s Security Committee. Nevertheless, should relevant changes occur for the Organization—operational, legal, regulatory, or contractual—it will be reviewed whenever deemed necessary, ensuring that the Policy remains adapted at all times.
The organization undertakes to protect all assets under its responsibility through the necessary measures, always ensuring compliance with the applicable regulations and laws. To comply with UNE-EN ISO/IEC 27001:2022, the organization commits to maintaining an Information Security Management System (ISMS) that includes the processes, resources, procedures, technologies, and tools necessary to ensure the confidentiality, integrity, and availability of information assets and the technological assets that support them, particularly those processes included within the scope.
Compliance with this Information Security Policy is the responsibility of all personnel of the organization, as well as external personnel included within the scope of the ISMS. The Management of the organization expects all personnel to be familiar with this Information Security Policy.
The Management of Automated Investment Solutions, S.L. considers that achieving objectives depends on meeting various requirements aimed at ensuring Information Security within the Organization. Accordingly, Information Security must be a priority for the organization, and this Policy sets out the following guidelines:
The application of this policy will result in the creation of documentation referring to Policies and Procedures applicable to the processes described within the ISMS scope. Such documentation will be distributed through appropriate channels and on a need-to-know basis to all interested parties.
Information Security is controlled and monitored by the Security Committee through the Risk Analysis and Management framework established within the ISMS. This framework enables Management to assess the degree of internal control over information assets by using a risk analysis methodology that provides objective, measurable, and reproducible results.
Management, acknowledging that complete risk mitigation is unattainable, establishes that the residual risk level associated with any information asset within the ISMS scope will not exceed a defined threshold. For the Management of Automated Investment Solutions, S.L., this level represents the residual risk threshold whose mitigation cost is greater than the loss incurred should it materialize. If the residual risk associated with any information asset exceeds the accepted risk level, the Management of Automated Investment Solutions, S.L. will evaluate alternatives for mitigating that risk and provide the necessary resources to bring it below the accepted residual risk level.
It is the responsibility of all members of the organization to notify Management of any event or situation that could constitute non-compliance with any of the guidelines defined by this Policy.
All members of Automated Investment Solutions, S.L. must have the appropriate training to perform their duties. Likewise, members of Automated Investment Solutions, S.L. must be made appropriately aware of Information Security and good practices.
This Policy establishes the obligation and responsibility of all members of the organization, as well as third parties included within the ISMS scope, to identify and report any incident that could compromise the security of its information assets, as well as any situation that could constitute a nonconformity with ISMS procedures and the UNE-EN ISO/IEC 27001:2022 standard.
Information Security Policy for Supplier Relationships
The main objective of this policy is to mitigate possible risks associated with access to the information, information systems, or resources of Automated Investment Solutions, S.L. by service providers, regardless of the type of service provided or the relationship that links them to Automated Investment Solutions, S.L. (legal, contractual, or any other non-employment relationship), in order to protect the confidentiality, integrity, and availability of the information of Automated Investment Solutions, S.L. and its clients.
This policy applies to all of the organization’s suppliers.
Confidentiality of information
All information, documentation, programs and/or applications, methods, organization, business strategies, and activities related to Automated Investment Solutions, S.L. or its business to which service providers have access for the purpose of performing the service shall be considered confidential information. Accordingly, access to, exchange of, and processing of such information shall always be carried out in accordance with the intended purposes described in the services contract, maintaining the corresponding duty of confidentiality during the term of the service and after the relationship with Automated Investment Solutions, S.L. ends.
Intellectual Property
Compliance with the legal restrictions on the use of material protected by intellectual property regulations will be ensured. Service providers may only use material authorized by Automated Investment Solutions, S.L. to carry out their duties.
Information exchange
Any type of information exchange that takes place between Automated Investment Solutions, S.L. and service providers shall be understood to have been carried out within the framework established by the corresponding services contract, and therefore such information may not be used outside that framework or for other purposes.