1. Introduction
NeuronUP relies on ICT (Information and Communication Technology) systems to achieve its objectives. These systems must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity, or confidentiality of the information processed or the services provided.
NeuronUP staff must ensure that security is an integral part of every stage of the system life cycle, from its design to its decommissioning, including development or procurement decisions and operational activities.
NeuronUP departments, in line with the functions assigned to them, must be prepared to prevent, detect, respond to, and recover from incidents in accordance with applicable regulations.
To ensure compliance with this policy, the Security Committee develops and regularly evaluates these systems and ensures that all NeuronUP staff are aware of and fulfill their information security duties.
2. Scope
This policy applies to all people, processes, systems, and assets involved in the processing of information within NeuronUP.
This includes internal staff, external collaborators, suppliers, and third parties who have access to information or systems, as well as all information assets.
Compliance with this policy is mandatory and forms the basis upon which the organization’s Information Security Management System (ISMS) rules, procedures, and controls are established.
3. Purpose of this policy
The purpose of this policy is to establish the framework for action to ensure information security and the continued delivery of services.
This policy is implemented through security documentation and regulations (procedures, processes, technical instructions, etc.) available to all members of the organization who need to be aware of it, in particular those who use, operate, or administer information and communications systems.
The security regulations are available to all employees of the organization in its document management system.
4. Regulatory framework
NeuronUP is committed to complying with all applicable laws, regulations, and standards relating to Information Security.
5. Security organization
Company Management assumes responsibility for promoting and supporting the establishment of technical, organizational, and control measures that ensure the levels of quality and security required for the company’s operations, committing to the continuous improvement of the Information Security Management System.
Responsibility for this task is delegated to the Security Committee, created by NeuronUP as a cross-functional collegiate body composed of:
- The Information Security Officer, who also serves as President of the Security Committee.
- The Systems Administrator, who also assumes the role of Secretary of the Security Committee.
- The Director of Technology.
The specific duties of these roles are included in the job descriptions of their respective owners. The procedure for their appointment and/or renewal is approved by Management.
Appointments will be reviewed every 2 years or when a position becomes vacant, at the proposal of the Security Committee itself.
5.1. Functions of the Security Committee
The main function of the Security Committee is to set the Information Security Policy and the objectives of the ISMS.
The Security Committee will establish the levels of risk considered acceptable, determining appropriate actions to reduce those risks that exceed these thresholds.
It will be the mission of the Security Committee to carry out the annual review of this policy and to propose its revision or maintenance. Likewise, this policy will be complemented by means of security regulations and recommendations (other policies, protocols, procedures, technical instructions, etc.).
Specifically, the security points to be reviewed will be:
- The status of the actions to be carried out since the last control.
- Relevant changes for the ISMS.
- Risk management, vulnerabilities, and threats.
- Technologies, products, and services for continuous improvement.
6. Risk management
To harmonize risk analyses, the Security Committee will establish a reference valuation for the different types of information handled and the different services provided.
The Security Committee will study the availability of resources to meet the security needs of the different systems.
All systems subject to this policy must undergo a risk analysis, assessing the threats and risks to which they are exposed. This analysis will be repeated:
- regularly, at least once a year;
- when a serious security incident occurs;
- when serious vulnerabilities are reported.
To ensure the availability of critical services in the event of potential incidents, the company has a Disaster Recovery Plan that coordinates all recovery activities for business processes that may be affected.
7. Staff obligations
All members of NeuronUP are required to know and comply with the Information Security Policy and the security regulations, and it is the responsibility of the Security Committee to provide the necessary means for the information to reach those affected.
Non-compliance with this Information Security Policy and the rules that develop it may result in disciplinary sanctions in accordance with the provisions of the Workers’ Statute and the applicable collective bargaining agreement. The specific guidelines for employees are set out in the Security policy for employees.
7.1. Awareness and training
In accordance with the Information Security training and awareness policy, all members of NeuronUP will receive information security training at least once a year. Likewise, a continuous awareness program will be established to ensure that all stakeholders understand and comply with the Information Security Policy.
People with responsibility for the use, operation, or administration of systems will receive training for the secure handling of the systems to the extent they need it to perform their work. Training will be mandatory before assuming a responsibility, whether it is their first assignment or a change of position or responsibilities within the same role.
7.2. Basic ISMS guidelines
The basic guidelines for the secure processing of information and the structuring of the system’s security documentation, its management, and access are set out in the ISMS manuals, policies, regulations, and procedures.
These guidelines are as follows:
- Information must be classified into the following categories: Public, Internal Use, Confidential, or Restricted.
- Physical media that store non-public information must be kept in a secure place.
- Access to information systems will be granted based on the need-to-know principle, ensuring that each person accesses only the information necessary to perform their duties.
- Physical access to the company’s facilities is restricted solely to authorized personnel.
- All employees must record their entries and exits through the time and attendance control system.
- Access by external persons to the company must be recorded in the cases established by NeuronUP.
- The Password management policy indicated by NeuronUP will be followed.
- Computers are configured so that after a period of inactivity, they automatically lock with a password-protected screensaver. However, it is the user’s responsibility to lock it manually each time they leave their workstation.
- Whenever an employee leaves the company, their access rights will be deactivated.
- Users will have corporate email for the performance of their work.
- Appropriate security clauses will be included in contracts with third parties.
- Users must never disable antivirus programs or any other tool or control installed with the objective of improving security.
- Users should not have an expectation of privacy when accessing the company’s information systems, since the company (within the established legal framework and for the purpose of managing the systems and enforcing security) may review any information stored on its systems.
- Any security-related inquiry can be addressed to [email protected].
- Upon detecting a situation that affects NeuronUP’s information security, any user (employee or external) must report it to the department head and/or the security officer.
8. Personal data
NeuronUP will only collect and process personal data when necessary and in accordance with data protection regulations; therefore, it has a Personal data protection policy, which complies with the security levels required by applicable regulations.
The necessary technical and organizational measures will be adopted to ensure the protection of personal data.
9. Third parties
When NeuronUP provides services to other organizations or handles third-party information, they will be informed of this Information Security Policy and the rules and instructions derived from it. Channels will be established for reporting and coordination between the respective Security Committees, and procedures will be established for responding to security incidents.
When NeuronUP uses third-party services or shares information with third parties, they will be informed of this policy and the security regulations that apply to such services or information. Said third party will be subject to the obligations established in the regulations and may develop its own operating procedures to comply. Specific procedures for incident reporting and resolution will be established. It will be ensured that third-party personnel are adequately aware of security matters, at least to the same level as established in this policy.
When any aspect of the policy cannot be satisfied by a third party as required in the previous paragraphs, a report will be required from the Security Officer detailing the risks incurred and how they will be addressed. Approval of this report will be required from the owners of the information and the affected services before proceeding.
Date of last review: November 22, 2025