Security Policy of Made of Genes

Mission and Objectives

The mission of Made of Genes S.L. (hereinafter, the “Company”) is to provide advanced personalized health services and bio-health data management, guaranteeing the protection and confidentiality of our clients' personal and genetic data. The Company is committed to continuous innovation and the implementation of cutting-edge technologies to ensure the quality and safety of its services.

The Company recognizes the importance of identifying and minimizing the risks to which its information assets are subject, developing and implementing an Information Security Management System (ISMS) that allows the application and monitoring of controls to prevent the loss, disclosure, modification and unauthorized use of information, both in local systems and in the cloud, thus helping to reduce operating and financial costs, ensuring compliance with legal, contractual, regulatory and business requirements. These controls aim to ensure the security of information by preserving its confidentiality, integrity, traceability, availability and authenticity, especially when dealing with personal and sensitive data.

This policy is communicated to stakeholders in order to involve them in the continuous improvement of the system.

Legal and regulatory framework

The Company carries out its activities in compliance with a rigorous legal and regulatory framework that includes, but is not limited to:

• International Standards: ISO/IEC 27001:2022, ISO/IEC 27017:2015, ISO/IEC 27018:2019.
• National Regulations: Royal Decree 311/2022 - National Security Scheme.
• Data Protection and Information Services Legislation:
  • General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
  • Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD) - Organic Law 3/2018, of December 5.
  • LSSI - Law 34/2002, of July 11, 2002, on information society services and electronic commerce.
• Other Relevant Regulations: Specific health sector regulations and any other regulatory framework applicable to the management of personal and genetic data, including digital environments.
• Law 14/2007, of July 3, 2007, on Biomedical Research.
• Law 41/2002, of November 14, 2002, which regulates patient autonomy and the rights and obligations regarding clinical information and documentation.

Although these are the main applicable regulations, the complete register of reference regulations is available to interested parties upon specific request.

Security roles and functions

Company Management

The Company Management, and on its behalf the Chief Executive Officer (CEO), is committed to:

1. Periodically establish objectives on the management of Information Security, the use and provision of Cloud Services, the management of Personal Data, as well as the actions necessary for their development.
2. Establish systematic risk analysis, assessing the impact and threats, including those specific to Cloud Services and Personal Data management.
3. Implement the necessary actions to reduce the identified risks that are considered unacceptable, according to the criteria established by the Security Committee.
4. Implement the necessary controls and their corresponding monitoring methods.
5. Comply with the legal, regulatory and contractual security requirements assumed by the Company, especially with regard to the management and privacy of our customers' personal and genetic data.
6. To guarantee to each client that their information will be processed in accordance with the fundamental requirements of confidentiality, integrity and availability of a bio-health information management system.
7. Promote awareness and ensure training in information security to all our own personnel, as well as to external collaborators involved in the use or management of information systems.
8. When workers do not comply with security policies, apply disciplinary measures in accordance with the workers' agreement, within the applicable legal framework and sized to the impact they have on the organization.
9. Implement a secure development policy that includes change management, software security requirements and code quality, both internal and external.
10. Provide the necessary resources to ensure the continuity of the Company's business.

Additionally, the following are responsibilities of the Company's Management:

• The strategic coordination of all information security actions.
• The inclusion of security policies in the company's strategy.
• The provision of resources to the technical managers
• To ensure compliance with the regulations and legislation in force.
• Transmitting and facilitating the implementation of security policies at a transversal level between departments.
• Annually review the ISMS and the final acceptance of the different security policies.
• Act as Interim Chief Information Officer in the absence of the RSI.

Chief Technology Officer (CTO) / Service Manager

The CTO is appointed by the Company Management to be responsible for the following tasks:

• Define the requirements and scope of technological developments.
• Incorporate an information security dimension to the company's technological developments.
• Establish and monitor indicators related to the correct functioning of the information systems.
• To transfer the defined security measures to the team responsible for technological development.
• Communicate to the Security Manager any incident in the field of Information Security arising from system monitoring or software development processes.
• Implement a Secure Development policy and evaluate Software Quality.
• Audit the due diligence of technical staff regarding system security.

Information Security Officer (ISO)

The Company's Management appoints the ISO as responsible for the following tasks:

• Manage the Incidents reported in the ISMS.
• Convene and lead the Security Committee Meetings.
• Receive and manage communications with clients or users related to information security.
• Coordinate, together with RSIS, ISMS audits on a regular basis.
• Audit the CTO's due diligence regarding system security.

Chief Information Security Officer (CISO)/Information Security Officer

The Company Management appoints the CISO as responsible for the following tasks:

• Define and supervise the correct application of the Security Policies in the different areas of the company.
• Ensuring Confidentiality, Traceability, Authenticity, Integrity and Availability of Information Services and Assets.
• Coordinate the technical actions transversally to other departments.
• Define and supervise the processes of integration or transfer of data with third parties.
• Define and supervise the projects of information exploitation, own or from third parties.
• Monitor and communicate to the technical teams any changes in the services of cloud providers.
• Act as Information Manager

System Administrator (SA) / Systems Manager

The CISO appoints the AS as responsible for the following tasks:

• Configure Identity and Permission Management Tools.
• Management of the Endpoint Devices (Endpoints)
• Monitoring of security relevant SIEM events
• User support on Information Security issues

Data Protection Officer (DPD)

The Company Management appoints the DPD as responsible for the following tasks:

• Ensure compliance with the applicable regulations on Personal Data Protection in the different processes of the company.
• Receive and manage communications with customers or users regarding the management of personal data.
• Communication with the authorities in case of personal data breaches.

Responsible for the Information Security System (RSIS)

The Company Management appoints the QARA Lead as RSIS and responsible for the following tasks:

• Coordinate the integration of information security requirements within the quality management system.
• Identify and assess security risks in processes related to quality and regulation.
• Coordinate, together with the ISO, internal and external audits to ensure regulatory compliance.
• Coordinate with the security team the implementation of security controls in products and services.
• Advise work teams on the implementation of good safety practices in quality and regulation.

Information Users

Information Users, including customers, suppliers, employees and other stakeholders, have a duty and responsibility to comply with established security policies, report security incidents, and protect information in accordance with the Company's guidelines, as outlined in the applicable Terms and Conditions.

Appointment and renewal procedure

The members of the Security Committee and the roles defined in this policy shall be appointed by the executive management. They shall be included in the corresponding formally approved meeting minutes, as well as in the specific and detailed Roles and Responsibilities Definition document (document for internal use), and shall be communicated to the parties through the entity's communication channels (e-mail, meeting, or messaging applications).

The appointment will be reviewed every 2 years or when the position becomes vacant. The management shall decide to assign more than one role to the same person when deemed appropriate and in compliance with the requirements of the ENS, for which purpose the CCN-STIC-801 guide shall be taken into consideration.

Security Committee

The Security Committee is established as an overall information security management body at the company level. The Head of Information Security acts as secretary of this committee, being responsible for defining the necessary measures and implementations agreed by the Committee. The Security Committee will meet, in general, on a monthly basis, except for the months of August and December, although meetings may be scheduled or cancelled depending on the workload. In any case, a minimum of 10 meetings of the Committee shall be held during a calendar year.

A Standing Committee of 4 people is established. The Committee Meetings will be attended by at least 2 people, one of whom must be the Information Security Manager, who will inform the rest of the members of the Agenda and the relevant information for the meeting. A permanent committee is established that will be convened at each meeting, and non-permanent members that will be convened if the Agenda requires it:

Standing members:

• Chief Executive Officer
• Chief Information Security Officer / Information Security Manager
• Chief Technology Officer
• Systems Administrator
• Responsible for the Information Security System

Non-permanent members:

• Data Protection Officer
• Administration and General Affairs

The main functions of the Security Committee are:

• Identification, review and approval of risks
• Review and approval of company security policies and protocols.
• Approval of corrective measures to mitigate these risks.
• Review of incidents
• Proposing improvements
• Distribution and communication of information related to information security.
• Design and implementation of security training plans for the company's employees.

Conflict resolution

The eventual resolution of conflicts will be resolved according to the organizational hierarchy, being ultimately the responsibility of the organization's management.

Security principles and objectives

The Information Security Policy is supported by a set of specific policies, records, controls and procedures that guide the correct handling, custody and protection of information and are based on the control objectives of the international standards ISO 27001, ISO 27017, ISO 27018, as well as those controls applicable according to Royal Decree 311/2022 - National Security Scheme. The development, maintenance and continuous improvement of the ISMS will be based on the results of a process of continuous evaluation of the risks that act on the Company's information assets and that are grouped around the following work blocks:

• Protection of files and databases, either locally or in the cloud.
• Protection of private information including passwords, certificates and cryptographic keys.
• Protection of the source code repositories of the company's products and services, as well as their quality.
• Protection of the IT infrastructure supporting the organization, including facilities, buildings and rooms.
• Protection of virtual resources in the cloud, including their life cycle management and required access controls.
• Protection of resources and services located in the cloud through specialized service providers.
• Protection of networks and communication channels used internally or publicly, locally and in the cloud.
• Protection of the company's passive assets and the data of the users of its services, locally and in the cloud.
• The vetting, regulation and compliance of service providers, whether physical or cloud services.
• Training and continuous supervision of employees and collaborators with access to information systems.
• The communication of relevant facts, including security breaches, from customers of on-premises and cloud services.
• Supporting the investigation of relevant events, including security breaches, to customers, authorities and affected parties.
• Ensuring business continuity through contingency plans and redundancy at multiple levels.
• Compliance with legal and regulatory standards.

Other Information Security Policies

The Company extends this Security Policy through specific sub-policies, listed as follows

• Application Security Policy
• Credentials Policy
• Code Control and Secure Development Policy
• Security Incident and Event Management Policy
• Continuity Management Policy
• Work Center Security Policy
• Personnel Security Policy
• Technology Service Providers Policy
• User Account Policy (Clients)
• User Account Policy (Employees)
• Cryptography and Secret Communications Policy
• IT Systems Administration Policy (Servers)
• Backup Policy
• Remote Access and Teleworking Policy
• Personal Equipment and Removable Media Policy

Where applicable, the above sub-policies are available to interested parties upon request and prior confidentiality agreement.

Processing of Personal Data

The Company implements a Register of Processing Activities, as well as an Impact Assessment related to Personal Data. These documents are available to interested parties upon request and prior confidentiality agreement, as long as their access is relevant and justified for the interested party.

In addition, users may consult the details regarding the processing of Personal Data, both in the Role of the Company as Data Controller and as Data Processor in the General Conditions of the service.

Point of Contact

Interested parties may contact the Security Officer, or on his or her behalf another permanent member of the Security Committee, by e-mail at security@madeofgenes.com.

Application and modification

This policy applies to all Company personnel, as well as to collaborators and suppliers with responsibility for company assets, in order to maintain confidentiality, traceability, authenticity, integrity and ensure the availability of information. All users shall have the obligation to report information security incidents using the guidelines established by the Company through the channels established for this purpose or, in general, through the Point of Contact.

This Information Security Policy may be reviewed and modified as provided by the Security Committee in accordance with the review needs established from time to time.

Distribution of the Policy and obligations

The Security Policy shall be distributed in the following ways depending on the stakeholder group to which it is addressed:

Staff and managers of the organisation

The distribution of the Security Policy shall be carried out by means of e-mail or official messaging tools of the organisation.

Everyone in the Company is obliged to know and comply with this information security policy, as well as the documentation that develops it insofar as it affects them, and the Security Committee is responsible for providing the necessary means for the information to reach them.

All Company personnel shall attend an IT security awareness session at least once a year.

Persons with responsibility for the use, operation or administration of information systems shall receive additional training in the secure use of the systems to the extent that they need it to carry out their work.

Customers, collaborators, suppliers and other stakeholders.

The Security Policy will be included as a section of our website where it can be consulted and updated at all times. Channels will be established for the reporting and coordination of the respective Information Security Committees and action procedures will be established for reacting to security incidents.

These groups shall be subject to the obligations established in this policy, and may develop their own operating procedures to comply with it.

Approval and entry into force

This Information Security Policy is effective from the date of approval until superseded by a new one.