Information Security Policy
1. Introduction
MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. relies on Information Systems and Information and Communication Technologies (ICT) to achieve its objectives and provide services to its clients. In this regard, through the Information Security Management System (ISMS), all systems are managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that could affect the availability, integrity, confidentiality, authenticity, and traceability of the information processed or the services provided.
The purpose of the Information Security Management System (ISMS), therefore, is to ensure the quality of information and the continuous provision of services, acting proactively, monitoring daily activities, and responding promptly to incidents.
By implementing this Information Security Management System (ISMS), the Organization’s Information Systems are protected against rapidly evolving threats that could impact confidentiality, integrity, availability, authenticity, traceability, as well as the intended use and value of information and services. To defend against these threats, the Organization maintains a strategy that adapts to changes in environmental conditions to ensure the continuous provision of services. This means that, throughout the Organization, at a minimum, the security measures required by Directive (EU) 2022/2555, the so-called Network and Information Security Directive 2 (hereinafter, NIS2 Directive), are applied, based on the control measures of the National Security Framework (hereinafter, ENS) and any regulatory developments implementing this Directive (EU) into Spanish law, as well as continuous monitoring of service performance levels, analysis of any detected vulnerabilities, and preparation of an effective response to any incident to guarantee the continuity of services provided.
In all areas of the Organization, Information Security is an integral part of every stage of the lifecycle of its systems, from conception to service retirement, including development or procurement decisions and operational activities. Security requirements and funding needs are duly identified and included in planning, in requests for proposals, and in tender specifications for projects related to Information and Communication Technologies (ICT). Furthermore, all systems are prepared to prevent, detect, respond to, and recover from incidents, in accordance with Article 21 of the NIS2 Directive, as well as the provisions of Article 8 of the Royal Decree regulating the ENS.
2. Mission, Vision, and Values
What identifies MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. as an organization and the characteristic traits that distinguish it from other companies are defined in its Mission, Vision, and Values. Through all of these, external stakeholders can understand who MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. is as an Organization, what it intends to achieve, and how it plans to carry it out.
2.1. Mission
The Mission of MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. is to help its clients achieve operational excellence in their factories.
This defines the purpose of its actions, who the people within it are, why they come together as an organization, and what they seek to contribute to society.
Anyone external to MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U., upon reading the Organization’s Mission, can decide whether they identify with it and whether it is worth committing to this purpose. Everything carried out by the entity has a clear meaning, follows a specific direction, and is not done by chance.
2.2. Vision
The Vision of MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. is to lead the next generation of industrial operations, empowering plant teams and digital factories to operate intelligently and technologically, thanks to the Organization.
This Vision represents where the Organization wants to be in the coming years, what it expects to achieve in the medium term, where it envisions itself over time, and how the Mission is translated into action, reflecting its ideals and the goals chosen for the future.
External stakeholders who currently identify with the Organization’s Mission can understand, through the Vision, why work is carried out in a specific way.
2.3. Values
All individuals within MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. share a common understanding of the Organization, based on the following values.
2.3.1. Attitude
At MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U., attitude always comes before aptitude: Attitude > Aptitude.
Within the Organization, individuals always maintain an honest, proactive, and committed attitude.
Enthusiasm, passion, motivation, transparency, and positivity are what make the difference.
2.3.2. Pursuit of Excellence
At MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U., excellence is pursued not as a destination but as a path of continuous evolution, where each achievement opens the door to new growth opportunities.
The Organization anticipates needs and creates lasting value that benefits both its team and its clients.
It is proactive and responds to real environmental needs, improving expected results with effective, measurable solutions that exceed expectations.
2.3.3. Team Spirit
At MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U., communication is always in the plural, and everyone helps one another.
Teamwork occurs at all levels, from development teams to management, across all departments and areas.
The 5 “C’s” of teamwork in the Organization are as follows:
• Communication: Dialogue among team members based on respect, freedom, and sincerity.
• Confidence: Assurance in oneself and in the work performed by other team members.
• Commitment: Voluntary fulfillment of individual responsibilities within the team.
• Collaboration: Spontaneously helping and serving other team members.
• Cohesion: Unity among all team members, prioritizing the group’s success over personal interests.
3. Objectives and Guidelines for Structuring Security Documentation
The security regulatory framework of MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. is organized in a three-level hierarchical structure, designed to ensure the Organization’s institutional consistency, agility in technical updates, and compliance with the basic principles and minimum requirements of the NIS 2 Directive and the ENS.
3.1. Objectives of the Documentation Structure
The objectives pursued by the Organization’s documentation structure are as follows:
• Systematic coverage: Establish a clear regulatory framework covering all organizational, technical, and operational areas.
• Accessibility: Ensure that every member of the Organization can access the rules and procedures necessary to perform their functions.
• Maintainability: Facilitate the independent update of technical procedures without modifying high-level policies.
• Traceability: Enable auditing of regulatory compliance through solid documentary evidence.
3.2. Documentation Levels
The Organization’s security documentation is structured at the following levels:
• First Level: Information Security Policy. This is the present document. It defines the mission, objectives, legal framework, key roles, and security strategy. It is approved by the Organization’s Management and reviewed annually or upon significant changes.
• Second Level: Security Standards. These develop the principles of the Information Security Policy. They are tactical documents that define what must be done and the mandatory requirements for specific domains (e.g., Access Control Standards, Backup Standards, Supply Chain Security Standards, etc.).
• Third Level: Processes, Procedures, and Technical Instructions. These are operational documents detailing how specific tasks should be performed. They include configuration manuals, operation guides, and incident response plans. They are dynamic and technical in nature.
3.3. Guidelines for Management
The guidelines for managing the Organization’s security documentation are as follows:
• Approval: Each documentation level is approved by the competent authority (Security Officer, Information Security Committee, or Organization Management) according to its scope.
• Validity and Review: All documentation is reviewed periodically (at least every two years or when regulatory changes occur, such as the transposition of the NIS2 Directive) to ensure its validity.
• Confidentiality: Access to security documentation is restricted based on the need-to-know principle, especially regarding technical instructions and critical configurations.
• Version Control: All documents have version control and a change history to ensure the integrity and traceability of the security management system.
4. Guiding Principles of the Information Security Policy
MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. has implemented various security measures proportional to the nature of the information and services to be protected, taking into account, as well, the category of the affected systems. These measures are adopted to comply with the articles of the NIS2 Directive covering the basic principles and minimum requirements regarding cybersecurity risk management measures and their approval by the governing bodies of the affected entities (mainly Articles 20 and 21), with their eventual transposition into Spanish law, and with the articles of Royal Decree 311/2022, of May 3, which regulates the ENS. The principles governing the set of adopted measures are specified below.
4.1. Security as an Integral Process and Security by Default
Security constitutes a process composed of all technical, human, material, and organizational elements related to the Organization’s Information Systems. The implementation and development of this Information Security Policy at MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. is guided by this principle, which excludes any action outside the scope of the policy.
Maximum attention is given to the awareness of the people involved in the process and their hierarchical supervisors, to minimize any risk that may affect the Organization’s security.
Systems are designed to ensure security by default as follows:
• The system must provide only the minimum functionality required for the Organization to achieve its objectives.
• Operational, administrative, and activity logging functions must be limited to what is strictly necessary, ensuring that they are accessible only to authorized individuals and only from authorized locations or equipment, and, where applicable, only during authorized time windows and through authorized access points.
• In an operational system, functions that are unnecessary or irrelevant to the intended purpose must be eliminated or disabled through configuration control.
• Ordinary use of a system must be simple and secure, so that insecure use requires a conscious action by the users.
4.2. Periodic Reassessment and System Integrity and Updates
MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. has implemented controls and regular security evaluations (including routine assessments of configuration changes) to always know the state of system security in relation to manufacturer specifications, vulnerabilities, and relevant updates, reacting diligently to manage risk based on the security status.
Prior to introducing new elements, whether physical or logical, a formal analysis is always required.
Additionally, external reviews are periodically requested to obtain independent evaluations.
4.3. Personnel Management and Professionalism
All employees of MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. are required to know and comply with this Information Security Policy, as well as the rules, procedures, or guides that develop it. It is the responsibility of the Organization, through the Information Security Committee, to provide the necessary means to ensure that the information reaches all affected individuals.
4.4. Security Management Based on Analysis and Risk Management
All systems affected by this Information Security Policy, as well as all personal data processing activities, are subject to a risk analysis evaluating the threats and risks to which they are exposed.
This analysis is repeated:
• Regularly, at least once a year.
• When there is a significant change in the information handled or services provided.
• When a serious security incident occurs or serious vulnerabilities are detected.
The Security Officer is responsible for conducting the risk analysis, identifying existing gaps and weaknesses, and reporting them to the Information Security Committee.
4.5. Security Incidents: Prevention, Response, and Recovery
MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. has implemented an integrated process for detecting, responding to, and recovering from malicious code by developing procedures that cover detection mechanisms, classification criteria, analysis and resolution procedures, as well as communication channels to stakeholders and activity logging. This record is used for the continuous improvement of system security.
To prevent information and services from being compromised by security incidents, the Organization has implemented appropriate security measures to comply with the provisions of Article 21 of the NIS2 Directive, as well as additional controls, including those provided in the ENS, identified as necessary through a threat and risk assessment. These controls, as well as the security roles and responsibilities of all personnel, are clearly defined and documented.
MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. plans to incorporate into its policies any legislative developments specifying the requirements of Article 21, including possible regulatory developments, Specific NIS2 Compliance Profiles published under ENS compliance, and any other relevant elements for this Information Security Policy.
When a significant deviation from pre-established normal parameters occurs, detection, analysis, and reporting mechanisms are implemented to inform the responsible parties regularly.
MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. has established the following measures for responding to security incidents:
• Mechanisms to respond effectively to any security incident.
• A contact point for communications regarding incidents detected in other departments, areas, or organizations.
• Protocols for exchanging information related to the incident, including two-way communications with Emergency Response Teams or Computer Emergency Response Teams (CERT).
• The necessary means and techniques to ensure the recovery of critical services to guarantee service availability.
4.6. Defense Lines and Prevention Regarding Interconnected Systems
MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. has implemented a multi-layered protection strategy consisting of organizational, physical, and logical measures, so that when one layer fails, the implemented system allows:
• Gaining time for an appropriate reaction to incidents that could not be prevented.
• Reducing the likelihood of the entire system being compromised.
• Minimizing the final impact on the system.
This strategy includes perimeter protection, particularly for connections, when necessary, to public networks.
In any case, the risks derived from system interconnection via networks with other systems have been analyzed, controlling the connection points.
4.7. Differentiated Roles within the Organization
MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. has organized its security by involving all members of the Organization through the designation of different security roles with clearly differentiated responsibilities.
4.8. Authorization and Access Control
MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. has implemented access control mechanisms for Information Systems, limiting access to only those strictly necessary and duly authorized.
4.9. Facility Protection
MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. has also implemented physical access control mechanisms, preventing unauthorized physical access and damage to information and resources, using security perimeters, physical controls, and general protections in various areas.
4.10. Acquisition of Security Products and Contracting Security Services
For the acquisition of products and services, MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. ensures that these products and services have certified security functionality related to the purpose of acquisition, except in cases where proportionality requirements related to the assumed risks do not justify it, according to the Security Officer’s judgment.
4.11. Protection of Stored and In-Transit Information and Business Continuity
MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. has implemented mechanisms to protect stored or in-transit information, especially when located in less secure environments (laptops, mobile phones, tablets, storage media, external networks, etc.).
The Organization maintains system backups and has established mechanisms to ensure continuity of operations in case of loss of usual work resources.
Procedures have been developed to ensure the recovery and long-term preservation of electronic documents produced within MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U.’s scope of responsibilities.
Similarly, security mechanisms have been implemented according to the nature of the medium where documents are stored to ensure that all related non-electronic information is protected with the same level of security as electronic information.
4.12. Activity Logs
MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. has enabled user activity logs, retaining the information necessary to monitor, analyze, investigate, and document unauthorized or improper activities, allowing identification of the acting person at any time. All of this is solely intended to ensure compliance with the objectives of the Royal Decree regulating the ENS, with full guarantees of the affected persons’ rights to honor, personal and family privacy, and their own image, and in accordance with data protection regulations and other applicable provisions.
5. Security Organization
The organization of Information Security at MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. is established as indicated below.
5.1. Security Roles or Profiles
To ensure compliance with and adaptation to the measures required by regulation, the following relevant security roles or profiles have been created within the organizational structure of MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U.:
• Security Officer
• System Owner
• Information and Service Owners
• Contact Person for Supplier Companies
The following section specifies the profiles within the Organization that occupy the roles indicated.
5.2. Information Security Committee
MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. has established an Information Security Committee as a collegiate body, which is composed of the following members:
• Chair: General Manager
• Secretary: People & Culture Director
• Members:
o Security Officer and Data Protection Reference Person: People & Culture Director
o System Owner: Information Technologies Systems Administrator
o Information and Service Owner: Product Director
o Information and Service Owner: Professional Services Director
The organization and functions of the Information Security Committee, as well as the functions of its members, are described in the roles and responsibilities definition document, for internal use within the Organization.
6. Development of the Information Security Policy
The Information Security Committee of MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. has approved the development of an Information Security Management System (ISMS), which has been established, implemented, maintained, and improved according to security standards. This system has been adapted and serves to manage the necessary controls to comply with the provisions of the NIS2 Directive, as well as to integrate the relevant controls as described in the ENS.
The Information Security Management System (ISMS) is documented and allows for generating evidence of the controls and compliance with the objectives set by the Information Security Committee. There is a document management procedure that establishes guidelines for structuring the system’s security documentation, its management, and access.
It is the responsibility of the Information Security Committee to conduct an annual review of this Information Security Policy, proposing improvements if necessary, for approval by the competent Management of the Organization according to the subject matter of MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U.
This Information Security Policy has been developed and complemented with the set of the Organization’s policies, documented in the repository that groups and defines all security processes related to the Information Security Management System (ISMS) of MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U.
This Information Security Policy has been developed through security regulations addressing specific aspects. The security regulations are available to all employees of MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U., particularly those who use, operate, or administer information and communication systems.
7. Awareness and Training
All employees of MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. affected by this Information Security Policy attend security awareness sessions at least once a year. Additionally, continuous awareness programs have been established to reach all employees, particularly new hires.
Individuals within the Organization who are responsible for using, operating, or managing systems receive ongoing training for the secure management of these systems. Such training is mandatory before assuming any responsibility, whether it is a first assignment or any subsequent change of responsibilities or job position involving different functions from those previously performed.
8. Processing of Personal Data
MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. collects Personal Data when it is adequate, relevant, and not excessive, and when it is related to the scope and purposes for which it was obtained. Likewise, the necessary technical and organizational measures are adopted to ensure compliance with current Data Protection regulations.
MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. processes Personal Data as described in the Record of Processing Activities (RPA).
MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. has assessed the risks related to the Personal Data processed, proposing an action plan to address those risks that exceed the authorized threshold. The Data Protection Officer is responsible for integrating the conditions of Personal Data processing into this Information Security Policy, as well as into all derived documents affecting the Information Security Management System (ISMS).
The risk analysis is periodically reevaluated, with the advice and supervision of the Organization’s Data Protection Officer, and, in any case, whenever a high-risk processing is detected, an impact assessment must be conducted if necessary. The implementation of the risk treatment plan is coordinated with any measures required concerning the Information Security Management System (ISMS), as well as with other security procedures or rules derived from Data Protection obligations, particularly in controlling supplier companies or responding to incidents and breaches of Personal Data.
9. Risk Management
A risk analysis is carried out on all systems subject to this policy, evaluating the threats and risks to which they are exposed.
This analysis is repeated:
• Regularly, at least once a year.
• When there are changes in the information handled.
• When there are changes in the services provided.
• When a serious security incident occurs.
• When serious vulnerabilities are reported.
• When there are modifications in the data protection risk analysis or in the impact assessments.
To harmonize risk analyses, the Information Security Committee has established a reference assessment for the different types of information handled and the different services provided. The Information Security Committee has facilitated the availability of resources to address the security needs of the different systems. In doing so, risks related to Data Protection have been considered, with the participation and input of the Organization’s Data Protection Officer, as well as any external support required, and coordination has been carried out between the Information Security Policy and other related documents, including the Record of Processing Activities (RPA).
The Information Security Policy is always available, together with all documents that employees must explicitly accept in order to understand and agree to the security framework within which they manage the information they access in the functions assigned to their position. Each employee’s explicit acceptance of the applicable regulations has been documented.
10. Third Parties
When MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. provides services to other entities, whether private or public, in which information or personal data of these entities is processed, it makes these entities aware of this Information Security Policy.
MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. has defined and approves the appropriate channels for coordinating information and procedures for responding to security incidents, as well as other security-related actions carried out in relation to other organizations.
When MAPEX MANUFACTURING SOFTWARE SOLUTIONS, S.L.U. uses third-party services or shares information with third parties, it makes them aware of this Information Security Policy and the applicable Security Regulations for these services or information. These third parties are subject to the obligations established in the said regulations and may develop their own operational procedures to comply with them. Specific procedures for communication and incident resolution are established. Third-party employees are expected to have adequate security awareness, at least at the same level as established in this Information Security Policy.
Similarly, when any aspect of this Information Security Policy cannot be met by a third party as required in the previous paragraphs, a report from the Security Officer is required, specifying the risks involved and how they will be addressed. Approval of this report is required from the Information and Service Owners before proceeding.
When the entity acquires, develops, or implements artificial intelligence systems, in addition to complying with current regulations on the matter, the Security Officer’s report is always obtained, consulting with the Information and Service Owners and, when necessary, the System Owner, including the perspective of the Data Protection Officer.
11. Approval and Entry into Force
Modifications to this policy that involve changes or adjustments necessary to adapt it to new circumstances or the development of service provision will be carried out by the Information Security Committee, which will review it at least once a year.
If the changes constitute a substantial modification of the principles or designated responsibilities, the Information Security Committee will propose the changes, which must be approved within its own governance framework.
The replacement of the Information Security Policy will be initiated by the Information Security Committee, and relevant stakeholders will be informed appropriately through the same channels used for its dissemination.
Last Update: April 7, 2026
