Security Policy

INFORMATION SECURITY POLICY

The expansion of new technologies and openness to public networks provide DOCUTEN TECH, S.L. with new channels to reach customers and establish relationships with other entities, thereby enhancing its business processes. However, these new technologies and relationships increase the level of risk associated with the exposure of DOCUTEN TECH, S.L.’s information and communications.

Information is considered a strategic asset of DOCUTEN TECH, S.L. In this context, a reference framework has been established that defines guidelines for action, through a preventive, informative, reactive, and learning-based approach, to ensure that the integrity, availability, confidentiality, authenticity, and traceability of the information of DOCUTEN TECH, S.L., and of its customers, cannot be compromised.

The Information Security Policy of DOCUTEN TECH, S.L. constitutes the reference framework aimed at facilitating the definition, documentation, management, administration, and implementation of the security mechanisms necessary to address the implementation of the appropriate level of security for DOCUTEN TECH, S.L.’s information assets, including information assets within services provided as a Qualified Trust Service Provider.

The following Information Security principles and criteria are established:

  • The commitment of Senior Management to the continuous improvement of its activities, products, and services, including services as a Qualified Trust Service Provider, as well as commitment to the Information Security Management System itself.
  • The PSC information security policy will be reviewed at planned intervals, at least once a year, or whenever significant changes occur, to ensure its continued suitability, adequacy, and effectiveness. It will be approved by Senior Management, establishing the organization’s approach to managing its information security. Any change affecting the level of security provided must be approved by the company’s Senior Management.
  • Commitment to compliance with current legislation and regulations, as well as other information security requirements agreed with our customers, maintaining ongoing conformity with them. In this regard, DOCUTEN TECH, S.L. complies with European security standards for Trust Service Providers (TSPs), ensuring that all its certification services are provided in strict accordance with its Certification Practice Statement (CPS).
  • DOCUTEN TECH, S.L. assumes as a premise of its Information Security Policy the adaptation of both information systems and physical storage devices to municipal, regional, ministerial, and regulatory standards and/or regulations. Appropriate technical and organizational measures will be taken against unauthorized or unlawful processing of personal data and against accidental loss, destruction, or damage to personal data.
  • The objective is to provide employees, customers, and visitors with adequate security measures within DOCUTEN TECH, S.L.’s facilities and information systems. The security of the information that DOCUTEN TECH, S.L. collects, processes, stores, and transmits is essential to safeguard its assets and those of its shareholders.
  • DOCUTEN TECH, S.L. may limit access to its information, both by people and by physical or logical objects, for which an access control system has been established.
  • Security is an activity that concerns all employees and collaborators of DOCUTEN TECH, S.L., who must carry out their activities ensuring adequate protection of DOCUTEN TECH, S.L.’s assets, knowing, assuming, and applying the security rules and procedures.
  • The security of information, systems, and devices that collect, process, store, and transmit it is paramount to ensure business operational continuity. To guarantee the Confidentiality, Integrity, Availability, Authenticity, and Traceability of such information, the necessary Security Policies, Standards, Procedures, and Mechanisms have been established, as described in DOCUTEN TECH, S.L.’s Internal Regulatory Framework.
  • Information security must be considered part of normal operations and be present and applied from the initial design of processes and information systems.
  • DOCUTEN TECH, S.L. will maintain inventories of the information assets that support its services, their owners or custodians, and the risks associated with them, including assets associated with services as a Qualified Trust Service Provider. This inventory will be continuously updated, enabling ongoing analysis and assessment of suitability, adequacy, and effectiveness, as well as providing security mechanisms for change management.
  • The value of information will be identified by specifying methods for classifying it according to its level of importance to the organization, developing associated processes for its handling, storage, transmission, declassification, access, reproduction, and destruction according to its classification level.
  • In accordance with commercial requirements and applicable laws and regulations, DOCUTEN TECH, S.L. will notify changes to the information security policy and/or its services, including changes or the intention to cease providing services as a Qualified Trust Service Provider, when applicable, including notification to subscribers, interested parties, assessment bodies, supervisory bodies, or other regulatory authorities.

ISO 27001

Having successfully passed the external audit (conducted by the certification body EQA), DOCUTEN TECH, S.L. has an Information Security Management System certified in accordance with the UNE-EN ISO/IEC 27001 standard.

ISO 27001 is an international standard issued by the International Organization for Standardization (ISO) that describes how to manage information security within an organization. The core objective of ISO 27001 is to protect the confidentiality, integrity,
and availability of information.

To achieve this, potential issues that could affect information are identified (risk assessment), and the necessary measures are then defined to prevent such issues from occurring (risk mitigation or treatment).

This is the current version of the Information Security Policy, updated and approved by Docuten’s Management.