SECURITY POLICY

APPROVAL DATE 06/19/2025

This document is the exclusive property of QUANTRUE, SL and its reproduction is prohibited.

1. INTRODUCTION

Through this document, QUANTRUE, SL (hereinafter "the company") informs its personnel (hereinafter "users") of the mandatory regulations affecting the use of information system resources and components, both automated and non-automated (paper-based), as well as the personal data and information stored and processed within these systems.

All users of the company's information system are required to read and accept the regulations established herein and commit to their compliance.

Staff functions and obligations

The functions and obligations of each user or user profile with access to personal data and information systems will be clearly defined and documented in the system.

2. DEFINITIONS

  • Temporary files: work files created by users or processes that are necessary for occasional processing or as an intermediate step during processing.
  • Incident: any anomaly that affects or could affect data security.
  • Information Security Management System (ISMS) Responsible, hereinafter System Responsible: person formally assigned the function of coordinating and controlling applicable security measures.
  • Information system: set of files, processes, programs, media and, where applicable, equipment used for processing personal data.
  • Processing system: manner in which an information system is organized or used. Based on the processing system, information systems may be automated, non-automated or partially automated.

3. INFORMATION CONFIDENTIALITY

Contracts signed between the company and its clients include clauses regarding information confidentiality. The company's employees and suppliers who are users of the company's information systems must be aware of these clauses, and it is the client company's responsibility to inform them. In addition to the specific clauses of each contract, all users must comply with the Confidentiality Commitment that the company has with its clients. Users have the duty to protect the information they access as a result of tasks assigned by the company.

Once the contractual relationship with the company ends, users agree not to use the information or knowledge obtained during the contractual relationship for their own benefit or that of third parties. Furthermore, all information belonging to the company or its clients must be returned or destroyed.

4. NOTIFICATION OF SECURITY INCIDENTS AND PERSONAL DATA INCIDENTS

Employees are required to notify by email any security incident or personal data incident, communicating it directly and immediately to the System Responsible for proper management.

5. RULES FOR USE OF USER IDENTIFIERS AND PASSWORDS

Each user is solely responsible for maintaining the confidentiality of their user identifiers and passwords, and therefore sharing them with third parties is prohibited. In case of violation of this prohibition, the user will be solely responsible for actions taken by those who use them without authorization.

Changing the passwords assigned to each user for performing their functions within the Organization (workstations, mobile devices, etc.) is prohibited, and these may only be modified by the System Responsible.

6. RULES FOR USE OF COMPUTER EQUIPMENT

  • Workstation computers must be locked whenever left unattended for any reason to prevent third parties from accessing resources and applications authorized for the legitimate user (automatic lock).
  • Altering computer equipment configuration and connecting external devices (mobile devices, modems, USB drives, etc.) without prior authorization from the System Responsible is prohibited.
  • Using information storage media other than those installed and configured by the company for such purposes (such as CDs, DVDs, USB drives or any other type) is prohibited.
  • Changing the login password on workstations and/or laptops without prior authorization and knowledge of the System Responsible is prohibited.
  • For laptop computers, all precautions must be taken to prevent their loss or theft, and if this occurs, it must be reported immediately to the System Responsible to take appropriate security measures.
  • If a user anticipates not using their laptop for an extended period, they must deposit it in the company's facilities.
  • The use of test equipment, if needed, requires prior communication and authorization from the System Responsible.

7. APPLICATION INSTALLATION AND CONTENT STORAGE

  • Using applications or storing content unrelated to the company's activities is prohibited. Using software without proper authorization may give rise to various liabilities and may also incur legal or criminal responsibility.
  • Software programs intended for installation or actually installed on computer equipment, as well as content stored on them, are property of the company or other legitimate third-party owners who have transferred ownership or usage licenses to the company. Only personnel designated by the System Responsible may install and configure, or authorize the installation and configuration of, applications and software approved and authorized by the company.
  • All company computers have the corporate antivirus program installed, which cannot be modified or deactivated. However, users must exercise maximum diligence when executing files from unknown sources. In case of doubt, users must refrain from executing the file or program and contact the System Responsible directly.

8. PHYSICAL SECURITY AND CLEAN DESK POLICY

Physical access to company facilities is restricted for external personnel, except for those with prior authorization from Management, always respecting established security access controls.

At the end of the workday, computers must be turned off. If they need to remain on, the screen must be locked. Additionally, users must ensure that materials and documentation used in performing their functions are properly stored.

Papers to be discarded must be destroyed in the document shredder available at the company headquarters.

9. RULES FOR USE OF MOBILE DEVICES

  • Mobile resources provided or authorized by the company are any devices provided by the company under the control of established information security policies. Users are obligated at all times to use these resources reasonably and appropriately.
  • Connecting any type of personal storage mobile device to the company's personal computers and servers is prohibited.
  • Mobile resources made available to company users are subject to:
    • The company's authority to manage or administer mobile lines based on work needs.
    • The company's ownership of the numbers assigned to mobile resources.
    • The policy of preselecting outgoing calls for communications with preselected third parties (clients and/or suppliers).
  • Users in possession of a company mobile resource will be custodians and responsible for its secure use and custody from the moment of receipt, ensuring:
    • Its use is primarily for work purposes.
    • Occasional personal use is reasonable, rational and moderate, within the framework established by current regulations and this document, without interfering with productivity in completing daily tasks and assigned responsibilities.
    • Immediate communication to the company in case of loss or theft of the device. Outside working hours, users must directly contact the corresponding telecommunications operator to immediately restrict the line and notify the company as soon as possible.
  • Users are solely and fully responsible for the entire content of messages sent through their mobile phones, as well as data provided to third parties.
  • Users of mobile resources enabled for Internet and email access are subject to the corresponding general access and usage rules for these services in the company.
  • For mobile messaging services (SMS/MMS/PUSH) or any type of instant messaging, the following is prohibited:
    • Creating, storing or exchanging content that violates copyright and copy laws.

10. EMAIL USAGE RULES

  • Email service must always be used for activities related to the function performed within the company, in accordance with current regulations and the rules of this document, considering that users using it are acting in their own name as well as in the name and representation of the company.
  • Modifying the fixed configuration of the email client implemented by the System Responsible is prohibited.
  • If a user receives an email message intended for another person, they must notify the sender and then delete it. This applies only to senders considered reliable.
  • Sending messages to multiple recipients in an open list (To: field) is prohibited unless required for work organization and management reasons.
  • If a user receives inappropriate content in their email, they must inform their supervisor or report it directly to the System Responsible.
  • Exchanging trade secrets or other confidential information belonging to the company outside cases expressly authorized by position and work development is prohibited.
  • Email may not be used to send or reply to message chains. It may also not be used for commercial or profit-making purposes for the user's benefit.
  • Intercepting, accessing or using other users' mailboxes, messages or email addresses without their authorization is expressly prohibited.
  • If a user will be absent from their workstation due to vacations, leaves, sabbaticals, voluntary days or any other reason, they must notify the System Responsible to generate the appropriate autoresponse and possible email redirection to another user for organizational reasons.
  • Configuring access to personal non-corporate email accounts in the email client is prohibited.
  • Users must delete all emails whose retention over time is not absolutely essential. This rule applies to both received and sent emails.
  • To avoid any suspicion of computer virus entry or other threat, users must comply with the following regulations and immediately inform the System Responsible:
    • Never execute an executable file attached to an email.
    • Never open email messages from unknown sources.
  • Subscribing to mailing lists, magazines, newspapers, blogs, chats, publications, newsgroups or similar services is prohibited. Subscriptions will only be allowed if directly related to company activities and with prior authorization from the System Responsible.

11. INTERNET USAGE RULES

  • Modifying the fixed configuration of the Internet browser implemented by the System Responsible is prohibited. This includes IP and DNS addresses, whose configuration may not be altered under any circumstances except upon justified request.
  • Using Internet services and content contrary to the general conditions of use governing each website is prohibited.
  • Using the Internet as a means to commit illegal acts or acts contrary to current legislation, morality, good customs and public order is prohibited.
  • Internet access and use may not be used for commercial or profit-making purposes for the user's benefit.
  • Internet services may only be used for personal purposes when such use guarantees compliance with current regulations, follows the rules set forth in this document and the following rules:
    • Occasional, reasonable, rational and moderate use within the framework established in this document and without engaging in prohibited uses.
    • Does not interfere with productivity, daily task resolution and assigned responsibilities.
    • Does not damage the company's reputation.
    • Does not affect the performance of the company's information system.

12. RULES FOR PROCESSING PERSONAL DATA

Users are informed of all the company's GDPR regulations. Users are obligated to comply with the regulations established by the company and GDPR in processing personal data.

  • Professional secrecy regarding known personal data, regardless of processing medium, may never be broken, even after the relationship with the company ends.
  • Paper documents and electronic media must be stored in a secure location (cabinets or restricted access rooms) 24 hours a day.
  • Documents or electronic media (CDs, USB drives, hard drives, etc.) containing personal data must not be discarded without ensuring their effective destruction.
  • Each workstation is the responsibility of its authorized user, and therefore both screens and printers or other devices connected to it must be physically located in places that guarantee their confidentiality and restricted access to authorized personnel.
  • If printers are shared with other users not authorized to access printed data, those responsible for each workstation must remove documents as they are printed.

The following actions are prohibited and may only be performed with prior authorization (Authorization Registry) from the System Responsible.

  • Providing third parties access to information, including automated and non-automated files, both logically and physically.
  • Moving media or documents containing personal data outside company premises.
  • Performing work outside the locations where files are stored.
  • Sending information contained in data files through any type of information transmission system.
  • Making any type of copy of files to which the user has access, on any type of media.
  • Accessing and attempting to access unauthorized data and resources.
  • Using outside company premises any external storage media that has been used to store personal data.
  • Storing or processing personal data on portable devices or outside company premises.
  • Executing data recovery procedures.

13. MONITORING AND CONTROL OF USER TOOL USAGE

The company has the right to monitor, control and supervise that work tools and instruments (automated or not) are used in accordance with the provisions of this document, as well as other company regulations and applicable current legislation. Therefore, users are aware that there are no expectations of privacy, confidentiality or secrecy regarding communications or actions performed using the work tools and instruments made available to them by the company, even when these are technological.

The company may access, control and monitor all technological means made available to users and, in particular, without limitation, Internet and email use, always in accordance with applicable law and respecting the principles of proportionality, rationality and suitability, in order to:

  • Verify compliance with the provisions of this document and other applicable current regulations.
  • In the case of employment relationships established between users and the company, monitor, control and verify employees' compliance with their labor obligations and duties in accordance with Article 20.3 of the Workers' Statute, showing due consideration for their dignity and, where applicable, taking into account the actual capacity of employees with disabilities.
  • Take legal action or bring claims against users who engage in prohibited conduct, in accordance with applicable current regulations and laws, and demonstrate such conduct before judicial bodies or other authorities.

14. INFORMATION ABOUT PROCESSING OF USER PERSONAL DATA

In accordance with GDPR, the company informs users that their personal data derived from the application of these regulations will be stored for the purpose of managing and fulfilling the purposes described in this document.

In exceptional cases arising from duly accredited needs or interests (such as when there are well-founded suspicions that user behavior seriously harms the business interests of the company and/or its clients, employees, suppliers or other third parties or that such behavior may constitute labor, commercial, civil, administrative or criminal offenses) the company will process user data for the purpose of conducting detailed control and monitoring, by reviewing electronic files, email messages stored on their equipment (and resources comprising it) or sent from it, and identifying calls made from telephone terminals and/or data transmission devices.

Specifically, and in accordance with the aforementioned purposes, users are informed that their personal data may be transferred when necessary, as well as when legally required, to competent Public Administrations regarding control, inspection and sanctioning authority, such as Labor Administration Bodies and the Spanish Data Protection Agency, as well as Courts and Tribunals and the Public Prosecutor's Office. Likewise, the company must report and bring to the attention of Security Forces and Bodies, as well as competent Courts, any information and data that may reveal the alleged existence of a misdemeanor and/or crime under Organic Law 5/2010, of the Penal Code.

The aforementioned processing is mandatory and essential for the indicated purposes and in compliance with applicable current regulations. In any case, the company guarantees that it will be carried out with full respect for user privacy and in accordance with the principles of necessity, legitimacy, transparency, proportionality, minimal interference, accuracy, security and confidentiality, processing only data necessary for the purposes stated in this communication.

Finally, users are informed that their data may be made available to third parties, when such access is necessary to provide a service to the company in relation to the indicated processing purposes or other purposes inherent to work processes and company activities. In such cases, the company will adopt the measures established in current regulations to ensure that third-party service providers only process data in accordance with the company's instructions and will not apply or use it for different purposes, nor communicate it to other persons.

15. TERMINATION OF RELATIONSHIP WITH USER

Upon termination of the relationship with the company, the departing user's access rights will be revoked. In such case, this authorization must be issued by the company.

When a user ends their relationship with the company, they must cease use, return and leave intact all tools, means, systems, information and work instruments, as well as files and documents they have accessed by reason of their functions.

16. DOCUMENT UPDATE

An updated copy of these regulations is available in the company's Shared Documents folder, which any user can access using their computer. If a relevant change occurs, the System Responsible will notify users by sending an email.

17. USER NON-COMPLIANCE WITH OBLIGATIONS

Any non-compliance with the regulations and policies established by the company may result in appropriate sanctions and legal actions by the Organization in accordance with applicable current Regulations and laws.

In other cases, the company will follow the provisions of the corresponding contract with the user, as well as civil, commercial and labor codes to determine the scope of non-compliance and its consequences for the user.
