Overview

SALES LAYER TECH S.L. including all its subsidiaries (Sales Layer, Ltd. and Sales Layer, Inc.), hereinafter, referred to as SALES LAYER, COMPANY or ORGANIZATION, depends on ICT (Information and Communications Technology) systems to achieve its objectives. These systems must be managed with diligence, taking the appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity or confidentiality of the information processed or the services provided.

To defend against these threats, a strategy that adapts to changes in environmental conditions is required to ensure the continuous provision of services. This implies that the company must apply the minimum security measures required by regulations, standards and other stakeholders, in addition to others derived from the risk analysis, as well as carry out continuous monitoring of the levels of service provision, monitor and analyze the reported vulnerabilities, and prepare an effective response to the incidents to guarantee the continuity of the services provided.

The different departments must ensure that ICT security is an integral part of each stage of the system's life cycle, from conception to decommissioning, through development or acquisition decisions and operational activities. Security requirements and financing needs must be identified and included in planning, request for proposals, and bidding documents for ICT projects.

Departments must be prepared to prevent, detect, react and recover from incidents, in accordance with security regulations.

Prevention

The company must avoid, or at least prevent as much as possible, information or services from being harmed by security incidents. For this, the departments must implement the minimum security measures determined by regulations, standards and other stakeholders, as well as any additional control identified through an evaluation of threats and risks. These controls and security roles and responsibilities of all personnel, should be clearly defined and documented.

• Authorize the systems before going into operation.
• Regularly assess security, including assessments of configuration changes made routinely.
• Request periodic review by third parties in order to obtain an independent evaluation.

Detection

Given that services can be quickly degraded due to incidents, ranging from a simple slowdown to a stoppage, services must continuously monitor the operation to detect anomalies in the levels of service provision and act accordingly as established in control over the review of information security policies.

Monitoring is especially relevant when lines of defense are established. Detection, analysis and reporting mechanisms will be established regularly for those who are responsible to detect when there are significant deviations from the parameters that have been pre-established as normal.

Response

The organization must:

• Establish mechanisms to respond effectively to security incidents.
• Designate a point of contact for communications regarding incidents detected in third parties to whom it provides services.
• Establish protocols for the exchange of information related to the incident. This includes communications, in both directions, with the security incident response center (INCIBE-CERT).

Recovery

To ensure the availability of essential services, the security and technology departments formulate continuity plans for ICT systems. These plans should be an integral component of their overall business continuity strategy and disaster recovery plan.

Overview

• ISMS (SGSI in Spanish): These are the acronym for the Information Security Management System (regulated by the UNE-ISO/IEC 27001 Standard), which is a set of interrelated or interacting elements (organizational structure, policies, activity planning, responsibilities, processes , procedures and resources) used by an organization to establish and achieve information security policy and objectives, based on a risk management and continuous improvement approach.
• ICT (TIC in Spanish): It stands for Information and Communication Technologies. This concept refers to the theories, tools and techniques used in the treatment and transmission of information: computing, internet and telecommunications.
• Stakeholder: A person or group that has an interest in the performance or success of the organization.
• Confidentiality: Property of the information not to be made available or disclosed to unauthorized persons and/or companies.
• Integrity: Property or characteristic that the information asset has not been altered in an unauthorized manner.
• Availability: Property of the information to be accessible and usable at the time required by the authorized person and/or company.
• Asset: In relation to information security, it refers to any information or element related to its treatment (systems, supports, buildings, people...) that has value for the organization.
• Risk: The possibility that a particular threat could exploit a vulnerability to cause loss or damage to an information asset. It is usually considered as a combination of the probability of an event and its consequences.
• Threat: Potential cause of an unwanted incident, which can cause damage to a system or the organization.
• Risk analysis: Process to understand the nature of the risk and determine the level of risk.
• Risk treatment: Process of modifying the risk, through the implementation of controls.

Scope

This policy applies to all business processes of SALES LAYER TECH S.L, including all its subsidiaries (SALES LAYER, Ltd. and SALES LAYER, Inc.), as well as employees, contractors and third parties who have access to the company's information systems. It addresses all information, regardless of the form or format, which is created or used in support of business activities.

Mission, Commitment and Leadership

The mission is to enable marketing teams globally to create superior shopping experiences in both business-to-business and direct-to-consumer channels, while simultaneously ensuring the security and protection of information across all operations.

The top management is committed to provide the necessary resources for the establishment, implementation, maintenance and continuous improvement of the Information Security Management System (ISMS). To this end:

• Ensures that information security is aligned with business strategy.
• Ensures that security is part of all internal processes of the company.
• Communicates to the organization the importance of implementing and maintaining the ISMS to ensure the security of the organization and stakeholders.
• Ensures that the ISMS achieves the established objectives and promotes continuous improvement.
• Reviews and approves this policy
• The creation of an information security committee composed of leaders from various areas within the organization together with the security manager, who is responsible for overseeing and directing security initiatives.

Normative references

SALES LAYER is subject, by way of example and not limitation, to the following laws, standards and regulations:

• Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data and by which repeals Directive 95/46/EC (General Data Protection Regulation)
• Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights
• Law 34/2002, of July 11, on services of the information society and electronic commerce
• Royal Legislative Decree 1/1996, of April 12, Intellectual Property Law
• Law 10/2010, of April 28, on the prevention of money laundering and the financing of terrorism
• The Data Protection Act 2018
• ISO/IEC 27001 Standard on Information Security Management Systems
• The California Consumer Privacy Act of 2018 (CCPA)
• Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act)
• Computer Fraud and Abuse Act (CFAA)
• REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC

ISMS Security Objectives

This policy demonstrates the commitment of senior management and has the following objectives:

• Ensure compliance with applicable laws, regulations and standards, including ISO 27001.
• Comply with stakeholder security requirements.
• Adopt the principle of security by default, privacy by design and security by design.
• Manage the information security of all suppliers and third parties who have access to our information, ensuring they adhere to our security standards.
• Preserve the confidentiality, integrity and availability of the information across all company assets.
• Create a strong security culture throughout the organization by encouraging secure behaviors and making security everyone’s responsibility.
• Implement and maintain a security awareness program that enables employees to be aware of the risks the organization is exposed to, with regular updates and training activities every year.
• Provide senior management leadership to ensure that security objectives are established and aligned with business strategy.
• Assign general and specific information security responsibilities for defined roles.
• Ensure that a risk analysis is performed at least annually or when new emerging threats arise , develop a treatment plan, apply all necessary controls and monitor risks.
• Establish and maintain procedures for the prevention, detection, response and recovery of information in the event of a security incident.
• Establish a continuous improvement system to address any deviations, new risks, or changes in regulatory or information security requirements.
• Periodically review the ISMS documentation to adapt it to new security requirements or risks.

Risk Management

SALES LAYER knows that risk management is a critical component of its operations and that it ensures that its resources and stakeholders’ data is protected. SALES LAYER has defined a risk management procedure with the objective of ensuring that the Information Security Management System can achieve expected results, prevent and reduce undesired effects and achieve continuous improvement.

This analysis will be repeated:

• Regularly, at least once a year.
• When the information handled and/or the services provided change significantly, including new risks.
• When a serious security incident occurs or serious vulnerabilities are detected.
• When exist new projects or implementations of new or emerging technologies

SALES LAYER identifies all threats to which assets are exposed, the impact they may have if they materialize, the likelihood of recurrence and asset vulnerability. Based on this data, the organization performs an analysis of the potential risk and generates a Risk Treatment Plan to take action on its mitigation, acceptance, elimination or transfer.

The results of the risk management process are constantly documented, monitored and reviewed by the Security Committee.

Development of the Information Security Policy

The Security Officer is responsible for reviewing and updating this Security Policy at least annually. The Policy will be approved by the CEO of SALES LAYER and disseminated for the knowledge of all the stakeholders.This Policy will be developed through security regulations that address specific aspects. The security regulations will be available to all members of the organization who need to know them, particularly those who use, operate or manage the information and communications systems.

Valencia, Apr 15, 2024

Álvaro Verdoy
CEO SALES LAYER