Business Continuity Policy

  1. Objective: Define the guidelines to be followed before, during and after an interruption in the operations of MYDOCUMENTA, so that the Company responds assertively and in a timely manner to events that affect its services and manages the continuity and restoration of its processes, seeking the minimum impact on operations.
  2. Statement of policy: MYDOCUMENTA is committed to ensuring that all critical business processes operate properly, under the principles of universality, continuity, timeliness, quality and reliability, through the implementation of a business continuity plan. For the implementation of the Business Continuity Plan, the following are key elements: safeguarding human life, protecting the environment, protecting the Company's assets, and the continuity of operations. The Business Continuity Committee is created as the governing body in this area, under the coordination of the Directors, the Manager of the Integrated Management System (IMS) and the IT Manager. Priority is given to the allocation of human, financial and material resources to ensure compliance with this policy and the execution of the business continuity plan. Key personnel will be assigned and trained to manage business continuity, with the firm conviction and commitment to comply with current regulations, as well as with the requirements of our clients and their role in Spanish society. For the purposes of developing the Business Continuity Plan, ISO 22301 will be taken as a reference, in order to ensure continuous improvement and to have a regulatory framework that gives access to the best practices already defined in this standard, which is used worldwide.
  3. Scope: Business continuity is a cross-cutting concern, and therefore this policy applies to all units of the Company whose function is critical in providing the services; it also applies to third parties through contracts or service agreements, and to all Company personnel involved in business processes that have been identified as critical.
  4. Responsibilities: The subordinate owners of the Company are responsible for carrying out the actions that make the personnel aware of their responsibility in the prevention of incidents.

  5. Business Continuity Committee:

    1. Ensure the implementation of this business continuity policy, formulate and manage its modifications, and submit them for approval to the Board of Directors.
    2. Validate the critical business processes that should be considered in the Business Continuity Plan, as well as the estimate of the maximum time that the Company can tolerate an interruption of service resulting from an incident.
    3. To ensure that Business Continuity Plans are formulated, evaluated and kept up to date by those responsible for the critical processes and disseminated to all officials, contractors and service providers. The business continuity plan is understood as a documented and proven plan that responds to an emergency in an appropriate manner, thus achieving the minimum impact on the operation of the business.
    4. Ensure that vulnerability and threat analysis is kept up to date, as well as the periodic risk assessment and its probability of occurrence in order to update business continuity plans.
    5. Ensure that the procedures for dealing with an incident, from the moment it occurs until restoration or return to normality, covering both the internal and external actions of the Company, are documented, kept up to date and available.
    6. Ensure that the functions and responsibilities detailed in the business continuity plans are assigned to the appropriate personnel to attend the incidents. The same criterion will apply to the succession plan in case of incidents.
    7. Ensure that the personnel training plans are complied with, for both the holder and the successor of the roles that must be performed in case of incidents.
    8. Ensure that, as part of the continuity plans, internal and external communication plans are developed and updated, to be applied when an incident occurs.
    9. Establish the mechanism to ensure that the opinion of the interested parties is considered in the preparation of the plans.
    10. Ensure that supplier assessment for critical processes is kept up-to-date and that stock requirements for critical processes are periodically evaluated.
    11. Ensure that continuity plans include detailed roles in the event of an incident and that the validation and effectiveness tests of these plans are performed, as well as control of the time required for the restoration of operations.
    12. Ensure that the business continuity plan is updated whenever there are significant changes in business processes.
  6. Independent evaluation: The Internal Audit will incorporate, within its Work Plan, according to its risk analysis, the control of compliance with the policy and the Business Continuity Plan. The Company may contract external services for an independent evaluation of the Business Continuity Plan, when required.
  7. Effectiveness of the policy: This Policy takes effect upon approval by the Board of Directors.

Information Security Policy

  1. Objective: To establish MYDOCUMENTA's position regarding the availability, integrity and confidentiality of the information, which implies the protection against unauthorized use, disclosure or modification, damage or loss or other dysfunctional factors.
  2. Policy statement: MYDOCUMENTA is committed to information security by recognizing its strategic value in business management, implementing an information security management system that ensures compliance with the principles of Confidentiality, Integrity and Availability of information. The information will be available, without any alteration, to the persons authorized to access it, when it is needed, ensuring its safeguard regardless of whether it is stored, processed or transferred within or outside a defined scope. The Board of Directors declares that for the implementation and continuous improvement of this Policy, resources will be allocated to guarantee adequate document management, including the control, storage and subsequent retrieval of the information produced and received in the Company.
  3. Scope: This policy applies to all areas of the Company, as well as to third parties through contracts or agreements to provide services and to all the Company’s personnel.
  4. Responsibilities: The Management shall ensure compliance with the information security policy and the implementation of the Information Security Management System.

  5. The application of the information security measures defined by the General Management is the responsibility of the user of this information.

    Information Technology Directorate:

    1. Ensure that the information security policy is implemented, with the necessary technological and procedural tools.
    2. Exercise the operational coordination of the implementation of the information security policy, and report on its compliance.
    3. Implement training and employee awareness programs on information security.
  6. Effectiveness of the policy: This Policy takes effect upon approval by the Board of Directors.

Board of Directors
26 June 2017