Information Security Policy
At Heuristik Technologies, S.L., we consider Information Security to be one of the fundamental pillars of our activity. The trust of our customers, users, collaborators and other stakeholders depends on our ability to protect the information we process and to provide secure, resilient technology services aligned with applicable legal, regulatory and contractual requirements.
Our activity takes place in environments where information may have high operational, technical and organizational value. For this reason, Heuristik maintains an ongoing commitment to protecting the information systems that support its services, applying measures aimed at preserving the confidentiality, integrity, availability, authenticity and traceability of information.
Security is understood not merely as a set of technical measures, but as an integrated framework covering governance, risk management, operational control, training, continuous improvement and regulatory compliance. This approach enables Heuristik to anticipate, prevent, detect and respond to potential threats that may affect information, services or business continuity.
Our Commitment
Heuristik's Information Security Policy establishes the general principles, responsibilities and commitments that guide the protection of its assets, systems, services and information. This policy is aligned with recognized information security and cybersecurity frameworks and references, including the Spanish National Security Framework (ENS), UNE-ISO/IEC 27001, the NIS2 Directive, the General Data Protection Regulation (GDPR), the LOPDGDD (Organic Law 3/2018 of December 5 on Protection of Personal Data and Guarantee of Digital Rights) and other applicable regulations.
The objective of this framework is to ensure that information security is part of the design, operation, maintenance and evolution of Heuristik services. To this end, the organization applies a risk-based approach that is proportionate to the value of the protected assets and to the impact that an incident could have on customers, users, services or the organization itself.
Security Principles
Heuristik's security strategy is based on the following principles:
- Confidentiality: protecting information against unauthorized access, disclosure or use.
- Integrity: ensuring that information remains accurate, complete and protected against improper modification.
- Availability: ensuring that systems and information are accessible when needed for service delivery.
- Authenticity: ensuring that users, systems and the operations they perform can be reliably identified and verified as genuine.
- Traceability: maintaining the ability to record, monitor and review relevant actions performed on systems and information.
- Risk management: identifying, analyzing and treating security risks continuously and proportionately.
- Continuous improvement: periodically reviewing controls, processes and procedures to adapt them to new threats, technological changes and regulatory requirements.
Protection of Information and Services
Heuristik applies organizational, technical and procedural measures designed to protect information throughout its life cycle. These measures cover both the systems that support services provided to customers and the internal processes required for their operation, administration, support, evolution and improvement.
Heuristik's main commitments include:
- Protecting Heuristik information and information belonging to customers, users and authorized personnel.
- Applying security controls appropriate to the criticality level of assets and services.
- Maintaining continuous information security risk management.
- Preventing unauthorized access, improper alterations, information loss or service interruptions.
- Managing changes, updates and improvements to systems in a controlled manner.
- Monitoring relevant security events and operational activity.
- Maintaining incident response mechanisms.
- Strengthening business continuity and service resilience.
- Periodically reviewing the effectiveness of implemented controls.
- Ensuring compliance with applicable legal, regulatory and contractual requirements.
Regulatory Compliance
Heuristik maintains an active commitment to compliance with applicable regulations on information security, personal data protection, cybersecurity and the provision of digital services.
Our security framework takes as references the principles and requirements of ENS, ISO 27001, NIS2, GDPR and LOPDGDD, among other applicable standards and good practices. This alignment provides a solid foundation for security management, critical asset protection, incident management, third-party oversight and continuous improvement of the management system.
The organization regularly reviews its legal, regulatory and contractual obligations in order to keep its processes and controls up to date with regulatory changes or new requirements in the environment.
Personal Data Protection
Heuristik processes personal data responsibly, securely and in accordance with current regulations. The organization applies measures designed to ensure lawful, fair, transparent and secure processing of personal information, respecting the principles established by the GDPR and the LOPDGDD (Organic Law 3/2018 of December 5 on Protection of Personal Data and Guarantee of Digital Rights).
Personal Data Protection is integrated into the general Information Security Framework, applying controls aimed at preserving the confidentiality, integrity and availability of the data processed.
In addition, Heuristik maintains defined responsibilities for data protection and has internal mechanisms to monitor compliance with applicable obligations.
Risk, Vulnerability and Incident Management
Heuristik adopts a preventive and proactive approach to security management. To this end, the organization identifies and assesses the risks that may affect its systems, services and information, establishing measures to reduce them to acceptable levels.
Processes are also maintained for the detection, analysis, treatment and monitoring of security vulnerabilities and incidents. These processes make it possible to prioritize actions according to criticality, potential impact and the evolution of the threat context.
Incident management is carried out in a documented and traceable manner, with the objective of containing potential impacts, restoring normal operations and extracting lessons that allow protection and response capabilities to be continuously strengthened.
Business Continuity and Resilience
Service availability and operational continuity are essential aspects for Heuristik. For this reason, the organization includes measures aimed at maintaining the resilience of its systems against incidents, failures, cybersecurity threats or other situations that may affect service delivery.
The continuity approach includes identifying critical assets and processes, defining preventive and corrective measures, and periodically reviewing the mechanisms established to ensure that services can be maintained or properly recovered in adverse situations.
Training and Awareness
Information security is a responsibility shared by the entire organization. Heuristik promotes an internal security culture through training, awareness and communication actions aimed at personnel.
The objective is for everyone involved in the design, operation, administration, support or use of systems to understand their responsibilities and act in accordance with established policies, procedures and good practices.
This awareness is especially relevant for roles that involve access to critical systems, sensitive information or administrative capabilities within the organization.
Relationship with Suppliers and Third Parties
Heuristik extends its security principles to relationships with suppliers, collaborators and third parties that may participate in service delivery or access the organization's information.
When a third party participates in relevant processes, it is required to comply with appropriate commitments regarding confidentiality, information protection, regulatory compliance and risk management. These requirements seek to ensure that collaboration with third parties does not compromise the level of security expected by Heuristik, its customers and users.
The organization pays particular attention to suppliers that may have an impact on critical services, sensitive information or processes relevant to business continuity.
Governance and Continuous Improvement
Heuristik maintains a security governance structure aimed at defining responsibilities, overseeing compliance with internal policies, reviewing risks, driving improvements and ensuring the correct application of established controls.
The Information Security Policy is reviewed periodically and whenever relevant changes occur in the regulatory, technological, organizational or threat context. This review keeps the security framework up to date and aligned with the evolution of the company, its services and its customers' needs.
Through this commitment, Heuristik reinforces its objective of offering secure, reliable technology solutions prepared for environments where information protection is critical.