Security Policy

Last Review: January 18th, 2024

The Management of GENOMCORE S.L. (hereinafter, the “Company”) establishes the protection of its information assets as a fundamental priority for the proper provision of its services in the context of personalized health and bio-health data management. Aware of the importance of good information security management for its business and for customer satisfaction, and as part of a strategy aimed at business continuity, risk management and the consolidation of a security culture, the Company implements an Information Security Management System (ISMS) applying the requirements of UNE ISO/IEC 27001:2023, UNE-EN ISO/IEC 27017:2021 and UNE-EN ISO/IEC 27018:2020, as well as those of its stakeholders.

The Company recognizes the importance of identifying and minimizing the risks to which its information assets are subject. To this end it develops and implements a security management model to prevent the loss, disclosure, modification and unauthorized use of information, both in local systems and in the cloud, thus helping to reduce operating and financial costs and ensuring compliance with legal, contractual, regulatory and business requirements. These measures aim to guarantee the security of information by preserving its availability (ensuring that authorized users have access to the information and its associated assets when required), its confidentiality (ensuring that only those who are authorized can access the information) and its integrity (ensuring that the information remains unchanged and traceable), especially when dealing with personal data and data of a sensitive nature.

The Information Security Policy is supported by a set of specific policies, records, controls and procedures that guide the correct handling, custody and protection of information and are based on the control objectives of the international standards UNE-EN ISO/IEC 27001:2023, UNE-EN ISO/IEC 27017:2021 and UNE-EN ISO/IEC 27018:2020. The development, maintenance and continuous improvement of the ISMS will be supported by the results of a process of continuous assessment of the risks acting on the information assets of the Company involved in the provision of its services, including the storage, analysis and management of genetic data, clinical information and other highly sensitive personal information.


The Company’s Management is committed to:

  1. Periodically establish objectives for the management of Information Security, the use and provision of Cloud Services and the management of Personal Data, as well as the actions necessary for their achievement.

  2. Establish a systematic risk analysis, assessing impacts and threats, including those specific to Cloud Services and Personal Data management.

  3. Implement the necessary actions to reduce the identified risks that are considered unacceptable, according to the criteria established by the Security Committee.

  4. Implement the necessary controls and their corresponding monitoring methods.

  5. Comply with the legal, regulatory and contractual security requirements assumed by the Company, especially with regard to the management and privacy of our customers’ personal and genetic data.

  6. Guarantee to each client that their information will be processed in accordance with the fundamental requirements of confidentiality, integrity and availability of a bio-health information management system.

  7. Promote awareness of and guarantee training in information security for all of our own personnel, as well as for external collaborators involved in the use or management of information systems.

  8. When workers fail to comply with security policies, apply disciplinary measures in accordance with the workers’ agreement, within the applicable legal framework and proportionate to the impact of the non-compliance on the organization.

  9. Implement a secure development policy that includes change management, software security requirements and code quality, for both internal and external development.

  10. Provide the necessary resources to guarantee the continuity of the company’s business.


The Company’s security objectives are grouped around the following work blocks:

  • Protection of files and databases, either locally or in the cloud.

  • Protection of private information, including passwords, certificates and cryptographic keys.

  • Protection of the source code repositories of the company’s products and services, as well as their quality.

  • Protection of the IT infrastructure supporting the organization, including facilities, buildings and rooms.

  • Protection of virtual resources in the cloud, including their life cycle management and required access controls.

  • Protection of resources and services located in the cloud through specialized service providers.

  • Protection of networks and communication channels used internally or publicly, locally and in the cloud.

  • Protection of the company’s passive assets and the data of the users of its services, locally and in the cloud.

  • The vetting, regulation and compliance of service providers, whether physical or cloud services.

  • Training and continuous supervision of employees and collaborators with access to information systems.

  • The communication of relevant facts, including security breaches, from customers of on-premises and cloud services.

  • Supporting the investigation of relevant events, including security breaches, to customers, authorities and affected parties.

  • Ensuring business continuity through contingency plans and redundancy at multiple levels.

  • Compliance with legal and regulatory standards.


The Company’s management appoints the Information Security Officer as the person directly responsible for maintaining this policy and for providing advice and guidance on its implementation. The Information Security Officer can be contacted by e-mail at security@genomcore.com.

This policy applies to all Company personnel, as well as to collaborators and suppliers with responsibility for Company assets, in order to maintain the confidentiality and integrity of information and to ensure its availability. All users are required to report information security incidents following the guidelines established by the Company.

This Information Security Policy may be reviewed and modified as determined by the Security Committee, in accordance with the periodically established review needs. This policy is communicated to interested parties in order to involve them in the continuous improvement of the system.