Security policy

Genomcore SL, company owner of the registered trademark Made of Genes (hereinafter, the Company), establishes the protection of its information assets as a fundamental priority for the proper service provision within the context of personalized health and bio-health data management. The Company is aware of the importance of securing the information within its business activities and customer satisfaction; and as part of a business continuity strategy, risk management and the consolidation of a security culture, the Company implements an Information Security Management System (ISMS) that meets the requirements of the UNE ISO/IEC 27001:2014, ISO/IEC 27017:2021, ISO/IEC 27018:2020 and stakeholders.

The Company recognizes the importance of identifying and minimizing the risks of its information assets and develops and implements a security management model in order to prevent the loss, disclosure, modification and unauthorized use of information, both on-premises and in the cloud, thus helping reduce operational and financial costs, ensuring legal compliance, contractual, regulatory and business requirements. The goal is to guarantee the security of the information by preserving its availability, ensuring that only authorized users access the information and its associated assets, its confidentiality, its accessibility (limited to authorized users), its integrity, ensuring that the information remains unchangeable and traceable, especially regarding personal data and sensitive personal data.

The Security Policy is supported by a number of policies, records, controls and procedures that guide the correct handling, custody and protection of information, based on the control objectives of the international standards UNE ISO 27002:2014, ISO/IEC 27017:2021, ISO/IEC 27018:2020. The development, maintenance and continuous improvement of the ISMS is supported by the results of a process of continuously evaluating the over the information assets of its services, including the storage, analysis and management of genetic data, clinical information and other highly sensitive personal information.

The Company’s Management is committed to:

1. Establish objectives on Information Security management, the use and provision of Cloud Services, the management of Personal Data, as well as the necessary actions for its development.

2. Establish the risk analysis system, assessing impacts and threats, including those specific of cloud services and personal data management.

3. Implement the necessary actions to reduce unacceptable risks, according to the Security Committee’s criteria.

4. Implement the necessary controls its monitoring methods.

5. Comply with legal, regulatory and contractual security requirements applicable to the Company, especially regarding the management and privacy of personal and genetic data of our customers.

6. Guarantee each client that its information will be processed in accordance with the confidentiality, integrity and availability of a bio-health information management system.

7. Create awareness regarding information security, train our personnel and external collaborators involved in the use or management of information systems.

8. Apply disciplinary measures to workers who fail to comply with Security policies, in accordance with the collective labour agreement, within the applicable legal framework.

9. Implement a policy for safe development including change management, software security requirements and code quality, both internal and external.

10. Provide the necessary resources to guarantee the Company’s business continuity.

The Company’s information security goals are grouped around the following work blocks:

• Protect files and databases, either locally or in the cloud.

• Protect private information including passwords, certificates and cryptographic keys.

• Protect the source code repositories hosting the Company’s products and services, of the company’s products and services, and its quality.

• Protect the Company’s IT infrastructure, including facilities, buildings and rooms.

• Protect the cloud-based virtual resources, including life cycle management and required access controls.

• Protect cloud-based services and resources through specialized service providers.

• Protect networks and communication channels used internally or publicly, locally and in the cloud.

• Protect the Company’s passive assets and the User’s service data, locally and in the cloud.

• Research, regulation and compliance of service providers, whether physical or cloud services.

• Training and supervision of personnel and collaborators with access to the Information Systems.

• The communication of relevant facts, including security breaches, from customers of on-premises and cloud services.

• Support the investigation of relevant events, including security breaches to clients, authorities and stakeholders.

• Ensure business continuity through contingency and redundancy plans at multiple levels.

• Comply with legal and regulatory requirements.

The Company’s management appoints the Information Security Officer as the person responsible for maintaining this Security Policy, providing advice and guidance for its implementation, who can be contacted at security@genomcore.com.

This policy applies to the Company’s personnel, collaborators and suppliers responsible for the Company’s assets, in order to maintain confidentiality, integrity and availability of the information. Users must report information security incidents using the Company’s protocols.

This Information Security Policy may be reviewed and modified, as provided by the Security Committee, in accordance with its requirements.  This policy is communicated to third parties in order to involve them in the continuous improvement of the system.