Information Security Policy

Last update: March 2025

  1. Purpose

The purpose of this policy is to establish the general guidelines and the commitment of Management to ensure that the company properly manages the security of the information it handles.

This policy serves as the reference framework for the Information Security Management System (ISMS), based on the ISO 27001 standard, implemented at JOTELULU. It also complies with the requirements of the National Security Scheme (ENS), the French Public Health Code, and the CISPE (Cloud Infrastructure Services Providers in Europe) Code of Conduct.

  1. Scope and Staff Obligations

This policy applies to all IT systems of JOTELULU and to all members of the organization, without exception.

All members are required to be aware of and comply with this Information Security Policy and the associated Security Regulations.

  1. JOTELULU’s Mission

JOTELULU is a cloud services platform with a mission to simplify cloud computing, making it accessible and affordable for IT companies and, ultimately, for small and medium-sized businesses (SMBs). Its primary goal is to enhance the competitiveness of technology companies by enabling them to offer cloud services in a simple and cost-effective manner.

JOTELULU’s philosophy is based on three fundamental principles:

  • 1. Simplicity: Developing products that are easy to deploy, manage, and maintain, minimizing the complexity of the cloud.
  • 2. Affordability: Creating solutions accessible to businesses of all sizes, ensuring that the cloud is not exclusive to large corporations.
  • 3. Profitability: Optimizing products so that IT companies can integrate the cloud as an essential and profitable part of their business.

Additionally, JOTELULU aims to become the best cloud platform for the IT channel, offering cloud services that IT companies can market under their own brand and pricing.

In this environment, security is a fundamental pillar for JOTELULU, reflecting its commitment to data protection and business continuity. High-security standards are essential to ensuring the trust of its users and the reliability of its services.

  1. Information Security Policy Statement

The Information Security Policy establishes the guidelines and principles defined by JOTELULU, S.L.U. (hereinafter, JOTELULU) to ensure the protection of information, compliance with defined security objectives, and the assurance of confidentiality, integrity, and availability of information systems. Additionally, it guarantees adherence to all applicable legal obligations.

JOTELULU’s management, fully aware of the importance of information security in the workplace, commits to the following principles regarding the Information Security Management System (ISMS):

  • a) Establish information security objectives that are always aligned with the company’s strategy.
  • b) Ensure that security requirements are integrated into the organization’s processes.
  • c) Provide the necessary resources for the management system.
  • d) Communicate the importance of effective information security management in compliance with ISMS requirements.
  • e) Ensure that the information security management system (ISMS) achieves its intended results.
  • f) Lead and support personnel to contribute to the effectiveness of the ISMS.
  • g) Promote continuous improvement of the security management system.
  • h) Support relevant roles in demonstrating leadership within their areas of responsibility.

To fulfill these commitments, JOTELULU’s management will ensure that all personnel comply with the security-related regulations, policies, procedures, and instructions established within the organization.

  1. Security Objectives

Through the development of its Information Security Management System, JOTELULU aims to ensure the following security objectives:

  • 1. Ensure the confidentiality, integrity, availability, traceability, and authenticity of information.
  • 2. Guarantee that security is an integral part of every stage of the system lifecycle, from conception to decommissioning.
  • 3. Comply with all applicable legal requirements.
  • 4. Implement the minimum security measures required by the ENS.
  • 5. Maintain a business continuity plan that enables the recovery of processes and activities in the shortest possible time in case of an incident.
  • 6. Manage risks that may impact the organization by establishing the necessary mechanisms for control and improvement.
  • 7. Train and raise awareness among all employees on information security matters.
  • 8. Meet the security expectations and needs of customers, employees, suppliers, management, and other stakeholders.
  • 9. Ensure that all employees are informed of their security roles and responsibilities and are accountable for fulfilling them.
  • 10. Ensure that departments are prepared to prevent, detect, respond to, and recover from incidents.
  • 11. Properly manage all incidents that occur.
  • 12. Continuously improve the ISMS and, consequently, the organization’s information security.
  1. HDS Security Objectives

In particular within the framework of the HDS (Hébergeur de Données de Santé) certification, the following specific objectives are set with regard to the health data that may be hosted by our partners:

1. Ensure the confidentiality of the health data hosted within the HDS Services, in particular implement appropriate methods, processes and policies to:

  • regulate access to hosted personal health data and to HDS resources into which health data is hosted;
  • prevent, identify and remedy vulnerabilities and limit the risk of unauthorized access to the health data and HDS resources;
  • erase or delete the health data at the end of the services (before to reallocate the resources to another client) and at the end of life of the hardware infrastructure.

2. Ensure the availability of the health data hosed within the services, in particular:

  • Define and share with the Clients appropriate Service levels objectives (notably Services availability, response time to Client’s requests and time to take in charge identified incidents impacting the availability of the HDS Services);
  • Implement the necessary organization and procedures notably within the support and products team to match the Services levels objectives;
  • Implement and test relevant services continuity plan to remediate any failure within the Service delivery;
  • Ensure the availability of the encryption keys when JOTELULU provides health data encryption functionalities to the Client;
  • Ensure the availability and integrity of the back-up when JOTELULU provides health data back-up services to the clients;

3. Enable the Clients to use the services in an appropriate and secure manner, in particular:

  • Provide a clear and accessible Services documentation and terms and conditions of use, presenting the characteristics of the services, the technical specifications, and the distribution of tasks and responsibilities between JOTELULU and the Clients;
  • Make JOTELULU Support team, aware of the specific HDS processes and conditions of services.
  1. Security Organization

Security Committee

To ensure the proper performance of the Management System and compliance with the established objectives and requirements, JOTELULU’s management has appointed an ISMS Manager and a Security Committee. The Security Committee is responsible for ensuring compliance with the guidelines set forth in this policy.

The committee is responsible for the following functions:

  • Approving and verifying compliance with information security policies.
  • Reviewing the results of system audits and any significant information security incidents.
  • Assigning specific roles and responsibilities within the Information Security System and ensuring that those assigned are aware of their duties.
  • Implementing necessary measures to ensure that personnel understand the security procedures relevant to their roles and the potential consequences of non-compliance.
  • Ensuring that information security needs are properly identified and integrated into the organization’s relevant processes.
  • Approving security objectives, ensuring they are measurable and have assigned responsibilities, resources, and deadlines.
  • Providing all necessary resources to support Information Security.
  • Establishing a strategic and consistent basis for decision-making to reduce or mitigate risks to acceptable levels for the company, its clients, and investors.
  • Ensuring the proper monitoring and management of identified risks, in alignment with risk management practices.

Roles: Functions and Responsibilities.

Role

Functions

Responsible at JOTELULU

Management

Ultimately responsible for the implementation of ENS.

Management

Information Responsible/

Responsable de la Información

Responsible for information protection and for defining the security requirements of the processed information.

Security Committee

Service Responsible/

Responsable del Servicio

Determines the security requirements of the provided services, according to the parameters of Annex I of ENS.
Ensures that security specifications are included in the service and system lifecycle, along with the necessary control procedures.

Security Committee

Security Responsible/

Responsable de la Seguridad

Makes security-related decisions to meet the requirements established by the Information and Service Responsibles.
Analyzes self-assessment and/or audit reports and submits conclusions to the System Responsible for corrective actions.

Head of Security

System Responsible/

Responsable del Sistema

Responsible for the operation of the information system, ensuring compliance with the security measures set by the Security Responsible.
Implements corrective actions based on self-assessment and audit reports, with support from Engineering and Infrastructure teams.

Head of Operations

Personal Data

JOTELULU processes personal data, which is documented in the Register of Processing Activities (RAT):

All information systems must comply with the security levels required by regulations according to the nature and purpose of the collected personal data.

Data Controller

The natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing.

As indicated in the RAT

Data Processor

The natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller.

As indicated in the RAT

Data Protection Officer (DPO)

 Ensures compliance with data protection regulations and acts as a liaison with supervisory authorities.

DPO

Conflicts between individuals, units, or governing bodies within the organizational structure of the Information Security Policy will be resolved by the common hierarchical superior, who may consult the Information Security Committee beforehand.

In case of conflict, the decisions of the Information Security Committee will take precedence.

Designation Procedure

The role of Information Security Manager will be assigned to the CISO/Head of Security. If the position becomes vacant, a new appointment will be proposed by the Security Committee.

The role of System Manager will be assigned to the Head of Operations. If the position becomes vacant, a new appointment will be proposed by the Security Committee from within the Engineering, Operations, or Infrastructure departments.

  1. Regulatory Framework
  • General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 on personal data protection and free movement of such data.
  • Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD) – Organic Law 3/2018, aligned with the GDPR and European data protection regulations.
  • Directive (EU) 2022/2555, NIS2 – European directive on cybersecurity, pending transposition into national legislation under the Draft Law on Cybersecurity Coordination and Governance.
  • Royal Decree 311/2022, of May 3, regulating the Spanish National Security Framework (ENS).
  • Intellectual Property Law – Royal Legislative Decree 1/1996, protecting rights over computer programs and regulating their exploitation.
  • Law on Information Society Services and Electronic Commerce (LSSI-CE) – Law 34/2002, regulating e-commerce and digital services.
  • Occupational Risk Prevention Law (PRL) – Law 31/1995, applicable to workplace safety and health.
  • Industrial Property Laws – Regulations on industrial designs, trademarks, patents, and utility models (Law 17/2001, Law 24/2015, and Law 3/1991).
  • eIDAS Regulation – Regulation (EU) 910/2014 on electronic identification and trust services in digital transactions.
  • Legal Protection of Computer Programs Law – Law 16/1993, protecting software and combating software piracy.
  • French Public Health Code – Legislative framework regulating the organization of the healthcare system, health security, and data protection in France under the HDS certification.
  • CISPE Code of Conduct – Reinforcing data protection in the context of cloud services in Europe.
  • EU AI Act, approved by the European Parliament on March 13, 2024, and by the EU Council on May 21, 2024.

This regulatory framework will be reviewed at least once a year in collaboration with the legal department or whenever a significant change is published in the BOE, regional bulletins, official government websites, or in response to relevant alerts.

  1. Risk Management

All systems subject to this policy must undergo a risk analysis, assessing the threats and risks to which they are exposed. This analysis will be repeated:

  • Regularly, at least once a year.
  • When there is a change in the information handled.
  • When there is a change in the services provided.
  • When a serious security incident occurs.
  • When severe vulnerabilities are reported.

To ensure consistency in risk analyses, a reference assessment is established for the different types of information handled and services provided. The Security Committee will facilitate the allocation of resources to meet the security needs of various systems, promoting horizontal investments.

  1. Structuring of Security Documentation

The Information Security Policy is structured into the following hierarchically related levels:

  • 1. First Level: Information Security Policy, as outlined in this document, reviewed and approved by the Security Committee, and signed by the CEO.
  • 2. Second Level: Information Security Topic Specific, also reviewed and approved by the Security Committee and signed by the CEO.
  • 3. Third Level: Information Security Procedures and Technical Instructions. These are technical documents and controls aimed at addressing security-related tasks within the systems, governed by the ISMS.
  • 4. Fourth Level: Reports, records, and electronic technical evidence, published in our document management systems
  1. Review of the Information Security Policy

The Information Security Policy, along with the processes of the Management System, is regularly reviewed at planned intervals or whenever significant changes occur to ensure its continued suitability, effectiveness, and efficiency. In general, it is reviewed annually as part of the internal ISMS audit process.

Monitoring procedures are in place to provide insights into the proper performance of the ISMS.

Management also plays a key role in reviewing the system, conducting an in-depth analysis to identify potential improvements and deficiencies.

  1. Communication of the Information Security Policy

The management system policy is communicated at the time of onboarding, during awareness training, and internally through email and/or corporate channels.

The statement of this policy will be made available to external stakeholders of JOTELULU by publishing it in a shared document on the web.

  1. Information Security Regulations and Specific Aspects

This policy will be implemented through Security Specific Topics that address specific aspects of security. These regulations are available to all members of the organization, particularly those who use, operate, or manage information and communication systems.