Security policy

The management of GENOMCORE S.L., the company that owns the MADE OF GENES trademark (hereinafter, ‘the Company’), determines that the protection of information assets is fundamental and imperative for the correct provision of its services in the context of personalised health and biomedical data management. Being aware of the importance of good information security management for its business and for customer satisfaction, and as part of a strategy aimed at business continuity, risk management and the consolidation of a security culture, the Company has decided to implement an Information Security Management System (ISMS), which complies with the requirements of the standards UNE ISO/IEC 27001:2014, ISO/IEC 27017:2021, ISO/IEC 27018:2020 and its stakeholders.

The Company recognises the importance of identifying and minimising the risks to which its information assets are subject, developing and implementing a security management system to prevent a loss, disclosure, modification and unauthorised use of information, both in local systems and in the cloud, thus helping to reduce operational and financial costs, and guaranteeing compliance with legal, contractual, regulatory and business requirements. These aim to guarantee information security by preserving its availability, ensuring that authorised users have access to their information and associated assets when they require it, as well as their confidentiality, making sure that only those who are authorised can access information and its integrity, which guarantees that the information remains unchanged and traceable, especially when it comes to sensitive personal data.

The Information Security Policy is supported by a range of specific policies, records, regulations and procedures that oversee the proper information management, safe-keeping and protection, and that are based on the control objectives of the international standards UNE ISO 27002:2014, ISO/IEC 27017:2021, ISO IEC 27018:2020. The development, maintenance and continuous improvement of the ISMS will be based on the results of a process of continuous risk assessment on the Company’s information assets that participate in the provision of its services, including storage, analysis and management of genetic data, clinical information and other highly sensitive personal information.

The Company’s management is committed to:

1. Periodically establish objectives on information security management, the use and provision of cloud services, personal data management, as well as the necessary actions for their development.

2. Lay down the risk analysis system, assessing the impact and threats, including those specific to cloud services and personal data management.

3. Implement the necessary actions to reduce the identified risks that are considered unacceptable, according to the criteria established by the Safety Committee.
   

4. Apply the necessary regulations and their corresponding monitoring methods.

5. Comply with the legal, regulatory and contractual security requirements assumed by the Company, especially with regard to the management and privacy of our clients’ personal and genetic data.

6. Guarantee to each client that their information will be processed in accordance with the fundamental requirements of confidentiality, integrity and availability typical of a biomedical information management system.
   

7. Promote awareness and guarantee training on information security for all our staff, as well as for external collaborators involved in the use or management of information systems.
   

8. When workers fail to comply with safety policies, apply disciplinary measures in accordance with the workers’ agreement, within the applicable legal framework and adjusted to the impact they have on the organisation.

9. Provide the required resources to ensure the continuity of the Company’s business.
   

The Company’s security objectives have been grouped in the following work areas:

• Protection of files and databases, be it locally or in the cloud.

• Protection of private information including passwords, certificates and cryptographic keys.
  

• Protection of the source code repositories of the Company’s products and services, as well as their quality.
  

• Protection of the IT infrastructure that supports the organisation, including facilities, buildings and rooms.
  

• Protection of virtual resources in the cloud, including the management of their life cycle and required access controls.
  

• Protection of resources and services located in the cloud through specialised service providers.
  

• Protection of networks and communication channels used internally or publicly, locally and in the cloud.
  

• Protection of the Company’s passive assets and the data of users of its services, locally and in the cloud.
  

• Investigation, regulation and compliance of service providers, whether that be physical or cloud services.
  

• Training and continuous supervision of employees and collaborators with access to information systems.
  

• Communication of relevant facts, including security breaches, of the customers of local services and in the cloud.

• Support to clients, authorities and affected parties for the investigation of relevant events, including security breaches.

• Guarantee of business continuity through contingency and redundancy plans at multiple levels.
  

• Compliance with legal and regulatory standards.
  

The Company’s management appoints the Information Security Manager as directly responsible for maintaining this policy, on account of providing advice and guidance for its implementation, who can be reached at security@genomcore.com

This policy applies to all Company personnel, and to all collaborators and suppliers with responsibility for the Company’s assets, in order to maintain confidentiality and integrity and ensure the availability of information. All users will have the obligation to report information security incidents following the guidelines established by the Company.

This Information Security Policy may be revised and modified as determined by the Security Committee in compliance with the periodic update requirements. This policy is disclosed to the interested parties in the interest of involving them in the continuous improvement of the system.