Technical and Organizational Security Measures

Description of the technical and organizational measures implemented by Quibim to ensure an appropriate level of security and protection of personal data (the “Security Measures”), taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of data subjects.


Confidentiality and access control

  • Access to personal data by unauthorized persons is to be prevented. To this end, Quibim’s internal Clean Desk Policy prohibits leaving personal data exposed to third parties. Electronic media and paper documents shall be stored in a secure place (locked cabinets or restricted-access rooms). When absent from the workstation, the screen will be locked or the session will be closed.
  • Physical access control is established to prevent unauthorized access to data processing systems. Quibim has implemented an automated access control system, an alarm system and other safeguards, such as security locks or a protocol for logging visitors.
  • Documents or electronic media (CDs, pen drives, hard disks, etc.) containing personal data will not be disposed of without guaranteeing their destruction. Nevertheless, employees shall generally not use any external storage device in accordance with Quibim’s internal Corporate-owned Device Policy and standard operating procedure (or “SOP”) regarding asset management.
  • No personal data or personal information will be communicated to third parties without following the procedures established in applicable personal data protection regulations. Special care will be taken not to disclose personal data during telephone inquiries, in e-mails, or similar.
  • A password management system is in place to ensure that strong passwords are used and, therefore, to guarantee the appropriate confidentiality and security of personal data stored in electronic systems, in accordance with Quibim’s internal Password Policy and cybersecurity best-practices SOP. Two-factor authentication must be used for access to systems and platforms where technically possible.
  • The confidentiality of passwords must be guaranteed, preventing them from being exposed to third parties. In no case shall passwords be shared or left written down, and access by persons other than the user shall not be allowed.
  • A formal user registration and de-registration process is implemented to enable assignment and revocation of access rights for all user types to all systems and services. The allocation and use of privileged access rights is restricted and controlled. Access rights are removed upon termination of employment, upon termination of the provision of services or adjusted upon change.
  • When it is necessary to extract personal data outside the premises where it is processed, either by physical or electronic means, end-to-end encryption methods are used to guarantee the confidentiality of personal data in the event of improper access to the information.
  • Quibim uses cryptographic techniques to protect the confidentiality, integrity, and authenticity of information during its storage and/or transmission. Specifically, encryption is used for the following purposes: remote access via VPN, communications between developed apps and servers, encryption of information at rest (databases and storage) on the Microsoft Azure storage system using Azure Storage Service Encryption (256-bit Advanced Encryption Standard (AES) encryption), electronic signature certificates, laptop encryption and backup encryption.
  • Data access control is established in accordance with Quibim’s internal policies (namely, the Access Management Policy and the access control SOP), requiring, among other measures, the logging of access to applications, specifically when entering, changing, and deleting data.
  • Separation of processing of data collected for different purposes is implemented with the separation of development, testing and production environments (all client integrations are developed and tested in a test environment, and updates are only released to production after sufficient testing), the physical separation of systems, databases and data carriers, and the determination of database rights.
  • When a security breach of personal data occurs, such as, for example, theft or improper access to personal data, the Spanish Data Protection Agency shall be notified within 72 hours of such security breaches, including all the information necessary to clarify the facts that gave rise to the improper access to personal data. The notification will be made by electronic means through the electronic office of the Spanish Data Protection Agency at the address: https://sedeagpd.gob.es.


Integrity

  • As per Quibim’s internal Access Management Policy, access management SOP and access control SOP, there are to be as few administrator user accounts as possible following the need-to-know and least privilege principles.
  • When personal data is accessed by different persons, for each person with access to personal data a specific username and password will be mandatory. All users shall use a unique identifier to access all systems and applications.
  • Devices and laptops used for the storage and processing of personal data are kept updated to the latest available versions.
  • A hardware and software asset inventory is in place to identify assets associated with information systems to determine accountability and ownership of assets.
  • Transmission control is implemented, where applicable, by using a Virtual Private Network (VPN), logging accesses and retrievals, and deployment over encrypted connections like HTTPS or email encryption.
  • Entry control is implemented with event logs, which record user activities and information security events. Logging facilities and log information are protected against tampering and unauthorized access. System administrator and system operator activities are logged, and the logs are protected and regularly reviewed.
  • The integrity of data is ensured with the management and individualized control of every change, allocating individualized rights to enter, change and delete data on the basis of an authorization concept, the technical logging of the input, modification and deletion of data and appropriate traceability measures of input, modification and deletion of data by individual usernames, among others.
  • Any changes made to the source code are reviewed by Static Code Analysis prior to being put into production to ensure, among other aspects, that there are no critical vulnerabilities or security hotspots in it.


Availability and resilience

  • All computers and devices where the automated processing of personal data is carried out have an antivirus system or analogous measures that protect, as far as possible, against the theft and destruction of personal information and data by detecting and preventing malware and recovering control after an infection.
  • In order to avoid undue remote access to personal data, a firewall system, which is regularly updated, is deployed in all laptops and devices (under Quibim’s management) where personal data is stored and/or processed.
  • Encrypted backup copies of all business, development and production information contained in Quibim’s cloud service provider’s infrastructure (hosted by Microsoft Azure) are taken regularly in accordance with Quibim’s internal backup procedures. Azure Backup and Azure Site Recovery services are employed to provide a disaster recovery plan for Azure file share storage. These services enable the Geo-Redundant Storage (GRS) option, which stores backups in a separate region from their source data. This allows the backup to be used in the event of a regional outage or failure, and also keeps backups separate from source data for added security.
  • Application files and production data are backed up in accordance with established backup policies.
  • A Business Continuity Plan is in place to ensure the required level of continuity for business operations during an adverse situation that may impact business continuity. As part of the Business Continuity Plan, an emergency plan specifies the procedures and actions to reestablish the operations of the essential services in the shortest possible time and under the best possible conditions.


Data subjects’ rights

All of Quibim’s employees know their obligations concerning the processing of personal data and are informed about the procedure for addressing the rights of data subjects. Quibim’s internal GDPR rights management policy clearly defines the mechanisms by which the rights can be exercised, acknowledging that the data controller shall respond to the data subjects without undue delay.

  • For the right of access, the interested parties will be provided with a list of the personal data in Quibim’s possession together with the purpose for which they have been collected, the identity of the recipients of the data, the storage periods, and the identity of the person responsible to whom they can request rectification, deletion, and opposition to the processing of the data.
  • For the right of rectification, the data controller will proceed to modify the data of the interested parties that were inaccurate or incomplete with regard to the purposes of processing.
  • For the right of erasure, the data of the interested parties will be deleted when the interested parties express their refusal or opposition to the consent for the processing of their data, and there is no legal duty to prevent it.
  • For the right of portability, data subjects must communicate their decision and inform the data controller, where appropriate, about the identity of the new data controller to whom to provide their personal data.
  • For the right of objection, the data of the interested parties will no longer be processed according to the purposes for which objection of processing is requested by the data subjects.
  • For the right of not being subject to automated individual decision-making, the data controller will inform of the lack of processing of the data subject’s data in this regard, providing appropriate evidence.


Procedures for regular review, assessment, and evaluation

  • Quibim has been granted the following certifications:
    • ISO/IEC 27001:2013 and UNE-EN ISO/IEC 27001:2017 – Information Security Management System
    • ISO 13485:2016 and EN ISO 13485:2016 – Quality Management system
    • Cyber Essentials Scheme.
  • All software is developed under Quibim’s Quality Management System, certified under ISO 13485.
  • An annual review is carried out, through independent internal audits, of all secure development provisions, established under the ISMS framework, and Quibim will periodically review the effectiveness of the Security Measures herein.
  • Quibim conducts post-market surveillance activities regularly to monitor the safety and performance of all of Quibim’s products and services.
  • All employees are trained regularly on data protection and are obliged under confidentiality and data secrecy obligations, which survive the termination and expiration of employees’ employment relationship with Quibim.
  • Quibim enters into data processing agreements with all contractors outlining their data protection and security requirements, with a prior hiring process that involves due diligence concerning data security.
  • In accordance with articles 37, 38, and 39 of GDPR, Quibim has appointed a Data Protection Officer (dpo@quibim.com) that monitors Quibim’s compliance with Data Protection Legislation.


Quibim may update or modify these Security Measures from time to time, provided such updates and modifications do not result in the degradation of the overall security.