Tecnología en sus Manos SL (TCMAN), to address issues related to information security, issues the following Information Security Policy within the framework of the Information Security Management System (ISMS) implemented in the organization, in accordance with the international reference standard ISO/IEC 27001:2022.

The purpose and objective of this policy is to protect the organization’s information assets from all threats (internal or external, deliberate or accidental), ensuring operational continuity, minimizing damage resulting from incidents, maximizing investment returns, and taking advantage of industry opportunities. It should be noted that the scope of the ISMS is “the information system that supports the design and development, marketing, implementation, and maintenance of asset maintenance management software.”

TCMAN’s Senior Management has approved this Information Security Policy, which is mandatory for all personnel, contractors, suppliers, and third parties who access or manage information and systems. It is TCMAN’s policy to ensure that:

• Information and systems identified as vulnerable to cyberattacks will be protected, ensuring confidentiality, integrity, and availability.

• Applicable regulatory, legislative, and policy requirements will be met, including the GDPR, the LOPDGDD (Spanish Data Protection Act), the LSSI-CE (Spanish Law on Data Retention), the Data Retention Law, Royal Decree 311/2022 of the ENS (National Institute of Statistics and Census), the NIS II Directive, and other sector-specific regulations; Legislative updates will be reviewed periodically.

• Security controls and measures will be based on a risk management process, carried out periodically and documented, that supports the selection of controls and risk treatment.

• Contingency and recovery plans for cybersecurity incidents will be developed, maintained, and tested to ensure business continuity.

• Cybersecurity training and awareness will be available and mandatory for all staff, tailored to different roles and responsibilities.

• All information security breaches, whether actual or suspected, will be immediately reported and investigated by the Information Security Officer, in accordance with established incident management procedures.

• Third-party collaborators (suppliers, manufacturers, etc.) will be supervised in relation to their own security commitments and policies, ensuring compliance with the controls required by TCMAN.

• The ISMS will be continuously improved through internal audits, management reviews, and the updating of controls based on the results of risk analysis and changes in the environment.

• Additional procedures have been established to support this policy, including incident management, access control, backup, malware control , password management and encryption, and asset inventory and classification.

• A formal procedure is in place for handling exceptions and for applying disciplinary measures for non-compliance with this policy.

The role and responsibility of the Information Security Officer is to manage information security, advise on policy implementation, and coordinate incident management and corrective measures.

The owner of this policy is responsible for reviewing it periodically—at least once a year or in the event of significant changes in the legal, technological, or risk environment—and for communicating any updates to senior management.

All department heads are responsible for implementing this policy in their respective areas, and each TCMAN employee is responsible for complying with the policy, as well as with the procedures and regulations derived from it.