Information Security Policy
Last updated: 26 March 2026
1. Purpose and Scope
The purpose of this Information Security Policy is to describe the technical and organisational measures implemented by the Controller to protect the security, integrity, availability and confidentiality of the information managed through the Platform.
This policy applies to all systems, processes and technological environments used for the provision of the service.
2. Security Principles
The Controller adopts a risk-based approach, implementing adequate security measures to guarantee: (i) the confidentiality of information; (ii) the integrity of data; (iii) the availability of systems; (iv) the resilience of services.
3. Technical and Organisational Measures
The Controller implements security measures aligned with industry standards, including, but not limited to:
- Encryption of information in transit using secure protocols
- Protection of stored information
- Access control through authentication and authorisation
- Limitation of privileges in accordance with the principle of least privilege (only the access necessary is granted)
- Systems monitoring and detection of unauthorised access
- Backup and incident recovery mechanisms
- Regular update of systems and dependencies
- Logical segmentation of environments
4. Access Control
Access to information is restricted exclusively to authorised personnel, under criteria of necessity, confidentiality and proportionality.
The Controller does not access User data as part of its usual operations, except in cases strictly necessary for the provision of the service, at the User's request or by legal requirement.
5. Technology Infrastructure
The Platform is supported by specialised third-party technology infrastructure, including database, authentication, storage and hosting services.
In particular, the Controller uses solutions provided by Supabase for database management, user authentication and storage, as well as hosting services provided by Hostinger.
Supabase implements security measures aligned with international industry standards, including, but not limited to: (i) SOC 2 Type II compliance for security, availability and confidentiality; (ii) encryption of data at rest using AES-256 standards; (iii) encryption of data in transit using TLS protocols; (iv) multi-factor authentication mechanisms (MFA); (v) role-based access control (RBAC); (vi) periodic backups and data recovery mechanisms; (vii) regular security testing and vulnerability analysis; (viii) protection against distributed denial-of-service (DDoS) attacks and abuse mitigation mechanisms; (ix) continuous monitoring and security review tools.
Additionally, the infrastructure and hosting services used by the Controller apply physical and logical security measures in line with industry best practices, including access control, redundancy and availability.
The security measures implemented respond to a shared responsibility model between the Controller and the technology providers used.
6. Credential Security
User access credentials are managed through robust security mechanisms, including encryption techniques and protection against unauthorised access.
The User is solely responsible for maintaining the confidentiality of their access credentials, as well as all activities carried out through their account.
The User undertakes to:
- Use secure, strong and unique passwords
- Not share their credentials with third parties
- Avoid using the Platform from unsafe devices or networks
- Enable, when available, additional security mechanisms such as multi-factor authentication (MFA)
- Immediately notify the Controller of any suspected unauthorised use of their account
The Controller will not be liable for unauthorised access, loss of information or any damage arising from the improper use of credentials by the User, negligence in their custody, voluntary transfer of access to third parties, or breach of recommended security measures.
7. Security in Data Transmission
All transmission of information between the User and the Platform is carried out over secure connections, using appropriate encryption protocols.
8. Security Incident Management
The Controller implements internal procedures for the detection, analysis, management and response to security incidents that may affect the confidentiality, integrity or availability of information.
In the event of a security incident, the Controller will adopt the technical and organisational measures necessary to: (i) contain and mitigate its effects; (ii) analyse its origin and scope; (iii) restore the operation of the systems; (iv) prevent future incidents.
When the incident involves a personal data breach, the Controller will act in accordance with applicable data protection law, including notifying the competent supervisory authority and communicating to the affected Users where appropriate.
9. Security Limitations
The User acknowledges that, while the Controller implements adequate technical and organisational measures in accordance with industry standards to protect information, no technological system is completely secure, foolproof or invulnerable.
Consequently, the Controller does not guarantee the absolute absence of security incidents or total invulnerability of the Platform.
To the maximum extent permitted by applicable law, the Controller will not be liable for damages, losses or unauthorised access resulting from: (i) actions or omissions of third parties, including cyberattacks; (ii) vulnerabilities in external systems or infrastructure; (iii) improper use of the Platform by the User; (iv) the User's lack of diligence in protecting their credentials or devices; (v) the use of insecure networks or compromised devices; (vi) failures arising from technology providers or third-party services.
10. Responsible Use
The User undertakes to use the Platform diligently and not to perform actions that may compromise the security of the systems or of other users.
11. Relationship with Personal Data
Aspects related to the processing of personal data are governed by the Privacy Policy.
12. Updates
The Controller may update this Information Security Policy at any time to adapt it to technical improvements, regulatory changes or the evolution of the services.
13. Contact
For any queries, requests, complaints, notifications or communications related to the Platform:
Email: hola@tresojotas.com