Information Security Policy
Esquema Nacional de Seguridad (ENS) — Red Lemon Technologies, S.L.
1. Approval and entry into force
This text was approved on 8 April 2026 by the Management of RED LEMON TECHNOLOGIES, S.L. This Information Security Policy enters into force on its approval date and will remain in force until replaced by a new Policy.
2. Introduction
RED LEMON TECHNOLOGIES, S.L. relies on its information systems to achieve its objectives. These systems are managed with due diligence, applying risk-proportionate measures to protect the authenticity, traceability, integrity, confidentiality, and availability of information and the continuity of services.
Security is integrated throughout the entire lifecycle, with a preventive approach, continuous monitoring, and agile incident response, including in planning and procurement.
3. Scope
This Policy applies to the information system of Red Lemon Technologies, S.L. that supports the provision of managed cybersecurity services to clients. It encompasses the set of processes, information, users, services and assets involved in the delivery of those services.
The system is categorised under the Spanish National Security Framework (ENS) at Medium level. This scope is defined in accordance with the current Statement of Applicability.
4. Mission and objectives
- Guarantee the confidentiality, integrity, availability, authenticity, and traceability of information and the continuity of services.
- Implement security measures proportionate to risk, with security by default.
- Ensure traceability, least privilege, and duty of confidentiality.
- Deploy physical security adequate to the risks.
- Protect communications security and data in transit.
- Control acquisition, development, and maintenance throughout all lifecycle phases, ensuring security by design.
- Monitor compliance with security measures in service delivery and when integrating new components.
- Manage incidents (detection, containment, mitigation, resolution, and prevention of recurrence).
- Protect personal data in compliance with GDPR/LOPDGDD.
- Continuously monitor the system and drive ongoing improvement.
5. Guiding principles
- Strategic scope and organisation-wide commitment.
- Integral security (technical, human, organisational, and physical).
- Risk-based management and proportionality.
- Prevention, detection, response, and preservation.
- Defence in depth (layered security).
- Continuous monitoring and periodic reassessment.
- Security by default and by design.
6. Regulatory framework
- Royal Decree 311/2022, of 3 May (ENS).
- GDPR (Regulation (EU) 2016/679) and LOPDGDD (Organic Law 3/2018).
- LSSI (Law 34/2002).
- eIDAS (Regulation (EU) 910/2014).
7. Security organisation
Information Security Committee: roles and responsibilities
Given the size and structure of RED LEMON TECHNOLOGIES, S.L., the company's Management acts as the Information Security Committee, supported by an external consultant for specialist advisory tasks.
Under the ENS framework, the Information Security Committee is formed by:
- Information Owner (RINFO)
- Services Owner (RSER)
- Security Officer (RSEG)
- System Owner (RSIS)
- Data Protection Officer (DPO)
- Company Management
Due to staffing constraints, the roles of RSEG, RSIS, RINFO, RSER, and DPO are currently held by the Director of RED LEMON TECHNOLOGIES, S.L., who holds accredited DPO training, with review and oversight procedures established to ensure proper information security management.
The Committee's main responsibilities include:
- Supervising risk analyses and the evolution of security indicators.
- Reviewing security and data protection incidents and their management.
- Monitoring the Statement of Applicability (SoA) and the degree of implementation of ENS measures.
- Approving and following up internal and external audits and corrective actions.
- Reviewing and validating continuity and recovery plans (BCP/DRP).
- Evaluating critical suppliers and ensuring they meet ENS requirements.
- Proposing changes to the Security Policy and escalating relevant issues to Management (in this case Management itself acts as the decision-making body).
- Resolving disagreements between responsible parties.
Roles: functions and responsibilities
RINFO/RSER/RSEG/RSIS/DPO: In RED LEMON TECHNOLOGIES, S.L., the functions of RINFO, RSER, RSEG, RSIS and DPO are assumed by the Director, who holds accredited DPO training, with support from an external consultant for specialist advisory tasks.
Appointment and succession procedures
The security roles established under ENS (Security Officer – RSEG, System Owner – RSIS, and Services/Information Owner) are appointed by Management.
Due to organisational size, certain roles may be assumed by the same individual, with independence of judgement ensured through periodic reviews and Management involvement in relevant decisions.
Appointments are reviewed at least every two years or sooner if relevant changes occur, and succession arrangements are documented for prolonged or critical absences.
Conflict resolution
In the event of disagreements between designated officers (RSEG, RSIS, RINFO/RSER), these will be resolved by the Management of RED LEMON TECHNOLOGIES, S.L. Where appropriate, specific provisions may be established for services subject to special regulations.
8. Personal data processing
RED LEMON TECHNOLOGIES, S.L. processes personal data in accordance with the Record of Processing Activities. Risks are assessed and, where appropriate, action plans are developed to address them; an external consultant provides specialist advisory support and assistance with implementing measures. Management sets the reference valuation by information/service type, promotes cross-cutting investments, and coordinates risk treatment plans.
9. Risk management
Risk analyses will be carried out for all systems subject to this Policy:
- Annually;
- When information or services change;
- Following a serious incident or critical vulnerability;
- Upon relevant changes to GDPR/DPIA requirements.
Management of RED LEMON TECHNOLOGIES, S.L. will set reference valuations by information and service type and promote cross-cutting investments. Data protection risks will also be taken into account. Specialist advisory functions in the areas of security and data protection are performed by an external consultant supporting the Security Officer. Management will likewise coordinate the resulting risk treatment plans.
10. Policy development and associated standards
This Information Security Policy complements and is part of RED LEMON TECHNOLOGIES, S.L.'s broader policy framework covering different areas, including: Access Control Policy, Backup Policy, Password Management Policy, Remote Work Policy, and others.
Policies will be made available to the staff members who need to know them.
11. Staff obligations and training
All staff must be aware of and comply with this Policy and its associated standards.
Annual awareness training will be provided to all staff, along with mandatory prior training before assuming responsibilities for use, operation or administration. Training is compulsory during onboarding and upon changes of role or responsibilities.
12. Third parties / service providers / suppliers
Where services are delivered to third parties or involve third-party information, this Policy and the applicable standards will be shared, always respecting data protection regulations where RED LEMON TECHNOLOGIES, S.L. acts as data processor.
Contracts with third parties will require ENS compliance, the inclusion of security clauses, incident notification contacts, audit rights, and specific requirements for cloud services and, where applicable, for AI.
If a third party fails to meet any of these requirements, the Security Officer will produce a risk report with the support of the external consultant. Management will decide whether to proceed with the engagement, accepting the identified risks.
13. Security incident management
RED LEMON TECHNOLOGIES, S.L. will maintain a procedure for the swift management of security events and incidents that threaten information and services, coordinated with other applicable regulations (e.g. GDPR), with notification to competent authorities where required.
This procedure will be integrated with others relating to security incidents that may arise from other applicable regulations (such as data protection law), in order to coordinate the response from different regulatory perspectives and report to supervisory bodies without undue delay and, where necessary, to law enforcement or the courts.
Management, in its capacity as Security Officer (RSEG) and System Owner (RSIS), with the support of the external consultant, will be responsible for activating and coordinating this procedure.
14. Approval, review, and replacement of the Policy
The Management of RED LEMON TECHNOLOGIES, S.L., in its capacity as Security Officer and System Owner, may introduce adjustments to this Policy when inefficiencies are detected and will review it at least once a year.
Substantial changes or those affecting principles or responsibilities will require Management's express approval.
Replacement of the Policy will be proposed by Management with the support of the external consultant and communicated through established channels to all interested parties.