INFORMATION SECURITY POLICY
INTRODUCTION
This document sets out the General Information Security Policy of WORLD WIDE MOBILITY, S.L. (hereinafter, “WORLD WIDE MOBILITY”), understood as the set of basic principles governing the organisation’s approach to Information Security.
Information Security is understood as an integral process consisting of all technical, human, material and organisational elements related to information systems, excluding any isolated or temporary actions.
All other documents related to Information Security within WORLD WIDE MOBILITY shall be aligned with the guidelines contained in this General Information Security Policy.
The progressive digital transformation of society, the impact on strategic sectors such as finance, the evolving cybersecurity landscape and advances in applied technologies are producing significant international changes.
It has also become evident that information systems are increasingly exposed to cyber threats, with a notable rise in both the volume and frequency of cyberattacks as well as their sophistication, driven by agents with greater technical and operational capabilities. These threats occur in a context of high dependence on information and communication technologies and strong interconnection of information systems.
OBJECTIVE
The objective of this General Information Security Policy is to establish a common regulatory framework within WORLD WIDE MOBILITY allowing the identification, development and implementation of the technical and organisational measures necessary to ensure the security and protection of information, including personal data, as well as the information systems supporting the organisation’s activities.
COMMUNICATION
This document shall be published on the internal systems of WORLD WIDE MOBILITY and communicated to all relevant stakeholders, particularly internal personnel handling information assets.
Additionally, this policy shall be published on the WORLD WIDE MOBILITY website for external stakeholders.
MANAGEMENT COMMITMENT
Information, especially the personal data of employees, customers and suppliers, as well as the systems that support it, are strategic assets for WORLD WIDE MOBILITY, which seeks to protect them against threats such as errors, sabotage, terrorism, extortion, industrial espionage, privacy violations, service interruptions and natural disasters, in order to ensure efficient and effective achievement of defined business objectives.
Management undertakes to lead and promote security at all levels in accordance with the Security Policy and the objectives defined herein.
In particular, management commits to:
- Comply with and enforce applicable legislation and other requirements (contractual, regulatory and customer) related to information security.
- Maintain the effectiveness of the Information Security Management System (ISMS) and ensure its continuous improvement by periodically reviewing its performance, objectives and needs for change.
- Provide the necessary resources and assign roles and responsibilities to implement, operate and improve information security processes.
POLICY
Scope
WORLD WIDE MOBILITY protects the resources involved in managing information related to the normal development of its functions, complying with applicable legislation, preserving confidentiality and privacy, and ensuring availability, integrity and retention.
These objectives also apply to the information systems used to carry out its activity.
WORLD WIDE MOBILITY seeks to establish conditions of trust in the use of electronic means and the continuous delivery of its services, adopting the necessary measures to protect the organisation’s information systems from threats to which they may be exposed, in order to guarantee the security of information systems, minimise risks and build the foundations to prevent, detect, respond to and recover from potential incidents.
This General Information Security Policy applies throughout the scope of WORLD WIDE MOBILITY, namely:
- All resources, services and business processes of WORLD WIDE MOBILITY. It therefore applies to all information systems involved in service delivery and to all support systems for the various functions and responsibilities of WORLD WIDE MOBILITY.
- All employees, direct customers and suppliers of WORLD WIDE MOBILITY who use the systems described in the previous point.
INFORMATION SECURITY OBJECTIVES
The objectives to be achieved are:
In accordance with these objectives, this General Information Security Policy seeks the adoption of the following security principles, ensuring:
- Availability: Information and systems are accessible when required.
- Confidentiality: Only authorised persons may access information and systems.
- Integrity: Accuracy and protection of information against unauthorised alteration or destruction.
- Legality: Information is processed in compliance with applicable legal frameworks.
- Training: Ensuring appropriate awareness and training in information security within the organisation.
- Incident Management: Risk analysis and incident response mechanisms to prevent, detect, react to and recover from security incidents.
- Authenticity: Verification of identities of users, devices and entities accessing information systems.
- Non-Repudiation: Ensuring actions or transactions cannot be denied once performed.
REGULATORY COMPLIANCE
This policy and its supporting documentation are aligned with applicable laws, regulations and standards affecting WORLD WIDE MOBILITY, regardless of any material or territorial scope.
For more information, see the document WWM_NOR_002_Cumplimiento requisitos legales.
RESOURCE ALLOCATION
Management of WORLD WIDE MOBILITY commits to guaranteeing, within its scope of functions and responsibilities, the provision of the resources necessary to implement and maintain information security processes and their continuous improvement.
This is done in order to achieve strategic objectives; to disseminate, consolidate and ensure compliance with this General Information Security Policy; and to implement the appropriate distribution and publication mechanisms so that it is known to the different users it affects.
ROLES AND RESPONSIBILITIES
Any user affected by this Policy shall be obliged to:
- Comply at all times with this General Information Security Policy, and the organisation’s information security rules, procedures and instructions.
- Take an active role in cybersecurity for any assets protected within the scope of this Policy.
- Maintain professional secrecy and confidentiality regarding the organisation’s information.
- Report, in accordance with the relevant regulations, suspicious or anomalous situations, security incidents, and non-conformities or security breaches of the organisation’s information systems and/or assets.
Overall responsibility for Information Security rests with the person assigned the functions of Information Security Management System (ISMS) Manager described in WWM_NOR_001_Roles y Responsabilidades de Seguridad de la Información.
Where anyone to whom this General Information Security Policy and other related documents apply fails to comply with them and puts information security at risk in any of its dimensions, Management of WORLD WIDE MOBILITY reserves the right to initiate the corresponding actions in accordance with internal codes and rules of conduct and the current legal framework.
INFORMATION SECURITY STANDARDS
This Information Security Policy is supported and complemented by a set of specific documents. These are the Information Security Standards, which will be based on market best practices and aligned with the specific needs of WORLD WIDE MOBILITY.
INFORMATION CLASSIFICATION
All information shall be classified according to its importance to the organisation and shall be handled in accordance with that classification, as set out in WWM_NOR_006_Clasificación de la Información.
AUDIT
Information systems shall be subject to periodic internal or external audits to verify compliance and effectiveness of security controls.
SUPPLIERS AND THIRD PARTIES
Relevant acquisitions or services impacting information systems shall undergo risk analysis, and security requirements shall be formally agreed with suppliers.
Information security requirements for mitigating supplier-related risks must be agreed with the supplier and documented, following the established security standards that complement this policy.
RESPONSIBILITIES FOR NON-COMPLIANCE
Failure to comply with this Policy and the Standards derived from it shall be considered a serious offence, leading to the application of the disciplinary regime without prejudice to any other liabilities that may arise.
Similarly, any collaborating member, subcontractor or consultant who does not comply with this Policy will be subject to removal from WORLD WIDE MOBILITY facilities and termination of the relationship with the organisation.
EXCEPTION MANAGEMENT
Any exception to this Information Security Policy must be registered and reported to the ISMS manager of WORLD WIDE MOBILITY.
These exceptions will be analysed to assess the risk they could introduce to the organisation and, based on the categorisation of these risks, they must be assumed by the requester of the exception together with the business owners. The document WWM_Gestión de Excepciónes PSI shall be used as a template.
CLIMATE CHANGE
WORLD WIDE MOBILITY has analysed the services provided by the organisation and its usual operations for delivering them, finding no aspects that could affect climate change beyond those arising from the air conditioning systems and the emissions of the vehicles that serve the organisation, in both cases within the established legal requirements.
The requirements of interested parties have been analysed without finding any specifically related to climate change.
Based on both analyses, it is concluded that there is no need to apply measures beyond standard legal requirements.
APPROVAL AND REVIEW
The General Information Security Policy is formally approved by the governing bodies of the companies that make up WORLD WIDE MOBILITY, reflected in the corresponding minutes, and will remain in force until it is replaced by a new version.
Likewise, it will be reviewed annually and whenever significant changes occur that require it, in order to adapt it to new technical and/or organisational circumstances, avoiding obsolescence.
For these purposes, its suitability, timeliness and accuracy will be regularly reviewed. Any modifications that may arise will be proposed by the ISMS manager for validation.
ENTRY INTO FORCE
This Information Security Policy enters into force on the date of publication and internal distribution.