
Information Security Policy
Policy objective
The purpose of this document, the Information Security Policy, is to define the basic guidelines that guarantee the security of information (in terms of integrity, confidentiality and availability), so as to improve both the security of the services the company offers to its clients and the organization's own internal processes.
At WE Gender Lab (Women Empowered Certification, SL), we are committed to guaranteeing the security and protection of the data and information entrusted to us by our clients and/or collaborating companies while pilots of our “WE Gender Lab” platform are carried out, as well as in any other business activity in which information and data are exchanged.
This policy sets out our security measures and our practices for the storage, processing and retention of data in accordance with Spanish and European Union data protection legislation, together with the relevant information in this regard and the measures in place to guarantee the security of information systems.
Policy scope
This Policy applies to Women Empowered Certification SL (WE Gender Lab), which must comply with it as a minimum requirement, without prejudice to adopting more restrictive policies and improving security wherever possible.
Because of its nature as a general policy, all management of Women Empowered Certification SL (WE Gender Lab) must know and comply with it, both in its internal relations and in its relations with other organizations. This policy covers all information used by Women Empowered Certification SL in the course of its activities.
Specifications
Below are all the specifications of this Information Security Policy of Women Empowered Certification SL (commercially known under the brand WE Gender Lab).
3.1. General Principles of Information Security
Women Empowered Certification S.L. gives the highest priority and full support to the protection of information, given its strategic nature and its role in ensuring business continuity.
This Policy, therefore, pursues the adoption, implementation, and continued operation of protocols and procedures that consider the preservation, at least, of the three basic components of information security:
- Confidentiality: Ensure that only duly authorized persons access data and systems.
- Integrity: Ensure the accuracy of information and systems against alteration, loss, or destruction, whether accidental or intentional.
- Availability: Guarantee that information and systems can be used in the manner and time required.
This Policy will be considered in the execution of all phases of the information life cycle: generation, distribution, storage, processing, transportation, consultation, and destruction, and the systems that process them (analysis, design, development, implementation, operation, and maintenance).
Information security is the responsibility of all staff of the Organization, so this Policy must be known, understood and accepted at all levels of the Organization.
The Policy must be communicated to the entire Organization and be available to interested parties.
Relationships with third-party collaborating companies must always be protected by due guarantees in the use and processing of information.
In addition, Women Empowered Certification S.L. establishes the following basic principles as fundamental information security guidelines that must always be kept in mind in any activity related to the processing of information:
- Strategic scope: Information security must have the commitment and support of all management levels so that it is integrated with the rest of the strategic initiatives, forming a coherent and effective framework.
- Comprehensive security: Information security will be understood as a comprehensive process made up of technical, human, material, and organizational elements. Information security must be considered part of normal operations, present and applied throughout the entire process of design, development, and maintenance of information systems.
- Risk management: Risk analysis and management will be an essential part of the information security process. Risk management will allow a controlled environment to be maintained, minimizing risks to acceptable levels.
- Proportionality: The protection, detection, and recovery measures established must be proportional to the potential risks and to the criticality and value of the information and services affected.
- Continuous improvement: Security measures will be periodically re-evaluated and updated so that their effectiveness keeps pace with the constant evolution of risks and protection systems.
3.2. Identification of the person responsible
Company name: Women Empowered Certification S.L.
Domain name: www.wegenderlab.com
CIF: B76226216
Registered office: Calle Capitán Eliseo López Orduña, 14, 35014, Las Palmas de Gran Canaria, Spain
Every user of the information systems is responsible for the appropriate use they make of them and for complying with the controls and recommendations established in the corresponding protocols prepared in a manner aligned with this Policy.
3.3. Information security objectives
To contribute to minimizing and controlling the risks of the Organization, Women Empowered Certification S.L. will define a series of achievable and measurable objectives, which will be reviewed annually to be aligned with the company's strategy.
These objectives will be in line with the fundamental information security principles and guidelines set out in point 3.1. General Principles of Information Security.
3.4. Security policy enforcement
In order to apply the principles set out in this Policy, action plans or continuous improvement actions must be defined, prepared, implemented and maintained. Likewise, the organization has a series of complementary documents covering other aspects of security, which at present are:
- Data protection policy for the information processed and stored on the website and the domain mentioned above
- Strong password policy, including guidelines on periodic changes, the suggested format, and two-factor authentication (generated access codes) as an additional security measure
- Policy for updating the tools used to carry out activities, which sets their update frequency to reduce exposure to cyber threats and requires automatic operating-system updates to be enabled on company computers and devices
The development and updating of these policies and of other plans and actions will be based on formal risk analysis and risk evaluation processes, on management criteria, or on objective business needs, so that the most suitable solutions are implemented.
Likewise, the necessary information security management standards will be defined, in accordance with recognized international standards, to ensure the effective and efficient monitoring of security actions as well as the continuous security review and improvement processes.
3.5. Normative compliance
Women Empowered Certification S.L. (WE Gender Lab) is committed to complying with the current legislation on the protection and security of information that applies to it by virtue of its corporate purpose, company name and business activity, and of the information technology services that it provides or could provide, including services related to pilot processes (which include the diagnosis of equality within the company and the creation of results dashboards for clients and/or collaborating companies).
In this sense, the requirements of the applicable laws in the treatment and security of information will be identified and the appropriate and reasonable mechanisms and measures for compliance will be established.
Women Empowered Certification S.L. will ensure compliance with higher-ranking rules (laws, standards, and legal provisions) that apply because of the nature and purpose of the business; where applicable, these take precedence over the guidelines contained in this Information Security Policy and even over Client requirements associated with the provision of contracted services. Regulations issued by supranational organizations of which Spain is a member, as well as EU and non-EU regulations, will also be taken into account depending on the areas in which services are provided.
3.6. Classification and processing of information
The information must be classified according to its importance for the organization and must be treated according to said classification, under the provisions of the regulations on the classification and processing of information.
3.7. Privacy of the information
Women Empowered Certification S.L. must ensure the privacy of personal data with the aim of protecting the fundamental rights of natural persons, especially their right to honor, personal and family privacy and their own image, by establishing measures to regulate the processing of data.
The organization must comply with current legislation on the protection of personal data depending on the jurisdiction in which it is established and operates (for example, Organic Law 3/2018, of December 5, on Data Protection and Guarantees of Digital Rights in the case of Spain) and must include the necessary measures to comply with the regulations.
Appropriate measures must be implemented to ensure the privacy of information in all phases of its life cycle.
3.8. Treatment of data and information
3.8.1. Security of data
All data collected during the activity carried out by the Organization, especially those collected during the pilot and testing processes of the WE Gender Lab solution, are treated with maximum confidentiality and protection.
The Organization will implement appropriate technical and organizational measures to ensure the security of data against unauthorized access, disclosure, alteration, or unauthorized destruction, both during transmission and storage.
All authorized personnel of the organization who have access to the indicated information will be duly trained in information security and will maintain the confidentiality and security of the data at all times.
3.8.2. Data Storage
The data collected during the activity carried out by the Organization, especially those collected during the pilot and testing processes of the WE Gender Lab solution, will be stored securely on protected servers located in the European Union, in compliance with the security standards established by current regulations.
The data collected through the data collection forms will be incorporated into automated processing of personal data for which WE Women Empowered S.L. is responsible. This entity will process the data confidentially and exclusively to manage the relationship with its clients and to carry out the aforementioned activity.
Accordingly, the data will be stored in Google Drive under the Terms and Conditions of Service of that platform, in line with the security and privacy requirements established by European regulations.
3.8.3. Treatment of data
The data collected is used exclusively to carry out the software pilots requested by client companies, as well as the main activity of the Organization. The data is processed to generate personalized reports that are delivered to client companies exclusively for their internal use and to improve their internal processes.
The purpose of said processing is therefore to send newsletters or results dashboards, which cover business policies and practices related to the management and measurement of gender equality within the company, and to inform about possible measures to implement, viable initiatives, or additional resources that the company can contract. Likewise, the data will be used to handle requests of any kind made by the user through any of the contact forms made available to them; to create aggregated content for future reports; and to send communications related to initiatives, conferences, events (national and international) and services, as well as publications, activities, calls and other news from the sector. The ultimate goal is always to help the company, client, or collaborator improve its internal processes with regard to gender equality.
3.8.4. Data Retention
The data collected is kept for the time necessary to fulfill the purpose for which it was collected and in accordance with applicable legislation. The data will be retained for the period necessary to comply with legal and regulatory requirements, as well as for internal audit purposes.
Exceptionally, data may be retained for longer periods for research and statistical purposes, with corresponding encryption and subject to appropriate technical and organizational measures, as provided for by the applicable law in this case (GDPR, article 5).
The data retention criteria are based on the legal provisions that require retention for tax and accounting reasons and on the time necessary for the purposes described, unless the data subject objects to the processing or requests erasure of the data.
Likewise, WE Women Empowered S.L. will cancel, delete, and/or block the data when it is inaccurate, incomplete or no longer necessary or relevant for its purpose, in accordance with the provisions of data protection legislation.
3.8.5. Access to data
Client companies have exclusive access to their own data through their personal area on our website (www.wegenderlab.com).
The Organization implements authentication and access control measures to ensure that only authorized users can access data pertaining to their own company.
3.8.6. Rights that assist client/user companies
The User has the right to withdraw consent at any time, as well as to exercise the rights of access, rectification, portability and deletion of their data and to limit or oppose their processing.
3.8.7. Contact information to exercise your rights
To exercise your rights, send an email to any of the co-controllers at the addresses indicated below:
- Generic email: hello@wegenderlab.com
- Other emails: maria@wegenderlab.com; alejandra@wegenderlab.com
The User must specify which of these rights they wish to exercise and must attach a copy of their DNI or equivalent identification document. If you act through a representative, legal or voluntary, you must also provide a document proving the representation together with the representative's identification document. If you need a template for the request, you can use the official forms published by the Spanish Data Protection Agency (AEPD).
3.9. Asset Management
The information assets necessary to provide the business processes of Women Empowered Certification S.L. must be identified and inventoried. Additionally, the asset inventory must be kept updated.
The classification of assets must be carried out based on the type of information to be processed, in accordance with the provisions of section 3.6. Classification of information.
Asset configuration records must be reviewed and updated periodically so that assets can be tracked and the inventory remains accurate.
3.9.1. Personal device management
Women Empowered Certification S.L. allows BYOD (Bring Your Own Device), under which employees may use their personal devices to access company resources or information.
In addition, users must comply with the following requirements established in this Policy:
- The same security measures and configurations that apply to other devices must be applied to BYOD devices that process information.
- The user is responsible for the BYOD device.
- Users must keep up to date any personal BYOD device on which they process information of any kind belonging to Women Empowered Certification S.L., and must also have security software installed on it.
- Any incident that may affect the confidentiality, integrity, or availability of these devices must be reported to the security manager.
3.9.2. Information life cycle management
Women Empowered Certification S.L. will adequately manage the life cycle of the information so that incorrect uses can be avoided during any of the phases.
The life cycle of an information asset consists of the following phases:
- Creation or collection: This phase deals with records at their point of origin. This may be creation by a member of Women Empowered Certification S.L. or receipt of information from an external source, and includes correspondence, forms, reports, computer input/output, or other sources.
- Distribution: The process of managing information once it has been created or received.
- Use or access: Takes place after the information has been distributed internally, and can lead to business decisions, generate new information, or serve other purposes, such as the creation of results dashboards, action plans or recommendation reports, among others.
- Storage: The process of organizing information in a predetermined sequence and creating a management system to ensure its usefulness.
- Destruction: Establishes practices for the elimination of information that has reached the end of its defined retention period. Information retention periods must be based on the regulatory and legal requirements that affect Women Empowered Certification S.L.
3.9.3. Backup management
Backups of information, software, and systems must be made and verified periodically. As a general rule, the frequency of backups will be determined by the sensitivity of the applications or data, in accordance with the information classification criteria.
Backups must receive the same security protections as the original data, ensuring their correct preservation as well as adequate access controls.
As a general rule and whenever possible, information in backup copies should be encrypted. A retention period must be established for backup copies, after which they are destroyed.
3.10. Physical and environmental security
The physical spaces where the information systems of Women Empowered Certification S.L. are located must be adequately protected by perimeter access controls, surveillance systems, and preventive measures, so that the impact of security incidents (unauthorized access to information systems, theft, or sabotage) and environmental accidents (fires, floods, power outages, etc.) can be avoided or mitigated.
3.11. Security at work in the cloud and on devices
Women Empowered Certification S.L. will maintain a work policy in the cloud or cloud computing that establishes appropriate security measures for the confidentiality, integrity, and availability of the information.
The work in the cloud of Women Empowered Certification S.L. is done on the indicated Google Drive servers, so this Policy is added to Google's own Privacy Policy, which can be found here.
Women Empowered Certification S.L. ensures that this Provider, and any future Providers, monitor the environment for unauthorized changes and allow authentication and access control levels to be set for administrators and the operations they perform.
All information systems of Women Empowered Certification S.L. that process or store information it owns must have appropriate security measures in place and bring them to a suitable level of maturity (monitoring, change control, reviews, etc.).
Likewise, networks must be managed, controlled, and monitored appropriately, including network access controls, to protect against threats and to maintain the security of the systems and applications that use the network, thereby protecting all information transferred through these elements and/or environments.
Regarding the security and transmission of information and data through the Organization's website, refer to the Privacy Policy of the website itself (available here) and that of our Service Provider -Wix- in this regard (available here).
3.12. Telecommunications security
The network architecture of Women Empowered Certification S.L. must include prevention, detection, and response measures to avoid security breaches in both internal and external domains.
3.13. Security in relationships with suppliers
Special attention must be paid to evaluating the criticality of all services that may be outsourced, so that those relevant from an information security point of view can be identified, whether because of their nature, the sensitivity of the data they handle, or the dependency of business continuity on them.
3.14. Incident Management
The staff of Women Empowered Certification S.L. have the obligation and responsibility to identify, and to notify the company's security officer of, any incident or crime that could compromise the security of its information assets.
Procedures will be implemented for the correct management of detected incidents, such as response procedures, which define the categorization of incidents, analysis of their impact on the business, and escalation.
3.15. Revisions and updates
This security policy will be reviewed and updated periodically to ensure its effectiveness and continued compliance with applicable legal and regulatory requirements.
Women Empowered Certification S.L. is committed to maintaining the security and privacy of the data of its clients and/or collaborators as an absolute priority, in line with its overall business strategy.
3.16. Audit
The information systems, in whole or in part, will periodically undergo internal audits in order to verify their correct functioning, determine degrees of compliance, and recommend corrective measures for continuous improvement.
3.17. Continuous improvement
Women Empowered Certification S.L. considers it essential to ensure continuous improvement, therefore, it will define actions that improve the organization's performance in terms of the availability, integrity, and confidentiality of information.