0.- Introduction

Redsys is a technology solutions, communications and I+D company in the payment solutions sector.

Our IT and operational capacity allows us to authorise, process and settle a large volume of card transactions carried out every day in Spain, in real time and securely.

Redsys' mission is to provide quality, flexible, innovative and sustainable payment services.

One of Redsys' main contributions to the Spanish financial sector is the establishment of a largely on-line authorisation system. This system allows terminals to connect directly to the issuer to request authorisation in real time. In this way, a higher level of transaction security is guaranteed, making Spain's fraud levels one of the lowest in the world.

In addition to the financial sector, Redsys offers its processing services to the healthcare sector through Redsys Salud, which provides services to all the players that form the healthcare business ecosystem: health insurance companies, hospitals, clinics, doctors...

Redsys Salud provides innovative, secure and versatile technological services to these players, such as electronic invoicing, online appointments, identification of the insured via mobile phone, the e-prescription system (electronic prescription) or video-medical consultation.

1.- Redsys commitments.

Redsys Board of Directors hereby acknowledges that risk is inherent to its business and that risk management is fundamental to achieving its objectives and successfully executing its strategies.

It therefore undertakes to maintain the level of risk within the limits it considers acceptable, in order to guarantee at all times the confidentiality, integrity and availability of the information and personal data processed, as well as the continuity of the business services provided by the company, paying special attention to critical services, to ensure the provision of quality, flexible, innovative, efficient and sustainable payment services over time, making Redsys a leader in the markets where we serve our clients, by representing the best option in the provision of payment services.

1.1.- Policy objectives.

In order to make Redsys' commitments clear, this policy aims to:

• Protect the information and personal data of Redsys and its clients, together with the technologies used for its transmission, processing or storage, against internal or external threats, whether deliberate or accidental, in order to ensure its confidentiality, integrity and availability.
• Identify existing risks and those that may appear, dealing with them in a planned manner, so that they produce the minimum impact on the business should they materialise.
• Extend the risk culture, bringing greater value to the business. Integrate the risk-opportunity vision, through the definition of the strategy and the amount of risk that the organisation assumes, and the incorporation of this variable into strategic, tactical and operational decisions, both at a technical and organisational or procedural level.
• Avoid interruptions in the services provided by Redsys as a result of incidents or, at least, minimise the impact and recovery time, especially in business-critical services and those services that are essential for society.
• Continuously improve the effectiveness, efficiency and quality of services and the management system.
• Comply with the regulatory and legal requirements and contractual obligations applicable to Redsys and ensure compliance by third parties and data processors to whom activities are delegated.
• Ensure that services are aligned with customer needs.
• Ensure due diligence and demonstrate the principle of proactive responsibility for data protection based on continuous improvement.
• Establish an ongoing training and awareness programme to ensure that all staff and collaborators are aware of their duties and obligations regarding risk management, information security, business continuity and service management, in particular the risks associated with the information they handle in their work and the mechanisms to be employed to protect it.
• Consideration of security and business continuity as an integral part of each stage of the system lifecycle, from conception to decommissioning, through the definition of requirements in planning, development or acquisition decisions and operational activities.

2.- Scope.

This Policy affects all services provided by Redsys, including Redsys Salud, and all processing of information and data of a personal nature in Redsys services, including Redsys Salud, whether it is information of its own, of its clients or of third parties involved in the provision of the service and regardless of the form in which it is transmitted, processed or stored, or the medium in which it is found.

Any person who works in or for Redsys or who need access to Redsys information and/or systems must comply with provisions of this Policy, as well as with all the regulations deriving from it.

When Redsys provides services or manages third party information, it shall inform them of this Policy. To this end, coordination channels and procedures for action in the event of incidents or security breaches shall be established.

When Redsys uses third-party services or provides them with information, it shall inform them of this Policy and of the regulations that apply to such services or information, which they are obliged to comply with, and shall supervise the level of compliance established. Procedures shall be established for dealing with incidents and mechanisms for monitoring the compliance of third parties.

3.- Foundations and Principles.

In defining this policy, the Board of Directors takes the following basic principles as a basis:

• Risk management: Risks are identified and analysed and risk mitigation actions are undertaken based on the organisation's need for risk reduction. The measures applied must be proportionate to the risk.
• Integral security: Security is considered as a globalising process, encompassing physical, logical, organisational and human aspects, making it possible to define a single protection strategy.
• Identification, protection, detection, response and recovery: not all measures are aimed at the same objectives.
  • Identification measures provide knowledge of assets and functions to manage the organisarion's risks.
  • Protective measures are intended to prevent incidents from occurring or to minimise their occurrence.
  • Detection measures serve to identify potentially dangerous events. They must be accompanied by response measures.
  • Response measures address the detected event, minimising any damage that may have occurred.
  • Recovery measures allow for the restoration of information or services that may have been affected by an incident
• Security in depth: Successive layers of protection must be in place so that an incident is not able to develop its full damaging potential should it occur. To this end, the lines of defence must consist of measures of an organisational, physical and logical nature.
• Quality managements: Service improvement and evolution plans are planned and their level of quality and efficiency is measured. The evolution strategy has to meet Redsys' business needs and customer expectations.
• Periodic reassessment of measures: to verify that they continue to be appropriate, both to the risks identified and to new risks that are identified, and that they remain effective, at least annually.
• Segregation of duties: separation of responsibilities to avoid conflicts of interest that may be detrimental to security.
• Continuous improvement: the comprehensive security process in place is constantly updated and improved on an ongoing basis.

4.- Directives.

Through this Policy, the Board of Directors of Redsys establishes the following guidelines and is committed to their implementation:

• The Board of Directors must ensure that the competencies in the areas of risk, information security, privacy, business continuity and service management are assigned to one or more groups that function as a steering body with which the commitment of the Board of Directors is made clear through the provision of the resources and powers necessary to carry out its functions.
• Definition and implementation of the appropriate organisation, distribution of responsibilities and effective allocation of the necessary resources to comply with this Policy in all processes carried out in Redsys and in the management of its assets.
• Risk, security, quality and business continuity management as continuous improvement processes, through the implementation and maintenance of an Integrated Management System (IMS) that includes Risk, Security, Privacy, Business Continuity and Service management, based on ISO 31000, ISO 27001, ISO 27701, ISO 22301 and ISO 20000 standards.
• Risk assessment and risk management for all new projects. Review, at least annually, of existing processes and systems or when there is a major change in infrastructure or when a major incident occurs.
• Risk assessment and risk management of personal data processing. Review, at least annually, of the processes and systems linked to data processing or when there is a major change in the infrastructure or when a serious incident occurs.
• The service levels established for each of the services shall be documented and shall specify the levels to be met. These service levels shall be supported by appropriate mechanisms to ensure compliance and shall be made known to customers. All staff shall ensure that the services provided comply with these service level agreements.
• All services provided by Redsys shall be properly budgeted and accounted for. Their costs shall be financially controlled and any deviations detected shall be appropriately corrected.
• Holding regular meetings with clients to identify their needs, monitor the level of satisfaction with the services provided, and identify any changes or requests for improvement in the services offered, as well as any complaints that may be lodged in relation to the same.
• Definition, implementation and review of the organisational, procedural and technical controls necessary to guarantee the confidentiality, integrity and availability of the information managed at Redsys, as well as the flow of information to and from the outside world.
• Definition, implementation and review of the organisational, procedural and technical controls necessary to guarantee compliance with the privacy regulations applicable to the processing of personal data managed at Redsys, as well as delegates in charge of processing.
• Unambiguous user identification for access to systems and information and assignment of permissions based on the principles of "least privilege" and "need to know" . Assign special privileges (administrator, root or similar) in a restricted and controlled way and never by default.
• Monitoring of the use of information systems for the rapid detection of malicious activity or anomalies in the levels of service provision, as well as to evaluate the effectiveness and efficiency of the controls implemented.
• Immediate notification by all users to the Security Development department of any confirmed or suspected security breach or anomalous behaviour that could affect the service.
• Application of a consistent and effective approach to incident management, including the recording of incidents, together with the method of resolution adopted, in the corporate tool defined for this purpose.
• Correct and efficient communication of incidents that may cause interruptions in the services provided by Redsys, both to the interested parties and to the affected parties. Compliance with security requirements in terms of personal data protection in accordance with current legislation in this area and card data processing (PCI), as well as those arising from laws, regulations (Payment Schemes, European Central Bank) or contractual obligations that are applicable to Redsys.
• All problems identified, both as a result of preventive identification activities and those generated as a result of incident management, will be properly analysed to identify the underlying cause of the error and the necessary solutions will be applied to correct or mitigate its effects.
• Definition and development of a holistic security process and an integral protection strategy for information systems aimed at guaranteeing, in appropriate terms, the continuity of Redsys services that are critical for the business or essential for society.
• Approval and execution of a global and periodic continuity test plan that minimises the risk of unavailability of Redsys' critical services.
• Adequate registration and maintenance of the configuration items (CIs) and the characteristics necessary for the management of the services shall be carried out, identifying the relationships of the CIs with each of the services. Periodically on a planned basis, the accuracy of the configuration information shall be verified and any mismatches identified shall be corrected.
• Any changes to services shall be initiated by a formal change request and authorised in accordance with the Redsys Change and Delivery Management Policy and Procedure.
• Periodic audits to verify the correct functioning of the management systems and security, privacy and continuity controls, determine the degree of compliance and establish the improvement actions and corrective measures necessary for compliance with the policies and procedures.

5.- Liabilities for non-compliance.

The carrying out of any activity that implies a breach of this Policy and which is regulated by the corresponding legislation, will result in the application of the corresponding legal responsibilities.

In the event of a breach of this Policy not regulated by legal provisions, this action will be dealt with by Redsys Board of Directors, and the sanctions provided for in the Redsys disciplinary regime and the applicable agreement will be applied.

In the case of personnel from third party companies, the measures provided for in the contract will be applicable and will be effective against the legal entity.