Approved on 19 February 2026 · Version 01
AP Interactive Solutions S.L. has the mission of providing cloud infrastructure services, technical cybersecurity services (audits, pentesting, vulnerability management, incident response), custom software development and managed services for public and private clients, as well as the operation of its own SaaS platforms.
AP Interactive's objective is to be a benchmark in technical cybersecurity and cloud infrastructure services, meeting the requirements of security standards such as ISO 27001 and the Spanish National Security Framework (ENS), establishing continuous improvement in its Information Security Management System (ISMS) that minimises risks, complies with applicable regulations and reinforces the trust of our clients and strategic partners.
The purpose of this document is therefore to ensure that information — both our own and that of third parties — is protected to an appropriate level. This document applies to the entire scope of the ISMS; that is, to all types of information, regardless of format, whether paper or electronic documents, applications and databases, people's knowledge, etc.
AP Interactive depends on ICT (Information and Communication Technology) systems to achieve its objectives. These systems must be administered diligently, taking appropriate measures to protect them against accidental or deliberate damage that could affect the availability, integrity or confidentiality of the information processed or the services provided.
ICT systems must be protected against rapidly evolving threats with the potential to affect the confidentiality, integrity, availability, intended use and value of information and services. This means the organisation must apply the minimum security measures required by the National Security Framework, continuously monitor service levels, track and analyse reported vulnerabilities, and prepare an effective incident response to guarantee the continuity of the services provided.
General provisions:
The regulatory basis affecting AP Interactive's activities, as regards information security, is made up of the following legislation:
Maintenance of the regulatory framework is the company's responsibility and will be kept in an annex to this document, including the mandatory technical security instructions issued by the National Cryptologic Centre (CCN). The company is also responsible for identifying the CCN security guides applicable to improve compliance with the National Security Framework.
To achieve compliance with the articles of Royal Decree 311/2022, AP Interactive has implemented several security measures proportionate to the nature of the information and services to be protected, taking into account the category of the affected systems and the size of the organisation.
Security is a process made up of all the technical, human, material and organisational elements related to the system. The application of the ENS will be governed by this principle, which excludes any one-off action or circumstantial treatment. Maximum attention will be paid to the awareness of the people involved and their managers, so that neither ignorance, nor a lack of organisation and coordination, nor inadequate instructions become a source of security risk. Systems will be designed to ensure security by default:
The company has implemented regular security controls and assessments (including routine evaluation of configuration changes) to know the security status of systems at all times relative to manufacturer specifications, vulnerabilities and applicable updates, reacting diligently. Before new elements — physical or logical — are introduced, they will require formal authorisation. Periodic review by third parties will also be requested to obtain an independent assessment.
All members of AP Interactive within the scope of the ENS will attend a security awareness session at least once a year. A continuous awareness programme will be established, in particular for new joiners. Those responsible for the use, operation or administration of ICT systems will receive training for the secure handling of systems; this training is mandatory before assuming a responsibility. Given the company's size, training will be adapted to each member's specific role, being more intensive in secure development for developers and in risk management for the Security Officer.
All systems affected by this Policy, as well as all personal data processing, must be subject to a risk analysis. This analysis will be repeated:
The ENS Security Officer is responsible for ensuring the risk analysis is carried out, as well as for identifying gaps and weaknesses and bringing them to the attention of the Information Security Committee.
AP Interactive has implemented a comprehensive process for detecting, reacting to and recovering from security incidents, through procedures covering detection mechanisms, classification criteria, analysis and resolution procedures, communication channels to interested parties, and the logging of actions, which is used for continuous improvement. When a significant deviation from pre-established normal parameters occurs, the necessary detection, analysis and reporting mechanisms are activated. Reaction measures include:
The company has implemented a multi-layered protection strategy (organisational, physical and logical) so that when one layer fails, time is gained for an adequate reaction, the likelihood of the system as a whole being compromised is reduced, and the final impact is minimised. This strategy protects the perimeter, in particular when connecting to public networks; the risks arising from interconnection with other systems will be analysed and the connection point controlled.
The company has organised its security by designating different roles with clearly differentiated responsibilities, as set out in the "Security organisation" section.
The company has implemented access control mechanisms for the information system, limiting access to what is strictly necessary and duly authorised.
Since AP Interactive operates a 100% remote model, the protection of facilities is adapted to this context through:
When acquiring products, the company will ensure that such products have certified security functionality related to the purpose of their acquisition, except where proportionality requirements regarding the risks assumed do not justify it.
The company has implemented mechanisms to protect stored or in-transit information, especially in insecure environments (laptops, tablets, storage media, open networks, etc.). Systems will have backups and the mechanisms necessary to guarantee continuity of operations in the event of loss of the usual working means.
The company has enabled user activity logs, retaining the information needed to monitor, analyse, investigate and document improper or unauthorised activities, allowing the person acting to be identified at all times, for the exclusive purpose of complying with the ENS, with full guarantees of the right to privacy and in accordance with personal data protection regulations.
This Policy responds to the best-practice recommendations for Information Security set out in the International Standard ISO/IEC 27001 and the National Security Framework, as well as to compliance with applicable personal data protection legislation (GDPR). AP Interactive applies the following principles:
Since Information Security concerns the entire company, this Policy must be known, understood and assumed by all its members, as well as by any third party accessing the company's assets.
The organisation of Information Security at AP Interactive is established in the internal document “Job description”. To ensure compliance with the legally required measures, the following security roles or profiles have been created:
An Information Security Committee has also been established as a collegiate body that handles Information Security requests, reports regularly on the security status and advises on the matter.
Personnel management will be carried out taking into account the security criteria established in this Policy, safeguarding its requirements at all times, including the pre-employment, employment and contract-termination phases.
6.1.1 Training and awareness. AP Interactive will ensure that members receive an appropriate level of Information Security training and awareness, especially in confidentiality and information-leak prevention. Members are obliged to act diligently with respect to information.
6.1.2 Clean desk policy.
6.1.3 Remote work / teleworking. All members work from remote locations, so the following measures are established:
The equipment used for remote connection may be owned by the partners, but must meet: A) the ability to connect via VPN; B) an operating system updated with the latest patches; C) antivirus software installed; D) a personal firewall installed. The teleworking service will be monitored and controlled, logging both the connection and the activity. For more detail, the organisation has a Teleworking and Mobile Devices Policy.
The information assets needed to deliver AP Interactive's business processes will be identified and inventoried, keeping the inventory up to date. Assets will be classified according to the type of information handled. Each asset will have an owner responsible for managing it throughout its lifecycle, maintaining a formal record of authorised access, and ensuring it is inventoried, correctly classified and adequately protected.
6.2.1 Management of personal devices. Team members use personal equipment for daily work, and must comply with:
6.2.2 Information lifecycle management. The lifecycle of an information asset consists of the phases of: (1) creation or collection, (2) distribution, (3) use or access, (4) storage and (5) destruction. Retention periods will be based on regulatory, legal and business requirements; when retention is not required, information will be disposed of by means that guarantee its confidentiality during the destruction process.
6.2.3 Backup management.
An information classification model is defined to implement the technical and organisational measures needed to maintain availability, confidentiality and integrity. The full detail is in the internal document “Information Classification Policy”; a summary follows.
6.3.1 Types of information. Information is classified according to its medium: logical media (office tools, email or information systems developed in-house or by a third party).
6.3.2 Classification levels:
6.3.4 Management of privileged information. Confidential or restricted information will be handled with special care and with additional security measures, and will be sent encrypted over secure protocols.
6.3.4 Information labelling. Documents and materials (including annexes, copies, translations or extracts) will be labelled according to the classification levels, except for "Public use" information. Labelling will reflect the classification scheme, be easily recognisable, and be accompanied by guidance on its placement and on the permitted exceptions.
6.3.5 Information handling. Appropriate procedures will be developed for the correct handling of information according to its classification, keeping privileged information in custody throughout its lifecycle.
6.3.6 Information privacy. AP Interactive is committed to protecting the privacy of: clients' personal data (GDPR), employees' personal data (GDPR) and clients' confidential information (non-disclosure agreements, NDAs). For more detail, see the Privacy Policy.
An information leak is an uncontrolled outflow of information (intentional or not) that causes it to reach unauthorised people or its owner to lose control over access. AP Interactive defines procedures to prevent such situations and to act when a leak is reported. All members receive training on leak prevention, including: handling of high-criticality devices, network monitoring (detection of anomalous transfers), email use, oral transmission of information, use of mobile devices, control of removable devices and Internet use.
All of AP Interactive's information systems will have an access control system, focused on securing user access and preventing unauthorised access (including password protection). Access control is understood from a logical perspective. For more detail, the organisation has an internal “Access Control Policy”.
6.5.1 Access rights. Only the privileges necessary to perform each function will be granted, based on:
6.5.2 Logical access control. A password policy aligned with security best practices will be established, defining password requirements and renewal periods, detailed in the internal document “Acceptable Use Policy”, and known by all members.
AP Interactive will maintain a cloud working policy establishing the appropriate measures for the confidentiality, integrity and availability of information, depending on the service model:
All services that process or store the company's information will have appropriate security measures that optimise their maturity level (monitoring, change control, reviews, etc.). Networks will be managed, controlled and monitored appropriately to protect against threats, including network access controls.
The mandatory use of a corporate VPN, firewalls for data filtering, IDS/IPS for intrusion detection and prevention, TLS/SSL encryption for communications and multi-factor authentication (MFA) on critical services is established. Communications will be carried out exclusively over secure networks, with the use of unprotected public networks without a VPN being prohibited. All members will use only authorised channels and report any anomaly immediately.
All acquisition, development and maintenance of systems will meet minimum security requirements in line with industry best practices, including test management, change tracking and software inventory. AP Interactive will take information security into account in its selection, development and implementation processes for applications, products and services.
The criticality of all services that may be outsourced will be assessed to identify those relevant from a security standpoint. Selection processes, contractual requirements (including termination), service-level monitoring, data return and the supplier's security measures — which will be at least equivalent to those in this Policy — will be carefully managed. For more detail, the organisation has an internal “Procurement, Supplier and Third-Party Management Policy”.
Members are obliged to identify and notify the Security Officer of any incident or offence that could compromise the security of information assets. An incident response management procedure will be defined, with categorisation, business impact analysis and escalation. For more detail, the organisation has an internal “Incident Management Policy”.
AP Interactive will have a Business Continuity Plan to guarantee the continuity of its essential or critical services in possible crisis scenarios. This Plan will be updated and tested periodically, and complemented by a Disaster Recovery Plan aligned with business continuity. The company will train its employees in Business Continuity, reviewing such training periodically.
Standards are established to ensure the secure creation, use, storage and destruction of the cryptographic keys that protect confidential information, covering their entire lifecycle. Responsibility for key management lies with the System Owner, who ensures that keys are accessible only to authorised users and systems, including key generation, distribution, storage, use, renewal, revocation and destruction.
AP Interactive will allocate the resources necessary to comply with all legislation and regulation applicable to its activity in the field of information security, establishing the responsibility for such compliance on all its members.
Periodic identification of technical vulnerabilities of systems and applications will be carried out, according to their exposure, applying the necessary corrective measures as soon as possible. Identification, management and remediation will follow a risk-based approach, taking into account the criticality and exposure of assets.
Any exception to this Policy must be recorded and reported to the Security Officer. Exceptions will be analysed to assess the risk they could introduce and, based on their categorisation, must be assumed by the requester together with the business owners.
Any violation of this Policy may result in the corresponding disciplinary actions in accordance with AP Interactive's internal process. It is the responsibility of all members to notify the Security Officer of any event or situation that could constitute a breach of the defined guidelines.
Version 01 · Implementation. Prepared by the Security Officer · Reviewed and approved by Management — AP Interactive Solutions S.L.