ODILO, as a company dedicated to the development of software for the lending, sale, distribution and hosting of digital content and for the management of electronic and physical archives, is aware of and assumes its commitment to quality according to the ISO 9001 reference standard; to information security according to ISO 27001, ISO 27017 and the high category of the Spanish National Security Framework (ENS); to the protection of personal data according to the ISO 27701 and ISO 27018 standards and in compliance with the RGPD (GDPR) and the Spanish LOPDGDD; and to business continuity according to the ISO 22301 reference standard. Therefore, the Executive Management establishes the following principles:
- Ensure the satisfaction of our customers, including stakeholders interested in the results of the company, with everything related to the performance of our activities and their impact on society.
- Ensure data security in ODILO's information systems, as well as in the information systems that support the services ODILO provides to its clients.
- Ensure Business continuity in its services.
- Ensure the protection of personal data in its activities as data controller and data processor.
- Establish objectives and goals focused on evaluating performance in terms of quality, information security, privacy and business continuity, as well as on the continuous improvement of our activities, as regulated in the management systems that implement this policy.
- Comply with the requirements of the legislation and regulations applicable to our activity, the commitments made to clients, and all internal rules or guidelines to which ODILO is subject.
- Maintain fluid communication, both internally between the different levels of the company and with customers.
- Assess and guarantee the technical competence of personnel, and ensure they are adequately motivated to participate in the continuous improvement of our processes.
- Guarantee the correct state of the facilities and adequate equipment, so that they correspond to the company's activity, objectives and goals.
- Guarantee continuous analysis of all relevant processes, establishing the pertinent improvements in each case based on the results obtained and the objectives established.
- Ensure the continuous improvement of the management systems that implement this policy.
Additionally, for cloud services (SaaS):
- The basic security requirements applicable to the design and implementation of the service will be identified.
- Risks from authorized internal personnel will be taken into account.
- Multi-client services (multi-tenancy) and client isolation (including virtualization) will be secured.
- Access to client assets by internal personnel will be controlled.
- Strong authentication will be implemented for administrator users.
- Customers will be informed of the location of the data centres (CPDs) and, if they so request, of changes in the infrastructure.
- Security will be implemented throughout the virtualization process with the use of certified tools.
- Both customer access and customer information will be protected.
- Customer accounts will be managed throughout the complete cycle within ODILO.
- Providers, partners and specialized organizations (CERT) will be notified of security breaches and the necessary information will be shared to assist in the investigation of cyber incidents.
- It is ODILO's policy to implement, maintain and monitor the quality and information security management systems indicated.
These principles are assumed by ODILO's Executive Management, which has the necessary means and will provide its employees with sufficient resources to comply with them, embodying them and making them publicly known through this Information Quality and Security Policy.
Signed: Miguel Ángel Rodríguez
Head of Management