Information Security Policy (ENS)
Approval and Entry into Force
Text approved by the Management of EUREKA FERTILITY on 10 March 2026. This Information Security Policy is effective from that date until replaced by a new Policy.
Introduction
EUREKA FERTILITY depends on ICT (Information and Communication Technologies) systems to achieve its objectives. These systems must be managed with diligence, taking appropriate measures to protect them against accidental or deliberate damage that may affect the security —confidentiality, integrity, availability, traceability and authenticity— of the information processed or the services provided.
The objective of information security is to guarantee the quality of information and the continuous provision of services, acting preventively, monitoring daily activity and responding swiftly to incidents.
ICT systems must be protected against rapidly evolving threats with the potential to affect the confidentiality, integrity, availability, intended use and value of information and services. To defend against these threats, a strategy is required that adapts to changes in environmental conditions to ensure the continuous provision of services. This means that departments must apply the minimum security measures required by the National Security Framework, as well as continuously monitoring service delivery levels, tracking and analysing reported vulnerabilities, and preparing an effective response to incidents to guarantee the continuity of services provided.
Different departments must ensure that ICT security is an integral part of every stage of the system lifecycle, from conception to decommissioning, including development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in planning, requests for proposals, tendering documents and contracts for ICT projects.
Personnel must be prepared to prevent, detect, react and recover from incidents.
Prevention
Departments must avoid, or at least prevent as far as possible, information or services from being harmed by security incidents. To do so, they must implement the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all staff, must be clearly defined and documented.
To ensure compliance with the policy, departments must:
- Authorise systems before they enter operation.
- Regularly evaluate security, including assessments of configuration changes carried out routinely.
- Request periodic review by third parties in order to obtain an independent assessment.
Detection
Since services can degrade rapidly due to incidents, ranging from a simple slowdown to a complete halt, the operation of services must be continuously monitored to detect anomalies in service delivery levels and act accordingly. Detection, analysis and reporting mechanisms will be established that reach those responsible regularly and whenever a significant deviation from the preset normal parameters occurs.
Response
EUREKA FERTILITY shall:
- Establish mechanisms to respond effectively to security incidents.
- Designate a point of contact for communications regarding incidents detected in the organisation or in other bodies.
- Establish protocols for the exchange of incident-related information. This includes communications, in both directions, with Emergency Response Teams (CERT).
Recovery
To guarantee the availability of critical services, ICT system continuity plans will be developed as part of the overall business continuity plan and recovery activities.
Scope
This Policy shall apply and be mandatory for the entire EUREKA FERTILITY organisation, its resources and the processes affected by the ENS, whether internal or external, linked to the entity through contracts or third-party agreements.
All members of EUREKA FERTILITY affected by the ENS scope have the obligation to know and comply with this Information Security Policy and the corresponding security regulations, it being the responsibility of EUREKA FERTILITY to ensure that this information reaches the personnel concerned.
Mission
The mission of EUREKA FERTILITY is to provide specialised online marketing and strategic consulting services for the assisted reproduction sector, ensuring the maximum visibility and reputation of our clients.
Aware of the sensitivity of the information we manage —affecting both the intellectual property of clinics and the privacy of potential patients—, our technical mission is to ensure the confidentiality, integrity and availability of all information assets. We are committed to offering a secure digital environment that protects the flow of data between clinics and their patients, strictly complying with the Spanish National Security Framework (ENS).
Management has established in the organisation an Information Security Management System based on Royal Decree 311/2022 of 3 May, which regulates the Spanish National Security Framework (ENS), addressing the following objectives:
- Ensuring Confidentiality in lead generation: Ensuring that personal and health data of potential patients obtained through marketing campaigns and online forms are accessed only by authorised personnel, preventing any leakage that could affect the privacy of users.
- Ensuring the Integrity of marketing strategies: Protecting the information and digital assets of our clients (assisted reproduction clinics) against unauthorised modifications, ensuring that advertising and published content is always truthful and aligned with healthcare regulations.
- Maintaining Availability of digital services: Implementing security measures that ensure capture platforms and campaign management systems operate continuously, minimising downtime so as not to harm our clients' investment.
- Specialised training on sensitive data: Continuously training the entire marketing and support team in security best practices and the handling of “special categories of data”, ensuring they understand the legal and ethical responsibility of managing information in the assisted reproduction sector.
Regulatory Framework
The regulatory framework governing EUREKA FERTILITY's activities, and in particular the provision of its electronic services to citizens, includes:
- Royal Decree 311/2022 regulating the Spanish National Security Framework (ENS)
- Information security, cybersecurity and privacy protection — Information security management systems. Requirements. (ISO/IEC 27001:2022)
- Organic Law 3/2018 on the Protection of Personal Data and guarantee of digital rights (LOPDGDD)
- Royal Legislative Decree 1/1996 approving the revised Intellectual Property Law, regularising, clarifying and harmonising existing legal provisions on the matter.
- Royal Decree 1553/2005 regulating the national identity document and electronic signature certificates
- Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE)
- Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter GDPR).
In addition to the general security regulations, EUREKA FERTILITY adapts its information security processes to the specific requirements of the health and assisted reproduction sector, including:
- Law 14/2006 on Assisted Human Reproduction: Regarding the protection of user privacy and anonymity.
- Law 41/2002 on Patient Autonomy: For the secure management of data that may form part of clinical records.
- Healthcare Advertising Regulations: Ensuring that information systems supporting marketing campaigns comply with the ethical and legal principles required in the health sector.
- LSSI-CE 34/2002: For security in electronic communications and information society services.
Information Security Committee
| Role | Member |
| --- | --- |
| Information Officer | Natalia Álvarez Hernández |
| Service Officer | Pedro Perles Roselló |
| Security Officer | Carlos González Bustos |
| Systems Officer | Javier Sánchez-Moreno Giner |
Roles: Functions and Responsibilities
Information Officer
- Establish and approve the security requirements applicable to the service within the framework established in Annex I of Royal Decree 311/2022 of 3 May, following a proposal by the Security Officer and/or the Information Security Committee.
- Accept the residual risk levels affecting the Service.
- Approve the Information Security Policy.
- Carry out the assessments referred to in Article 40 of the ENS (security categories) and, where applicable, subsequent modifications.
- Receive information on incidents and the actions taken to resolve them.
- Determine the criteria for assigning and modifying the required security level for each item of information, and be responsible for its documentation and formal approval.
- Establish the security requirements and levels for information, taking the Security Policy into account.
- Bear ultimate responsibility for any error or negligence leading to a confidentiality or integrity incident.
- Approve the Business Continuity Plan.
- Approve the information management system.
- Provide financial resources for Information Security.
Service Officer
- Establish and approve the security requirements applicable to the service within the framework established in Annex I of Royal Decree 311/2022 of 3 May, following a proposal by the Security Officer and/or the Information Security Committee.
- Lead and direct the information security policy.
- Provide financial resources for Information Security.
- Carry out the assessments referred to in Article 40 (security categories) and, where applicable, subsequent modifications.
- Be informed of incidents and the actions taken to resolve them.
- Establish the security requirements and levels for the service, taking the Security Policy into account.
Security Officer
- Determine the security category of the system, based on the assessments of the Information Officer and the Service Officer.
- Draft and approve the Statement of Applicability, taking into account the requirements of the Information Officer and the Service Officer.
- Maintain the security of the information handled and the services provided by ICT systems within the scope of responsibility.
- Determine the decisions to meet the security requirements of information and services, supervise the implementation of the necessary measures to ensure those requirements are met, and report on these matters.
- Formalise and approve the measures selected from Annex II in the Statement of Applicability, including compensatory or supplementary surveillance measures and their correspondence with the aforementioned Annex II measures.
- Verify that information security measures have been properly implemented by the Systems Officer.
- Analyse first-, second- and third-party audit reports relating to systems within the scope of competence, and present conclusions to the Systems Officer and, where applicable, to the Information Security Committee.
- Explicitly approve, with the advice of the DPO, changes that imply a HIGH-level risk to the data protection measures set by the controller or processor, before those changes are implemented.
- Participate in drafting and proposing the Information Security Policy and the procedures, regulations and instructions in application of the ENS.
- Analyse risks before deploying artificial intelligence systems in the entity, taking into account the assessments of the Information Officer, the Service Officer and, where applicable, the Data Protection Officer, and supervise their deployment.
- Promote training and awareness in information security within the scope of responsibility.
- When the system processes personal data, the Security Officer shall gather the data protection requirements.
- Carry out or promote periodic self-assessments or audits to verify ENS compliance.
- In the management of cyber incidents, together with the entity's responsible parties, classify their severity in accordance with Guide CCN-STIC 817, acting as the point of contact with competent authorities in security matters and, depending on the roles assigned in the Policy, notifying CCN-CERT as applicable. When notification to the reference CSIRT is required, it shall be carried out without undue delay and immediately, without prejudice to the gradual submission of expanded information.
- Verify that the established security measures are adequate for the protection of information handled and services provided.
- Analyse, complete and approve all documentation related to system security.
- Monitor the security status of the system, which may be provided by specific elements such as security event management tools and audit mechanisms implemented in the system.
- Support and supervise the investigation of security incidents from notification to resolution.
- Prepare the periodic security report for senior management of the entity, including the most relevant incidents of the period.
- The Security Officer shall collaborate with the entity's Data Protection Officer in managing incidents that affect personal data and, where applicable, notifying supervisory authorities and the affected persons.
Systems Officer
- Suspend access to information or service provision if serious security deficiencies are identified.
- Develop, operate and maintain the information system throughout its lifecycle.
- Draft the necessary operational procedures.
- Define the topology and management of the Information System, establishing usage criteria and available services.
- Ensure that specific security measures are properly integrated within the general security framework.
- Provide advice to the Security Officer on determining the System Category.
- Collaborate, when required, in the development and implementation of security improvement plans and, where applicable, continuity plans.
- Carry out the functions of system security administrator:
  - Manage the authorisations granted to system users, in particular the privileges granted, including monitoring the activity carried out in the system and its correspondence with what is authorised.
  - Approve changes to the current configuration of the Information System.
  - Ensure that the established security controls are strictly complied with.
  - Ensure that the approved procedures for handling the Information System are applied.
  - Register and deregister users.
  - Maintain the register of media entry and exit.
Designation Procedures
Overall responsibility for information security shall rest with the Security Officer, with ultimate responsibility held by the Information Security Committee and Management as the highest authority of the information security management system. Appointments shall be reviewed every 2 years or when a position becomes vacant.
Information Security Policy
It shall be the mission of the ICT Security Committee to carry out an annual review of this Information Security Policy and to propose its revision or maintenance. The Policy shall be approved by the Management of EUREKA FERTILITY and disseminated so that all affected parties are aware of it.
Personal Data
EUREKA FERTILITY processes personal data. The security document COD. 105 RECORDS OF PROCESSING ACTIVITIES, accessible only to authorised persons, lists the affected files and the corresponding data controllers. All EUREKA FERTILITY information systems shall comply with the security levels required by regulations for the nature and purpose of the personal data recorded in that Security Document.
Risk Management
All systems subject to this Policy shall carry out a risk analysis, evaluating the threats and risks to which they are exposed. This analysis shall be repeated:
- Regularly, at least once a year.
- When the information handled changes.
- When the services provided change.
- When a serious security incident occurs.
- When serious vulnerabilities are reported.
To harmonise risk analyses, the ICT Security Committee shall establish a reference assessment for the different types of information handled and the different services provided. The ICT Security Committee shall promote the availability of resources to meet the security needs of the different systems, encouraging cross-cutting investments.
Development of the Information Security Policy
This Information Security Policy is complemented by EUREKA FERTILITY's security policies in different areas:
- POL-01 Access Control Policies
- POL-02 Password Policy
- POL-03 Acceptable Use of Assets Policy
- POL-04 Cryptographic Controls Policies
- POL-05 Development Policy
- POL-06 Acceptable Use of Cloud Services Policy
Security regulations shall be available to all members of EUREKA FERTILITY who need to know them, particularly those who use, operate or administer information and communication systems.
This Policy shall be developed through specific security regulations addressing particular aspects.
The Information Security Policy shall be available on the organisation’s website.
Staff Obligations
All members of EUREKA FERTILITY are obliged to know and comply with this Information Security Policy and the Security Regulations, it being the responsibility of the ICT Security Committee to ensure the necessary means are in place for the information to reach those concerned. All members of EUREKA FERTILITY shall attend a security awareness session at least once a year.
A continuous awareness programme shall be established for all members of EUREKA FERTILITY, particularly new joiners. Persons responsible for the use, operation or administration of ICT systems shall receive training for the secure handling of systems to the extent they need it to carry out their work. Training shall be mandatory before taking on a responsibility, whether it is a first assignment or a change of post or responsibilities.
Third Parties
When EUREKA FERTILITY provides services to other organisations or handles their information, those organisations shall be made aware of this Information Security Policy, channels for reporting and coordination between the respective ICT Security Committees shall be established, and action procedures for responding to security incidents shall be put in place.
When EUREKA FERTILITY uses third-party services or transfers information to third parties, they shall be made aware of this Security Policy and the Security Regulations pertaining to those services or information. That third party shall be subject to the obligations established in those regulations and may develop its own operational procedures to satisfy them.
Specific reporting and incident resolution procedures shall be established. It shall be ensured that third-party personnel are adequately aware of security matters, at least to the same level as established in this Policy.
When any aspect of the Policy cannot be satisfied by a third party as required in the preceding paragraphs, a report shall be required from the Security Officer specifying the risks incurred and how to address them. Approval of this report by the responsible parties for the affected information and services shall be required before proceeding.