At IO – IMMERSIVE OASIS, we have established a Quality Management System in accordance with the guidelines of ISO 9001:2015, through which we commit to generating trust among our clients.  To achieve this, we have based our approach on criteria of loyalty, satisfaction, and continuous improvement.

To fulfill this policy, at IO – IMMERSIVE OASIS, we set and commit to the following guidelines

1. Certify our organization in compliance with ISO 9001:2015 to gain recognition from our clients.
2. Increase and motivate the competence and performance of our employees.
3. Enhance the efficiency and overall performance of our company, based on process management, which includes a meticulous analysis of risks and opportunities as a critical process, places the user at the beginning and end of our work. This allows us to manage our activities and resources more effectively taking into account the needs and expectations of stakeholders, as well as their evolution.
4. Provide our clients with the best technical advisory and consulting services in the engineering sector to fully meet their requirements.

The assurance of compliance with these guidelines, along with our commitment to continuous improvement, ensures the fulfillment of our primary commitment:

CUSTOMER SATISFACTION.

Regarding INFORMATION SECURITY:

IO – IMMERSIVE OASIS bases its activities on the processing of different types of data and information, which allows it to execute its business processes.  The systems, programs, communication infrastructures, files, databases, archives, etc., constitute the main assets of IO – IMMERSIVE OASIS, such that damage or loss of these assets impacts the execution of its operations and may endanger the continuity of the organization..

As priority objectives, it should be:

• • • • Guarantee an efficient service to our clients, with a high level of quality and security, preserving their rights and their trust.

      • Protect the intellectual capital of the Organization to prevent its unauthorized disclosure or misuse.

To ensure this, the following Information Security Policy has been designed, with the following principles and objectives:

• • • • Information, both internal and that of our clients, has strategic value for the business and must be protected against unauthorized access and alterations, maintaining its confidentiality and integrity.

      • The source of the information must be reliable. The credibility of the information is determined by the authenticity of its source.

      • Information must be available, allowing authorized access whenever necessary.

• • • • The protection of information will be carried out through the application of control measures on the assets that store or process it: people, media, facilities, communications, systems, applications, etc. These measures must be proportional to the value of the asset being protected. The security controls applied will never exceed the cost of the assets they protect or the damage that could occur due to their absence.

      • Any technical or organizational means capable of safeguarding information must be coordinated and aligned with the business.

      • Information security is not just an internal act, so formal commitment from suppliers and collaborators regarding information security management must be obtained.

      • Information security is everyone’s responsibility. Every user is obligated to comply with the imposed requirements and to report any signs that may compromise it.

      • The continuity of critical business operations must be ensured.

      • Security requirements and their compliance must be periodically reviewed and verified.

      • The processing of information and the security measures applied must always be aligned with applicable laws, regulations, and standards.

To fulfill these principles and objectives of information security, the following must be done:

• • • • Define responsibilities in information security by generating the corresponding organizational structure.

      • Establish a system for classifying information and data to protect critical information assets.

      • Develop a set of rules, standards, and/or procedures applicable to management, employees, partners, external service providers, organizational assets, and operations on them, etc.

      • Specify the consequences of non-compliance with the Security Policy in the workplace.

      • Evaluate risks affecting assets to implement appropriate security measures/controls in accordance with the risk analysis and management methodology defined in the document “AR|IO-01 Risk Analysis and Management Methodology.”

      • Protect assets through controls/measures against threats that could lead to security incidents.

      • Mitigate the impact of security incidents as quickly as possible to minimize their effects and obtain evidence for identifying and proving security breaches.
      • Monitor and control information traffic through communication infrastructures or data transmission using optical, magnetic, or paper-based media.
      • Track and record logical and physical access to information and associated systems, ensuring identification of those accessing them.
      • Verify the effectiveness of security measures through internal security audits conducted by independent auditors.
      • Control security measures, assessing the number, nature, and impact of incidents.
      • Train users in security management and information and communication technologies.
      • Protect people in the event of natural disasters, fires, floods, terrorist attacks, etc., through emergency plans.

• • • • Observe legislation regarding data protection, intellectual property, labor, information society services, criminal law, etc., that affects the Organization’s assets.

      • Reduce the possibilities of unavailability through the proper use of the Organization’s assets.

Gijón, September 1, 2024

Gabriel Cerra – CEO of IO – IMMERSIVE OASIS.