Ommnio Sign - Information Security Policy

GENERAL INFORMATION
Document Control
Security classification: Public
Version: 1.0
Edition date: 6 March 2026
File: PSI_Pública_OMMNIO_v1
Code: PSI-PUB-002

Document Review
Prepared by: Audea — 6 March 2026
Reviewed by: Security Officer — 9 March 2026
Approved by: Security Committee — 9 March 2026

Version Control

Version | Changed Sections | Change Description | Change Author | Change Date
1.0 | Original | Document creation | Audea | 6 March 2026

INFORMATION SECURITY POLICY

1. Introduction

This document establishes the Information Security Policy (ISP) of The Ommnio Communications, S.L. (hereinafter OMMNIO), as a provider of technology services and as a non-qualified trust service provider in accordance with Regulation (EU) No 910/2014 (eIDAS), with the objective of ensuring the protection of information and associated assets within the framework of the provision of its OmmnioSign advanced electronic signature service.

The ISP summarises the principles and guidelines adopted by OMMNIO to ensure the confidentiality, integrity and availability of information, and reflects the organisation's commitment to the security and continuity of its services. This policy is framed within compliance with the regulations applicable to OMMNIO's activity as a trust service provider, including Regulation (EU) No 910/2014 (eIDAS), Directive (EU) 2022/2555 (NIS2), Law 6/2020 regulating certain aspects of electronic trust services, and Regulation (EU) 2016/679 (GDPR).

2. Commitment to information security

OMMNIO's Management recognises the importance of identifying, protecting and appropriately managing its information assets, including those of clients, employees and technological infrastructure, preventing unauthorised access, loss, alteration or improper disclosure of information.

OMMNIO is committed to developing, maintaining and continuously improving its Information Security Management System (ISMS) in accordance with applicable international best practices.

OMMNIO's Management assumes responsibility for ensuring that information security is managed effectively and consistently with the organisation's objectives. Its principal responsibilities include:

  • Defining and periodically reviewing information security goals and priorities, aligned with the company's strategy and context.
  • Identifying, assessing and managing risks to information and assets, considering possible threats and their potential impact.
  • Establishing and implementing control measures to minimise significant risks, ensuring they are maintained within acceptable levels.
  • Monitoring the effectiveness of implemented controls and measures, making adjustments and improvements where necessary.
  • Ensuring compliance with legal, regulatory and contractual requirements related to information security.
  • Ensuring the protection of personal data processed in the context of service provision, in accordance with Regulation (EU) 2016/679 (GDPR), designating a Data Protection Officer (DPO) as the point of contact for the exercise of data subjects' rights.
  • Promoting a security culture through awareness and continuous training programmes aimed at employees and third parties involved in the provision of services.
  • Providing the necessary resources for the implementation and maintenance of the ISMS, including qualified personnel, financial resources, processes, technological tools and adequate infrastructure.

Information security management is founded on the following essential principles:

  • Availability: ensuring that information and associated resources are accessible to authorised users when required.
  • Confidentiality: ensuring that only authorised individuals are able to access information.
  • Integrity: maintaining information as complete, accurate and traceable, preventing unauthorised alterations.
  • Authenticity: ensuring reliable linkage between information, its origin and the identity of the parties involved.
  • Non-repudiation: ensuring that actions performed on information, in particular the electronic signing of documents, cannot be denied by their authors.

3. Information security objectives

OMMNIO establishes its information security objectives on a periodic basis, taking into account the organisation's context, the risks associated with information and the commitments made to clients and interested parties.

These objectives reflect the company's commitment to protecting information and associated assets, ensuring they are managed in a secure, reliable manner and in accordance with applicable legal and contractual obligations.

The achievement of these objectives is monitored and evaluated on an ongoing basis through the tracking of implemented security practices, incident review, system review and staff training. This makes it possible to identify opportunities for improvement and strengthen the resilience of services against potential risks.

OMMNIO maintains a continuous improvement approach, ensuring that objectives adapt to changes in the environment, to evolving risks and to the requirements of its clients, promoting confidence in the provision of its technology services.

The information security policy is established in a manner consistent with OMMNIO's business strategy and objectives, ensuring that the security of network and information systems supports the reliable and secure provision of the technology services offered by the organisation.

4. Administration of the Security Policy

This policy is administered by OMMNIO as part of its Information Security Management System.

Updates and revisions are carried out through internal document management and change management procedures, ensuring that roles and responsibilities are clearly defined and that the policy is implemented effectively throughout the organisation.

5. Scope and field of application

This policy applies to all activities related to the provision of the OmmnioSign advanced electronic signature service by OMMNIO, including information management, technological infrastructure, authentication mechanisms and the chain of evidence associated with the service.

Compliance with this policy is mandatory for all OMMNIO personnel, as well as for third parties participating in the provision of services.

6. Communication

This policy is published on OMMNIO's website and made available to employees, collaborators, clients and relevant interested parties. Its content is incorporated into the organisation's training and awareness programmes, as well as into the contractual documentation of the service where applicable. For detailed information on the practices of the electronic signature service, interested parties may consult the publicly available Service Practice Statement (SPS) and Terms and Conditions.