DAROGAWAY, S.L. has as one of its objectives to try to safeguard the security of information, whether personal or not, and for this purpose establishes a system of information security with the aim of ensuring the reduction of risks associated with it and cybersecurity, that the information is accessible only by those users who have a legitimate need to perform their functions, that it is protected, available and used for the purposes for which it was obtained. For this purpose, DAROGAWAY, S.L. defines the following strategic objectives:

• Minimise the risks of loss of confidentiality, integrity and availability of the information received, generated, processed and stored by DAROGAWAY, S.L.

• Support the areas of the company in securing the information assets that support business operations and information with personal data.

• Raise the awareness of employees in relation to information security in the performance of their duties.

• Maintain an Information Security and Cybersecurity programme that supports the organisation's strategic objectives and new business projects.

• Compliance with legal requirements, commitments acquired with customers and suppliers and all other regulations, internal rules or guidelines to which the company is subject.

• Continuously improve the Information Security system.

• Promote awareness and training in information security.

• To ensure the capacity to respond to emergency situations, re-establishing the functioning of critical services in the shortest possible time.

The Information Security Policy concerns all users and applies to all information created, processed or used by DAROGAWAY, S.L., regardless of the medium, format, presentation or place where it is located. All security measures adopted are aimed at protecting the information and information systems that support it, including applications, operating systems resources, telecommunications networks and media, and computer equipment, whether managed by DAROGAWAY, S.L. or by those companies or personnel expressly authorised for this purpose, such as those who have signed a contract for the provision of services or data processing with DAROGAWAY, S.L. or legally authorised assignees. The Information Security and Cybersecurity Policy is focused on trying to ensure the following three major scenarios:

• Compliance with confidentiality, which implies that critical, sensitive, private or personal information managed by the organisation is not stolen or accessed by unauthorised persons.

• Minimising the impact on availability, where the services provided by the organisation are inaccessible or unusable.

• To ensure the integrity of information systems, avoiding the corruption of data or systems of the organisation that affect the accuracy or integrity of information and processing, and which could also affect the availability of services.

The Information Security Policy will be developed by means of security regulations that address specific aspects and will be reviewed at least once a year and whenever there are relevant changes in the organisation, in order to ensure that it is in line with the organisation's own strategy and needs. This policy is applied in all DAROGAWAY, S.L. work centres and is implemented in an Information Security framework in accordance with the ISO 27001:2022 standard.