One of the aspects that has always distinguished Validated ID in the sector of providing trust services has been our vocation towards maximum legal certainty, which is why we have designed a robust service that guarantees not only legal compliance but also, submitting to technical standards that allow our clients to rest with absolute confidence that they are protected now and in the future.

1. Introduction

This legal security of our services is reflected at the organizational level in the commitment, as a trusted service provider, to the highest standards of legal technical security and quality, as witnessed by our certifications such as qTSP, ISO 9001, ISO 27001, ENS or HDS, among others and in strict compliance with current regulations in all its aspects, whether the specific regulations that regulate the provision of these trust services, such as those related to privacy and protection of personal data or even those purely commercial aspects.

2. Technical and organizational measures

Validated ID maintains appropriate technical and organizational measures in accordance with Article 32, GDPR, to ensure an appropriate level of protection in relation to the risk of processing. The following technical and organizational measures have currently been implemented at Validated ID. These measures are monitored and adapted to cutting-edge developments on a continuous basis.

The processing of personal data of the Data Controller will be carried out following in all cases the regulations in force on the matter, applying the corresponding technical and organizational measures according to the type of data processed.

In accordance with the above, theData Processor guarantees that it has implemented all the necessary measures for the processing of personal data owned by the Data Controller, in accordance with the measures described in the table below.

In any case, the File Controller may, at any time and without the need for any justification, request any information related to the security measures implemented, including certifications, adherence to codes of conduct, policies or any other type of internal documents of the File Manager.of the Treatment that allow the Controller to be certain that the obligations of the RGPD and the contract signed between the parties are respected.
‍
Measurement description

• Identification and authentication in treatment systems: Denying unauthorized persons  access to any processing systems linked to the processing of personal data.
• Media management:  Implementation of measures aimed at preventing the reading, modification, copying or theft of media without authorization.
• Data  access control: Ensure that authorized personnel have access only to data corresponding to their role or user profile.
• Communications  control: Measures aimed at verifying and identifying which people have been provided with the data, or who have been able to access it through the company's telematics  systems (communication systems or cloud storage, VPN, etc.).
• Modification log: Measures  that allow identifying what data has been modified, by whom, and at what  time.
• Control in the transfer of information: Security measures implemented in the transfer of  media containing personal data.
• Systems and data recovery: Measures aimed at guaranteeing that, in the event of  interruption, disabling in any form or destruction of the systems intended  for data processing, they and the data can be recovered (Backups, disaster recovery protocols, etc.)
• Integrity:  Implementation of an incident management system that allows errors to be identified, and in any case, personal data cannot be compromised (or corrupted) due to a malfunction of the systems.

Description of its implementation by the Data Processor

• Access  to the environment by username and password and for privileged users, forced  access by 2FA.
• IP  access control. It can only be accessed from the countries we stipulate.
• External  USB media is prohibited by policy and blocked by GPO.
• Profile  management and periodic review of them through AD and access management.
• Access  to systems through VPN by personal certificate.
• Administrator  activities recorded and correlated by corporate SIEM
• External  USB media is prohibited by policy and blocked by GPO.
• Georedundant  CPD (Primary in the Netherlands, secondary in Ireland).
• Periodic  service backups.
• Partially  tested disaster recovery protocols.
• We  have an internal incident management and processing tool. Security Committee  for the management and monitoring of security-related issues as well as the  evolution and treatment of incidents. In the event that the incident affects  Personal Data, it is taken into account, from the initial moment, to the DPO.

3. Security measures implemented

All business operations are aimed at secure data processing, in compliance with legal provisions within the European regulatory environment and with the recommendations of data protection supervisory authorities.

Data storage at Validated ID offices is deliberately and completely avoided. All backups are stored in specialized CPDs under high availability standards.

Validated ID offices have access possibilities to the data groups necessary for the implementation of product-related tasks in the relevant departments. A comprehensive concept of roles and rights has been implemented to always align access rights with the principle of the least privileged user account. The concept of data protection in the offices and with respect to clients of employees in the respective departments is continuous, to prevent all unauthorized access to databases andIT infrastructure.

These measures are described ingreater detail below:

1. Encryption measures

Measures or processes through which clearly readable text or information becomes illegible, for example by becoming not easily interpretable or a sequence of characters (encrypted text) with the help of encryption procedures (cipher systems).

2. Measures to ensure confidentiality

Measures that deny physical access to computer systems and data processing systems used to process personal data to unauthorized persons, as well as to confidential files and data carriers:

• Physical access to Validated ID offices:
  • Additional door security through electronic tokens.
  • Office security through surveillance equipment (alarm system, exterior video surveillance).
  • Monitoring of the building by a manager.
  • Front desk staff during regular business hours.
  • o  In general terms there are no external visitors; clear rules for screening visitors.
• Physical access control to the data center.
• CPD located in Azure, Microsoft's private location under its access and audit policies.
• Access control systems:
  • Access authorizations for all data processing systems.
  • Computer systems and end-user devices require authentication through password procedures, for example, personal and individual login each time the System is accessed.
  • System enforcement of standards for individual passwords in accordance with the password policy.
  • Access lists.
    • Logging login attempts and terminating the login process after a set number of failed attempts.
  • Regular update of antivirus and anti-spyware filters.
  • Firewalls; additional intrusion detection and prevention; vulnerability scans and active security patches in the data center.
• Data access control
  • Authorization concepts (profiles, roles, etc.) including documentation.
  • Restriction of authorizations through group and hierarchical authorizations according to the principle of least privilege.
  • Installation and documentation of user accounts carried out only by internal IT and based on authorization concepts.
  • Evaluation/registration; Automatic monitoring processes for logging and reporting anomalies.
  • Interfaces to block input and output (e.g. USB sticks, strict port control) on all systems that process personal data.
  • When an employee leaves the company, their user account, including all authorizations, is immediately deleted; This is always checked against the documentation of the authorizations assigned to said employee.
• Separation control
  • Authorization concepts.
  • Separation of clients from the computer application side.
  • Strict separation of development, integration, pre-production systems from production.

3. Measures to ensure integrity

Measures to ensure that personal data cannot be read, copied, modified or deleted by unauthorized persons when transferred electronically or when transported or stored on data carriers, and measures to examine and establish the recipients to whom personal data should be transmitted.

• Data transmission control
  • All employees have the obligation to comply with data protection regulations.
  • Data transmission is carried out over encrypted networks or tunnel connections; In principle data is always transmitted using server-side SSL/TLS encryption.
  • Transportation processes under individual responsibility.
  • Encryption methods and certificates that detect modifications made during transport.

4. Measures toensure availability and resilience

The data is located in CPD owned by Azure, with high availability and ease of movement between centers so that if one is affected, another can occupy its workload.

5. Digital signatures

Format. The digital signatures applied are in PADES B-LT format. LT stands for "Long Term." This means that the signature can be validated after the certificate expires because the certificate revocation information is embedded, as well as timestamps.

Algorithms. Digital signatures are made using:

• RSA
• SHA-512

Certificates. An OTC (One time certificate) is issued for each biometric signature performed.

By default, VIDsigner uses Firma Profesional as the TSP for OTC issuance, but can be configured to use OTC from other TSPs.

Duration. Single-use certificates are issued with a duration of 24 hours. This ensures that it cannot be used for another purpose.

Since the signature format is PADESB-LT, the signature remains valid after the certificate expiration date.

Time stamps. PADES B-LT contain a timestamp to ensure the time at which the signature was made and that the certificate has not been revoked at that time.

The RFC-3161 (TimeStamp Protocol)standard is used to request and create time stamps.

By default, VIDsigner uses its own stamps and issues them as QTSP, although it can also be configured to useTimeStamps from other TSPs.

4. Treatment assignment contract

The regulation of the relationship between the controller and the processor must be established by means of a data processing contract, the content of which is regulated in art. 28 RGPD. The contract must be in writing, including in electronic form. In this sense, the relationship between Validated ID-Partner-Client can give rise to multiple casuistry, which would require the drafting of custom-made assignment contracts, although Validated ID incorporates as an annex to its Terms andConditions of Service a generic standard assignment contract that allows the legal protection of the parties.

Establishes the conditions under which Validated ID will process personal data, for which the end client will be the Controller and in which Validated ID will be the Processor or Subprocessor, depending on the case.

5. Data communication

In general, personal data will not be communicated to third parties, except under legal obligation, which may include communications to Public Entities, Tax Agency, Judges and Courts.

In relation to the data collected by VALIDATED ID as Data Controller, they will be stored on servers owned by the Data Controller in the territory of the European Union. They will not be assigned or transferred to third parties, nor will transfers be made to third countries, except in the cases detailed in section 1) and in a generic manner:

Public Administrations. Public Entities, Tax Agency, Judges and Courts and, in general, competent authorities, when VALIDATED ID SL has the legal obligation to provide them.

External service providers. For the correct provision of the service, VALIDATED ID obtains the services of third parties that must access personal data under our responsibility. This is a processing order in which the aforementioned data are processed in the name and on behalf of VALIDATED ID Las a consequence of its provision of services, only contracting services from companies that guarantee compliance with data protection regulations.

VALIDATED ID SL follows strict criteria for selecting service providers to comply with its data protection obligations and undertakes to sign the corresponding data processing contract with the service providers through which it will impose, among others, the following obligations: apply appropriate technical and organizational measures; process personal data for the agreed purposes and taking into account only the documented instructions of VALIDATED ID SL; and delete or return the data to VALIDATED ID SL once the service has been provided.

VALIDATED ID informs that in accordance with what was indicated above, the following entities will be Subprocessors:

• MICROSOFT IRELAND OPERATIONS LIMITED for the provision of cloud computing (AZURE) and email (OUTLOOK) services, (VAT No. IE8256796U, and registered office at Atrium Building Block B, Carmenhall Road, Sandyford Industrial Estate, Dublin 18, Ireland) on its servers located in the territory of the EU (The Netherlands).
• SALESFORCE, Inc. for the provision of CRM services in relations with customers, suppliers and marketing actions, on its servers located in the EU territory.
• INSTASENT MOBILE ADVERTISING S.L. for the provision of SMS sending services with OTPin the signature channels that require it in their signature processes, withCIF 87413829 and registered office at C/ Gran Vía, 28, 28013 Madrid, in its servers located in EU territory.
• LLEIDANETWORKS SERVEIS TELEMÀTICS S.A. for the provision of SMS sending services with OTP in the signature channels that require it in their signature processes. Provided with CIF A25345331 and registered office at Calle Tellez, 56 - LOC C, Madrid, on its servers located in EU territory.
• TWILIO for the provision of SMS sending services with OTP, as well as the sending of emails for access to documents in the signature channels that require it in their processes. Provided with CIF and registered office at 101 Spear Street, Suite100, San Francisco, CA 94105, on its servers located in EU territory.
• ZENDESK INC for the provision of the service of technical incident management through tickets, with registered office at 1019 Market Street, San Francisco, CA 94103, UnitedStates, on its servers located in EU territory.
• INTERCOM R&D Unlimited Company for the provision of real-time web chat service.Provided with CIF, and registered office at 3rd Floor, Stephens Court, 18-21Saint Stephen's Green, Dublin 2, on its servers located in EU territory.
• UANATACA S.A. for the provision of trust services issuance/custody of digital certificates. Provided with CIF A66721499 and with registered office at Calle Riera de Can Todà no24,6o1a, 08024 in Barcelona, on its servers located in EU territory

VALIDATED ID will not sell, trade or otherwise transfer the personal data collected to third parties, nor will it make any international transfer of data outside the EU.