Corporate Policy
INTRODUCTION
The Redsys Group is made up of different companies whose corporate purpose is mainly focused on providing the market with technological solutions, communications and R&D in the means of payment and healthcare sectors. These companies are:
- Redsys Servicios de Procesamiento, S.L.: Redsys operates in the means of payment sector and is the national benchmark in the provision of operational and IT services related to the use of cards and other means of payment.
A leader in the payment processing sector in Spain, Redsys' IT and operational capabilities enable it to authorise, process and settle a large volume of card transactions that take place every day in Spain, in real time and in a secure manner.
Redsys' mission is to provide quality, flexible, innovative and sustainable payment services, operating throughout the entire transaction lifecycle, from acquiring to authorisation, as well as providing client care and fraud services.
One of Redsys' main contributions to the Spanish financial sector is the establishment of a largely online authorisation system. This system allows terminals to connect directly to the card issuer to request authorisation in real time. In this way, a higher level of transaction security is guaranteed, making Spain's fraud levels among the lowest in the world.
- Redsys Salud, S.L.: in addition to the financial sector, Redsys Group offers its processing services to the healthcare sector through Redsys Salud, which provides services to all the actors that make up the healthcare business ecosystem: health insurance companies, hospitals, clinics, doctors...
Redsys Salud provides innovative, secure and versatile technological services such as electronic invoicing, online appointments, identification of the insured via mobile phone, the e-prescription system (electronic prescription) and video medical consultation.
- Redsys Servicios de Procesamiento Latinoamérica, S.A.C. (Peru) and Redsys Servicios de Procesamiento Colombia, S.A.S. (Colombia): both companies focus on the provision of network management services, including the provision (through rental, purchase and sale or any other similar legal business) of point-of-sale terminals or other similar or analogous devices, as well as the provision of installation, maintenance and/or support services in relation to such devices and systems, in addition to the provision of any other type of service ancillary or related to the above, among other activities of great importance in the international means of payment sector.
- Gestora Patrimonial Calle Francisco Sancha 12, S.L. (GEFRASAN): the Company's corporate purpose is the acquisition, holding, administration, management, leasing, operation, disposal by any title and disposal of all kinds of real estate or rights over them, whatever their purpose, for its own account and without intermediation, the provision of services related to means of payment, as well as other administrative and auxiliary services, and the holding and administration of rights, obligations, bonds, fixed-income or equity securities, public or private, shares and holdings in all kinds of companies.
It may carry out these activities both in Spain and abroad.
REDSYS GROUP COMMITMENTS
Redsys Group management hereby recognises that risk is inherent in its business and that risk management is fundamental to achieving its purposes and successfully executing its strategies.
Therefore, it undertakes to maintain the level of risk within the limits it considers acceptable, in order to guarantee at all times the confidentiality, integrity and availability of the information and personal data processed, as well as the continuity of the business services provided by the company, paying special attention to those that are critical. The aim is to ensure the provision of quality, flexible, innovative, efficient and sustainable payment services over time, making the Redsys Group a leader in the markets where it serves its clients by representing the best option in the provision of payment services.
POLICY OBJECTIVES
In order to demonstrate the Redsys Group's commitments, the purpose of this Policy is as follows:
- To protect the information and personal data of the Redsys Group and its clients, together with the technologies used for its transmission, processing or storage, against internal or external threats, whether deliberate or accidental, in order to ensure its confidentiality, integrity and availability.
- Identify existing and potential risks and address them in a planned manner so that they have the minimum impact on the business should they materialise.
- Extend the risk culture, bringing greater value to the business, and integrate the risk-opportunity vision through the definition of the strategy and the amount of risk that the organisation assumes, and the incorporation of this variable into strategic, tactical and operational decisions, both at a technical and organisational or procedural level.
- Avoid interruptions in the services provided by Redsys Group as a result of incidents or, at least, minimise the impact and recovery time, especially in business-critical services and those services that are essential for society.
- Continuously improve the effectiveness, efficiency and quality of services and the management system.
- Comply with the regulatory and legal requirements and contractual obligations applicable to the Redsys Group and ensure compliance by third parties and data processors to whom activities are delegated.
- Ensure that services are aligned with clients' needs.
- Ensure due diligence and demonstrate the principle of proactive data protection responsibility (accountability) based on continuous improvement.
- Establish an ongoing training and awareness programme to ensure that all staff and collaborators are aware of their duties and obligations regarding risk management, information security, business continuity and service management, in particular the risks associated with the information they handle in their work and the mechanisms to be used to protect it.
- Consider security and business continuity as an integral part of each stage of the system lifecycle, from conception to withdrawal from service, including the definition of requirements in planning, development or acquisition decisions, and in operational activities.
- Ensure the optimal configuration, location, traceability and assurance of the environmental and physical security conditions for the proper functioning of the physical elements of the Redsys Group's IT system, which supports all the services provided by the group.
SCOPE
This Policy affects all the services provided by the Redsys Group, including all the companies that comprise it, as well as all processing of information and personal data in the Redsys Group services, whether it is information of its own, of its clients or of third parties involved in the provision of the service and regardless of the form in which it is transmitted, processed or stored, or the medium in which it is found.
Any person who works in or for Redsys Group or who needs access to Redsys Group's information and/or systems must comply with the provisions of this Policy, as well as with all the regulations derived from it.
When the Redsys Group provides services to third parties or manages their information, it must inform them of this Policy. To this end, coordination channels and procedures for action in the event of incidents or security breaches will be established.
When the Redsys Group uses third-party services or provides them with information, it will inform them of this Policy and the regulations that apply to said services or information, which they are obliged to comply with, and will supervise the level of compliance established. Procedures will be established for action in the event of incidents and mechanisms for monitoring compliance by third parties.
FOUNDATIONS AND PRINCIPLES
In defining this policy, management takes the following basic principles as a basis:
- Risk management: Risks are identified and analysed and risk mitigation actions are undertaken based on the organisation's need for risk reduction. The measures applied must be proportionate to the risk.
- Comprehensive security: Security is considered as a global process, encompassing physical, logical, organisational and human aspects, making it possible to define a single protection strategy.
- Identification, protection, detection, response and recovery: not all measures are aimed at the same objectives.
  - Identification measures provide knowledge of assets and functions to manage the organisation's risks.
  - Protective measures are intended to prevent incidents from occurring or to minimise their occurrence.
  - Detection measures serve to identify potentially dangerous events. They must be accompanied by response measures.
  - Response measures address the detected event, minimising any damage that may have occurred.
  - Recovery measures make it possible to restore information or services that may have been affected by an incident.
- Security in depth: Successive layers of protection must be in place so that an incident is not able to develop its full damaging potential should it occur. To this end, the lines of defence must consist of measures of an organisational, physical and logical nature.
- Quality management: Plans for the improvement and evolution of services are planned and their level of quality and efficiency is measured. The evolution strategy has to meet the Redsys Group's business needs and client expectations.
- Periodic reassessment of measures: Measures are reassessed, at least annually, to verify that they remain appropriate, both with respect to identified risks and to new risks that are identified, and that they remain effective.
- Segregation of duties: Separation of responsibilities to avoid conflicts of interest that may be detrimental to security.
- Continuous improvement: The implemented comprehensive security process is constantly updated and improved on an ongoing basis.
GUIDELINES
By means of this Policy, the General Management of Redsys Group establishes the following guidelines and is committed to their implementation:
- Management should ensure that risk, information security, privacy, business continuity and service management competencies are assigned to one or more groups that function as a steering body, and that the commitment of the Directorate General to that body is made clear by providing the means and powers necessary to carry out its functions.
- Definition and implementation of the appropriate organisation, distribution of responsibilities and effective allocation of the necessary resources to comply with this Policy in all the processes carried out in the Redsys Group and in the management of its assets.
- Risk management, information security, quality and business continuity as continuous improvement processes, through the implementation and maintenance of an Integrated Management System (IMS) that includes Risk Management, Information Security, Privacy, Business Continuity and Service Management, based on the ISO 31000, ISO 27001, ISO 27701, ISO 22301 and ISO 20000 standards.
- Risk assessment and risk management for all new projects. Review, at least annually, of existing processes and systems, or whenever there is a major change in infrastructure or a major incident occurs.
- Risk assessment and risk management of personal data processing. Review, at least annually, of processes and systems linked to data processing, or whenever there is a major change in infrastructure or a serious incident occurs.
- The service levels established for each of the services will be documented and will specify the levels to be met. These service levels must be supported by appropriate mechanisms to ensure compliance and must be made known to clients. All staff will ensure that the services provided comply with such service level agreements.
- All services provided by Redsys Group will be properly quoted and accounted for. Their costs will be financially controlled and any deviations detected will be appropriately corrected.
- Holding regular meetings with clients to identify their needs, monitor their level of satisfaction with the services provided, and identify any changes or requests for improvements to the services offered, as well as any complaints that may be lodged in relation to them.
- Definition, implementation and review of the organisational, procedural and technical controls necessary to guarantee the confidentiality, integrity and availability of the information managed by the Redsys Group, as well as of the flow of information to and from outside the company.
- Definition, implementation and review of the organisational, procedural and technical controls necessary to guarantee compliance with the privacy regulations applicable to the processing of personal data managed in the Redsys Group, including by the data processors to whom processing is delegated.
- Management must ensure that personal data is only processed (both in its capacity as data controller and in its capacity as data processor) on a lawful basis in accordance with the regulations applicable to this matter, requesting consent in the personal data collection processes where this applies, through the mechanisms defined for each activity.
- Unambiguous user identification for access to systems and information, and assignment of permissions based on the principles of "least privilege" and "need to know"[1]. Assignment of special privileges (administrator, root or similar) in a restricted and controlled manner and never by default.
- Monitoring of the use of information systems for the early detection of malicious activity or anomalies in service delivery levels, as well as to assess the effectiveness and efficiency of the controls in place.
- Immediate notification by every user to the Corporate Security area of any confirmed or suspected security breach and/or anomalous behaviour that could affect the service.
- Application of a consistent and effective approach to incident management, including the recording of incidents, together with the method of resolution adopted, in the corporate tool defined for this purpose.
- Correct and efficient communication of incidents that may cause interruptions in the services provided by the Redsys Group, both to the interested parties and to the affected parties.
- Compliance with the security requirements regarding personal data protection under current legislation in this area and card data processing (PCI), as well as those derived from laws, regulations (Means of Payment Schemes, European Central Bank) or contractual obligations applicable to the Redsys Group.
- All problems identified, whether as a result of preventive identification activities or of incident management, will be properly analysed to identify the underlying cause of the error, and the necessary solutions will be applied to remedy or mitigate its effects.
- Definition and development of a holistic security process and an integral protection strategy for information systems aimed at guaranteeing, in appropriate terms, the continuity of Redsys Group services that are critical for the business or essential for society.
- Approval and execution of a global and periodic continuity test plan that minimises the risk of unavailability of the Redsys Group's critical services.
- Adequate registration and maintenance of the configuration items (CIs) and of the characteristics necessary for the management of the services, identifying the relationships between the CIs and each of the services. Periodically, in a planned manner, the accuracy of the configuration information will be verified and any mismatches identified will be corrected.
- Any changes to services must be initiated by a formal change request and authorised in accordance with the Redsys Group Change and Delivery Management Policy and Procedure.
- Periodic audits to verify the correct functioning of the management systems and of the security, privacy and continuity controls, determining the degree of compliance and establishing the necessary improvement actions and corrective measures for compliance with policies and procedures.
[1] Each user will have access only to those resources they need to carry out their work and with the minimum possible permissions.
LIABILITIES FOR NON-COMPLIANCE
The performance of any activity that implies a breach of this Policy and that is regulated by the corresponding legislation will result in the application of the corresponding legal responsibilities.
In the event of a breach of this Policy not regulated by legal provisions, this action will be dealt with by the Redsys Group Management, and the sanctions provided for in the Redsys Group disciplinary regime and the applicable agreement will be applied.
In the case of third party personnel, the measures provided for in the contract will apply and will be enforceable against the legal person.