Information Security Policy

At JULIÀ INTERNACIONAL, a Spanish multinational group specializing in mobility and tourism services, information security is an essential pillar for ensuring the continuity, reliability and resilience of the services we provide, as well as for protecting the trust of our customers, employees, partners, suppliers and other stakeholders.

The Information Security Policy establishes the general framework for protecting JULIÀ INTERNACIONAL’s information, systems and technological services, ensuring controlled access, confidentiality, integrity, availability, authenticity, traceability and preservation of data, information and services, in accordance with current legislation, the National Security Framework, ENS, ISO/IEC 27001:2022, the GDPR, the LOPDGDD, NIS2, where applicable, and all other applicable legal, regulatory, contractual and normative requirements.

This policy is based on the following commitments:

· Integrating information security into the strategy, processes and life cycle of information systems, from their planning and design to their operation, maintenance, review and improvement.

· Applying this policy to information systems, technological infrastructure, corporate devices, communications, services provided by third parties, cloud services and internal or external users who interact with JULIÀ INTERNACIONAL’s systems.

· Establishing a security organization based on defined roles and responsibilities, including the Information Security Committee and the roles of Information Owner, Service Owner, Information Security Officer and System Owner.

· Structuring, managing and controlling system security documentation, ensuring its availability, review, authorized access and consistency with the documentary framework of the Information Security Management System.

· Managing security risks on an ongoing basis, applying measures that are proportionate to the criticality of the information, services, systems and assets affected.

· Applying a protection strategy based on lines of defense, continuous monitoring and periodic reassessment, in order to adapt security to the evolution of risks, threats and the organization’s needs.

· Protecting information assets through appropriate organizational, technical and physical controls, including measures for the prevention, detection, response and recovery from security incidents.

· Ensuring that access to information and systems is limited to authorized users, processes, devices and third parties, in accordance with the principles of least privilege, need to know and traceability.

· Maintaining the integrity, updating, secure configuration, monitoring, activity logging and detection of malicious code in systems, in accordance with the established security procedures.

· Protecting information stored and in transit, as well as technological systems, communications, outsourced services and cloud services.

· Requiring suppliers and third parties to meet security requirements aligned with this policy, establishing coordination, supervision and communication mechanisms where appropriate.

· Ensuring compliance with applicable requirements regarding personal data protection, information security, service continuity and cybersecurity.

· Maintaining security incident management mechanisms, with procedures for detection, analysis, communication, response, recovery and post incident review.

· Promoting staff awareness, training and responsibility in the secure use of information, systems and technological services.

· Maintaining impact analyses, continuity measures and recovery mechanisms that allow the provision of critical services to be preserved in the event of interruptions or relevant incidents, in accordance with the applicable requirements.

· Reviewing, auditing and continuously improving the Information Security Management System, adapting it to the evolution of risks, threats, regulatory requirements and the organization’s needs.

Information security is the responsibility of all persons who are part of JULIÀ INTERNACIONAL or who collaborate with the organization. Management approves this policy and promotes the resources, responsibilities and mechanisms necessary for its implementation, review and continuous improvement.

This policy is effective from its approval by the Management of JULIÀ INTERNACIONAL in January 2026.