At Muñoz Arribas Abogados, information is a fundamental asset for the provision of services and effective decision-making. Therefore, there is an explicit commitment to protect it as part of a strategy focused on business continuity, risk management, and the consolidation of a security-oriented culture, based on the three fundamental pillars of information security:

• Confidentiality: Ensuring that only authorized users have access to information.
• Integrity: Preserving the completeness and accuracy of information.
• Availability: Guaranteeing that users can access the information they need when they need it.

These pillars ensure information security across physical, logical, and institutional domains.

Understanding confidentiality, integrity, and availability as a reference framework, and aligning them with business requirements, Muñoz Arribas Abogados establishes the following security objectives:

• Ensure that information assets receive an adequate level of protection.
• Classify information to indicate its sensitivity and criticality.
• Define protection levels and special handling measures according to classification.

To achieve these objectives, Muñoz Arribas Abogados adheres to the following Information Security requirements:

• Security in Human Resources Management, before, during, and after employment.
• Proper asset management, including information classification and media handling.
• Establishment of robust logical access controls to systems and applications, managing user permissions and privileges.
• Protection of facilities and physical environments through secure workspace design and equipment security.
• Operational security through protection against malicious software, backups, logging and monitoring, software control, technical vulnerability management, and appropriate system audit techniques.
• Communication security by protecting networks and information exchange.
• Ensuring security in the acquisition and maintenance of information systems, limiting and managing change.
• Secure software development by separating development and production environments and conducting appropriate functional acceptance testing.
• Control of supplier relationships by contractually requiring compliance with relevant security measures and acceptable service levels.
• Effective management of security incidents by establishing appropriate channels for reporting, response, and timely learning.
• Implementation of a business continuity plan to protect service availability during crises or disasters.
• Identification and compliance with applicable regulations, with special attention to intellectual property and personal data protection.
• Regular review of these information security requirements to ensure their compliance and effectiveness.

The Management of Muñoz Arribas Abogados, through this Security Policy, commits to managing information security to meet the established security objectives, implementing risk treatment plans resulting from the corresponding analysis of the organization’s information systems.

Madrid, June 2025

Information Security Officer