
GRUPO UAX Information Security Policy

INFORMATION SECURITY POLICY

VERSION: 1.0
APPROVED BY: Governing Board
APPROVAL DATE: 03/03/2026
ISSUING AREA: Technology & Transformation Department

SCOPE: Employees of the UAX Group, suppliers and third parties handling group information.

VERSION CONTROL

APPROVAL DATE | VERSION | REASON AND SUMMARY OF CHANGES
03/03/2026    | 1.0     | Creation of the document

1. Introduction and Purpose

For the protection and proper use of information, the UAX Group establishes as a guideline that each entity of the UAX Group shall implement an Information Security Management System (ISMS) based on the ISO 27001 standard.

The ISMS provides a reference framework to guarantee the appropriate use of information and the secure management of processes, promoting continuous improvement and ensuring compliance with applicable legal, regulatory and contractual requirements.

This Policy represents the basis of the ISMS and defines the essential principles, rules and procedures for information security within the UAX Group, with the aim of preserving the confidentiality, integrity, availability and traceability of information.

The requirements set out in this Policy represent the minimum required; however, each entity of the UAX Group may develop a more detailed or advanced policy, according to its needs and level of maturity in information security.

2. Objective

The purpose of this Policy is to establish the basic principles and rules for information security management, ensuring:

  • Confidentiality: Access to systems and assets containing corporate information is restricted exclusively to authorised persons, with adequate control mechanisms guaranteed.
  • Integrity: Accuracy and reliability of the information, avoiding unauthorised alterations by means of controls, as well as audit records that provide evidence of, and allow supervision of, the correct management of the information.
  • Availability: Information accessible to authorised users when required.
  • Legal compliance: Alignment with current legislation at all times, including the protection of personal data.
  • Continuous improvement: Periodic evaluation and updating of policies, procedures and controls to adapt to new threats, organisational, technological or regulatory changes.

The UAX Group Management assumes the commitment to support the implementation of the organisational, technical and control measures necessary to comply with this policy.

3. Scope

This policy applies to:

  • All UAX Group employees, suppliers and third parties handling UAX Group information.
  • All systems, devices and information assets, whether in-house or external, that process UAX Group data.

For the purposes of the Policy, "UAX Group" refers to all those entities that form part, under the terms of article 42 of the Code of Commerce, of the group of companies whose parent company is Guadarrama Proyectos Educativos, S.L.

4. Information Security Principles

  • Commitment of the organisation: The entire UAX Group community must be committed to information security.
  • Integrated security: Security must be considered in all processes, systems and activities of the UAX Group, including suppliers and outsourced services.
  • Risk management: Continuous risk assessment using recognised methodologies (ISO 31000, Magerit or COBIT), applying appropriate controls and ensuring documented recording, treatment and follow-up.
  • Proportionality: Application of security measures in accordance with the risk of the assets.
  • Continuous improvement: Periodic review and updating of security measures and procedures.
  • Security by design and by default: Consideration of security from the conception of systems and processes.
  • Shared responsibility: All users must ensure information security, through awareness programmes and incident reporting.

5. Roles and Responsibilities

  • Executive Committee: Provides support and leadership in the implementation of information security.
  • Chief Information Security Officer (CISO): Coordinates, verifies and documents compliance with the ISMS and legal and regulatory obligations.
  • Data Protection Officer (DPO): Ensures compliance with regulations on personal data protection.
  • Users: Comply with the policy and report incidents.
  • Suppliers and third parties: Ensure compliance with security requirements and applicable regulations through contracts, confidentiality clauses and specific agreements, guaranteeing that they comply with the security standards of the UAX Group.
  • Information Security Committee: Leads, supervises and coordinates all ISMS-related activities within the organisation.

6. Risk Management

Risk analysis and management are a fundamental pillar of the ISMS. Recognised or widely accepted methodologies, such as ISO 31000, Magerit and COBIT, shall be adopted.

All risks must be recorded, assessed, addressed and documented, including acceptance criteria, responsible parties and evidence of follow-up.

The review of the risk analysis shall be carried out at least once a year or in the event of serious incidents or significant changes in information systems.

7. Training and Awareness

The UAX Group shall implement an ongoing information security training and awareness programme for employees and third parties with access to critical information.

Records of attendance, content and evaluations shall be maintained to ensure evidence of compliance and effectiveness.

8. Policy Maintenance and Review

The policy shall be reviewed annually by the CISO, and whenever regulatory or technological changes or relevant incidents occur.

All reviews shall be documented, indicating date, responsible parties and changes made to maintain audit evidence.

9. Compliance and Sanctions

Failure to comply with this policy may result in disciplinary, contractual or legal sanctions depending on the severity of the breach.

Sanctions will be applied following documented procedures, ensuring proportionality and evidence for external and internal audits.

10. Approval, distribution and updating

This Policy was approved by the Board of Directors of Guadarrama Proyectos Educativos at its meeting on March 3, 2026, coming into force from the moment of its approval.

This Policy is an easily accessible document for all Members of the UAX Group, available at all times through the employee portal, in the corporate documentation section. In addition, it will be sent by e-mail at least once a year, and whenever updates are made.

The CISO will ensure the correct application of the Policy, monitoring it annually and carrying out the necessary reviews and updates.
