UNIFIT Information Security Policy

Last updated January 2026

Information security objectives

Seduni Torcar S.L., through the commitment of its Senior Management, establishes the following strategic objectives as a framework for its Information Security Management System (ISMS), in accordance with ISO/IEC 27001.
The organization must protect its information assets against threats that could compromise their confidentiality, integrity, and availability.

  • Confidentiality: Information must be accessible only to authorized personnel and systems.
  • Integrity: The accuracy and completeness of information and its processing methods must be safeguarded, preventing unauthorized modifications.
  • Availability: Authorized users must be guaranteed access to information and associated assets when required.

 

To achieve these objectives, the organization commits to:

  • Implement and maintain an ISMS based on a risk management approach, as described in the “PRO Risk Management Procedure”.
  • Comply with all legal, regulatory and contractual requirements applicable to information security.
  • Promote a security culture in which all staff share the responsibility for protecting information.
  • Promote the continuous improvement of the ISMS through the definition and monitoring of specific goals, managed through the “PRO Objectives and planning for their achievement”.

The CEO & Founder is ultimately responsible for ensuring that these objectives are integrated into business processes and have the necessary resources for their achievement.

Fundamental principles of information security

Risk-based approach:

  • Security is managed by identifying, assessing, and mitigating risks, ensuring that controls are proportionate to their impact.


Shared responsibility:

  • Information security is the responsibility of the entire organization, including management, employees, and third parties.


Regulatory compliance:

  • The organization will comply with all applicable legal, regulatory, and contractual requirements.

Governance and Policy Review

This policy is the highest-level document of the ISMS (Information Security Management System). Its management is governed by the following principles:

  • The CEO & Founder must approve this policy and any substantial modifications to it.

  • The ISO 27001 and 9001 Management Officer will be responsible for its publication, communication to all relevant personnel and stakeholders, and maintenance.
  • The policy must be reviewed annually as part of the management review process, detailed in the “Management Review Management Procedure”, or whenever significant changes occur in the organization’s context or risk environment.
  • All personnel must confirm that they have read and understood this policy.
  • Document management of this policy will be carried out in accordance with the “Documented Information Management Procedure”.

Acceptable use of assets

  • All information assets, including hardware, software, data, and cloud services, are the property of Seduni Torcar S.L. and must be used exclusively for authorized business purposes.
  • Specific rules governing staff conduct are detailed in the “Operational Security Policy” (POL) and the “Code of Conduct.”
  • Access to information and systems will be granted following the principle of least privilege, based on the roles and responsibilities defined in the “Roles and Responsibilities Procedure” (PRO).
  • All staff must formally accept responsibility for assigned assets by signing the “Asset Assignment Form (MOD)”, committing to comply with acceptable use policies.

Security event notification

  • All staff and external collaborators are obligated to immediately report any information security event, whether actual or suspected, as well as any identified vulnerabilities.

  • The primary channel for incident reporting is defined in the “PRO Information Security Incident Management Procedure.”

  • For situations requiring urgent attention, such as those described in the teleworking protocols, the CEO & Founder must be notified within 24 hours of becoming aware of the situation.

  • The ISO 27001 and 9001 Management Officer must ensure that all reported events are recorded and managed in accordance with the “PRO Findings and Events Management Procedure”.

Clean desk and clear screen policy

  • Staff must ensure that sensitive information, whether in physical or digital format, is not exposed to unauthorized personnel.
  • Workstations and mobile devices must be locked whenever the user is away from them.
  • Automatic screen locking must be configured on all corporate devices after a short period of inactivity.
  • At the end of the working day, physical documents containing sensitive information must be stored in a secure, locked place.

Off-Premises Asset Security

  • Company assets used outside the office, including teleworking equipment, must be protected with a level of security equivalent to that applied at the organization’s premises.

  • Each employee is responsible for the safekeeping and physical protection of their assigned assets, preventing theft, loss, or damage.

  • Remote work and the use of devices outside the company’s physical perimeter are governed by the “Operational Security Policy” (POL) and teleworking agreements.

  • Connecting to public or untrusted Wi-Fi networks to access corporate information is prohibited unless using a secure, encrypted connection approved by the organization. The protection of assets outside the premises is detailed in the “Physical and Environmental Security Procedure” (PRO).