LEGAL
Information security policy
Last updated: 22 April 2026
Introduction
CEDESA began its journey as an entity in 2012 as a software project management consultancy that externally coordinated the development work of teams in order to achieve success in the delivery of systems. Following this, in 2015 the company CEDESA DIGITAL, SL was incorporated, at which point the team began to grow in order to launch a new line of services with its own in-house team. LAPSOWORK, SL forms part of this group as a SaaS human resources management product.
The company's promoter, founder and sole shareholder is Juan Jesús Merino Carretero, a senior computer engineer and holder of a degree in computer law, with extensive experience in project engineering and cybersecurity.
The code of ethics currently upheld at CEDESA DIGITAL is based on and aligned with the code of ethics approved by the ACM (Association for Computing Machinery) and the IEEE-CS as the standard for teaching and practising software engineering.
8 principles of the code of ethics
- Society.
- Client and employer.
- Product.
- Judgement.
- Management.
- Profession.
- Colleagues.
- Self.
Objectives
- To respond to the needs and expectations of our stakeholders, especially our clients.
- To effectively manage and control the processes involved and the analysis of risks.
- Compliance with the applicable legislation on quality and information security.
- To appropriately determine and protect the assets relating to the information of the client, the company and its stakeholders.
- To prevent loss, misuse, financial losses or the interruption of business processes.
- To adapt to the economic and technological evolution of the market.
- To raise awareness, train and motivate staff in the implementation of the integrated management system.
- To continually improve.
Regulatory framework
The regulatory framework includes compliance with Spanish and European Union legislation, notably:
- Reglamento (UE) 2016/679 (RGPD).
- Ley Orgánica 3/2018, on the Protection of Personal Data and guarantee of digital rights.
- Real Decreto 311/2022, regulating the Esquema Nacional de Seguridad.
- Ley 34/2002, on Information Society Services and Electronic Commerce (LSSICE).
- Legislation on intellectual property.
- ISO/IEC 27001 and ISO/IEC 27002 standards (information security).
- UNE-EN ISO 9001 standard (quality management).
Risk management
CEDESA has defined procedure PG14 for the assessment, detection, evaluation and treatment of security risks. This procedure includes:
- Periodic identification of assets, threats and vulnerabilities.
- Analysis of the impact and likelihood of the risks detected.
- Definition of mitigation measures and compensating controls.
- Review of the risk treatment plan in the security committees.
Incident management
A security incident management procedure is in place. In the event of a security breach affecting personal data, the Agencia Española de Protección de Datos (AEPD) will be notified within a maximum of 72 hours from becoming aware of it, and the affected individuals will be notified if there is a high risk to their rights and freedoms, in accordance with articles 33 and 34 of the RGPD.
Responsibility and review
Management approves and reviews this policy annually. All employees, collaborators and suppliers are required to comply with it. Questions and notifications relating to this policy should be addressed to the Data Protection Officer at [email protected].
Signed: Management.
Information Security Policy (Ed. 01) Public PDF version of the Information Security Policy. Download PDF