Information Security Policy
1. Approval and Effective Date
November 18, 2025
2. Our Mission
To efficiently digitize time management policies, adapting them to current realities to improve the employee-employer relationship.
3. Objective and Scope
The main objective of this policy is to establish a high-level Information Security Policy with basic rules for information security management, in order to offer a secure service in which access to information is exclusive to authorized personnel, information retains its integrity without manipulation, and information is available at all times to authorized personnel.
Furthermore, this security policy is available to all our clients, Woffu staff, collaborators, and suppliers with whom we work jointly, so they can be informed about Woffu’s security and participate in the continuous improvement of our information security and privacy management system.
This policy applies to all members of the organization and to all functionalities of our SaaS (Software as a Service) Woffu.
Woffu Features
- Vacations and absences
- Attendance Control
- Shifts
- Internal communication
- Documents
- Reports
- Whistleblowing channel
All our suppliers must comply with our information security policies and procedures according to the service provided.
4. Security Requirements
- Incorporate robust security measures, including network security, endpoint security, access control, vulnerability management, and encryption.
- Maintain a supplier management process that ensures the security of information assets.
- Adhere to a “Security by Design and by Default” approach by integrating security measures at every stage of your product development lifecycle.
- Maintain a business continuity plan.
- Ensure sufficient security throughout an employee’s lifecycle, including pre-employment requirements, security requirements during employment, and after employment termination.
- Maintain an inventory of information and other security-related assets.
- Establish security objectives annually from management.
- Adhere at all times to the principle of least privilege for access to information assets.
- Woffu locations must be protected based on the risk profile of the location, area, and assets, to minimize unauthorized access and ensure the security of both employees and company assets.
- Non-compliance with this policy will result in disciplinary measures by the company, in accordance with current regulations, which may include, among others, dismissal or termination of contract.
5. Regulatory Framework
To protect information, we must at all times comply with the current provisions of the European Union and Spain regarding the security and privacy of personal data, and with international and national standards and best practices in Information Security adopted by Woffu.
- Applicable Legislation:
- Workers’ Statute, section 9 of article 34 referring to the daily work record and the retention of work records for four years, which shall remain available to workers, their legal representatives, and the Labor and Social Security Inspectorate.
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights (LOPDGDD).
- Law 2/2023, of February 20, regulating the protection of persons who report regulatory infringements and fight against corruption.
- Law 34/2002, of July 11, on information society services and electronic commerce.
- Law 6/2020, of November 11, regulating certain aspects of electronic trust services.
- Royal Legislative Decree 1/1996, of April 12, approving the revised text of the Intellectual Property Law, regularizing, clarifying, and harmonizing the legal provisions in force on the matter.
- Resolution of February 22, 2018, of the General Directorate of Employment, registering and publishing the XVII State Collective Bargaining Agreement for consulting and market research and public opinion companies.
- Royal Decree-Law 8/2019, of March 8, published on March 12, 2019, in the Official State Gazette, regarding urgent social protection measures and the fight against labor precariousness in working hours.
- Law 10/2021, of July 9, on remote work.
- Criminal Code
- Information Security and Privacy Standards and Best Practices:
Woffu undergoes annual audits to ensure information security and maintain its certifications.
- ISO-27001 Audit. Information Security Management Systems, and implementation of ISO-27002 controls
- ISO-27701 Audit. Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines.
- ISO-27018 Audit. Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- Annual Pentest of our Woffu SaaS service.
6. Organization and Responsibilities
The General Manager is responsible for Woffu’s security.
The Security Committee is responsible for overseeing and directing Woffu’s security performance.
Managers are responsible for ensuring that policies and procedures are implemented and complied with.
Security Contacts are responsible for overseeing general security operations at Woffu and implementing necessary measures to ensure compliance.
All employees are responsible for adhering to general security policies and the security provisions of their roles and the procedures they perform.
Security incidents and policy violations must be reported to security contacts via security@woffu.com.
7. Personal Data
The privacy policy details the processing of personal data, as well as its purpose, retention period, legitimate basis, data typology, transfers, international transfers, and profiling.
All functionalities of our Woffu SaaS will comply with the security levels required by the GDPR for the nature and purpose outlined in the aforementioned privacy policy.
8. Awareness and Training
All Woffu members must complete security training courses at least once a year.
9. Risk Management
For Security Risk Management, a risk analysis is performed on our Woffu SaaS, evaluating the threats and risks to which it is exposed so that they can be treated. This analysis will be repeated:
- Regularly, at least once a year
- When the information handled changes
- When the services provided change
- When a serious security incident occurs
- When serious vulnerabilities are reported
10. Approval and Review Process
The Information Security Policy will be approved by the General Manager, and all Woffu members are obliged to know and comply with it.
The review of the policy is the responsibility of the security manager.
Likewise, the policy will be subject to an annual review or when significant changes occur in applicable regulations, intrinsic changes in information systems, and the complexity of the organization itself, to ensure its continued suitability, adequacy, effectiveness, and compliance with the legal and regulatory framework in which our activities are carried out.