1. OBJECTIVE
Protect Simetrik’s information assets from risks and threats, both internal and external, ensuring the confidentiality, integrity, availability, and privacy of the information. At Simetrik, information security is a key pillar for protecting our assets, maintaining customer trust, and complying with international regulations.
2. SCOPE
This policy applies to all employees, contractors, suppliers, and any person or entity with access to Simetrik’s systems, information, and information assets.
3. SECURITY PRINCIPLES
We adopt a risk-based approach to protect Simetrik’s and its clients’ information assets from relevant threats and vulnerabilities.
We also integrate information security and privacy principles into the organizational culture, promoting protection as a shared responsibility among top management, employees, contractors, and third parties, and strengthening a robust management structure.
Simetrik manages its processes based on the following principles:
- Confidentiality: We ensure that only authorized people have access to the information, avoiding unauthorized access or improper disclosure.
- Integrity: We make sure that information is protected against unauthorized changes, keeping it accurate, reliable, and complete.
- Availability: We ensure that information is available when needed, without interruptions that affect our operations.
- Privacy: We protect personal data, respecting the privacy of clients, employees, and third parties, always complying with applicable laws and regulations.
- Accountability and traceability: We promote mechanisms that allow proper management, monitoring, and tracking of access to and use of information.
- Continuous improvement: We continuously strengthen our controls, capabilities, and processes to respond to a constantly evolving technological and regulatory environment.
- Responsible use of emerging technologies: We promote the safe, ethical, and controlled use of emerging technologies, including artificial intelligence, using international best practices to gradually strengthen our governance models.
Main Guidelines:
- Confidentiality, Integrity, Availability, and Privacy of information assets within Simetrik must be ensured.
- All information systems and information assets used in operations and service delivery must comply with the security controls defined by the Information Security team.
- All employees and contractors must receive annual training and awareness in information security to have the knowledge, skills, and tools needed to help protect information and the assets they can access.
- Measures must be applied to proactively prevent, detect, respond to, analyze, recover from, and investigate threats and vulnerabilities.
- Methods and tools must be implemented to adapt quickly to changes in the technological environment and new threats.
- Information security must be integrated into all strategic and operational processes, ensuring it adds value and supports Simetrik’s growth.
- Simetrik must ensure compliance with all applicable laws, regulations, standards, and contractual commitments, including:
  - Local and international regulations on information security, privacy, and personal data protection, as applicable.
  - Payment Card Industry Data Security Standard (PCI DSS).
  - Security and privacy standards and best practices, including ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 27017, and ISO/IEC 27018.
  - Recognized international standards as a reference for the evolution of artificial intelligence governance models.
  - Contractual agreements and commitments with clients.
  - All applicable laws and regulations in the jurisdictions where we operate and provide services.
4. INFORMATION SECURITY RESPONSIBILITIES
Information security and privacy are a shared responsibility within Simetrik.
At Simetrik, we expect all people with access to our systems or information assets to act carefully, responsibly, and in line with the organization’s guidelines for information protection. We also encourage employees, contractors, and third parties to take part in training and awareness activities, and to report any incident, suspicious event, or situation that may affect the security or privacy of information in a timely manner.
Top management supports this commitment by promoting a security culture, assigning responsibilities, and continuously strengthening organizational capabilities.
5. CONTROLS AND MEASURES
5.1 INFORMATION SECURITY
We implement controls to ensure the protection of information in the following areas:
- Access control: Management of credentials, multi-factor authentication (MFA), and least privilege.
- Data protection: Encryption in transit and at rest, and access control for sensitive data.
- Cloud security: Application of security controls in cloud services.
- Software development security: Implementation of secure development practices and vulnerability testing.
- Security incident management: Response plan, event analysis, and risk mitigation.
- Risk management: Continuous assessment and mitigation of threats.
- Monitoring and auditing: Continuous analysis of activities and detection of anomalies.
- Third-party and supplier security: Risk assessment, compliance with security requirements, and contractual agreements.
- Business continuity and disaster recovery: Contingency plans to ensure operations in case of incidents.
- Security awareness and training: Continuous training for employees and third parties on security best practices, including cybersecurity, social engineering, and phishing.
5.2 CYBERSECURITY
Simetrik adopts a cybersecurity approach to protect its infrastructure, data, and operations from evolving digital threats. For this, the following principles and controls are established:
- Threat and vulnerability management: Continuous monitoring of threats, vulnerability analysis, and management of cyber risks.
- Protection against cyberattacks: Implementation of advanced security solutions, such as WAF, antivirus, and attack response tools.
- Network security: Application of controls to protect internal and external networks through segmentation, secure protocols, and traffic monitoring.
- Identity and access security: Implementation of strong authentication policies and identity management to reduce the risk of unauthorized access.
- Device cybersecurity: Application of security controls on endpoints and corporate devices to prevent targeted attacks.
5.3 PRIVACY AND PERSONAL DATA PROTECTION
Simetrik manages personal data in accordance with applicable privacy and data protection regulations in each jurisdiction, as well as with contractual commitments with clients and third parties. This commitment is reflected in practices focused on:
- Data management: Ensure proper, lawful, and transparent processing of personal data.
- Purpose and accountability: Clearly define the purposes of data processing and the related responsibilities.
- Minimization and protection: Promote the collection, use, and storage of only necessary data, and ensure its proper protection.
- Privacy risk management: Identify, assess, and manage risks related to the processing of personal data.
- Data subject rights: Address, when applicable, requests related to the rights of data subjects.
- Protection against unauthorized access: Prevent unauthorized access, use, disclosure, modification, or loss of data.
5.4 ARTIFICIAL INTELLIGENCE GOVERNANCE
As Simetrik continues to adopt artificial intelligence technologies in its processes, products, or services, it will promote management based on principles of security, privacy, supervision, accountability, and risk analysis. In this context, Simetrik will progressively align with recognized international standards to strengthen its artificial intelligence governance model. This includes, as applicable:
- Supervision and accountability: Promote the definition of responsible roles for the adoption, use, and supervision of artificial intelligence systems.
- Human intervention: Ensure proper human oversight in the use of artificial intelligence systems, especially in processes or decisions with significant impact.
- Responsible decision-making: Promote that decisions supported by artificial intelligence include review and control criteria according to their level of risk, avoiding inappropriate dependence on fully automated decisions when human validation is required.
- Protection of data and sensitive information: Protect personal data, sensitive information, and client information used by artificial intelligence systems, according to their classification and level of criticality.
6. INCIDENT REPORTING AND COMMUNICATION
Simetrik’s Information Security team is available to address any questions or incident reports through the email incidents@simetrik.com.
Failure to report incidents or violations may result in disciplinary and/or corrective actions, as applicable.
7. EXCEPTIONS
Any exception to this policy must be approved by the Chief Information Security Officer (CISO).
8. COMPLIANCE
Information security is part of our identity and commitment to trust and excellence. Failure to comply with this policy will be considered a serious fault and may lead to disciplinary actions, including administrative sanctions or termination of the employment contract, according to current laws and Simetrik’s internal policies. All employees, contractors, and related third parties are responsible for complying with this policy.
Emiliano Murúa Cuesta
Information Security Director
Last update: April 15, 2026