Policies

We want to be long-term partners with our clients

BILBOMÁTICA promotes and approves its criminal compliance policy, which expresses the behaviors and general principles of action required of the recipients of the prevention system.

BILBOMÁTICA's Criminal Compliance Policy requires adherence to the following commitments:

  1. Comply with applicable criminal law, which implies the prohibition of committing criminal acts.
  2. Prevent BILBOMÁTICA, and the organization in general, from being exposed to criminal risks.
  3. Establish the appropriate framework for defining, reporting, and achieving the objectives of the prevention system: prevention and detection of criminal conduct and compliance with the law.
  4. Impose the obligation to report any suspicious acts or conduct related to criminal risks, guaranteeing that the whistleblower will not suffer retaliation. To this end, an Ethics Hotline will be made available to all personnel where they must confidentially report any behavior that violates the compliance system.
  5. Commitment to the continuous improvement of this compliance system.
  6. Maintain the independence of the criminal compliance body.
  7. Establish a disciplinary regime in case of non-compliance.
  8. Provide information about the management of the prevention system and the results achieved.
  9. Communicate using language appropriate for BILBOMÁTICA members, as well as third parties, suppliers, and clients.

BILBOMÁTICA will provide the necessary resources to disseminate to all its employees and subcontractors the procedures designed to foster a culture of compliance. Specifically, BILBOMÁTICA will develop a Crime Prevention Manual that explains the Criminal Offense Prevention System that BILBOMÁTICA will implement, and a Code of Conduct that establishes the expected behavior of those affected by said Prevention System.

In this regard, BILBOMÁTICA considers maintaining a high level of awareness regarding the importance of compliance to be a strategic objective. Consequently, BILBOMÁTICA considers all rules established for this purpose to be binding on all employees and subcontractors, and therefore, strict compliance with them must be observed.
 

Gabriel Fernández                                                                                  Revised: January 14, 2026

Managing director                                                                  Last modified: January 14, 2026

BILBOMÁTICA, a Software Consulting and Engineering company, has developed and implemented the Integrated Management System for Quality, Services and Environment in accordance with the requirements of the UNE-EN-ISO 9001, UNE-EN-ISO/IEC 20000-1, UNE-EN-ISO 14001 Standards and with the CMMI (Capability Maturity Model Integration) quality model, at Level 3.

In this way, BILBOMÁTICA improves its adaptation to the quality, service and environmental needs demanded by an increasingly competitive and constantly evolving technological market, focusing its efforts on satisfying both customer requirements and the applicable legal and regulatory requirements or those voluntarily assumed by our organization.

The company, aware that one of the essential factors for its operation, growth, and consolidation in the market is the quality of its products and services, is committed to continuously improving the effectiveness of its quality management system, services, and environmental pollution prevention, and directs its efforts to achieve:

  • Highly qualified personnel with ongoing training in the latest technologies in Information Systems Development.
  • Standardized, agile, and precise work methodologies that enable efficient product development.
  • State-of-the-art hardware and software resources.
  • A Supplier Management System with regular evaluations to ensure that services received meet expectations and adhere to defined quality criteria.
  • Project Management Systems that enable:
    • Identify and meet customer requirements through project planning and monitoring.
    • Provide the service levels agreed upon with our customers and suppliers, managing any incidents or problems.
    • Maintain and provide the necessary information to track the progress of each project.
    • Ensure the delivery of our products to the customer on time, within budget, and to the required quality standards, with minimal environmental impact.
    • Fulfill the contractual obligations of the Services and the organization to stakeholders.
  • Risk Management Systems that allow the detection of delays, deviations and risks at their source, preventing possible security incidents and reducing their potential impact.
  • Software Engineering Project Systems that allow the identification and fulfillment of both customer requirements and applicable legal and regulatory requirements, manage change requests that affect requirements, and align work products with established requirements.
  • Quality and Environmental Management Systems that allow us to prevent any negative environmental impact on our immediate environment, derived from our products or services; and protection of the Environment.
  • Verification and validation systems that allow meeting (or exceeding) customer expectations, guaranteeing the quality of delivered products, with resources and costs in line with the benefits obtained; the prevention and early detection of potential failures or obvious errors in order to mitigate their impact and reduce the time and cost allocated to corrective tasks.
  • Configuration Management Systems that enable the establishment and maintenance of the integrity of work products using configuration identification, control, status accounting, and auditing.
  • Measurement and analysis systems of the organization's processes aimed at the different existing levels, within deadlines and with objective and real data, to support decision-making in order to meet the company's objectives within the framework of the Quality, Services and Environment Policy defined herein and to the continuous improvement of the effectiveness of the Quality, Services and Environment management system.
  • Systems for defining the set of Process Assets, which allow consistent execution of processes throughout the organization, as well as supporting process learning and improvement, allowing the sharing of good practices and lessons learned throughout the organization.
  • Likewise, for proper management of projects and teams, the organization has a series of guidelines and rules for the composition, training and operation of work teams.
  • Continuous Improvement Systems include the planning, implementation, and deployment of organizational process improvements based on an understanding of the organization's current process strengths and weaknesses, as well as its process assets. Continuous process improvement addresses organizational objectives, promotes participation in improvement activities, and provides both the long-term commitment and the necessary resources to ensure the effective and timely deployment of the improvements.
  • Business Continuity Plans, which must be reviewed and validated periodically, and which ensure the ability to respond to emergency situations.
  • Systems for reviewing and controlling the organization's processes that allow:
    • Verify that projects are built following the defined processes.
    • Detect any deviations/non-conformities as soon as possible, helping to resolve them and ensuring that the necessary corrective actions are identified and implemented, within the framework of the continuous improvement of BILBOMÁTICA's management system effectiveness.
    • Guarantee an increase in the quality delivered to the client and, consequently, a reduction in corrective costs, thereby increasing the company's productivity.
  • A focus on customer satisfaction and the satisfaction of other stakeholders by providing an effective and personalized response to their needs, while adhering to established service level agreements.

The Company's Management, through an appropriate training plan, ensures that its Quality, Services and Environment Policy is understood and accepted by all personnel and, through the periodic performance of internal audits, will verify that the Integrated Management System maintains its effectiveness and suitability.


Gabriel Fernández                                                                                  Revised: January 14, 2026

Managing director                                                                  Last modified: January 14, 2026

Information is one of BILBOMÁTICA's most valuable assets and a critical resource without which it could not operate. BILBOMÁTICA relies heavily on the accurate, complete, and timely use of this information to ensure the quality of its operations. Therefore, it recognizes the paramount importance of security measures to protect information from threats such as errors, fraud, embezzlement, sabotage, extortion, industrial espionage, privacy breaches, service interruptions, and natural disasters. BILBOMÁTICA's management acknowledges its responsibility to develop security guidelines that minimize the potential risks to which it is exposed, thereby enabling the achievement of the company's strategic business objectives.

This Security Policy is aligned with the ISO 27001 standard. Additionally, BILBOMÁTICA has a Security Policy that follows the provisions of Royal Decree 311/2022.

The objective of this Information Systems Security Policy is to define the main guidelines that lead to the formulation of Information Systems Security procedures, to safeguard information in accordance with what was discussed in the previous paragraph.

The formulation of BILBOMÁTICA's Corporate Information Systems Security Policy is based on the following key pillars to achieve the protection of BILBOMÁTICA's information:

  • BILBOMÁTICA's information and its Information Systems are critical assets that must be protected to ensure their operation. BILBOMÁTICA's information must be protected according to its sensitivity, value, and criticality.
  • All employees and third-party collaborators of BILBOMÁTICA have the responsibility to protect the information entrusted to them.
  • Information protection enables BILBOMÁTICA's business development; protection measures must be developed according to a risk assessment.
  • To determine what protection measures are necessary, you must ensure the confidentiality, integrity and availability of the information and classify it as Confidential, Internal Use or Public.

The principles of information security around which Information Systems Security measures are built are the following:

  • Information must be protected throughout its entire life cycle, from its creation or receipt to its processing, communication, transport, storage, dissemination to third parties and its eventual destruction.
  • BILBOMÁTICA will protect the information from unauthorized dissemination, manipulation, or loss.
  • Third-party organizations and individuals who may access information owned by BILBOMÁTICA must be subject to the control of the standards defined regarding information security.
  • Each employee has the obligation and duty to adequately protect information, in accordance with BILBOMÁTICA's classifications and standards.

The Corporate Information Systems Security Policy applies to all BILBOMÁTICA employees, including any external party who has access to information managed or owned by BILBOMÁTICA. The Policy also applies to all information stored in digital format and to Information Systems owned by or managed for BILBOMÁTICA. The Corporate Information Systems Security Policy includes the classification of information sensitivity levels to ensure optimal confidentiality, integrity, and availability. This policy advocates for the classification of information according to security levels as follows:

  • Confidential: Encompassing the most sensitive information for BILBOMÁTICA, and requiring strong measures to protect it against unauthorized disclosure (confidentiality) and/or modification (integrity).
  • Restricted: Information with restricted access by departments, with a medium impact if unauthorized disclosure is not available.
  • Internal Use: Applies to less sensitive information intended for internal use by BILBOMÁTICA. While unauthorized disclosure is against this policy, a serious negative impact is not expected.
  • Public: Applies to information explicitly approved by BILBOMÁTICA's Management for public display..

The requirements of this Corporate Security Policy are as follows:

  • BILBOMÁTICA's Corporate Information Systems Policy is approved by BILBOMÁTICA's Management and aligned with the ALTIA Group's Security Policy. Its content is mandatory for all BILBOMÁTICA personnel, as well as third-party organizations and subcontractors.
  • The proposed corrective measures are binding on those responsible for their implementation.
  • The implementation and compliance with the Corporate Information Systems Security Policy must be verified and tested at the pre-established intervals.
  • The Corporate Information Systems Security Policy is a living document that is updated and modified according to the established procedure. Furthermore, the Policy must be known by all BILBOMÁTICA staff.

BILBOMÁTICA's policies and procedures are designed to safeguard information from unauthorized third parties. The commitment to confidentiality is determined by BILBOMÁTICA's classification system, which distinguishes between information levels: confidential, internal use, and public.

This Security Policy includes the policies/procedures that are part of BILBOMÁTICA's Statement of Applicability of the Information Security Management System (ISMS), namely:

  • Mobile Device Usage Policy
  • Access Control Policy
  • Cryptographic Controls Usage Policy
  • Clean Desktops and Locked Screens Policy
  • Information Sharing Policies and Procedures
  • Secure Software Development Policy
  • Information Security Policy for Suppliers


BILBOMÁTICA will provide the necessary resources to disseminate the procedures designed to foster a culture of control to all its employees and subcontractors. Maintaining a high level of awareness regarding the importance of safety is considered a strategic objective of BILBOMÁTICA. Consequently, BILBOMÁTICA considers all regulations established for this purpose to be binding on all employees and subcontractors, and therefore, strict compliance with them must be observed.
 

Gabriel Fernández                                                                                  Revised: January 14, 2026

Managing director                                                                  Last modified: January 14, 2026
 

In compliance with the provisions of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights, hereinafter LOPD, we inform you that BILBOMÁTICA processes personal data in accordance with the provisions of said regulation, and that said data are included in automated files owned by BILBOMÁTICA S.A., keeping the appropriate security measures that guarantee their confidentiality, as established by the Data Protection legislation.

In accordance with the requirements established by the LOPD, BILBOMÁTICA has carried out an analysis of the personal data processing carried out, performing an impact analysis when required and putting in place the necessary protection measures, based on the risks identified for each type of analysis.

Similarly, and in accordance with the Spanish Data Protection Act (LOPD), BILBOMÁTICA S.A. informs you and requests your express authorization to process your data and include it in the automated file. This data will be used solely for the purpose for which it was requested, and in the manner, with the limitations, and with the rights granted by the LOPD. You also have the right to exercise the rights established in the LOPD, as well as to withdraw your consent and file a complaint with the Supervisory Authority, under the terms established by current legislation and in accordance with the procedures established for this purpose by BILBOMÁTICA S.A.

To that effect, all obligations arising from compliance with the LOPD, including the duty of secrecy and the duty of safekeeping, are applicable and transferable to all employees and collaborators of the company BILBOMÁTICA S.A.
 

Gabriel Fernández                                                                                  Revised: January 14, 2026

Managing director                                                                  Last modified: January 14, 2026

BILBOMÁTICA understands that one of the principles for the proper development of an organization today is the consideration of all aspects that allow it to be classified as a socially responsible company.

Economic development must be compatible with social commitment and respect for the environment, contributing to sustainable development and reinvesting in society a portion of the profit and knowledge generated within our company.

Thus, BILBOMÁTICA has adopted a series of principles that allow it to continue growing within a framework of respect and care for the environment, actively collaborating in the social sphere and thereby fostering the progress of the society in which it operates through the use and application of new technologies.

BILBOMÁTICA works to create sustainable value by structuring its activity around the pillars that form the basis of its development: economic, social, environmental, and innovation.

These principles are embodied in the following commitments:

With our staff

Establishing communication mechanisms that allow for close and transparent dialogue, facilitating employee participation.

Providing opportunities for personal and professional development, fostering teamwork, equality, and individual initiative, identifying and developing company talent, and maintaining a policy of sustainable job retention and growth.

Ensuring a safe and healthy work environment.

The mechanisms we have in place to achieve these principles are:

  • Satisfaction surveys;
  • Corporate communication channels;
  • Knowledge management;
  • Career development plan;
  • Performance evaluation/promotions;
  • Occupational risk prevention;
  • Equality Plan.

With our clients

Establishing effective and close communication channels that allow us to understand your needs and anticipate your demands.

Guaranteeing excellent service in terms of quality, safety, and efficiency.

Making a significant effort in innovation, leading to sustainable improvement in the development of solutions and providing greater added value.

Maintaining a spirit of continuous improvement in all our activities, fostering research, development, and innovation in the services we offer.

The mechanisms we have in place to achieve these principles are:

  • Commitment to continuous improvement. ISO 9001, 20000-1, and CMMI Level 3 certifications.
  • Commitment to information security. ISO 27001 and National Security Framework certifications.
  • Promoting the attainment of recognized technological and methodological certifications and partnerships that add value to our solutions and services.
  • Customer satisfaction surveys.
  • Collaborative environments.

With Society

Collaborating with public administrations in the development of technologies that bring technologically advanced solutions to citizens, thus contributing to bridging the digital divide.

Reinvesting part of our R&D in contributing to the social improvement of sectors facing inclusion challenges.

Promoting social action that fosters a more equal and inclusive society, with special attention to people with disabilities.

The mechanisms we have in place to achieve these principles are:

  • Collaboration with centers and associations in participating in innovation projects.
  • Supporting our equality plan.
  • Collaboration with centers specializing in integration.
  • Participating in innovation dissemination blogs.
  • Collaborating with government agencies, organizations, universities, and training centers to facilitate the training and integration of young people without experience into the workforce.

Environmental Responsibility

Establishing mechanisms that guarantee respect for the environment based on material recycling and minimal impact on electricity consumption.

The mechanisms we have in place to achieve these principles are: Commitment to the Environment. ISO 14001 Certification

Waste Management Plan (paper, consumables, electronic equipment, etc.)

 

Gabriel Fernández                                                                                  Revised: January 14, 2026

Managing director                                                                  Last modified: January 14, 2026

BILBOMÁTICA recognizes the importance of information security for the proper execution of its activities. Therefore, it has developed an Information Security Policy that establishes and integrates the basic security principles with operational requirements in terms of confidentiality, authenticity, traceability, integrity, availability, and preservation of information.

The main objective of this Policy is to reinforce BILBOMÁTICA's commitment to its suppliers and partners, expressed in terms of continuous improvement of the service offered, improvement of internal processes, protection of the information processed, and compliance with applicable legislation. In this regard, BILBOMÁTICA has established an information security management framework that applies the basic principles and minimum requirements established in Royal Decree 3/2010, of January 8, which regulates the National Security Framework (hereinafter, ENS), thus ensuring adequate protection of information and services.

The aforementioned framework also encompasses the protection of personal data and takes into account the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter GDPR), as well as the provisions of national legislation on this matter. Additionally, BILBOMÁTICA aims to mitigate the risks arising from access by internal or external personnel to BILBOMÁTICA's information, information systems, or resources.

It is therefore necessary that all individuals who interact directly or indirectly with BILBOMÁTICA and its dependent bodies be familiar with the relevant Policy and Regulations and apply its guidelines as part of their duties in connection with the organization. Specifically, this policy is mandatory for personnel and third-party entities that temporarily or permanently provide services or have access to information or related assets as a result of performing their duties or executing a contract.

BILBOMÁTICA will provide the necessary resources to disseminate to its partner companies the procedures designed to foster a culture of control. In this regard, maintaining a high level of awareness regarding the importance of the security function is considered a strategic objective of BILBOMÁTICA. BILBOMÁTICA considers all regulations established for this purpose to be binding on all employees and collaborators, and therefore, strict compliance with them must be observed.

Supplier Obligations

All supplier companies whose personnel have access to BILBOMÁTICA's information, information systems, or resources, in the course of providing any service, must comply with the provisions set forth in the following sections.

Disclosure and Compliance with this Policy

It is the supplier company's obligation to inform its personnel of this Security Policy. As a guarantee, the relevant service contracts will expressly state that the policy is known and that the supplier commits to respecting it, as well as assuming the responsibilities arising from non-compliance.

Compliance with Security Requirements

BILBOMÁTICA may establish security requirements for each supplier and external personnel who have access to BILBOMÁTICA's information, information systems, or resources in order to guarantee the necessary levels of confidentiality, integrity, availability, authenticity, traceability, and preservation of information on information systems, constituting a set of prevention, detection, and recovery mechanisms.

These measures will be based primarily on the ISO/IEC 27002 standard and Annex II of Royal Decree 311/2022, which regulates the National Security Framework in the field of Electronic Administration.

As a guarantee, the relevant service contracts will expressly include the specific requirements defined during the contracting phase, as well as the commitment to their compliance. These requirements must develop or expand upon the measures mentioned in this policy, but never contradict them (for example, regarding confidentiality agreements).

Con la aceptación de la presente política, la empresa proveedora aceptará prestarse a la realización de auditorías que BILBOMÁTICA quiera llevar a cabo, ya sea a través de personal interno de la organización o bien a través de personal externo, para validar el cumplimiento de los requisitos establecidos.

Communication, Validation, and Change Management in Service Delivery

Any changes to the provision of contracted services, including modifications to operating procedures and/or security controls intended for critical systems or processes involving the provider, must be communicated in advance to the person responsible for the service at BILBOMÁTICA for review and validation.

Once a change to service delivery has been validated, it will be managed in accordance with the Security Regulations and the procedures agreed upon between BILBOMÁTICA and the provider. 

Gabriel Fernández                                                                                  Revised: January 14, 2026

Managing director                                                                  Last modified: January 14, 2026

An ALTIA company

Subscribe to our newsletter

The subscriber's email address.
Stay informed - subscribe to our newsletter.