Celering

Security Policy

General Information Security Policy

Celering relies on information systems to achieve its objectives. These systems must be diligently managed, adopting appropriate measures, based on risk, to protect them from accidental or deliberate damage that may affect the authenticity, traceability, integrity, or confidentiality of the information processed, or the availability of the services provided.

The ultimate goal of information security is to ensure that the organization can meet its objectives, perform its functions or competencies, and provide the services for which it was established, maintaining the quality of the information and the continuous delivery of services. This is achieved by acting preventively, supervising daily activities, and responding promptly to incidents.

ICT systems must be protected against rapidly evolving threats that could impact the confidentiality, integrity, availability, intended use, and value of the information and services. To defend against these threats, a strategy adaptable to changing environmental conditions is required to ensure the continuous provision of services. This means that departments must apply the minimum security measures required by the National Security Framework (Esquema Nacional de Seguridad – ENS), continuously monitor service performance levels, follow and analyze reported vulnerabilities, and prepare an effective response to incidents to ensure service continuity.

Celering must ensure that ICT security is an integral part of every stage of the system’s life cycle—from conception to decommissioning—including development or acquisition decisions and operational activities. Security requirements and financial needs must be identified and incorporated into planning, requests for proposals, and tender specifications for projects involving personal data processing, ICT service acquisition, or services that affect information systems.

Company Description

Celering is a corporate group headquartered in Madrid, composed of Celering Smart Mobility Services S.L.U. and Celering Travel S.L.U.

Both companies focus on road transport from two different perspectives.
Celering Smart is a technology company that has developed a digital management platform powered by artificial intelligence.

Celering Travel is a travel agency that intermediates transport services using Celering Smart’s licensed SaaS technology.

The name “Celering”, as used hereinafter, refers to both companies collectively, although, where necessary, specific references will be made to Celering Smart (CS) or Celering Travel (CT).

The group’s head offices are located in central Madrid, where both companies carry out their activities. Throughout this policy, differentiating between them may be complex due to the many shared elements referred to as “Grey Areas”, particularly regarding the Information Security Management System (ISMS). As reflected in the organizational chart, CT may be integrated as a department within CS, although both remain legally independent entities.

Celering Smart (CS) encompasses the majority of the group’s personnel, including the following areas:

  • Technology
  • Operations
  • Finance
  • Marketing
  • Sales
  • Information Technology

Celering Travel (CT) has personnel dedicated specifically to traffic management, including:

  • Traffic Director
  • Traffic Management Team

Both companies are linked through two contractual relationships:

  • CS provides CT with its software under a SaaS model.
  • CS provides CT with all other services required under a services agreement.

Responsibility for information security lies with the CISO (Chief Information Security Officer), who operates outside the general organizational structure, reports directly to the Group’s Managing Director, and manages information security transversally across both companies.

Mission

The security objectives that Celering aims to guarantee through this Policy are as follows:

  • Ensure the confidentiality, integrity, and authenticity of information, as well as the continuity in the provision of services.
  • Implement security measures based on risk.
  • Train and raise awareness among all Celering personnel regarding information security.
  • Implement security measures that allow the traceability of access, while respecting, among other principles, the principle of least privilege, and reinforcing the duty of confidentiality of all users concerning the information they access during the performance of their duties.
  • Deploy and monitor physical security, ensuring that information assets are located in secure areas, protected by access controls, and safeguarded according to identified risks.
  • Establish secure communication management through the necessary procedures, ensuring that all information transmitted via communication networks is adequately protected.
  • Control the acquisition, development, and maintenance of information systems throughout their life cycle, ensuring security by default.
  • Monitor compliance with security measures in the provision of services, maintaining control during the acquisition and incorporation of new system components.
  • Manage security incidents to ensure their proper detection, containment, mitigation, and resolution, and adopt corrective measures to prevent recurrence.
  • Protect personal data by implementing technical and organizational measures in accordance with risks derived from processing activities and in compliance with applicable data protection legislation.
  • Continuously monitor the information security management system, identifying inefficiencies, and implementing continuous improvement actions.

Guiding Principles

Strategic Scope

Information security must have the commitment and support of all levels of the organization. It must be coordinated and integrated coherently with the rest of the company’s strategic initiatives.

Comprehensive Security

Security shall be understood as a holistic process comprising all technical, human, material, and organizational elements related to information systems, avoiding isolated or temporary actions. Information security must be considered part of daily operations and applied from the initial design stage of ICT systems.

Risk-Based Security Management

Security management shall be based on identified risks, maintaining a controlled environment that minimizes risks to acceptable levels.
Security measures will be established according to the risks affecting information and its systems, being proportionate and justified. Identified risks in the processing of personal data will also be considered.

Prevention, Detection, Response, and Preservation

The organization shall implement preventive actions to avoid incidents, minimize detected vulnerabilities, and prevent threats from materializing. When incidents do occur, Celering will respond swiftly to restore information and services while ensuring secure data preservation.

Defense-in-Depth

The entity’s security strategy shall be designed and implemented in multiple layers of defense, providing redundancy and resilience across the organization.

Continuous Monitoring and Periodic Reevaluation

Celering shall implement mechanisms for detecting and responding to anomalous activities or behaviors, as well as tools that enable ongoing evaluation of the security status of assets.
A continuous improvement process shall be in place to periodically review and update security measures in accordance with their effectiveness and with the evolution of risks and protection systems.

Security by Design and by Default

Systems must be designed and configured to guarantee security by default.
They will provide only the minimum functionality necessary to deliver the intended service.

Segregation of Duties

In accordance with this principle, the functions of the Information Security Officer and the System Owner must be clearly differentiated and independent.

Legal and Regulatory Framework

The Celering Group operates under various regulatory frameworks, including commercial law, contractual law, tax regulations (A.E.A.T.), social security, civil and criminal codes, consulting regulations, the Workers’ Statute, collective bargaining agreements, and the specific regulations governing travel agencies and transportation services, among others.

In the area of cybersecurity, special attention is paid to the following regulations:

  • Royal Decree 311/2022, of May 3, regulating the National Security Framework (Esquema Nacional de Seguridad – ENS).
  • Organic Law 3/2018, of December 5, on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD), and EU Regulation 2016/679 (GDPR).
  • Regulation (EU) 2022/2065, of the European Parliament and of the Council, of October 19, 2022, on a Single Market for Digital Services (Digital Services Act – DSA).
  • Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI).
  • Directive (EU) 2022/2555, of December 14, 2022, concerning measures to ensure a high common level of cybersecurity across the Union (NIS2 Directive), whose transposition into Spanish law is pending.

Transport and Mobility Legislation

  • Law 16/1987, on the Organization of Land Transport (LOTT) – applicable to fleet management or subcontracted transport services.
  • Royal Decree 1211/1990, implementing regulations of the LOTT.

Regional Legislation (Autonomous Community of Madrid)

  • Law 1/1999, on the Organization of Tourism in Madrid.

Labor and Occupational Transport Regulations

  • For transport services provided to employees (e.g., company routes), the Law on the Prevention of Occupational Risks (Law 31/1995) and regulations on private collective transport may apply.

Labor-Related Regulations

  • Workers’ Statute: regarding labor conditions, working time registration, and rest periods.
  • Collective Bargaining Agreements applicable to the transport sector (when relevant to drivers).
  • Law 31/1995, on Occupational Risk Prevention, with special attention to activities involving regular driving.

These specific regulations are reflected in this general policy, as well as in internal standards and mandatory training programs, which form part of Celering’s employee onboarding process.

Within Celering, there are specialized internal roles (described later in this policy) responsible for monitoring, interpreting, and updating applicable regulations.

Additionally, Celering maintains a centralized legal information repository, updated and accessible to all company personnel, known as “Compliance”, which contains current legislation and corporate governance materials.

Roles, Security Functions, and Governance Structure

Within Celering, responsibility for information security lies with the Chief Information Security Officer (CISO), who reports directly to the CEO and is supported by the Cybersecurity Committee, established on January 1, 2024.

The Committee acts as an advisory and coordination body for cybersecurity matters. It is composed of the following members:

  • Chief Information Officer (CIO) – Head of internal infrastructure
  • Chief Operating Officer (COO) – Head of operations
  • Chief Data Officer (CDO) – Head of data management and governance
  • Chief Technology Officer (CTO) – Head of technology and development
  • Data Protection Officer (DPO) – Data protection delegate and advisor

A Cybersecurity Committee Membership Agreement outlines the rights and responsibilities of each member and must be signed upon their appointment.

The Committee’s activity is recorded in official meeting minutes, including the attendees, topics discussed, decisions adopted, and actions to be taken. Membership changes are also recorded.

Decisions are made based on the “unanimity minus one” principle, meaning that initiatives may proceed as long as there is no more than one dissenting vote. Any disagreement must be noted in the minutes, identifying the dissenting member and, if desired, their reasoning.

Each significant decision made by the Cybersecurity Committee must then be submitted to the Executive Management Committee for approval prior to implementation.
The DPO acts solely in an advisory capacity and does not hold voting rights, as voting could conflict with the independence required for their role.

Chief Information Security Officer (CISO)

The CISO is a trusted position appointed by Celering’s Executive Committee. This role requires technical expertise, management capability, and an in-depth understanding of the organization.

The CISO is responsible for ensuring compliance with all mandatory information security regulations and for implementing the policies necessary to maintain such compliance.
The CISO position must have long-term continuity and organizational knowledge. Performance is evaluated based on cybersecurity milestones achieved, aligned with Celering’s strategic goals, including:

  • Design and implementation of Celering’s first Cybersecurity Plan.
  • Compliance with the National Security Framework (ENS).
  • Alignment with ISO/IEC 27001 standards.
  • Achievement of ISO/IEC 27001 certification.

Data Protection Officer (DPO)

The DPO acts independently under the General Data Protection Regulation (GDPR).
Their functions include informing, advising, supervising compliance, training staff, and mediating between Celering and the Spanish Data Protection Agency (AEPD).
The DPO must be officially registered with the AEPD, and receives continuous legal counsel to stay updated on regulatory developments.

Chief Information Officer (CIO)

The CIO is responsible for the implementation and management of the company’s information infrastructure and workstations, as well as for the corresponding cybersecurity measures.
Their role is critical to the Committee’s decision-making process, requiring close coordination with the CISO to ensure operational continuity and compliance.

Chief Operating Officer (COO)

The COO oversees the implementation of Celering’s SaaS systems for clients.
Each deployment presents unique cybersecurity challenges that must be analyzed in coordination with the Committee, ensuring that external integrations meet Celering’s internal security standards.

Chief Data Officer (CDO)

The CDO is responsible for data engineering, governance, and utilization.
Given the sensitivity and strategic value of data, this role involves substantial cybersecurity risks and overlaps with the CISO’s and DPO’s domains, requiring high coordination and joint oversight.

Chief Technology Officer (CTO)

The CTO leads the software development team, overseeing design, architecture, and implementation activities that are central to Celering’s cybersecurity reputation.
Because their work affects both internal systems and client-facing environments, the CTO’s role is key within the Cybersecurity Committee, balancing innovation with strict compliance and risk control.

Processing of Personal Data

Celering processes personal data as described in its Record of Processing Activities (ROPA).
The company must assess all risks related to the personal data it processes, and establish an action plan to correct any risks exceeding the authorized threshold.

The risk analysis shall be periodically reassessed, under the supervision and advice of the Data Protection Officer (DPO), and whenever high-risk processing activities are detected.
In such cases, Celering shall conduct a Data Protection Impact Assessment (DPIA).

The implementation of the risk treatment plan will be coordinated with the National Security Framework (ENS) and aligned with all other information security procedures and standards, especially those related to service provider oversight, incident management, and personal data breach response.

Risk Management

All systems covered by this Policy must undergo a risk analysis, evaluating the threats and vulnerabilities to which they are exposed. This analysis must be repeated:

  • Regularly, at least once per year.
  • When there are changes in the information handled.
  • When there are changes in the services provided.
  • When a major security incident occurs.
  • When serious vulnerabilities are reported.
  • When there are changes in the data protection risk analysis or in impact assessments.

To ensure consistency, the Information Security Committee shall establish reference valuation criteria for the different types of information handled and services provided.

The Committee will also facilitate the availability of resources to meet the security needs of the various systems, and promote horizontal investments when necessary.

Risks related to data protection will always be taken into account, incorporating the DPO’s opinion, and coordinating all risk treatment plans accordingly.

Obligations of Personnel

All members of Celering are required to understand and comply with this Information Security Policy and with any additional standards, procedures, or guidelines derived from it.
It is the responsibility of the Information Security Committee and the Human Resources department to ensure that the necessary means are provided for this information to reach all affected personnel.

All Celering employees must attend an information security awareness session at least once per year.
A continuous awareness program will be implemented to reach all staff members, particularly new hires.

Individuals with responsibilities in the use, operation, or administration of ICT systems shall receive specific training to ensure the secure management of such systems, proportionate to their responsibilities.
This training is mandatory before assuming any such responsibility — whether it is a first assignment, a role change, or a reassignment of duties.

Third Parties

When Celering provides services to other entities or handles their information, those entities will be made aware of this Information Security Policy, without prejudice to data protection obligations when acting as a data processor.
Appropriate reporting and coordination channels will be established between the respective Security Committees, including incident response procedures.
The Information Security Officer (or their delegate) shall act as the Point of Contact (POC) for such interactions.

When Celering uses third-party services or transfers information to third parties, they shall also be informed of this Policy and of any security standards applicable to the relevant services or data.
During the procurement process, service providers are required to comply with the National Security Framework (ENS).

For cloud services or cloud-based assets, Celering shall ensure that security requirements conform to the ENS Annex II measures and relevant development guidelines.

Third parties are subject to the obligations set out in this Policy and may develop their own operational procedures to meet these obligations. Celering reserves the right to supervise compliance, request evidence, or conduct second- or third-party audits.

Specific reporting and resolution procedures will be established for incidents involving third parties, coordinated through the third party’s POC and, where personal data is affected, with the involvement of the DPO.

Third parties must also ensure that their personnel are properly trained and aware of security practices, at least to the same level established in this Policy or as contractually required.

If a third party cannot meet a specific requirement of this Policy, the Information Security Officer must issue a risk report describing the identified risks and the proposed mitigation measures.
This report must be approved by the information and service owners before the contract award or procurement process continues.
The final authorization shall rest with the company representative who assumes responsibility for the identified risks.

When the organization acquires, develops, or implements an Artificial Intelligence (AI) system, in addition to complying with the applicable legislation, it must obtain a report from the Information Security Officer, who will consult with the Information Owner, Service Owner, and, where appropriate, the System Owner.
The DPO must also issue an opinion as part of this process.

Structure, Management, and Access to Security Documentation

Celering maintains a cybersecurity information repository containing all related documents, organized hierarchically to ensure that each company user has access only to the information necessary for their role.

The CISO is responsible for coordinating the preparation of documentation, while the Cybersecurity Committee is responsible for approving content of strategic relevance.

Celering’s security documentation is structured as follows:

  1. General Cybersecurity Policy (this document).
  2. Legal and Regulatory Framework.
  3. Internal Cybersecurity Regulations, including:
    • Policies
    • Standards
    • Procedures

The security regulations define the rules governing the use of Celering’s systems and information.
They clearly specify prohibited behaviors and the consequences of non-compliance.
Different regulations exist depending on the data access profiles: administrator, owner, and user.

  4. Technical Cybersecurity Guides
    These are informative technical documents intended to guide or update practices for system implementation.
  5. Cybersecurity Communication Channels
    A public internal channel provides updates and general information on cybersecurity matters.
    Its dual objective is to promote awareness and informal learning across the organization.

Information Classification within Celering

All information processed through Celering’s systems is classified according to the following categories:

  • Public Information:
    Includes all documents that Celering has expressly made public and that can be accessed by anyone, whether or not they belong to Celering.
  • Private Information:
    Any internal corporate document that has not been explicitly published.
  • Confidential Information:
    Sensitive documents whose access is restricted to certain internal groups. These must be labeled as “Confidential”.
  • Top-Secret Information:
    Documents containing highly sensitive information with very restricted access, classified as such by the Executive Management Committee.

Classification Hierarchy

  • The Executive Management Committee is the ultimate authority responsible for classifying information and may do so at its discretion.
  • Each Department Director is responsible for the information managed by their team, determining its classification, labeling, and diligent protection.
  • Every authorized user is responsible for protecting the information to which they have legitimate access.
  • Any user (internal or external) who gains access to Celering’s information, whether authorized or not, must safeguard it and immediately notify the Cybersecurity Department upon detecting any incident or anomaly.

Access to Information

Information classified as Private, Confidential, or Top Secret MUST NOT be transmitted by any external means.
It must be shared exclusively through Celering’s internal systems, via:

  • A Celering corporate account, or
  • A Celering guest account (for external collaborators).

Celering’s information environment is organized into access blocks, which can be granted individually to internal or external users based on two primary principles:

  1. Principle of Least Privilege:
    Access is provided only to the minimum information necessary for each user’s role, at any given time.
  2. Role-Based Access Control (RBAC):
    Access roles are predefined according to each type of activity, ensuring granular control over access permissions and maintaining an auditable structure.

Responsibility

The Department Director responsible for the information determines which users may access corporate or confidential data under their supervision.
For Top-Secret information, authorization must be requested from the Executive Management Committee; in exceptional cases, the General Director may grant access under their direct responsibility.

Security Incident Management

The objective of Security Incident Management is to detect, respond to, contain, and recover from any events that may compromise the confidentiality, integrity, or availability of Celering’s information assets—minimizing impact and preventing recurrence.

In compliance with the National Security Framework (ENS, Article 13 and Annex II), this Policy establishes a structured framework for the identification, classification, reporting, and resolution of incidents, ensuring a coordinated and timely response among designated personnel.
It is also aligned with international standards such as ISO/IEC 27035 and the guidelines of CERTSI (Security and Industry Incident Response Team) to guarantee the resilience of systems and services.

Fundamental Principles

  1. Proactive Preparation:
    Maintain clearly defined procedures, resources, and roles (e.g., Incident Response Team).
  2. Early Detection:
    Monitor events through technical tools and reporting mechanisms to identify anomalies in real time.
  3. Effective Containment:
    Limit the scope and duration of incidents to reduce damage and maintain service continuity.
  4. Continuous Improvement:
    Document lessons learned and update controls to strengthen the security posture.

This Policy applies to all personnel, suppliers, and third parties with access to Celering’s information systems covered by the ENS.
The Executive Management is responsible for ensuring full compliance.

Classification of Security Incidents

  • Critical:
    • Compromise of critical systems (e.g., essential infrastructure).
    • Massive loss of confidential data (GDPR/ENS breach).
    • Prolonged interruption of essential services.
  • High:
    • Unauthorized access to systems containing sensitive data.
    • Denial-of-Service (DoS) attacks affecting operations.
  • Medium:
    • Incidents with limited impact (e.g., isolated malware infections).
    • Exploited vulnerabilities without immediate consequences.
  • Low:
    • Failed access attempts without impact.
    • False positives or minor security alerts.

In the event of an incident, coordination will be led by the Chief Information Security Officer (CISO).

Password Management Policy

Celering establishes the following guidelines for password management applicable to all personnel:

1. Individual and Confidential Use

Authentication credentials—especially passwords—are personal and non-transferable.
Users are responsible for their custody and proper use.
Passwords must never be shared, disclosed, or stored in insecure locations.

2. Minimum Strength Requirements

Passwords must meet the following criteria:

  • Minimum length: 10 characters.
  • Include at least three of the following: uppercase letters, lowercase letters, numbers, and symbols.
  • Must not contain personal data (e.g., name, ID, date of birth).
  • Must not appear in known databases of compromised passwords.

3. Change Frequency and Expiration

  • Passwords must be changed every 180 days, or sooner if a compromise is suspected.
  • Reuse of the last five passwords is strictly prohibited.
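The following checker is an added illustration of how sections 2 and 3 above can be enforced at the point where a password is set; it is not Celering's own code. The compromised-password set, the user profile fields and the PBKDF2 storage of the history are assumptions made for the example.

```python
"""Password-policy checker for the rules stated in this policy: length >= 10,
at least three of four character classes, no personal data, not in a
compromised-password list, and no reuse of the last five passwords.
Added example; breach list and profile layout are constructed assumptions."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

MIN_LENGTH = 10        # policy: minimum 10 characters
MIN_CLASSES = 3        # policy: at least three of four character classes
HISTORY_DEPTH = 5      # policy: the last five passwords may not be reused
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for a compromised-password feed (e.g. a locally
# mirrored breach corpus); a real deployment consults an up-to-date source.
COMPROMISED = {"password123", "qwertyuiop", "celering2024!"}


@dataclass
class UserProfile:
    """Personal data the policy forbids inside a password (assumed fields)."""
    name: str
    surname: str
    national_id: str
    birth_date: str                                  # ISO format YYYY-MM-DD
    history: list = field(default_factory=list)      # [(salt, digest), ...] newest last


def _char_classes(password: str) -> int:
    """Count how many of the upper, lower, digit and symbol classes are present."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def _personal_tokens(profile: UserProfile) -> set[str]:
    """Strings a password must not contain: name, ID and common date layouts."""
    year, month, day = profile.birth_date.split("-")
    tokens = {profile.name, profile.surname, profile.national_id,
              year, day + month + year, day + month + year[2:], year + month + day}
    return {t.casefold() for t in tokens if len(t) >= 3}


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the history never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _was_used_recently(password: str, profile: UserProfile) -> bool:
    recent = profile.history[-HISTORY_DEPTH:]
    return any(hmac.compare_digest(_hash(password, salt), digest)
               for salt, digest in recent)


def check_password(password: str, profile: UserProfile) -> list[str]:
    """Return the policy rules a candidate violates (empty list = compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length")
    if _char_classes(password) < MIN_CLASSES:
        violations.append("complexity")
    folded = password.casefold()
    if any(tok in folded for tok in _personal_tokens(profile)):
        violations.append("personal_data")
    if password in COMPROMISED:
        violations.append("compromised")
    if _was_used_recently(password, profile):
        violations.append("reused")
    return violations


def register_password(password: str, profile: UserProfile) -> bool:
    """Accept a compliant password into the user's history; reject otherwise."""
    if check_password(password, profile):
        return False
    salt = secrets.token_bytes(16)
    profile.history.append((salt, _hash(password, salt)))
    del profile.history[:-HISTORY_DEPTH]   # keep only the last five entries
    return True
```

The 180-day expiry is a scheduling concern handled by the identity provider rather than by this checker.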

4. Protection Against Unauthorized Attempts

  • User accounts will be automatically locked after a maximum number of consecutive failed login attempts.
  • Unlocking requires authorization by designated personnel and must be logged as a security event.

5. Multi-Factor Authentication (MFA)

All access to corporate systems, critical applications, or data classified as medium or high sensitivity must use multi-factor authentication (MFA).
This includes:

  • A password or secret (first factor), and
  • A physical or biometric second factor (e.g., token, smartphone app, FIDO2 key, or biometric method).

Each second factor (e.g., mobile device or hardware key) is individually assigned and registered.
Loss, theft, or malfunction must be immediately reported to the Cybersecurity or IT Support Department for revocation and replacement.
Devices must be protected by PIN, biometric lock, or equivalent, and never shared or left unattended.

6. Access and Lockout Controls

  • After several consecutive failed attempts (thresholds vary by system criticality), access will be blocked automatically.
  • Any anomalous authentication attempt will be logged, reported, and, if necessary, treated as a security incident.

7. Training and Awareness

All personnel must receive training on secure password and authentication practices, in accordance with Article 15 of the ENS (Personnel Management) and Measure 26 (Awareness and Training).

Policy Approval and Entry into Force

Any modifications to this Policy that imply changes or adaptations in response to inefficiencies shall be made by the Information Security Committee, which must review the Policy annually.

If the proposed changes constitute substantial modifications—including alterations to principles, responsibilities, or designated roles—the Committee shall submit them for approval to the competent authority or governing body within the organization.

The replacement of this Policy shall be initiated by the Information Security Committee and formally ratified by the competent authority, after which the approved version will be duly communicated to all affected parties through the same channels used for its initial distribution.

This Policy was approved on May 25, 2025, by the Cybersecurity Committee.
It shall remain in force from the date of approval until it is replaced by a new Information Security Policy.

This Policy is officially ratified by the Chief Executive Officer,
José María Campos,
in Madrid, on June 25, 2025.
