Information Security Policy

  • Version: 1.1
  • Update date: November 21, 2025

Xmarts Group LLC, an international organization operating in Mexico, Latin America, the United States, and Canada, recognizes through its affiliated entity Comercializadora Odoo, S. de R.L. de C.V. that the protection of personal data and the security of information are critical elements for maintaining the trust of clients, employees, business partners, and other stakeholders. This commitment goes beyond technical compliance; it represents an ethical, legal, and strategic responsibility that permeates all levels of the organization.

This policy establishes the institutional guidelines intended to ensure the confidentiality, integrity, availability, traceability, and resilience of information, as well as the full protection of the rights of personal data subjects, in accordance with applicable legislation in each jurisdiction where Xmarts operates.

Likewise, this policy serves as the governing framework for the organization’s Information Security Management System (ISMS), implemented in accordance with ISO/IEC 27001:2022, the applicable Mexican legislation, including the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), and equivalent regulations in other countries.

Xmarts acknowledges that personal data and confidential information constitute strategic assets whose ethical, lawful, and secure handling is essential for business continuity, the prevention of incidents, and the development of commercial relationships based on transparency and proactive accountability.

Scope

This policy applies to all processes, systems, services, business units, employees, suppliers, contractors, strategic partners, and any third party that directly or indirectly participates in the processing, storage, transmission, use, access, or safeguarding of information generated, processed, or controlled by Xmarts Group LLC.

It also applies to the personal data of any identified or identifiable natural person processed by Xmarts in its capacity as controller, processor, or joint controller, regardless of whether such information is stored physically or digitally, within proprietary facilities or in third-party infrastructures, whether local or cloud-based.

Compliance with this policy is mandatory for all involved parties without exception. Its enforcement will be monitored by the ISMS Committee, the Executive Management, and the areas responsible for regulatory compliance.

Applicable Legal and Regulatory Framework

Xmarts Group is primarily governed by Mexican legislation related to personal data protection and information security, including:

  • Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP).
  • Its Regulations.
  • Privacy Notice Guidelines issued by the INAI.
  • Federal Criminal Code provisions regarding unlawful access or misuse of personal data or confidential information.
  • Federal Labor Law provisions related to employer obligations regarding employee privacy.

Given its regional and international presence, Xmarts Group also recognizes as binding or enforceable, to the extent applicable:

  • General Data Protection Regulation (GDPR) – European Union.
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) – United States.
  • Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada.
  • Lei Geral de Proteção de Dados (LGPD) – Brazil.
  • Law 1581 of 2012 – Colombia.
  • Law 25,326 – Argentina.
  • Law 19,628 – Chile.
  • Law 18,331 – Uruguay.
  • Organic Law on Personal Data Protection (2021) – Ecuador.
  • Law No. 29733 – Peru.
  • Law 172-13 – Dominican Republic.
  • Law 787 – Nicaragua.
  • Law 6534/2020 – Paraguay.
  • Regulations in Honduras, Guatemala, El Salvador, and Venezuela, insofar as they apply based on the residence of data subjects or the location of infrastructure.

In the event of conflicting regulations, the principle of higher protection for the data subject will apply, in accordance with the standards of proactive accountability and risk-based approach adopted by the organization.

Governing Principles for Personal Data Processing and Information Security

Xmarts Group LLC adopts, on a mandatory and cross-functional basis, the principles established in the LFPDPPP, GDPR, and other applicable international laws, recognizing that adherence to these principles is not only a legal obligation but also an essential condition for building trust, protecting fundamental rights, and preserving institutional reputation.

Lawfulness

All processing of personal data must be based on a valid legal ground recognized by law. The use of data obtained through deceptive, fraudulent, or unlawful means is strictly prohibited.

Consent

Processing requires the prior, informed, specific, and unambiguous consent of the data subject, except where an express legal exception applies. Consent may be granted verbally, in writing, electronically, or through unequivocal actions. Documentary evidence of consent must be retained.

Purpose Limitation

Personal data may only be processed for the purposes that are determined, explicit, and legitimate, and that have been communicated to the data subject through the relevant privacy notice. Any subsequent use for incompatible or unauthorized purposes is prohibited.

Proportionality and Data Minimization

Only the data that is strictly necessary, relevant, and adequate in relation to the intended purpose shall be collected. The request for excessive, irrelevant, or disproportionate information is not permitted.

Quality

Xmarts will ensure that all personal data is accurate, complete, and up to date. Mechanisms will be implemented to allow data subjects to request rectification or updates of their information whenever appropriate.

Security

Technical, organizational, administrative, and physical measures will be implemented to protect personal data and institutional information against damage, loss, alteration, or destruction, and against unauthorized use, access, or disclosure.

Transparency

Xmarts is committed to providing clear, accessible, and truthful information regarding the processing of personal data through privacy notices and other complementary mechanisms.

Proactive Accountability

The company adopts the principle of demonstrable responsibility, which requires the implementation of measures that enable continuous verification, auditing, and documentation of regulatory compliance.

Retention and Erasure

Personal data will be retained only for as long as necessary to fulfill the purposes of processing, in accordance with applicable legal or regulatory retention periods. Once the retention period has expired, data will be deleted or anonymized.

Information Security Governance and Responsibility Structure

The executive leadership of Xmarts has established a governance model designed to ensure leadership, resource allocation, accountability, and continuous improvement of the Information Security Management System (ISMS). This model is implemented through the ISMS Committee and formal responsibilities assigned across all organizational levels.

ISMS Committee

The ISMS Committee is the body responsible for designing, coordinating, supervising, and improving the organization’s information security strategy. It is responsible for ensuring regulatory compliance, monitoring risks, addressing incidents, and maintaining the validity of the ISO/IEC 27001:2022 certification.

Committee Composition

  • Chief Executive Officer
  • ISMS Manager
  • ISMS Compliance Officer (may be external)
  • Seven process leaders designated by Executive Management

Specific names and job titles are documented in an Internal Annex, updated as needed without modifying this policy, pursuant to document control and privacy requirements.

Committee Responsibilities

  • Approve and update this Information Security Policy
  • Coordinate ISMS-related actions within each process
  • Oversee implementation of the annual security plan
  • Participate in reviews, audits, and strategic decision-making
  • Ensure effective communication with operational areas and the data protection officer

Meetings and Decision-Making

  • The Committee will meet at least once per quarter.
  • All meetings must be documented (agenda, minutes, resolutions, responsible parties).
  • The presence of the CEO or their delegate and the ISMS Manager is required.
  • Decisions will be made by consensus; in the absence of consensus, by simple majority.
  • Extraordinary meetings may be convened in response to critical incidents or significant regulatory changes.

Executive Management

  • Ensure institutional commitment to information security
  • Approve resources for implementation and maintenance of the ISMS
  • Approve policies and strategic security plans
  • Review and validate ISMS performance annually

ISMS Manager

  • Coordinate the implementation and maintenance of the ISMS
  • Ensure compliance with ISO/IEC 27001:2022
  • Report results, progress, and risks to the Committee and Executive Management
  • Coordinate internal audits and improvement plans
  • Maintain system integrity amid organizational or technological changes

ISMS Compliance Officer

  • Monitor effective implementation of policies and controls
  • Oversee risks, incidents, and audits
  • Coordinate training and awareness activities
  • Represent Xmarts before external auditors or regulatory authorities
  • Maintain an updated inventory of data and processing activities

Process Leaders and Committee Members

  • Communicate this policy to personnel under their supervision
  • Comply with and enforce ISMS plans within their area
  • Propose improvements, risk mitigation actions, or control enhancements
  • Participate in reviews and internal audits
  • Ensure documents, assets, and access rights remain under continuous control

Information Security Risk Analysis and Management

Xmarts Group LLC adopts a preventive, risk-based approach as the guiding principle of its ISMS, consistent with ISO/IEC 27001:2022, ISO/IEC 27005:2022, and Article 18 of the LFPDPPP. This approach requires the systematic identification of risks that may affect the confidentiality, integrity, or availability of information, as well as the rights of personal data subjects.

Risk Analysis Methodology

Risk management is carried out in three stages:

Identification of Threats and Vulnerabilities

Events or conditions that may pose a threat to information assets or personal data are identified, including natural events, technical failures, human error, unauthorized access, cyberattacks, loss or misplacement of devices, among others.

Risk Evaluation

Each risk is evaluated based on its probability of occurrence (high, medium, or low) and potential impact (critical, significant, moderate, or minor). This evaluation enables the assignment of a risk level (low, medium, or high). A risk matrix is used in accordance with Xmarts’ institutional standard.

Risk Treatment

Identified risks are managed through one or more of the following actions:

  • Mitigation: Reducing the level of risk through controls
  • Transfer: Using insurance or contracts with third parties
  • Acceptance: When the risk is tolerable and documented
  • Elimination: Suspending or modifying the risky process

Controls and Monitoring

Appropriate controls (administrative, technical, or physical) are established for each risk, responsibilities are assigned, and mechanisms for continuous monitoring are implemented. The ISMS Committee reviews the risk map and its evolution every six months.

Security Measures for the Protection of Information

Xmarts has implemented a comprehensive set of security measures in accordance with Article 19 of the LFPDPPP, GDPR Article 32, LGPD Article 46, and Annex A of ISO/IEC 27001:2022. These measures are classified into administrative, technical, and physical controls.

Administrative Measures

  • Role-Based Access Controls: Access profiles are defined based on job functions and responsibilities.
  • Least Privilege Policy: Each user may only access the data strictly necessary for their role.
  • User Lifecycle Management: Onboarding, modifications, and terminations are formally managed and documented.
  • Periodic Training: All personnel receive mandatory annual training on data protection and security.
  • Document Control: Rules are established for creating, reviewing, approving, and storing internal documents.

Technical Measures

  • Multi-factor authentication (MFA) for accessing critical systems.
  • Encryption of data in transit using TLS (legacy SSL protocol versions are deprecated and must not be enabled) and at rest using AES-256 or an equivalent recognized standard.
  • Regular backups with integrity checks, following the 3-2-1 principle: at least three copies of the data, on two different storage media, with one copy kept off-site.
  • Monitoring and incident detection using EDR, SIEM tools, and log analysis.
  • Up-to-date antivirus and perimeter protection.
  • Automatic lockout of inactive sessions and robust password policies.

Physical Measures

  • Restricted access to sensitive areas using credentials or controlled locks.
  • Protection of physical documents in locked cabinets.
  • Secure destruction of outdated documents containing personal data (shredding, controlled disposal).
  • Video surveillance with proper signage and compliance with local legal requirements.

Incident and Security Breach Management

Xmarts has a formal procedure for managing security incidents, both internal and external, in accordance with ISO/IEC 27035 and Article 20 of the LFPDPPP.

Definitions

Security Incident: Any event that compromises, or threatens to compromise, the confidentiality, integrity, or availability of information.

Personal Data Security Breach: The loss, destruction, or alteration of personal data, or its unauthorized use, access, or disclosure, whether accidental or intentional.

Action Plan

Detection

All personnel are required to immediately report any anomaly to the ISMS Manager.

Classification and Analysis

Incidents are evaluated based on severity, affected assets, legal impact, and likelihood of recurrence.

Containment and Eradication

Immediate measures are applied to limit damage, such as isolating systems, revoking access, restoring backups, among others.

Notification to Data Subjects and Authorities

  • Mexico: Data subjects will be notified when their rights may be significantly affected.
  • European Union (GDPR): The supervisory authority must be notified within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals; affected individuals must be informed without undue delay when the risk to their rights is high.
  • Brazil (LGPD): Notification must be made to the ANPD within a reasonable timeframe.
  • Other jurisdictions: Actions will follow applicable legislation.

Follow-Up and Closure

Each incident will be documented, including all actions taken. Controls will be reviewed to prevent recurrence.

Rights of Personal Data Subjects

Xmarts recognizes and guarantees the full exercise of personal data protection rights for all individuals whose information it processes, whether employees, clients, suppliers, or any other identifiable natural person.

In Mexico, these rights are known as ARCO rights: Access, Rectification, Cancellation, and Opposition. In other jurisdictions, additional rights may apply, all of which are equally protected under this policy.

Rights in Mexico (LFPDPPP)

  • Access: To know what personal data Xmarts holds, the purposes of processing, the source of the data, and any transfers made.
  • Rectification: To request correction of inaccurate, incomplete, or outdated data.
  • Cancellation: To request deletion of data from records, except where legally restricted.
  • Opposition: To object to processing for legitimate reasons or when processing is not essential to the legal relationship.

The procedure for exercising these rights is provided in Xmarts’ comprehensive privacy notice. The company commits to responding within 20 business days and executing approved requests within the following 15 days, pursuant to Article 32 of the LFPDPPP.

Additional Rights in Other Jurisdictions

European Union (GDPR)

In addition to ARCO rights, data subjects may exercise rights to portability, erasure (right to be forgotten), restriction of processing, and automated decision-making objection.

Brazil (LGPD)

The LGPD grants rights comparable to those under the GDPR, including the right to information about the criteria used for processing and the right to withdraw consent.

Canada (PIPEDA)

Individuals have the right to access and correct their personal information and to file complaints with the Office of the Privacy Commissioner of Canada.

California (CPRA)

Consumers have the rights to access, delete, and correct their personal information, to opt out of its sale or sharing, and to be free from discrimination for exercising their privacy rights.

Xmarts ensures these rights are upheld regardless of the data subject’s country of residence, through secure and traceable electronic mechanisms.

Personal Data Transfers

Xmarts may carry out personal data transfers only when a lawful basis permits it and always ensuring that the recipient assumes the same obligations as the controller, in accordance with the legislation of the originating country.

National Transfers

National transfers require the data subject’s consent unless a legal exception applies (Article 37 of the LFPDPPP).

Such transfers are contractually documented through confidentiality clauses or data processing agreements.

International Transfers

Intra-group Transfers

Transfers between Xmarts Mexico and its subsidiaries in Latin America, Europe, and North America are carried out based on binding corporate rules, service-level agreements, and standard contractual clauses.

Transfers to Providers

When data is transferred to a provider located outside the country, the recipient must either reside in a jurisdiction with an adequate level of protection or sign a contract ensuring equivalent safeguards.

Cases Where Consent Is Not Required (LFPDPPP, Article 37)

Consent is not required when:

  • The transfer is provided for in a law or treaty.
  • Necessary for medical care or health services.
  • Conducted within the same corporate group.
  • Necessary to fulfill contractual obligations.
  • Requested by judicial or administrative authorities.

Xmarts maintains an updated record of all transfers performed, including documentary evidence of compliance with the principles described above.

Retention, Blocking, and Deletion of Personal Data

Personal data will be retained only for the necessary period required to meet the purpose for which it was collected. Once that purpose is fulfilled, and without prejudice to statutory retention obligations, Xmarts will proceed with the blocking and subsequent secure deletion of the information.

Blocking:

Suspension of access or active use of the data for a legal or contractual period.

Deletion:

Irreversible destruction of personal data so that it cannot be recovered or reconstructed.

Deletion methods include certified logical erasure, physical destruction, overwriting, anonymization, or any mechanism ensuring irreversibility.

Sanctions Regime

Failure to comply with this policy, with legal obligations, or with the directives of Executive Management or the ISMS Committee may result in internal, civil, administrative, or criminal sanctions, as described below.

Internal Sanctions

Xmarts collaborators who violate this policy may face:

  • Verbal or written warnings
  • Temporary suspension of duties
  • Termination of employment or contractual relationship for cause

These sanctions will be applied in accordance with the organization’s Code of Conduct and applicable labor laws in each country.

Legal Sanctions in Mexico

Under Articles 63 to 73 of the LFPDPPP:

Administrative Penalties

  • Warnings issued by the INAI
  • Fines ranging from 100 to 320,000 UMA for acts such as:
    • Maintaining inaccurate data without justification
    • Collecting data through deception
    • Transferring data without consent
    • Violating the duty of confidentiality

Criminal Penalties

  • 3 months to 3 years imprisonment for individuals who cause a breach for profit
  • 6 months to 5 years imprisonment for processing personal data through deceit, with the aim of obtaining an undue profit
  • Penalties are doubled if sensitive data is involved

Sanctions in Other Jurisdictions

  • European Union (GDPR): Fines up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher.
  • Brazil (LGPD): Fines up to 2% of the group's revenue in Brazil, capped at 50 million Brazilian reais per violation.
  • United States (CPRA): Class actions, monetary penalties, and processing prohibitions.
  • Canada (PIPEDA): Federal investigations, fines, and civil actions.

Xmarts will fully cooperate with data protection authorities in every country where it operates and will proactively respond to any requirement arising from an infraction or incident.