Information Security Policy

Last updated: February 2026

1. Scope and purpose

Belzuz considers information, in particular information relating to clients, legal matters and professional communications, as well as the systems and means that support it, to be critical assets that must be adequately protected.

This Information Security Policy sets out the general principles and institutional commitments adopted by Belzuz in the field of information security, with the aim of protecting the confidentiality, integrity, availability and, where applicable, the privacy of information, while simultaneously ensuring compliance with the legislation and the deontological rules of the legal profession applicable in Spain and Portugal.

This policy is of an institutional and public nature and does not constitute a technical or operational manual, nor does it create specific rights or expectations for third parties.

2. Entities covered

This Policy applies to:

BELZUZ ABOGADOS, S.L.P., as a law firm incorporated under Spanish law;
BELZUZ ABOGADOS, S.L.P. – Portuguese Branch, as a law firm legally established in Portugal.

hereinafter jointly referred to as Belzuz.

This Policy also applies, as appropriate, to lawyers, staff members, trainees and service providers who, in the exercise of their duties, have access to information under Belzuz’s responsibility.

3. Information security principles

Belzuz’s approach to information security is based, in particular, on the following principles:

Confidentiality: information is accessible only to duly authorized persons, according to their roles and responsibilities;
Integrity: information must remain accurate, complete and protected against unauthorized or improper alterations;
Availability: information must be accessible to authorized users whenever necessary for the performance of professional activities;
Proportionality: the security measures adopted are appropriate to the nature of the information, the risks identified and the specific circumstances, avoiding excessive or inadequate solutions;
Professional responsibility: information security is an integral part of the duty of care, professional secrecy and the ethics of the legal profession.

4. Information covered

This Policy covers all information under Belzuz’s responsibility, regardless of its medium or format, including, in particular:

legal and procedural information;
personal data of clients, staff members, partners and third parties;
professional communications;
internal documentation;
information stored or processed through IT systems, digital platforms or other technological means.

5. Security measures

Belzuz adopts appropriate organizational and technical measures, in accordance with applicable best practices and the state of the art, aimed at protecting information against unauthorized access, loss, destruction, alteration or improper disclosure.

Such measures include, on a non-exhaustive and general basis:

control of access to information and systems;
responsible management of credentials and permissions;
protection of communications and the systems used;
safeguards to ensure business continuity;
procedures for responding to security incidents.

The specific measures are adapted to the context and may evolve over time, depending on risks, legal requirements and technological developments.

6. Personal data protection

Whenever information security involves the processing of personal data, Belzuz acts in accordance with Regulation (EU) 2016/679 (GDPR) and with the applicable national legislation in Spain and Portugal.

Additional information on the processing of personal data is available in Belzuz’s Privacy Policy.

7. Security incidents

Belzuz promotes a culture of responsibility and diligence in the identification and reporting of potential information security incidents.

Whenever an incident likely to affect the confidentiality, integrity or availability of information is identified, Belzuz acts in a proportionate and appropriate manner, with a view to mitigating risks and restoring security conditions.

8. Review and update

This Information Security Policy is reviewed periodically and whenever justified, taking into account the evolution of Belzuz’s activity, the legal and regulatory framework and information security threats.

The most up-to-date version of the policy is available on the Belzuz Website.