1. Purpose
This Security Policy outlines the information security principles, practices, and commitments adopted by WarMind Labs, S.L. ("WarMind Labs") to protect the confidentiality, integrity, and availability of its systems, data, and intellectual property.
Given the nature of our work in cognitive AI applied to warfare, defense, and security (WDS), we apply a security-first approach across all aspects of our operations.
2. Scope
This policy applies to:
- All WarMind Labs employees, contractors, and consultants
- All systems, devices, networks, and environments managed or used by WarMind Labs
- All data processed, stored, or transmitted in connection with our operations
- Third parties with access to our systems or data under contractual agreements
3. Security Governance
- Security is governed at the executive level, with direct oversight by the founding team.
- A designated Security Officer is responsible for policy enforcement, incident management, and compliance.
- Security reviews are conducted periodically and in response to significant changes in operations or threat landscape.
4. Key Security Principles
4.1 Least Privilege
Access to systems, data, and resources is granted on a need-to-know and need-to-use basis.
4.2 Defense in Depth
We employ multiple layers of security controls across infrastructure, network, application, and data levels.
4.3 Continuous Monitoring
We monitor systems for anomalies, unauthorized access, and potential threats on an ongoing basis.
4.4 Secure by Design
Security is embedded into every phase of the software development lifecycle, from design through deployment, following a secure SDLC (SSDLC) approach.
5. Technical Controls
- Encryption: Data is encrypted in transit (TLS 1.2 or later) and at rest (AES-256 or an equivalent-strength cipher).
- Authentication: Multi-factor authentication (MFA) is required for all internal systems.
- Access Control: Role-based access control (RBAC) is enforced across all platforms.
- Endpoint Security: Company-managed devices are protected with endpoint detection and response (EDR) tools.
- Network Security: Firewalls, intrusion detection/prevention systems (IDS/IPS), and network segmentation are in place.
- Logging and Auditing: Security-relevant events are logged, stored securely, and reviewed regularly.
6. Data Classification
All data handled by WarMind Labs is classified into the following categories:
- Public: Intended for general distribution (e.g., website content).
- Internal: For internal use only (e.g., internal documentation, non-sensitive business data).
- Confidential: Sensitive business or technical information (e.g., trade secrets, proprietary algorithms, client data).
- Restricted: Subject to legal or regulatory controls (e.g., export-controlled technical data, classified information if applicable).
Handling, storage, and transmission procedures are defined for each classification level.
7. Incident Response
WarMind Labs maintains an Incident Response Plan (IRP) that covers:
- Detection and identification of security incidents
- Containment, eradication, and recovery procedures
- Internal and external notification (including, where applicable, GDPR personal data breach notification to the supervisory authority within 72 hours of becoming aware of the breach)
- Post-incident review and lessons learned
8. Personnel Security
- Background checks are performed for all employees and contractors with access to sensitive systems or data.
- All personnel receive security awareness training upon onboarding and periodically thereafter.
- Access is revoked immediately upon termination and reviewed and adjusted upon role change.
9. Third-Party Security
- Third-party vendors and partners are subject to security assessments before engagement.
- Data processing agreements (DPAs) are required for all processors handling personal or sensitive data.
- Ongoing monitoring and periodic reassessment of third-party compliance are conducted.
10. Physical Security
Our primary operations are conducted from Torre Juana OST Hub, Alicante, Spain. Physical security measures include:
- Access-controlled facilities
- Visitor management and logging
- Secure areas for sensitive operations
11. Compliance and Standards
WarMind Labs aligns its security practices with recognized frameworks and regulations, including:
- GDPR and LOPDGDD (data protection)
- ISO/IEC 27001 (information security management, alignment in progress)
- ENS (Esquema Nacional de Seguridad, Spain)
- EU Dual-Use Regulation (Regulation (EU) 2021/821) and applicable export control regimes
- NIST Cybersecurity Framework (reference)
12. Policy Review
This policy is reviewed at least annually and updated as necessary to reflect changes in our operations, threat environment, or regulatory requirements.
13. Contact
For security-related inquiries or to report a vulnerability, contact:
WarMind Labs, S.L. - Torre Juana, Alicante, Spain - Email: info@warmindlabs.com