
Information Security Policy

1. Purpose

This Information Security Policy establishes the principles, responsibilities, and controls adopted by Baroque Bloodlines to protect its own information and that of its clients, collaborators, and business partners, ensuring the confidentiality, integrity, and availability of that information across all channels and platforms in which the company operates.

2. Scope

This policy applies to:

  • All information managed through the website baroquebloodlines.com
  • Digital communication channels: email, WhatsApp, and social media
  • Internal data storage and processing systems
  • Any individual accessing, processing, or managing information related to Baroque Bloodlines, including employees, partners, and technology providers

3. Reference Framework

  • Law 1581 of 2012 — Personal Data Protection Law (Colombia)
  • Law 1273 of 2009 — Cybercrime Law (Colombia)
  • Decree 1074 of 2015 — Unified Regulatory Decree for the Commerce, Industry and Tourism Sector (Colombia)
  • ISO/IEC 27001 — international standard for information security management systems (used as a best-practice reference)
  • OWASP Top 10 — reference list of the most critical web application security risks

4. Information Security Principles

  • Confidentiality: information is accessible only to authorized individuals with legitimate purpose.
  • Integrity: information remains accurate, complete, and protected against unauthorized modification.
  • Availability: systems and information are accessible when required for operations.
  • Traceability: actions performed on information can be audited when necessary.
  • Accountability: each individual handling Baroque Bloodlines information is responsible for its proper use and protection.

5. Information Classification

  • Public: information intended for open access (catalogs, website content, general information).
  • Internal: operational information not intended for external disclosure (business processes, negotiations, internal records).
  • Confidential: sensitive information requiring strict protection (customer data, financial data, agreements, genetic records).

6. Access Control

  • Access is granted only to authorized personnel
  • Least privilege principle is applied
  • Credentials are personal and non-transferable
  • Strong passwords are required, and two-factor authentication (2FA) is enabled on every platform that supports it
  • Third-party access is temporary and revoked after service completion

7. Website Security

  • TLS (HTTPS) encryption enabled for all data in transit
  • Regular updates of WordPress core, themes, and plugins
  • Security plugins for intrusion detection and brute-force login protection
  • Regular backups stored in secure locations separate from the web server
  • Administrator access restricted to named accounts and protected by the authentication controls in section 6

8. Password Management

  • Minimum 12-character strong passwords required
  • Password reuse across platforms is prohibited
  • Use of password managers is recommended
  • Passwords must be changed immediately if compromise is suspected
  • Passwords must not be shared over insecure channels (for example, in plain email or chat messages)

9. Acceptable Use of Digital Channels

  • Use only for legitimate business purposes
  • Do not share confidential information through unsecured means
  • Avoid opening suspicious links or attachments
  • Verify unusual requests for sensitive information before responding

10. Security Incident Management

  • Detection: identify and document the incident
  • Containment: limit impact by restricting access or isolating systems
  • Notification: inform responsible parties and, if applicable, authorities
  • Recovery: restore normal operations using backups or recovery tools
  • Post-analysis: identify root cause and implement corrective measures

Report incidents to: info@baroquebloodlines.com

11. Backups

  • Weekly automated backups of the website files and database
  • Storage in a secure environment separate from the production server
  • Periodic restore tests to verify backup integrity
  • Retention of at least the last 4 backup versions (about one month at the weekly cadence)

12. Third Parties

  • Must comply with this policy and applicable regulations
  • Must implement equivalent or higher security standards
  • Must report security incidents immediately
  • Must return or delete data upon contract termination

13. Responsibilities

  • Management: approve and ensure compliance with this policy
  • Employees and partners: follow established security practices
  • Systems/Web administrator: implement technical controls and manage incident response

14. Non-Compliance

  • Immediate revocation of system access
  • Disciplinary or contractual termination measures
  • Legal reporting under Cybercrime Law 1273 of 2009 when applicable

15. Review and Updates

This policy will be reviewed at least annually or whenever significant security events, technological changes, or legal updates occur. Updates will be published on baroquebloodlines.com with the effective date.

16. Effective Date

This Information Security Policy is effective as of April 25, 2026 and remains valid until replaced by a new version.

Contact: info@baroquebloodlines.com | WhatsApp: +57 (318) 4603207