- +33 877 554 332
- wmconsultingcolom@gmail.com
PERSONAL DATA PROTECTION AND PROCESSING POLICY
WOODPECKER M.C S.A.S, with registered office in the city of Medellín, Antioquia, and in Seattle, Washington, hereinafter referred to as the COMPANY, in accordance with the provisions of current legislation on personal data protection, namely Article 15 of the Political Constitution of Colombia, Law 1266 of 2008, Law 1581 of 2012, Regulatory Decrees 1727 of 2009, 2952 of 2010, 1377 of 2013, Decree 886 of 2014, the regulatory compendium of Decree 1074 of 2015, and all those regulations that repeal, modify, or add to the aforementioned laws, articles, and decrees, it is permitted to inform the public, its customers or users, employees, shareholders, partners, collaborators, and suppliers of its POLICY ON THE PROTECTION AND PROCESSING OF
PERSONAL DATA.The objective of our Personal Data Protection and Processing Policy is to inform all data subjects of the processing that will be given to their personal data when it is made available to the COMPANY, as well as the purposes that will be established and implemented for such personal data processing. It also aims to identify the expedited procedures formalized herein for accessing information, any complaint and/or request related to the processing of personal data by the COMPANY as the data controller, always in accordance with legal and/or constitutional provisions and the right of all individuals to know, update, delete, dispose of, and rectify the information that has been collected about them on the COMPANY’s web platform when the customer or user visits and/or uses the website, hires employees, links shareholders or partners, and/or conducts commercial business with the COMPANY’s allies, collaborators, or suppliers. In the specific case of customers or users, when they visit or use the COMPANY’s website, regardless of whether or not they purchase the products and/or services offered by the COMPANY, they accept and authorize the processing and purposes set forth in this Personal Data Protection and Processing Policy.
Customers or users who do not agree with the terms and conditions stipulated in this document must refrain from using the COMPANY’s web platform.
Legal framework
The legal framework for this Personal Data Protection and Processing Policy is primarily determined by the Colombian Constitution, particularly Articles 15 and 20, which set out the right to information, freedoms, and guarantees for all citizens with regard to their personal data and their right to privacy.
The provisions of Statutory Law 1581 of 2012, which sets out general provisions for the protection of information and personal data, must also be taken into account. In the same vein are the regulatory provisions established by the National Government in Decrees 1377 of 2013, Decree 886 of 2014, and even the new regulatory compendium of Decree 1074 of May 26, 2015, as well as Regulatory Decrees 1727 of 2009, 2952 of 2010, and all those regulations that repeal, modify, or add to the aforementioned laws, articles, and decrees.
Purpose
This document contains the policy that determines the processing of personal data collected by the COMPANY and its employees in relation to the intended purposes for the personal data and sensitive information of each data subject. This information processing policy is duly adjusted to the provisions of Articles 17 and 18 of Law 1581 of 2012,
as well as the provisions of Articles 2.2.2.25.3.1, 2.2.2.25.3.2, and 2.2.2.25.3.3 of Decree 1074 of 2015.
Therefore, the purpose of this document and the regulations stipulated herein is to establish the parameters for the handling and intended purposes of the processing of personal data by the COMPANY and, in turn, all data subjects can have full knowledge of the processing and purposes given to their data once obtained by any of our departments or the COMPANY’s web platform, guaranteeing data subjects the exercise of the powers and rights derived from their status.
Definitions and concepts
• Authorization: Authorization is understood to be the prior, express, and informed consent provided by the owner of the information and personal data, which may be granted to the COMPANY so that it may carry out the purposes set forth in its Personal Data Protection and Processing Policy. This authorization is implicit for customers or users who use the COMPANY’s web platform.
• Privacy notice: This is understood to be the verbal or written communication generated by the data controller, addressed to the owner of the personal information and data, informing them of the existence of the Personal Data Protection and Processing Policy that will apply to them, how to access it, and the purposes for which the COMPANY intends to process their personal data and information.
• Database: This is the organized set of personal data that will be processed by the COMPANY, taking into account the provisions of the Personal Data Protection and Processing Policy.
• Sensitive data: Sensitive data should be understood as that established in Article 5 of Law 1581 of 2012, that is, data that affects the privacy of the data subjects or whose misuse may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or organizations that promote the interests of any political party or guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual and reproductive life, and biometric data.
• Personal data: This is understood to be any information linked or that can be associated with one or more specific or determinable natural persons.• Public data: Public data is understood to be data that is not enshrined in the constitution, law, or jurisprudence as semi-private, private, or sensitive. In other words, public data includes, among other things, data relating to a person’s marital status, profession or trade, and status as a merchant or public servant, in general any data that can be obtained without reservation.
Public data may be contained, among other things, in public records, public documents, official gazettes and bulletins, as well as in duly enforced court rulings that are not subject to confidentiality by express legal provision.
• Semi-private data: Semi-private data should be understood as personal data that is known and of interest only to the data subject and a specific sector of people or society in general, but without being private, confidential, or public.
• Private data: Private data shall be understood to be personal data that, due to its confidential and intimate nature, is exclusive to the personal sphere of the data subject.
• Data processor: This shall be understood to be any natural or legal person, public or private, who, alone or in association with others, processes personal data on behalf of the COMPANY, which is the data controller.
• Data controller: This shall be understood to mean any natural or legal person, public or private, who, alone or in association with others, decides on the databases and/or the processing of the data. Taking into account this Personal Data Protection and Processing Policy, the data controller is the COMPANY.
• Data subject: This refers to any natural person whose personal data is processed in the databases managed and administered by the COMPANY.
• Processing: This refers to any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion, carried out by the COMPANY in accordance with this Personal Data Protection and Processing Policy.
• Transfer: This refers to the transfer of data between the data controller and/or processor, located in Colombia, and a recipient who is responsible for processing the data in a manner different from that of the COMPANY and is located inside or outside the country.
• Transmission: Transmission is understood as a method of processing personal information and data that involves the communication of such information and data, either internally within the COMPANY or with external third parties, within or outside the territory of the Republic of Colombia, when the purpose is to carry out processing by the processor on behalf of and for the account of the controller, in order to fulfill the latter’s purposes. However, all transmission must be made with the authorization of the controller.
Guiding principles of the company’s personal data protection and processing policy.
• Principle of legality: The processing referred to in Law 1581 of 2012 is a regulated activity that must comply with the provisions of that law, Decree 1074 of 2016, and the other regulations mentioned in the legal framework, as well as any subsequent developments, modifications, or additions thereto.
• Principle of purpose: Processing must comply with one or more legitimate purposes in accordance with the Constitution, the Law, and case law, which must be communicated to the data subject.
• Principle of freedom: Processing may only be carried out with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves the need for express consent.
• Principle of accuracy or quality: The information subject to processing must be accurate, complete, exact, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.
• Principle of transparency: In the processing of personal data, the COMPANY must guarantee the data subject’s right to obtain, at any time and without restriction, information about the existence of data that belongs to or identifies them.• Principle of Restricted Access and Circulation: Processing is subject to the limits derived from the nature of the personal data, the provisions of the law, case law, and the Constitution. In this regard, processing may only be carried out by persons authorized by the data subject and/or by the persons provided for in the law.
Personal data, except for public data, may not be available on the Internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to the owners or third parties authorized in accordance with the law, jurisprudence, the Constitution, or that are within the scope of the consent granted by the owner.
• Principle of security: Information subject to processing by the COMPANY must be handled with the technical, human, and administrative measures necessary to ensure the security of the records, preventing their adulteration, loss, consultation, unauthorized or fraudulent use or access.
• Principle of confidentiality: All persons involved in the processing of personal data that is not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks involved in the processing has ended, and may only supply or communicate personal data when this corresponds to the performance of activities authorized by law and under the terms thereof.
Database of employees and job applicants:
1. To establish and manage the recruitment, selection, and hiring process carried out by the COMPANY.
2. Incorporate their personal data into the employment contract, as well as into any other documents that may be necessary to manage the employment relationship and the obligations arising therefrom that are the responsibility of the COMPANY in its capacity as DATA CONTROLLER and employer.
3. Develop the proper management of the employment relationship between the data subject and the COMPANY.
4. To send communications to employees that may or may not be related to their employment relationship.
5. To manage personal data so that the COMPANY, as employer, can correctly fulfill its obligations.
6. Manage the personal data of the owner and their family members in order to carry out affiliation procedures
with health care providers (EPS), family compensation funds, occupational risk administrators (ARL), and others necessary for the COMPANY to fulfill its duty as an employer.
Supplier database
1. Accounting, tax, and administrative management of supplier information, including collections and payments.
2. Develop proper management of the contractual relationship that binds them to the COMPANY, allowing for the collection, recording, and updating of their personal data for the purpose of informing, communicating, organizing, controlling, attending to, and accrediting activities related to their status as a supplier and/or contractor of the COMPANY.
3. Managing data to carry out the processes of paying invoices and collection accounts submitted to
the COMPANY and other actions for which it is responsible.
4. Providing assistance and/or information of general and/or commercial interest to the COMPANY’s suppliers.
Customer or user database
1. Accounting, tax, and administrative management of customer or user information, as well as related billing.
2. Registering them as a customer of the COMPANY and updating their data in the COMPANY’s information systems.
3. Analyzing the financial risk associated with the customer or user.
4. Complying with and monitoring the obligations contracted by the customer or user with THE COMPANY in relation to the offering and marketing of products and/or services through the COMPANY’s web platform, through the application of E-Commerce.5. Report to databases, directly or through the supervisory and control authorities, processed or unprocessed data relating to: (i) compliance or non-compliance with their credit obligations or financial duties, (ii) their credit applications, personal data, as well as information on their commercial, financial, and general socioeconomic relationships that they have provided to the authorized authorities or that are recorded in public registers, public databases, or public documents.6. Manage the collection of financial obligations acquired by the customer with the COMPANY.
7. Send, by any physical or electronic means, known or unknown, commercial, marketing, and promotional information about the products manufactured by the COMPANY.8.
Collect, store, identify preference patterns, and manage information about the user’s device, the user’s personal identification, and the services with which they interact on the COMPANY’s web platform, as well as the information they provide, in order to establish marketing campaigns, promotion plans, sweepstakes, and/or verify the preferences of the customer or user in relation to the products and/or services offered by the COMPANY.
Rights of data subjects
In accordance with Article 8 of Statutory Law 1581 of 2012, which establishes the rights of data subjects, the COMPANY hereby guarantees, through this Personal Data Protection and Processing Policy, the exercise of the following rights of data subjects, among others:
• To request proof of the authorization granted to the COMPANY in its capacity as data controller and processor, except when expressly exempted as a requirement for processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.
• To be informed by the COMPANY, in its capacity as data controller and processor, upon request, regarding the use that has been made of their personal data.
• File complaints with the Superintendency of Industry and Commerce for violations of the provisions of the Personal Data Protection and Processing Policy, Law 1581 of 2012, and other regulations that modify, add to, or complement it, once the procedural requirements established in this Personal Data Protection and Processing Policy have been exhausted.
• Revoke the authorization and/or request the deletion of personal data when the COMPANY does not respect the constitutional and legal principles, rights, and guarantees in the processing of such data.
In any case, such revocation and/or deletion shall only proceed when the Superintendency of Industry and Commerce has determined that, in the course of its processing activities, the COMPANY has engaged in conduct contrary to Law 1581 of 2012 and the National Constitution of the Republic of Colombia.
• Revoke the authorization and/or request the deletion of personal data when, in the processing thereof, the COMPANY does not respect constitutional and legal principles, rights, and guarantees.
In any case, such revocation and/or deletion shall only proceed when the Superintendency of Industry and Commerce has determined that, in the course of its processing activities, the COMPANY has engaged in conduct contrary to Law 1581 of 2012 and the National Constitution of the Republic of Colombia.
Legitimacy for the exercise of data subjects’ rights
Taking into account the provisions of Article 2.2.2.25.4.1 of Single Regulatory Decree 1074 of 2015, the rights of the owners of personal data and information may be exercised by the following persons:
• By the respective owner, who must sufficiently prove their identity by the various means made available by the controller.
• By their successors, who must prove their status as such.
• By the representative and/or attorney-in-fact of the owner, upon proof of representation or power of attorney.
• By stipulation in favor of another or for another.
• In the event that the owner of the information is a minor, their rights may only be exercised by persons who are legally authorized to represent them.
Authorization of the owners of information and personal data
THE COMPANY hereby certifies that any activity involving the collection, storage, use, handling, updating, correction, deletion, and in general, any activity through which it is intended to obtain and/or process personal data and information owned by third parties, must be carried out with the prior, express, and free authorization of their respective owners.
By granting authorization for the collection and processing of personal information and data, it will be understood that the owner has read and approved this Personal Data Protection and Processing Policy or, failing that, that they have been previously informed through the privacy notice that it is stored in the company’s commercial books. For the purposes of becoming familiar with it, interested parties may request it through the contact channel, which is the email address ___________________________________, and it may be consulted at any time and by any person without any restrictions.
Likewise, by authorizing the storage, administration, collection, and processing of personal information and data, the owner declares that such data and information are true, complete, accurate, up-to-date, verifiable, understandable, and correspond to the current reality at the time they are provided.The COMPANY will make available to all owners of the personal information and data subject to processing the document by which they granted the respective authorization, for the sole purpose of allowing them to access it upon request in order to verify the means and date on which it was granted.
The authorization granted by the owner of the information may be in writing, either in a physical document, digital document, or magnetic media, as well as in audio files, online data storage technology platforms, or any other suitable means capable of proving the existence of the owner’s consent and authorization for the processing of their personal data. Law 1581 of 2012, in Article 10, establishes that the owner’s authorization shall not be necessary in the following cases:
1. Information required by a public or administrative entity in the exercise of its legal functions or by court order.
2. Data of a public nature.
3. Cases of medical or health emergencies.
4. Processing of information authorized by law for historical, statistical, or scientific purposes.
5. Data related to the civil registry of individuals.
In light of the provisions of Articles 8 and 9 of Law 1581 of 2012, the owners of the information or personal data may at any time request the deletion of their data and/or revoke the authorization granted to the COMPANY for its processing. In accordance with Article 2.2.2.25.2.8 of Single Regulatory Decree 1074 of 2015, the request for deletion of information and revocation of authorization shall not proceed when the owner of the information has a legal or contractual duty to remain in the database.
Once the request has been filed through the channels established in this Personal Data Protection and Processing Policy and the COMPANY has not responded or has not deleted the data of the claimant, the claimant shall be fully entitled to apply to the Superintendency of Industry and Commerce so that said entity, in exercise of its sanctioning and jurisdictional powers (Article 22 of Law 1581 of 2012), may order the COMPANY to delete and/or revoke the authorization requested by the data subject.
By virtue of the provisions of the first paragraph of Article 6 of Law 1581 of 2012, the processing of sensitive personal data is prohibited as a general rule. However, in accordance with subparagraph d) of the aforementioned provision, the processing of such data is permitted when it is done for the purposes for which it is intended, that is, when it is directly linked to a specific objective.
Procedure for resolving queries, requests, complaints, and claimsIn
accordance with the provisions of Law 1581 of 2012, Article 14, and the provisions of the previous section of this Personal Data Protection and Processing Policy, the COMPANY shall have a maximum period of TEN (10) business days from the day following its filing to respond to each and every one of the inquiries that have been filed by the owners or their successors through any of the means established in the previous section and for which there is proof. These inquiries must relate to or be aimed at consulting or learning about the personal information that is being processed by the COMPANY.
If it is not possible to respond to the inquiry within this period, the interested party will be informed, explaining the reasons for the delay and indicating the date on which their inquiry will be answered, which may not exceed five (5) business days after the expiration of the first period.
Secondly, in accordance with the provisions of Article 15 of Law 1581 of 2012, the COMPANY hereby informs all interested parties and owners of the data processed by it that, with regard to requests that are not related to a query of the information being processed or that constitute a claim relating to the correction, updating, or deletion, or when they report an alleged breach of any of the duties of this Personal Data Protection and Processing Policy or Law 1581 of 2012, the deadline for responding will be fifteen (15) business days, counted from the day following its filing.
In the event that it is not possible to respond to the complaint or request within the above-mentioned period, the COMPANY will inform the applicant of the reasons why it is not possible to respond and, as such, a response will be provided within an additional period of eight (8) business days following the expiration of the first period.
However, in cases where the complaint filed is incomplete, the interested party will be required to correct the deficiencies within five (5) business days following receipt of the complaint. If two (2) months have elapsed since the date of the request without the applicant submitting the required information, it will be understood that they have withdrawn the complaint.
If the person receiving the complaint is not the competent authority to resolve it, they shall forward it to the appropriate authority within a maximum of two (2) business days and inform the interested party of the situation.
All inquiries, requests, or complaints must contain at least the following information: the full name of the holder and their identification number, the full name of the applicant, their identification number and the capacity in which they are acting, a clear and concise indication of the request for knowledge and access to the information being processed, and finally, contact details (address, telephone number, cell phone number, and email address).
Email for personal data protection
In compliance with Law 1581 of 2012 and its regulatory decrees, the COMPANY has made available to all interested parties, as the most expeditious means of communication for all matters concerning this Personal Data Protection and Processing Policy and the legal system, wmconsultingcolom@gmail.com. Alternatively, inquiries, requests, complaints, or claims arising from the processing of personal information and data may be submitted to Calle 16 No. 41-210, Edificio La Compañía, Offices 703 and 704, in the city of Medellín. However, the procedure for using this means of communication is established in this Personal Data Protection and Processing Policy in the corresponding section.
Requirements for proceedingIn accordance
with the provisions of Article 16 of Law 1581 of 2012, its regulatory decrees, and the provisions of this Personal Data Protection and Processing Policy, the owners of the information and data processed, as well as their respective successors, agents, or representatives, are advised that the consultation, claim, petition, request, or complaint processed in accordance with the procedure established in this document constitute a procedural requirement for filing a complaint with the Superintendency of Industry and Commerce regarding an alleged violation of the rights of the owners of the information or personal data, and therefore said entity will not process complaints that are filed without exhausting the aforementioned preliminary stage.
Validity of the personal data protection and processing policy
This Personal Data Protection and Processing Policy shall be effective as of August 6, 2025, and shall remain in force indefinitely, meaning that its content is binding on the COMPANY, its users, instructors, and suppliers, as well as any external or internal third party involved in the processing of information and personal data.
The COMPANY reserves the right to make modifications, adjustments, and/or updates to the content of its Personal Data Processing Policy in any of its sections, including the purposes or terms of the processing of the data covered by this policy. However, such modifications will be notified to all data subjects whose data is being processed at that time.
What are cookies?
Cookies are files created by a website with a small data storage capacity that are transmitted between a sender and a receiver of such data. Cookies allow the receiver to store and retrieve information about users, especially regarding their preferences, number of visits to the website, time spent browsing the website, number of clicks made, preferred language, among other data that helps optimize the user experience and tailor it to their digital behavior.
The COMPANY uses session cookies, which expire after a short period of time or when the browser is closed, and persistent cookies, which remain stored in the browser for an indefinite period of time.If visitors to the COMPANY’s website leave a comment in any area of the site enabled for this purpose, they can choose to save their name, email address, and website in cookies.
This is for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If visitors to the COMPANY’s website have an account and log in to the site, a temporary cookie will be installed to determine whether the browser accepts cookies. This cookie does not contain any personal data and is deleted when the browser is closed.
When you log in, several cookies will also be set to save your login information and screen display options. Login cookies last for two days, and screen options cookies last for one year. If you select “Remember Me,” your login will last for two weeks. If you log out of your account, the login cookies will be deleted.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie does not include personal data and simply indicates the ID of the article you have just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g., videos, images, articles, etc.). Embedded content from other websites behaves in exactly the same way as if the visitor had visited the other website.
This website may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.
Embedded content from other websites
Articles on this site may include embedded content (e.g., videos, images, articles, etc.). Embedded content from other websites behaves in exactly the same way as if the visitor had visited the other website.
This website may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.
Who do we share your data with?
If you request a password reset, your IP address will be included in the reset email.
How long do we keep your data?
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically, rather than holding them in a moderation queue. For users who register on our website (if any), we also store the personal information they provide in their user profile. All users can view, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also view and edit that information.
What rights do you have over your data?
If you have an account or have left comments on this website, you can request to receive an export file of the personal data we hold about you, including any data you have provided to us. You can also request that we delete any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where do we send your data?
Visitor comments may be reviewed by an automated spam detection service.
What are your privacy options?
Users have a number of options for controlling or limiting how the COMPANY and its partners use cookies:
• Most browsers automatically accept cookies, but you can change your browser settings to refuse cookies by consulting your browser’s help articles. If you decide to refuse cookies, please note that you may not be able to log in, customize, or use some interactive features of the Services.
– Internet Explorer: Tools -> Internet Options -> Privacy -> Settings.
– Firefox: Tools -> Options -> Privacy -> History -> Custom Settings. For
more information, please refer to Mozilla Support or your browser’s Help section.
– Chrome: Settings -> Show advanced options -> Privacy -> Content settings.
For more information, please consult Google Support or your browser’s Help section.
– Safari: Preferences -> Security. For more information, please consult Apple Support or your
browser’s Help section.
• For general information on how to manage cookies and how to disable them, users can visit www.allaboutcookies.org.
ANTI-CORRUPTION COMPLIANCE POLICY WOODPECKER M.C. S.A.S.
1. Purpose
The purpose of this Anti-Corruption Compliance Policy is to establish the principles, guidelines, and responsibilities that will enable the prevention, detection, and punishment of any act of corruption, bribery, fraud, conflict of interest, or conduct contrary to business ethics within WOODPECKER M.C. S.A.S. This policy is a fundamental part of the company’s commitment to integrity, transparency, and regulatory compliance.
2. Scope
This policy applies to all WOODPECKER M.C. S.A.S. and WOODPECKER M.C. LLC employees, including staff, managers, contractors, consultants, suppliers, strategic partners, and any third party acting on behalf of or representing the company.
3. Principles of Conduct
WOODPECKER M.C. and its employees must act with honesty, respect for the law, and in accordance with the highest ethical standards. The following is prohibited:
• Using privileged information for personal gain or for the benefit of third parties.
• Exercising or accepting undue influence to obtain advantages in contracting,
negotiation, or selection processes.
• Participating in activities that generate conflicts of interest without proper disclosure and management.
• Providing, offering, or accepting payments, gifts, or favors that could be interpreted as bribes or acts of corruption.
4. Relationship with customers
WOODPECKER M.C. will not support or facilitate its customers in carrying out activities that contravene the law or are contrary to the ethical principles and values of the organization.
All business relationships must be guided by legality, transparency, and mutual respect.
5. Relationship with suppliers and contractors
Relationships with suppliers will be conducted in an ethical, objective, and transparent manner. Contracting decisions will be based exclusively on criteria such as quality, technical compliance, commercial conditions, delivery times, and experience. All negotiations must be conducted without favoritism or improper practices.
Relationship with suppliers and contractors
Relationships with suppliers shall be conducted in an ethical, objective, and transparent manner. Contracting decisions shall be based exclusively on criteria such as quality, technical compliance, commercial conditions, delivery times, and experience. All negotiations must be conducted without favoritism or improper practices.
Conflict of Interest Management
Employees must avoid situations in which their personal interests may interfere with their job responsibilities. In the event of a potential conflict, it must be reported immediately to the line manager for evaluation and management in accordance with internal procedures.
7. Retention of information and documents
WOODPECKER M.C. undertakes to retain and protect its documents and records in accordance with current legislation. It is expressly prohibited to alter, destroy, or conceal information for illegal or unethical purposes. All employees must be familiar with and comply with document filing and custody procedures.
8. SAGRILAFTWOODPECKER M.C. has adopted the Money Laundering, Terrorism Financing, and Proliferation Financing Risk Management System (SAGRILAFT) as part of its compliance system. This system seeks to prevent the company from being used as a means to commit these crimes, promoting compliance with applicable regulations and due diligence in its business relationships.
9. Commitment and responsibilities
The senior management of WOODPECKER M.C. leads and supports this policy, promoting a culture of compliance and zero tolerance for any conduct that is corrupt or contrary to corporate principles. Each member of the organization is responsible for knowing, complying with, and reporting any situation that contravenes this policy.
10. Reporting channel and confidentiality
WOODPECKER M.C. will have secure and confidential mechanisms in place for receiving reports related to acts of corruption, bribery, or unethical behavior. The company guarantees protection against retaliation for those who act in good faith.
GENERAL INFORMATION SECURITY POLICY
Introduction
WOODPECKER M.C. S.A.S. recognizes the importance of properly managing information. Therefore, it has committed to implementing, maintaining, and continuously improving an Information Security Management System (ISMS) based on the NTC ISO/IEC 27001 standard. This system seeks to establish a reliable environment for handling the information involved in its operations with customers and other stakeholders, in strict compliance with Colombian laws, as well as legal, contractual, regulatory, and information security requirements, in line with the organization’s strategic and security objectives.
For the Firm, protecting information means systematically identifying and managing risks that may affect the confidentiality, integrity, and availability of its IT assets, minimizing their impact or probability of occurrence, and applying control measures that allow them to be kept within the acceptable risk levels defined by the organization, in accordance with the expectations of its clients and other stakeholders.
The content of this policy, together with the other specific policies that act as ISMS controls, will be reviewed annually, incorporating the necessary changes to ensure the effectiveness, efficiency, and continuous improvement of the system.
Failure to comply with the provisions set forth in this policy, as well as other policies, procedures, guidelines, and directives related to information security, may result in disciplinary sanctions, in accordance with the provisions of the Colombian Substantive Labor Code, internal regulations, employment contracts, and other provisions, as managed by the Human Resources Department or its equivalent.
Main Objective
To establish the necessary guidelines to protect both the information of WOODPECKER M.C. S.A.S. and that received from its stakeholders, through adequate information security controls, considering legal, operational, technological, organizational, and security requirements.
These guidelines will be aligned with the strategic approach and risk management model, with the aim of ensuring the confidentiality, availability, and integrity of information.
Specific Objectives
• Manage risks until they fall within the acceptance levels defined by the
organization.
• Ensure full compliance with the policies and procedures established in the ISMS.
• Develop, maintain, and strengthen an information security awareness program
aimed at staff.
• Effectively manage the human, technological, and financial resources necessary to
design, execute, and verify a Business Continuity Plan (BCP).
• Establish treatment plans for information security risks that exceed
previously defined acceptance levels.
Scope
This information security policy applies to all WOODPECKER M.C. S.A.S. and WOODPECKER M.C. LLC, including their employees, contractors, suppliers, and third parties who have access to information classified as critical assets or requiring at least a basic level of protection. This information may be contained in documents, computing devices, technological systems, or communication media belonging to the Firm.
General Policies
WOODPECKER M.C. protects the information that is generated, used, or stored during the operation of its business processes, as well as its technological infrastructure and assets, against risks arising from access granted to third parties (such as customers or suppliers) or from the provision of outsourced internal services.
It protects itself against internal threats, safeguards its data processing facilities and the technological infrastructure that supports its critical processes, and controls the operation of its business activities, ensuring the protection of technological resources and data networks.
The organization is committed to continuously strengthening its security model through the proper management of security events and vulnerabilities present in information systems. WOODPECKER M.C. is also committed to ensuring the availability and continuity of its business processes, taking into account the potential impact of disruptive events, and ensures compliance with all applicable legal, regulatory, and contractual requirements.
Similarly, it is committed to effectively improving its security model through the proper management of security events and weaknesses associated with information systems.
WOODPECKER M.C. will comply with the availability of its business processes and the continuity of its operations, based on the impact that disruptive events may have, and will be committed to complying with established legal, regulatory, and contractual obligations.
Compliance
All persons covered by this policy are required to comply with it in its entirety. Ignorance or non-compliance with its provisions, as well as with policies, procedures, and other guidelines related to information security, may result in disciplinary measures, in accordance with the provisions of the Substantive Labor Code (Colombia), internal regulations, and employment contracts, and will be handled by the Human Resources Department or the corresponding department.