
Information Security Policy

Softruck takes security very seriously!

1. Introduction

1.1 SOFTRUCK BRASIL SOFTWARE DEVELOPMENT LTD (“Softruck”), a private legal entity, registered under CNPJ No. 21,478,520/0001-84, headquartered at Rua Sergipe, No. 1492, Room 800, Savassi, CEP 30.130-174, in Belo Horizonte/MG, prioritizes the security, integrity, confidentiality, and authenticity of information, and therefore digitally endorses this instrument, as outlined below.

1.2 Through this instrument ("Information Security Policy" or "Policy"), Softruck directs the treatment of information from the perspective of Information Security, within the scope of its relationships.

1.3 Through this Policy, Softruck establishes a set of best practices with the following objectives:

(i) Ensure the privacy, confidentiality, authenticity, integrity, and availability of information throughout its lifecycle;

(ii) Guide behaviors for the best use of information protection resources and personal data processed by Softruck;

(iii) Establish guidelines for protection against unauthorized access, theft, unavailability, breach of confidentiality, fraud, loss, accidents, and other security threats or incidents;

(iv) Determine the responsibilities and limits of action of stakeholders regarding information security.

2. Target Audience

All Softruck stakeholders who may access and/or process information internally during their relationship with the company are responsible for knowing, reading, and understanding this Policy to ensure proper compliance with data protection, privacy, and information security laws.

3. Validity and Revision

This Policy comes into effect on the date of its publication and will remain in effect indefinitely, subject to revision at any time.

4. Glossary

Understanding this Policy depends on a clear and adequate understanding of certain expressions, whose definitions are provided below:

4.1 Personal Data: Personal data is any information that directly identifies a natural person or makes them identifiable.

4.2 Sensitive Personal Data: Sensitive personal data are more intimate data that, due to their nature, require stricter protection. They are data that relate to racial or ethnic origin, religious belief, political opinion, union membership, or organization of a religious, philosophical, or political nature, data related to health or sexual life, genetic or biometric data.

4.3 Information: A set of data, texts, images, methods, systems, in short, any form of representation with meaning, regardless of the medium in which it is or is conveyed (paper, computer memory, floppy disk, telephone line, etc.).

4.4 Information Security Incident: According to the guidance of the National Data Protection Authority (ANPD), an information security incident is any event that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to data, personal or not, processed, transmitted, or stored by Softruck. For the purposes of this Policy, an incident is any event that compromises or threatens the confidentiality, integrity, or availability of information, including but not limited to unauthorized access, improper use of Softruck's systems and/or equipment, external and/or internal attacks on systems, viruses, and information leaks.

4.5 Data Processing: According to the law, processing is any operation performed with personal data, such as those referring to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination, or extraction.

4.6 Data Protection Officer: Also known as the "DPO." According to the law, the DPO is the person appointed by the controller and operator to act as a communication channel between the controller, data subjects, and the National Data Protection Authority. Softruck appoints LIS Empreendedorismo (CNPJ No. 47,202,413/0001-12) as the Data Protection Officer, who should be contacted by email at privacy@softruck.com.

4.7 LGPD: The "General Data Protection Law" (or "Law No. 13,709/18") is the federal law that regulates the processing of personal data, including in digital media, by natural or legal persons, public or private, with the objective of protecting the fundamental rights of freedom and privacy and the free development of the natural person's personality.

4.8 Stakeholders: Individuals who, in one way or another, have some level of interest in the projects, activities, and results of a particular organization, including but not limited to employees, service providers, customers, business partners, suppliers, investors, managers, among others.

5. Principles

From the perspective of Information Security, the care with the data and information processed by Softruck is based on the following principles:

- Integrity: Ensure that information is accurate and complete throughout its lifecycle.
- Confidentiality: Ensure that only authorized persons have access to the information.
- Availability: Ensure that information is available whenever needed for those with access.
- Security: Use technical and administrative measures capable of protecting personal data from potential security incidents.
- Authenticity: The property that information was produced, sent, modified, or destroyed by a particular individual, system, body, or company; assurance that information can be trusted, with the possibility of tracing the authorship and origin of the information.

6. Guidelines for Stakeholders

6.1 Softruck has registered its processing operations of personal data and sensitive personal data and complies with the legal requirements to process them. No personal data or sensitive personal data may be processed improperly or without authorization, under penalty of liability for losses and damages and other applicable penalties.

6.2 All Softruck stakeholders must store information in a secure location, regardless of its format, to prevent it from being accessed, read, copied, lost, or stolen by unauthorized persons or by outsiders to Softruck.

6.3 The processing of personal data and sensitive personal data by Softruck is based on (i) respect for privacy; (ii) informational self-determination; (iii) freedom of expression, information, communication, and opinion; (iv) inviolability of intimacy, honor, and image; (v) economic, technological development, and innovation; (vi) free enterprise, free competition, and consumer protection; and (vii) human rights, the free development of personality, dignity, and exercise of citizenship by natural persons.

6.4 The use of personal equipment and personal mobile devices (such as: laptops, tablets, smartphones, etc.) for the exercise of activities related to Softruck must comply with the Information Security guidelines specified herein, without prejudice to those provided in other internal policies and others that may be determined by Softruck.

6.5 It is the responsibility of the stakeholder to use only licensed applications on their personal equipment and personal mobile devices.

6.6 Softruck respects the copyrights of the software used and does not authorize, nor does it consent to the use of unlicensed software on Softruck's equipment or on equipment used for the execution of activities related to the company.

6.7 Stakeholders must ensure that they will not take actions that may infringe on confidential information, copyrights, trademarks, licenses, or patents of third parties, nor of Softruck.

6.8 Any information owned by Softruck or made available by it should not be used for private purposes not agreed upon by the stakeholders.

6.9 Softruck recommends that stakeholder passwords always have a minimum of 8 (eight) alphanumeric characters, containing at least one uppercase letter and one special character.

6.10 Softruck also suggests that passwords be changed every 3 (three) months, and that passwords defined in the last 12 (twelve) months not be repeated.

6.11 Any file obtained from the internet or received from an entity external to Softruck must be checked by antivirus software.

6.12 Softruck suggests adopting good information security practices, such as: locking access to the computer whenever leaving the workstation, even if only for a few minutes; keeping desks organized and documents with confidential information locked or filed when not in use.

7. Use of Corporate Email

Softruck's email is intended for professional purposes related to the activities of the company's shareholders and stakeholders.

Therefore, for security purposes, it is not recommended or authorized to use corporate email for:

  • Opening and executing files from unknown sources;
  • Sending messages that make Softruck vulnerable to civil or criminal actions;
  • Sending messages with private announcements, advertisements, videos, photographs, music, chain-type messages, campaigns, or promotions;
  • Creating, sending, or disclosing messages that:
      - aim to gain unauthorized access to another computer, server, or network;
      - contain threats, such as spam, malware, phishing, etc.;
      - aim to bypass any security system, secretly monitor, or harass another user;
      - contain content considered improper, obscene, or illegal;
      - contain files with executable code (.exe, .cmd, .pif, .js, .hta, .scr, .cpl, .reg, .dll, .inf) or any other extension that poses a security risk;
      - are defamatory, degrading, infamous, offensive, violent, threatening, pornographic, among others;
      - aim to access confidential information without authorization from the owner;
      - contain copyrighted work without the permission of the rights holder.

8. Information Asset Management

All information managed by Softruck must be properly managed throughout its lifecycle to be available for access, protected from unauthorized access, and from accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination. Information assets must:

  • be inventoried and protected;
  • have their owners and managers identified;
  • have their threats, vulnerabilities, and interdependencies mapped out;
  • enter and leave Softruck's control only with authorization;
  • be capable of being monitored, and have their use investigated when there are indications of security breaches, through mechanisms that allow the use of these assets to be traced;
  • be regulated by specific procedural norms regarding their use;
  • be used strictly for their intended purpose, with their use prohibited for personal or third-party purposes.

9. Information Storage

Softruck keeps the information collected only for as long as necessary to fulfill the purposes of the respective processing.

Softruck reserves the right to retain personal information for as long as necessary to:

  • fulfill the purposes described in this Policy;
  • comply with deadlines determined or recommended by regulatory agencies, professional bodies, or associations;
  • comply with applicable laws, legal holds, and other legal obligations;
  • fulfill contractual obligations;
  • respond to requests; and
  • provide a defense in legal proceedings.

To determine the appropriate retention period for personal data, we consider the quantity, nature, and sensitivity of the personal data, the purpose of processing, and applicable legal requirements.

10. Access Control

Softruck has access controls and access hierarchy in place so that access to and use of information are limited to what is necessary, considering each user's duties.

Specific guidelines and procedures for logical and physical access controls should be established in complementary norms, considering the following general guidelines:

  • Access control should consider and respect the principle of least privilege when configuring user credentials or access accounts to Softruck's information assets.

  • Access to information should be authorized only for employees who need it for the performance of their professional activities.

  • Each employee should access only the information or systems previously authorized.

  • The credential (login and password) granted to an employee is for individual, non-transferable use and exclusive knowledge.

  • Account creation and administration will be carried out according to a specific procedure for every user. For users who do not perform network administration functions, the creation of a single institutional access account, personal and non-transferable, will be preferred. Accounts with an administrator profile will only be created for users registered for specific tasks in information asset administration.

  • Access to the corporate network must be traceable, allowing user identification for a minimum period to be defined in specific regulation.

  • Security practices should include physical access procedures to areas and facilities, access management, and security perimeter delineation.

  • The manager responsible for each item of information must determine its access authorizations, including those related to the enterprise management system, taking into account the appropriate confidentiality and access needs of each type of audience, in fulfillment of Softruck's strategic objectives.

  • Corporate resources provided, including email, should be used primarily for professional purposes. Any use must not violate applicable laws and regulations or Softruck's Code of Ethics and Conduct.

  • To ensure compliance with this policy, the use of corporate resources must be recorded and monitored by Softruck, and employees should not expect confidentiality in their use.

11. Implemented Security Measures

Softruck has tools and services aimed at promoting information security, which include the following tools:

  • Firewall;
  • AntiSpam;
  • Proxy Server;
  • Information Backup;
  • Password Policy;
  • Antivirus;
  • Access restriction levels per employee;
  • Identification and verification of unauthorized accesses;
  • Constant update of server operating systems;
  • Keeping technology tools and programming components up to date;
  • Internal Information Security Management Policy;
  • Employee guidance on virus prevention and other measures against unauthorized access;
  • Implementation of Crisis Management and Security Incident Response Plan.

The measures above do not constitute an exhaustive list, and Softruck is committed to adopting, whenever possible, additional security measures beyond those provided in this instrument to ensure the protection of the information and personal data processed.

12. Stakeholders

Anyone who has or will have access to Softruck's confidential information must be bound by a contract with explicit clauses of secrecy and confidentiality, and commit to following the privacy policies, data protection, and information security regulations.

13. Responsibility

Failure to comply with the guidelines established in this Policy subjects the infringer and those who collaborate with them to the sanctions provided in the contracts by which they are bound to Softruck, without prejudice to other administrative, civil, and criminal penalties provided by Brazilian law, and they will personally respond for any damages caused to Softruck or third parties.

At no time will any person be allowed to invoke ignorance of this Policy to justify violations or non-compliance.

14. Reference Documents

  • Law No. 13,709/2018 - LGPD (General Data Protection Law).
  • ISO/IEC 27001 and ABNT NBR ISO/IEC 27002 for information privacy management: requirements and guidelines.
  • Information Security Guidance Guide for small-scale processing agents, from the National Data Protection Authority.

15. Final Provisions

This Policy must be read and interpreted together with the applicable legislation and Softruck's other internal norms.

Stakeholders are aware that this document may be audited or altered by the Technology/Information Management and/or Information Security areas. This Policy is under the responsibility of the data protection officer and can be requested at any time.