This policy aims to establish guidelines and controls to ensure the security of the information handled by GoLedger Tecnologia e Participações LTDA (“GoLedger”), ensuring the confidentiality, integrity, and availability of the data, especially personal and sensitive data, as provided by the General Data Protection Law (Law No. 13.709/2018 – LGPD).
This policy applies to all employees, partners, service providers, interns, and any person who, directly or indirectly, has access to information under GoLedger’s responsibility.
GoLedger observes the following principles when processing information:
The information under GoLedger’s responsibility is classified into three levels:
GoLedger is committed to handling personal data responsibly, securely, and in compliance with the General Data Protection Law (LGPD – Law No. 13.709/2018), adopting practices that ensure data subjects’ privacy and the integrity of the information.
The purpose of this section is to ensure that access to company information and systems is granted only to authorized individuals, with the minimum rights necessary to perform their functions.
Access to information assets will be granted based on the principle of least privilege and need-to-know.
All access must be identified, authenticated, and logged.
Only individuals and entities who require access will be granted such permission.
Each employee, service provider, or third party will have a unique user identifier.
Generic and shared accounts are prohibited, except in cases formally authorized by the information security department.
Processes for creating, modifying, and revoking access must be documented.
The use of strong passwords is mandatory, with at least 8 characters, combining uppercase letters, lowercase letters, numbers, and special characters.
Whenever possible, passwords should be changed periodically (e.g., every 90 days).
Whenever possible, multi-factor authentication (MFA) should be implemented for critical systems.
Access to critical systems must be reviewed periodically (e.g., every 6 months) to avoid undue privileges.
Access logs must be recorded and monitored.
Devices used for remote access must be up to date, protected with antivirus software, and follow the same security standards as corporate equipment.
Third parties (suppliers, partners, consultants) will only have access to company information with formal authorization and a confidentiality agreement.
Third-party access must be temporary and limited to the minimum necessary.
The access of any employee or third party must be immediately revoked in the event of termination, change of role, or end of contract.
Revocation must be documented and auditable.
The company must keep access logs for critical systems.
Improper use of access will be treated as a violation of the security policy and may result in disciplinary sanctions.
Access logs must be auditable and kept for at least 5 years.
GoLedger will always strive to establish rules and best practices for the use of personal devices (such as laptops, smartphones, and tablets) in work activities within the company, with the aim of preserving information security, the integrity of corporate systems, and the protection of personal and sensitive data processed by the organization.
The use of personal devices for professional purposes is allowed, provided it is expressly authorized by the Information Technology department.
All devices used must be properly updated with active and up-to-date operating systems and antivirus software.
Access to corporate systems, code repositories, SaaS platforms, and sensitive data should preferably be done through secure networks (VPN when applicable) and using multi-factor authentication (MFA).
The local storage of data classified as confidential, sensitive, or strategic on personal devices is prohibited, unless formally authorized and encrypted.
In the event of loss, theft, or compromise of a personal device, the employee must immediately notify the Information Security team to mitigate risks.
GoLedger reserves the right to restrict access from non-compliant devices or those that pose a risk to information security.
The use of personal devices is subject to internal audit policies and compliance with the LGPD and other applicable regulations.
The employee is responsible for ensuring their device complies with the policies and that its use for corporate purposes does not compromise the security of the organization or third parties.
The Technical and Security Board may provide technical guidance, support device configuration, and establish usage guidelines as necessary.
GoLedger adopts a formal process for storage and backup management with the aim of ensuring the availability, integrity, and recovery of the company’s critical information, even in cases of failure, attack, or disaster. This process is governed by the following guidelines:
The storage of data and systems may take place in a cloud or on-premises environment, depending on the infrastructure availability of GoLedger and the client.
All of the company’s critical systems, databases, and files are included in scheduled backup routines, with execution frequency based on data criticality and operational recovery needs.
Backup copies must be stored in secure locations, primarily using cloud storage services with encryption and restricted access control, ensuring protection against unauthorized access.
The effectiveness of backups must be verified through frequent restoration tests with documented records of test results, ensuring that data can be recovered when necessary.
Backups must follow a retention policy according to the nature of the data and legal obligations, with secure disposal after the defined period, using methods that ensure complete and irreversible data elimination.
GoLedger understands that information security is the responsibility of all employees. Therefore, a continuous training and awareness program will be maintained with the following objectives:
All GoLedger employees must participate in periodic training on:
Information security;
Running an information security awareness program;
Digital best practices in the use of corporate systems and resources;
Identification and response to security incidents;
Privacy and data protection (in accordance with the LGPD).
For this topic, training content must cover, at a minimum:
LGPD principles;
Rights of data subjects;
Legal bases for processing;
Best practices and conduct in the use of personal data;
Penalties and risks resulting from non-compliance.
Each new employee will receive an onboarding session before being granted access to systems and data.
Access to GoLedger systems, repositories, artifacts, and code will only be granted after the employee signs the GoLedger intellectual property and copyright agreement (Clause 10).
Refresher training will be conducted at least annually or whenever necessary.
The administration and finance department will be responsible for:
Assigning the training programs;
Recording and documenting participation in training sessions;
Evaluating knowledge retention to measure employees’ understanding of the data being processed.
GoLedger recognizes and values the protection of intellectual property and copyrights, both for its own assets and those belonging to its clients. This policy sets forth guidelines for the secure, ethical, and legal handling of such information.
All technical content, source code, algorithms, data models, documentation, training materials, trademarks, logos, and other assets created by GoLedger are considered intellectual property and protected under the company’s copyright.
These assets must be securely and properly stored, accessed, and handled. Their reproduction, distribution, or reuse is prohibited without the express authorization of company management.
GoLedger reserves all legal rights to these assets, including the ability to take administrative and legal action in case of violation.
Solutions, customizations, and technical deliverables developed for clients may contain information, code, or documents that constitute the client’s intellectual property or copyright.
GoLedger is fully committed to respecting all contractual terms, confidentiality agreements, and agreed ownership clauses.
Reusing, replicating, or distributing a client’s assets to another is not permitted unless formal written authorization is provided.
All employees, interns, and service providers must:
Sign the Confidentiality and Copyright Agreement;
Use information assets ethically and in accordance with legal regulations;
Report any misuse or suspected violation of these rights.
The use of third-party content (images, libraries, tools, etc.) in company projects must comply with applicable licenses and legal usage rights.
GoLedger may periodically audit the use of protected assets and apply administrative, civil, or criminal penalties in case of policy violations.
GoLedger maintains strict control over all information assets and equipment used in the company, aiming to ensure their security, traceability, and proper usage.
All assets relevant to information security, such as notebooks, desktops, mobile devices, servers, removable media, and systems, are identified, classified, and recorded in an inventory.
Each asset is linked to a specific department.
GoLedger maintains a centralized and updated inventory of all assets, containing information such as:
Serial number or internal ID;
Equipment type and model;
Physical or logical location;
Status (active, under maintenance, decommissioned);
Delivery and return dates.
The use of any company equipment is subject to signing a responsibility agreement.
Upon employee departure or job change, asset return is mandatory, with condition verification and data wiping, if needed.
Equipment must be used exclusively for professional purposes in accordance with company guidelines.
Employees are responsible for ensuring the physical and logical integrity of equipment, applying protection against loss, theft, unauthorized access, and damage.
12.5. Logical and Digital Assets
Systems, software licenses, stored data, cloud environments, and access credentials are also considered information assets and must be managed with the same level of control and responsibility.
Disposal of obsolete or damaged assets must be done securely, ensuring complete and irreversible data removal before disposal, reuse, or donation.
GoLedger adopts a continuous and structured process for identifying, analyzing, treating, and mitigating technical vulnerabilities in its information assets, ensuring protection of corporate systems, applications, devices, and data.
Vulnerability identification is carried out through:
Automated and/or semi-automated scans frequently executed on systems, servers, networks, and applications;
Technical security analyses conducted by internal or external specialized teams;
Monitoring of security alerts, vendor advisories, and known vulnerability databases (e.g., CVE).
All code developed internally by GoLedger’s team undergoes periodic security analysis to identify implementation flaws, insecure dependencies, and inadequate coding practices.
These analyses include:
Automated static source code analysis tools integrated into the development pipeline;
Manual code reviews, especially for critical components or those handling sensitive data;
Evaluation of third-party libraries and packages to ensure they do not contain known vulnerabilities.
The analysis process must be integrated into the CI/CD flow and follow the company’s secure development guidelines, mitigating risks through validated practices and recommendations defined in this and other policies.
GoLedger conducts penetration tests (Pentest) to identify exploitable vulnerabilities in its IT environment.
These tests are conducted by professionals with technical expertise in evaluation.
Production applications must undergo testing on scheduled and segregated environments, especially after significant infrastructure or application changes that affect the company’s attack surface.
Detected vulnerabilities will be classified based on their risk level (low, medium, high, or critical), considering:
Potential business impact;
Ease of exploitation;
Existence of known exploits;
Asset exposure (internet, internal network, etc.).
After discovering incidents or system failures (such as malicious code, hacker attacks, or unauthorized or inappropriate use of corporate systems):
Incident response will follow defined procedures and involve the technical team and affected areas to ensure risk mitigation and asset preservation.
Critical vulnerabilities must be remediated immediately or according to an action plan approved by the information security team.
Corrections may involve:
Application of security patches;
System reconfiguration;
Software or firmware updates;
Isolation or replacement of vulnerable assets.
All identified vulnerabilities, corrective actions taken, and deadlines will be documented and archived for audit and continuous improvement purposes.
After implementing corrections, new tests or scans must be conducted to ensure the vulnerability has been successfully resolved.
The Information Technology area is responsible for coordinating scans, analyses, and periodic tests.
Development teams must perform security reviews of code and infrastructure as part of secure development.
GoLedger mandates the implementation of security controls to protect digital access and its systems, networks, applications, and data through the use of specialized technologies.
The company implements and maintains perimeter and internal firewalls to filter and control network traffic, with rules defined according to operational and security needs.
Firewall rules are periodically reviewed to ensure alignment with access policies and risk prevention.
Data storage on servers and workstations will be carried out, whenever possible, using encryption on device disks.
Whenever applicable, Data Loss Prevention (DLP) solutions are used to prevent the exposure, leakage, or unauthorized transmission of confidential information, both at rest and in transit.
DLP policies must cover the use of emails, cloud storage, removable devices, and other forms of data sharing.
Whenever applicable, critical applications exposed to the internet will be protected with a Web Application Firewall (WAF), capable of identifying and blocking attempts to exploit common vulnerabilities, such as SQL injection, XSS, and other digital threats.
Where applicable, GoLedger systems will be monitored by Intrusion Detection Systems (IDS) and Endpoint Detection and Response (EDR) with real-time alerts about malicious behavior and possible intrusion attempts.
These IDS and EDR configurations will be regularly monitored, and corrective actions must be taken according to the detected criticality levels.
All operating systems, software, applications, and devices used by GoLedger are updated with the latest security patches, according to approval criteria defined by the manufacturers.
Updates must be applied in a controlled manner, respecting:
Policies for prior testing and validation in a staging environment;
Assessment of impact on the production environment;
Deadlines defined based on the criticality of the fixed vulnerability.
Failure to apply a patch for technical or operational reasons must be formally documented, and compensatory measures defined when necessary.
It is mandatory to install malware protection software (antivirus/antimalware) on all company workstations and servers.
These programs must be updated automatically and continuously to ensure protection against known and recent threats.
Protection should include, whenever possible, real-time detection mechanisms, behavioral analysis, and blocking of suspicious files.
Whenever possible, the described controls should be integrated with centralized monitoring solutions, enabling event correlation, alert generation, and timely responses.
Relevant alerts and logs, along with their contexts, must be regularly reviewed, and a formal document generated for access change records.
GoLedger establishes a formal Change Management process to ensure that any alteration in systems, infrastructure, services, applications, or components related to information security occurs in a controlled, secure manner, with minimal impact on business processes.
Before any change, a risk analysis must be conducted, evaluating impacts on the security, availability, integrity, and confidentiality of the affected information and systems.
All changes must be documented and submitted for prior approval by a designated committee or responsible party, including scope, responsibilities, schedule, communication plan, and rollback plan.
All stakeholders, including technical teams, affected users, and other interested parties, must be informed in advance about the change, with clear information about any unavailability or operational alterations.
Changes must be carried out in a secure and controlled manner, preferably outside peak hours, with active monitoring during and after implementation.
Pre-implementation testing in a staging environment must be conducted whenever possible, as well as post-implementation validations to ensure that the change was effective and secure.
After implementation, all technical documentation, operational procedures, and affected security controls must be updated to reflect the new environment status.
This policy applies to all GoLedger collaborators, including employees, interns, third parties, and service providers who have access to personal or sensitive data processed or relevant to the company’s operations.
This policy will be reviewed annually or whenever there are relevant legislative, technological, or organizational changes.
GoLedger Technology and Holdings LTD
Version: 1.3
Approved on: 04/15/2025
Reviewed on: 07/01/2025
Next review scheduled for: 10/15/2025