Information Security Policy of GoLedger Tecnologia e Participações LTDA
1. Objective
This policy aims to establish guidelines and controls to guarantee the security of information processed by GoLedger Tecnologia e Participações LTDA (“GoLedger”), ensuring the confidentiality, integrity and availability of data, especially personal and sensitive data, as provided for in the General Data Protection Law (Law No. 13,709/2018 – LGPD).
2. Scope
This policy applies to all employees, partners, service providers, interns and anyone who, directly or indirectly, has access to information under GoLedger’s responsibility.
3. General Principles
GoLedger observes the following principles when handling information:
- Confidentiality: Ensure that information is accessed only by authorized persons.
- Integrity: Ensure the accuracy and completeness of information and processing methods.
- Availability: Ensure that authorized users have access to information whenever needed.
- Responsibility and Accountability: Ensure that everyone involved in data processing acts responsibly and in compliance with this policy.
4. Classification of Information
The information under GoLedger’s responsibility is classified into three levels:
- Public: May be disclosed without restrictions.
- Internal: For exclusive use by the GoLedger team; not to be disclosed externally.
- Confidential: Includes sensitive, strategic, personal or customer data. Access to it is restricted and controlled.
5. Protection of Personal Data
GoLedger is committed to:
- Process personal data in accordance with the contracted purpose and always on one of the legal bases provided for in the LGPD.
- Implement appropriate technical and administrative controls to protect data against unauthorized access, loss, alteration and improper disclosure.
- Guarantee the rights of data subjects, such as access, correction, deletion and portability, in accordance with the legislation.
- Enter into contracts with specific data protection clauses with suppliers, customers and partners.
6. Responsibilities
- Board of Directors: Approve this policy and provide the necessary resources for its implementation.
- Information Security Area (or the responsible IT area): Implement controls, monitor compliance and respond to incidents.
- DPO/Manager: Act as a communication channel with data subjects and the ANPD, in addition to ensuring compliance with the LGPD.
- As DPO, GoLedger has defined:
- Employees and Third Parties: Take care of the information they have access to and follow the guidelines of this policy.
7. Access Control
- Access to information will be granted based on the principle of least privilege.
- The use of strong passwords and multi-factor authentication will be mandatory on critical systems.
- Access is monitored and reviewed periodically.
8. Security Incident Management
- All incidents related to information security must be immediately reported to the IT manager and the DPO.
- GoLedger will maintain an incident response plan that includes identification, containment, eradication, recovery and lessons learned.
9. Training and Awareness
All GoLedger employees will receive periodic training on information security, data privacy and good digital practices.
10. Auditing and Monitoring
GoLedger may carry out internal and external audits to verify compliance with this policy and identify risks, in accordance with contractual and regulatory obligations.
11. Sanctions and Penalties
Failure to comply with this policy may result in disciplinary sanctions, in accordance with internal regulations, and, in more serious cases, civil, criminal or administrative liability.
12. Revisions and Updates
This policy will be reviewed annually or whenever there are relevant legislative, technological or organizational changes.