Terms and Definitions
Threat: Potential cause of an incident that may harm Base39.
Asset: Anything that has value for Base39.
Information Asset: Intangible property of Base39, consisting of its information of any nature, including strategic, technical, administrative, financial, marketing, human resources, legal, as well as any information created or acquired through partnerships, acquisitions, licensing, purchase, or entrusted to Base39 by partners, clients, employees, and third parties, in written, verbal, physical, or digitized format, stored, transmitted, or circulating through the computational infrastructure of Base39 or through external infrastructure contracted by the organization, in addition to documents in physical support or electronic media transmitted inside and outside its physical structure.
Backup: Storage of backup data to be used for information recovery whenever necessary. The backup aims to restore information in an integral manner to ensure the continuity of work.
Collaborator(s): Partners, permanent and temporary employees, contracted service providers, interns, and young apprentices of Base39, as well as Third Parties.
Objective
This Information Security Policy, also called PSI, aims to define guidelines and best practices for handling and protecting information, preserving confidentiality, integrity, and availability in generation, use, storage, and distribution, regardless of the medium in which it is contained.
It establishes the continuous pursuit of actions aimed at preserving the basic principles of security applied to information that must be observed by all Collaborators and Third Parties, as well as specific procedures, alongside the implementation of controls and processes for its compliance.
It was drafted to prevent the causes of information security incidents and to minimize the risk of financial loss, loss of market share or client trust, or any other negative impact on Base39 resulting from threats or failures.
Target Audience
The PSI applies to any individual or organization that has or had a link with Base39, such as Collaborators, ex-collaborators, service providers, ex-service providers, and Third Parties, who had, have, or will have access to Base39's information and/or made, make, or will make use of computational resources included in Base39's infrastructure.
Guidelines
The PSI aims to protect information from various types of threats, ensuring business continuity, minimizing damage, and maximizing returns on investments and business opportunities.
All procedures at Base39 must be carried out considering the following basic principles of information security:
Authenticity: ensures that the information comes from the announced source;
Confidentiality: ensures that the information is accessible only by authorized agents and is used strictly for performing their functions as collaborators of Base39, preventing the information from becoming public or accessible to any third party outside Base39;
Integrity: ensures that the information is maintained in its original state since its creation, protecting it during storage or transmission against undue, intentional, or accidental alterations until disposal, if applicable;
Availability: ensures that essential information and services will be available to users when requested;
Non-repudiation: the ability to identify an action already performed, so that the executor cannot deny authorship;
Risk Management
All products and services developed, acquired, implemented, or made available must undergo a formal risk analysis, assessment, and treatment process, aiming to achieve an adequate level of security for Base39.
Business Continuity Management
Base39 must implement documented, tested, and periodically reviewed business continuity plans, ensuring that its essential services are properly identified, encompassing the information security mechanisms established in production environments.
There must be redundancy of assets to meet availability requirements.
Data Protection Governance
Base39 must implement, follow, and continuously improve the guidelines established in the Data Protection Governance Policy and Privacy Policy, which aim to ensure the privacy and security of personal data processed in the context of offering and providing solutions.
Information Security and/or Privacy Incident Management
All Collaborators must report any security incidents so they may be classified, analyzed, monitored, communicated, and properly handled according to their level of criticality.
Information Classification
Base39's information may only be used in fulfilling business purposes, and access will depend on the role exercised and the prior authorization of the information owner.
All information must be classified based on its sensitivity to the business, according to the criteria established in the Information Classification Policy.
Access Management
Upon hiring, changing areas, or the termination of Collaborators or Third Parties, there must be processes to register, review, and adjust physical and logical accesses according to the new roles performed, to ensure access only to the information and resources necessary for their new position or function.
User Passwords
All Collaborators' passwords must be confidential, personal, and non-transferable. Passwords must meet minimum security requirements according to the Password Policy.
Use of Information Technology Assets
Information technology assets are corporate resources owned by Base39, made available only for the functional activities of Collaborators. It is the Collaborator's responsibility to ensure the protection of the assets under their responsibility and of the information they contain. Only assets approved and authorized by Base39 may be used.
Encryption
The effective and appropriate use of an encryption system must be established to ensure the authenticity, confidentiality, and integrity of the information.
Relationship with Third Parties
The protection of assets accessed by Third Parties must be ensured, with each involved area being responsible for ensuring that the information security requirements are implemented and agreed with the Third Parties, to mitigate the risks associated with access.
Acquisition, Development, and Maintenance of Systems
Any system owned by Base39, whether acquired or developed internally, must undergo a risk assessment process before deployment, ensuring its alignment with the information security practices established in this PSI.
Audit and Compliance
Base39 must periodically audit its information security practices to assess the compliance of its Collaborators' actions with what is established in this PSI and applicable legislation.
Monitoring
Base39 must, in accordance with applicable legislation, monitor access and use of its assets, such as environments, equipment, and technological systems, so that undesirable or unauthorized actions are proactively detected.
Conflicts
In the event of a conflict between security controls and a specific business need, a new control scenario must be analyzed and implemented to enable Base39's objectives, and management's acceptance of the residual risks must be recorded.
Information Ownership
All information produced, sent, or received by Collaborators and Third Parties as a result of professional activity belongs to Base39, including the content of all email boxes as well as all files saved on various media types. Exceptions must be explicit and formalized in a contract between the parties.
Communication and Training
The PSI is available to all Collaborators on the Intranet and should be consulted regularly.
All Collaborators and those involved in activities under the company's control, according to the scope, must be aware of this PSI and must receive periodic information security training and awareness, at the time of hiring and/or annually.
Roles and Responsibilities
Information Security Management Committee – ISMC
The Information Security Management Committee, also called ISMC, is composed of at least one representative from the management of the following internal areas: Management, Business Development, Business, Marketing, Operations, Finance & People, Customer Success, Credit & Data, BI, Engineering & Product, and Data Protection Officer.
The ISMC has the following responsibilities:
Analyze, review, and propose the approval of policies and norms related to information security;
Ensure the availability of the resources necessary for effective information security management;
Ensure that information security activities are carried out in compliance with the PSI;
Promote the dissemination of the PSI and take the actions necessary to spread a culture of information security in Base39's environment;
Manage information security incidents, ensuring appropriate treatment in accordance with legal and infralegal norms, mainly those connected to the General Data Protection Law, the Civil Framework of the Internet, and the Consumer Protection Code, always with the assistance of the Data Protection Officer.
Information Managers
Each of the Information Managers has the following responsibilities:
Manage the information generated by or under the responsibility of their business area throughout its lifecycle, including creation, handling, and disposal, according to the norms established by Base39;
Identify, classify, and label the information generated by or under the responsibility of their business area according to the norms, criteria, and procedures adopted by Base39, in accordance with the Information Classification Policy;
Periodically review the information generated by or under the responsibility of their business area, adjusting its classification and labeling as necessary;
Authorize and review access to the information and information systems under their responsibility;
Request the granting or revocation of access to information or information systems according to the procedures adopted by Base39;
Support the ISMC in its deliberations;
Develop and propose to the ISMC the information security norms and procedures necessary to comply with this PSI;
Identify and evaluate the main threats to information security, and propose and, when approved, implement corrective measures to reduce risk;
Take appropriate actions to comply with the terms of this PSI;
Collaborators
Each of the Data Subjects, defined in item 3 of this policy, has the following responsibilities:
Read, understand, and fully comply with the terms of the PSI, as well as other applicable security norms and procedures;
Forward any doubts and/or requests for clarification about the PSI, its norms, and its procedures to the Data Protection Officer, to the Information Managers, or, when applicable, to the ISMC;
Communicate to the Information Managers any event that violates this PSI or puts at risk the security of information or of Base39's computational resources;
Sign Base39's information systems usage agreement, formalizing awareness and complete acceptance of the provisions of the Information Security Policy, as well as other security norms and procedures, and assuming responsibility for compliance;
Data Protection Officer
The Data Protection Officer has several duties, including:
Accept complaints and communications from Data Subjects, provide clarifications, and take action;
Receive communications from the National Data Protection Authority – ANPD and other administrative, regulatory, and/or judicial bodies, and take the actions necessary to comply with determinations, respond to inquiries, etc., always reconciling the protection of the Data Subjects with the rights of Base39;
Guide Base39 employees and contractors regarding the practices to be adopted concerning the protection of personal data and information security;
Act as the point of contact for the exercise of Data Subjects' rights, processing their queries and, when applicable, training the area responsible for managing those requests;
Participate in meetings of the privacy management committee for joint decision-making;
Ensure the maintenance and updating of the adequacy program implemented by Base39, including regulatory documents, policies, and manuals created;
Human Resources
Ensure that the human resources security guidelines defined in the PSI are followed by Collaborators and Third Parties;
Review Control
This document must be reviewed annually and updated promptly in case of changes in rules, responsibilities, processes, and activities.
Applicable Norms and Legislation
Law No. 9,609/1998 (Software Law);
Law No. 13,709/2018: General Data Protection Law (LGPD);
ABNT NBR ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements;
ABNT NBR ISO/IEC 27002:2013 Information technology – Security techniques – Code of practice for information security controls;
Contact Channels
If you have questions about the topics covered by this policy or related matters, please contact us at the email si@base39.com.br.
We guarantee the confidentiality and anonymity of reported information, as well as protection against retaliation to whistleblowers acting in good faith.