Information Security Policy (PSI)
Last Update: May 24, 2022
With the advent of the General Personal Data Protection Law (Law No. 13,709, of August 14, 2018), SleepUp began its Privacy and Personal Data Protection Governance Program.
Since then, adaptation has been a continuous process that will last throughout the life of our Organization: every day new services and products are developed, internal processes change, and technical and administrative information security measures are reinforced.
In this sense, the services provided by our technological infrastructure comply with technical standards relating to the storage, handling and transmission of data, confidentiality, privacy and the guarantee of professional secrecy, adopting best efforts to preserve data privacy and security.
Bearing in mind that good practice and privacy governance rules must establish the organizational conditions, operating regime and procedures for activities related to Information Security (IS), this Policy consists of a set of guidelines and rules whose objective is to enable the planning, implementation and control of actions related to SleepUp's information security.
The Information Security Policy is permanent. The content of this document may be modified at any time according to current needs. SleepUp professionals and their service providers should, whenever necessary, consult the latest available version.
This Information Security Policy (“Policy”) applies to all hierarchical levels of SleepUp, partners, managers, employees, consultants, trainees, interns and service providers (“Collaborators”), and all Collaborators are aware that they must know and respect all the rules set out here, being aware that failure to comply with such rules may result in the imposition of administrative sanctions by the Board, depending on the degree of severity of the conduct, including dismissal/termination of the contractual relationship.
The central objective of this Policy is to disseminate among all SleepUp Employees the policies and procedures defined to guarantee the integrity of the information produced and managed within the work environment. It is the responsibility of each of its Employees to guarantee total confidentiality and integrity of the information produced daily on the floor and/or in the work environment.
All Employees are aware that all information generated internally by SleepUp and/or received from Users or Customers for the development of activities of any nature is strictly confidential and must remain intact throughout its existence. Furthermore, when Collaborators use any electronic means (chats, Skype, Google Meet, Zoom, email, internet, among others) to carry out their activities, they must treat such means as company property to be used in the interests of the company. The use of electronic media for private purposes is strictly prohibited. It is also worth noting that email and internet access is backed up weekly and may be subject to audits and reviews at any time, being at the complete disposal of SleepUp's administration.
The responsibility of the Employee and/or service provider regarding the confidentiality and integrity of information is mandatory even after their dismissal and must be fulfilled in accordance with the items in this policy.
As compliance items, SleepUp establishes the following technical and administrative measures related to the processing of personal data, with periodic reviews.
1. Administrative Measures
1.1 Awareness and Training. SleepUp's human resources must receive training and awareness training on their obligations and responsibilities related to the processing of personal data.
1.2 The information provided to Employees consists of recommendations regarding: (i) how to use security controls on IT systems related to daily work; (ii) how to avoid becoming victims of security incidents, such as virus contamination or phishing attacks, among others; (iii) keeping physical documents containing personal data in drawers, not on tables; (iv) not sharing logins and passwords for workstations; (v) locking computers when leaving workstations, to prevent unauthorized access by third parties; (vi) the prohibition on transferring personal data from workstations to external storage devices, such as pendrives and external hard drives, among others; (vii) immediately reporting incidents and detected vulnerabilities; (viii) following the information security policy (PSI) guidelines.
1.3 Contract Management: SleepUp requires all Employees to sign a confidentiality agreement (non-disclosure agreement-NDA) to undertake not to disclose confidential information involving personal data; for suppliers that process personal data in IT services, the adequacy of contracts includes, among others, information security clauses that ensure adequate protection of personal data, rules on sharing personal data, relations between controller-operator, guidance on the treatment to be carried out and prohibitions on treatments that are incompatible with SleepUp’s guidelines;
1.4 Information Security Organization – Controls over how responsibilities are defined and managed at SleepUp, based on the personal data access control system applicable to all users, with permission levels in proportion to the need to access personal data and applying the premise of least privilege (need to know); that is, users of the SleepUp system have only the minimum level of access necessary to carry out their activities;
1.5 Physical and Environmental Security – Controls defining safe areas, entry controls, threat protection, equipment security, safe disposal, clean table and clean screen policy;
2. Technical Measures
2.1 Information Asset Management – Controls are carried out related to asset inventory, acceptable use, information classification and media handling;
2.2 Access Control – Controls are carried out in authentication processes (identification of who accesses the systems or data) and authorization (determination of what the user can do); in addition to configuring passwords with a certain level of complexity, defining, for example, the need to use a special character or other factors necessary to protect personal data against unauthorized access;
2.3 Cryptography - Controls are carried out related to the management of SSL cryptographic keys for communication between services through APIs, in addition to network security and database encryption to prevent the leakage of personal data throughout the processing cycle.
2.3 Security in Operations – Controls related to production management are carried out involving the architecture of the technologies that support products/systems, such as: change management, capacity management, protection against malicious software, daily backups retained for 7 days, event logging, monitoring, installation, vulnerabilities, and periodic offline backups with secure storage;
2.4 Communications Security – Controls are carried out related to the security of data in transit over the network, segregation, network services, information transfer and messaging; use of encrypted connections (TLS/HTTPS) or applications with end-to-end encryption for communication services; installation and maintenance of a firewall system and/or use of a Web Application Firewall (WAF – Application Filter) that monitors, detects and blocks threats, preventing connections to untrusted networks; protection of email services, using integrated antivirus, anti-spam tools and email filters; removal of any sensitive data and other personal data that are unnecessarily made available on public networks;
2.6 Vulnerability Management: Updates are periodically carried out on all systems and applications used, keeping them in their updated version; antivirus and antimalware software are adopted and periodically updated; periodic antivirus scans are carried out on the systems used;
2.7 Systems acquisition, development and maintenance – Controls defining safety and security requirements in development and support processes. All SaaS providers are approved in accordance with our Data Security and Privacy Policies.
2.8 Supply Chain Relationships and Cloud Services – Supplier Assessment Controls for selection, evaluation and re-evaluation of external providers.
2.9 Information security incident management – The entire infrastructure is subject to traceability, which includes informing the DPO of the date and time when a leak incident occurred, a brief description of how the incident occurred, the nature of the affected data, the number and category of affected data subjects, the security measures that were in place to protect the data and prevent the incident, and the measures to be taken after becoming aware of the leak incident.
2.10 Aspects of information security in business continuity management - Establishes guidelines in order to minimize the negative impacts caused by any events that may pose a risk to SleepUp's business continuity.
2.11 Compliance – Controls are carried out requiring the identification of applicable laws and regulations, protection of intellectual property, protection of personal data, and reviews of information security.