Privacy Policy » Algar Tech

Privacy Policy

What is LGPD?

The General Data Protection Act provides for the processing and protection of personal data and sensitive personal data. This law requires companies to handle customers' personal data securely and with maximum protection. The availability of data for data subjects should be facilitated, within the limits of the LGPD, through governance and compliance practices that are more appropriate and efficient for the process.

LGPD and Algar Tech

We are working to comply with the provisions of the LGPD and to ensure that your data is increasingly secure on our platforms and software.

What are my rights?

• Confirmation of Treatment: You have the right to confirm whether we, as controller, carry out the processing of your personal data.
• Data Access: You can request information about the processing of your personal data carried out by us, within the limits provided by the LGPD, through our means of communication.
• Data Correction: You may request the correction of your data that is outdated, incomplete or inaccurate.
• Anonymization, blocking or deletion of unnecessary, excessive or non-compliant data: In accordance with the LGPD, whenever possible, your personal data may be anonymized, i.e. processed in a way that does not allow your identification. You also have the right to have incorrect or incomplete personal data corrected and, if personal data is not required to be kept by law, you have the right to request its deletion.
• Portability: You may expressly request at any time the portability of your personal data with other service or product providers, within the limits established by the LGPD.
• Deletion of personal data processed with consent: You have the right to request the deletion of your personal data in the company database, provided that these data are being treated in any case not permitted by the LGPD. It is worth noting that this right is not absolute: personal data necessary for compliance with legal or regulatory obligations, as well as financial data and other data treated for a legitimate purpose that transcends the will of the holder, will not be deleted.
• Sharing of Personal Data: You have the right to know with which entities (companies, government agencies, etc.), whether public or private, we share personal data, and what personal data we share.
• Information on non-consent and what the consequences of refusal will be: If you choose not to consent to the processing of your personal data, we have a duty to inform you of the consequences of refusal.
• Revocation of consent: You can at any time revoke the consent to the processing of your personal data previously granted, free of charge and easily.

Right Request of Holders

You can easily exercise your rights by filling in the form available below:

Objective

Provide guidance and support for information security in accordance with business requirements and relevant laws and regulations, thus contributing to the financial sustainability of the organization.

Reference Documents

• Algar Tech's Code of Conduct;
• Algar Tech Logical Access Control Policy;
• Procedure Physical Management of Algar Tech Assets;
• NBR ISO 20000-1:2018;
• NBR ISO 27001:2013;
• Law 13.709/18 - General Law of Personal Data Protection (LGPD)

Definition

1. Scope
This "Security Policy" maintains integrity in service delivery across all units of Algar Tech according to the company's strategies, current legislation and contractual requirements. The guidelines established here should be followed by all associates, service providers, suppliers, trainees, contractors, partners and customers who use Algar Tech's information.
Note 01: Exceptions only when approved by the governing body.

2. Information Security
Ongoing efforts to protect information assets from various types of threats in order to ensure business continuity and minimize risk to the organization, helping Algar Tech to fulfill its mission. It is obtained from the implementation of control objectives and adequate controls to ensure that the organization's business and safety objectives are met.

3. ISMS (SGSI)
Information Security Management System.

Description

- Responsibilities
  • Algar Tech, through its presidency and board, affirms its commitment to information security and to the laws and regulations applicable to the business through this "Information Security Policy".

- Main areas of the information security management system
  • Presidency; Information Technology; Infrastructure; Human Talents; Operations.

- Safety objective
  • Ensure the applicability of rules, policies, and procedures for information security, reflected in the organization's business.

- People
  4.1.1 - Algar Tech Associates
  • All associates, young apprentices, trainees, service providers, suppliers, contractors, visitors, partners, startups and customers in the Algar Tech environment should be aware of the Algar Group's Code of Conduct and Information Security Awareness training and act consistently with them.
  • Every associate shall sign the "Confidentiality Agreement" upon his/her admission or whenever requested by the company.
  • Any associate is forbidden to unduly use the information of the company and/or its customers, pass it on to competitors, use it for their own benefit and/or store files and emails improperly.
  • Algar Tech can automatically receive and store information about the activities of anyone using its resources, including IP address, user, applications, screen/page and conversation carried out in or through the company.
  • Any authentication ID (user and password) on the corporate network or in applications provided by Algar Tech is personal and non-transferable, and each user will be responsible for its storage and use.
  • At the end of the employment and/or contractual relationship of the associates and/or service providers, Algar Tech will disable all authentication IDs used during the provision of service.

- Supplier and Third Party
  • Every creation, invention and development of ideas, processes, systems, products and services performed during the provision of services at Algar Tech should be transferred to it.
  • Any service provider shall be prohibited from misusing information from the company and its customers, passing it on to competitors, using it for their own benefit and/or storing files and emails improperly.
  • Upon receiving access to any resource of Algar Tech, the service provider will be subject to the internal policies and guidelines of the organization and to all the criteria established in the confidentiality clauses of the service provision contract signed at the time of hiring.
  • At the end of the contractual relationship, the head of the contract of the service providers of Algar Tech should ensure that the authentication IDs used during the work are properly disabled.

- Assets
  • Each member shall be responsible for the proper functioning and integrity of any resources provided by the company for carrying out its activities and, when applicable, must sign a resource use agreement.
  • Every Algar Tech product or equipment that needs to be transported should be safely accommodated, thus ensuring its physical and logical integrity when applicable.
  • In the corporate network, the use of personal computers is not allowed, with the exception of the following, previously authorized by the information security area: access via mobile devices (smartphones, mobile phones, tablets, iPads, etc.) will be allowed through the SSID AlgarTec_Mobile, which allows only the use of applications required for this type of device. For these cases the only person responsible for looking after the operation of these assets is the associate who owns the equipment.
  • All entry, movement and exit of assets of Algar Tech units should follow the company's internal procedures.

- Processes
  • The company must map all business-critical processes and conduct an assessment of risks with controls and treatment. These must be known, approved and accepted by the governing body.
  • The mapping of critical processes shall be reviewed whenever changes of impact occur in the environment.

- Risk
  • The company shall establish and implement a process for the assessment of information security risks for existing processes and technologies. Its results should be comparable and reproducible, making up the Corporate Risk Map.
  • The risk assessment shall be able to identify vulnerabilities, threats, impacts and acceptable levels of risk to assets, people, information, systems, applications and the mapping of the main business processes, according to the company's strategies, current legislation and contractual requirements.
  • The risk assessment shall be reviewed at least once every year or whenever changes of impact occur in the environment.

- Information
  • Access to Algar Tech's or its customers' information in their business and computing environments is restricted and will only be made available to the profile of formally authorized persons.
  • All confidentiality clauses agreed with clients in relation to their information should be respected by Algar Tech associates or third-party service providers who may have access to this information.
  • Any user who does not have formal authorization is expressly forbidden to access any systems and applications, or even to attempt to access them.
  • Any information generated within Algar Tech or on its behalf, which is the result of the work of associates, suppliers or service providers, is the right of Algar Tech, and it alone can determine its destination and purpose.
  • Every creation, invention and development of ideas, processes, systems, products and services, created within the scope of work or the responsibilities and mission of the function or position of the associate in the company, should be transferred to Algar Tech.
  • It is prohibited to disclose any information of the company or its customers to others who do not belong to the same working group, in public media (including photos/filming on social networks) or internal media, without prior authorization or that is bound by the Liability and Confidentiality Agreement, subject to exceptions when provided for in contract.
  • Information generated within the organization must be stored in a backup with guaranteed restore, in a safe place validated by the competent team.
  • The use of pen drives, external HDs or any other type of removable device for transport or storage of data is not allowed. Exceptions must be formally stated and authorized by the information security area.
  • At the end of the contractual relationship with the client or service provider, all information stored in Algar Tech's equipment should be erased or passed on to them when provided for in the contract.
  • At the end of the employment and/or contractual relationship, the associates and/or service providers who may have permission to access equipment or storage media shall eliminate any physical and/or logical traces of information generated or acquired inside Algar Tech.

- Systems and Applications
  • All software installed on machines owned or operated by Algar Tech must have a previously acquired license for use, and the user area must register a request with the Service Desk for installation, authorization and use.
  • Installation of shareware, freeware or equivalent software that is not provided for in the list of approved solutions is not allowed.
  • All security updates and patches shall be deployed according to each application and approved by the security and information technology team.
  • All equipment (servers, desktops, notebooks, among others) that allows antivirus installation must have it installed and updated online, and the user may not disable or uninstall it.
  • All anti-virus software must guarantee the blocking of viruses, worms, spyware or other new existing attack technology.
  • All e-mail and internet access must be monitored and protected with antivirus and firewall.
  • Algar Tech's corporate e-mail should be used only to deal with matters related to the company. The information stored or transmitted is the property of the organization, and it is up to the user to ensure its correct classification and treatment according to Procedure - Information Classification and Labelling.
  • The use of corporate e-mail for personal purposes or for registration on shopping sites and other site forms is not allowed.
  • No access to systems and applications of Algar Tech or its customers can be shared, with the member who owns the user account being solely responsible for maintaining the confidentiality of their logon passwords, network user, internet, work files and other Algar Tech applications.
  • It is forbidden to use Instant Messaging tools not approved by safety and technology, subject to exceptions when their effective use in the activities performed by the associate or customer is proven.
  • It is forbidden to transfer files by any Instant Messaging or file sharing tool, with the exception of authorized exceptions and/or approved and authorized tools.

- Violation of ISMS Policies and Guidelines
  • Security breaches must be reported to the Information Security area through the Service Desk.
  • Every violation or deviation shall be investigated for the determination of necessary measures, aimed at correcting the fault or restructuring processes.
  • These are considered security breaches:
    • Illegal use of software;
    • Introduction (intentional or not) of computer viruses;
    • Sharing sensitive business information;
    • Sharing of personal data;
    • Undue exposure of data related to contracts and customers;
    • Breach of confidentiality of confidential information and/or sensitive data;
    • Other violations set forth in the Algar Group's Code of Conduct, the Algar Group's Information Security Policy and current legislation;
    • Disclosure of information on clients and the operations contracted.
  • The safety principles established in this policy are in full compliance with the presidency and board of directors of Algar Tech and must be observed by all in the execution of their functions.
  • Failure to comply with the guidelines of this policy or other policies and guidelines of the organization is subject to the Action Plans and Disciplinary Management Enforcement.

- Auditing
  • All associates, as well as third parties that use Algar Tech's technological environment, are subject to auditing of network, telephony and application usage.
  • The audit and monitoring procedures will be carried out periodically by the information security area or a contracted company, in order to observe compliance with the guidelines established in this policy by users and with a view to managing the performance of the network.
  • Where there is evidence of activities that might compromise the security of the network, the information security area shall be allowed to audit and monitor the activities of a user, and inspect their files and access records, in the interest of Algar Tech, with the fact being immediately reported to senior management.

5. General provisions
This Privacy Policy is subject to regular amendment to ensure that it is up to date with applicable legislation.