The objective of this policy is to regulate and discipline the procedures for collecting and storing information, as well as the rules relating to the security and eventual disclosure of this information, in case of request under applicable legislation, in order to minimize risks to information assets, including people, environments, technologies and processes.
Information is an extremely valuable and important asset, being a fundamental element for business success; therefore, it must be adequately protected in order to guarantee the maintenance of confidentiality, integrity, and availability of data.
This Policy applies to all employees of Map&An Digital and Financial Services and Map&An Auditores Independentes.
Principles of Information Security
Confidentiality: To ensure that information will not be available or disclosed to individuals, entities, or applications without authorization; that is, to ensure that certain information, source, or system is accessible only to people previously authorized to have access. To guarantee the safeguarding of information given in confidence and protection against its unauthorized disclosure.
Integrity: ensuring that information has not been altered in its content and is therefore complete, authentic, accurate, and reliable. Complete information is information that has not been improperly altered or altered without authorization.
Availability: This ensures that information can be used when needed; therefore, it must be readily available to its users and recipients and accessible whenever necessary.
Protection of Personal and Sensitive Data
We keep our processes up-to-date for the protection of personal and sensitive data, so security measures are essential to ensure compliance with current legislation.
Physical and Environmental Security
The purpose of physical security in a building is to prevent unauthorized physical access, damage to facilities, fraud, sabotage, and other threats.
Information Security
Information Security is based on the systematic alignment of actions aimed at protecting business information from a wide variety of threats, thereby ensuring business continuity, mitigating risks, maximizing return on investment, and increasing business opportunities.
We have an ongoing information management and security program in place with Microsoft Office to ensure a secure environment, based on the principles of confidentiality, integrity, and availability of the information and services offered.
Acceptable use
Corporate IT resources should be used for professional purposes. Occasional and limited personal use is permitted if it does not interfere with work performance and productivity and is in accordance with the relevant guidelines for the use of IT resources provided by the company.
These resources (especially internet browsing, corporate emails, telephone lines, and corporate applications, including messaging apps) are subject to control and monitoring, which does not constitute any violation of the privacy, private life, honor, or image of the monitored person, aiming to safeguard the security of information and the employees themselves.
Email is a professional communication tool that all employees should use responsibly, effectively, and legally.
Workstation
Workstations include laptops and desktops and are subject to the following rules of use:
Unauthorized users are not allowed to access your workstation;
Take proper care of your work equipment;
Installing or uninstalling any software without authorization from the Information Technology team is not permitted.
Identity Management and Access Control
The processes for granting, modifying, and revoking access to information assets, information systems, and/or environments are carried out by the Information Technology team, subject to formal approval from the applicant's manager and the respective owner of the system and/or profile, whenever necessary for the performance of activities.
Privileged access that entails additional responsibilities for the user is granted with stricter criteria, subject to compliance with specific rules.
Privilege management: clear hierarchies must be established for each system, and each hierarchy must be formally approved by the Technology Team;
User management: each system should have clear procedures for approval and a method for granting access to that system with audit trails; and
User access rights are subject to periodic review.
Access Credentials (Username and Password)
Access to our devices and systems will require user passwords. Each user is responsible for their password and should adhere to the following rules:
The password is personal and non-transferable and should not be shared. Therefore, the user is fully responsible for its use, and will be held accountable for any violation or irregular/illegal act, even if committed by another individual and/or organization in possession of their access account.
Passwords must not be saved in web browsers;
They should not be written down or stored in physical or digital media (email, spreadsheets, notepads, network files, among others);
If you suspect that they have been discovered or if something happens to a device such as theft or loss, request an immediate change and/or blocking;
Users without administrator privileges must have a variable-length password of at least 6 (six) alphanumeric characters, including special characters (@ # $ %) and mixing uppercase and lowercase letters whenever possible. Users with administrator privileges or privileged access must use a password of at least 10 (ten) alphanumeric characters, including special characters (@ # $ %) and mixing uppercase and lowercase letters.
After 3 (three) access attempts, the user's account will be blocked. To unlock it, the user must contact the Systems Management department via email at administrativo@map-an.com.
Passwords must be changed at least every 90 (ninety) days, and none of the last 3 (three) passwords may be reused.
All access should be immediately blocked when it becomes unnecessary. Therefore, as soon as any user is dismissed or requests dismissal, the Human Resources Department must immediately notify the Information Technology Department so that this action can be taken.
Systems and computers must have antivirus software installed, activated, and permanently updated. If a user suspects a virus or experiences functionality problems, they should contact the responsible technical department.
We offer a two-factor authentication service that should be activated whenever available.
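The password complexity, password-history and account-lockout rules above, implemented as a small reference check. This is an added example, not code from Map&An; it assumes that (@ # $ %) is the accepted special-character set, that mixed case is mandatory only for privileged accounts (the policy says "whenever possible" for standard users), and it compares password history in plaintext purely for illustration (a real system stores and compares only hashes).

```python
# Reference implementation of the password and lockout rules (constructed example).
SPECIAL_CHARS = set("@#$%")      # special characters named by the policy
MIN_LEN_STANDARD = 6             # non-administrator accounts
MIN_LEN_PRIVILEGED = 10          # administrator / privileged accounts
HISTORY_DEPTH = 3                # last N passwords may not be reused
MAX_FAILED_ATTEMPTS = 3          # account is blocked after this many failures


def check_password(password, privileged=False, history=()):
    """Return a list of policy violations; an empty list means compliant.

    `history` holds the user's previous passwords, oldest first (plaintext here
    only for illustration; production code would keep and compare hashes).
    """
    problems = []
    min_len = MIN_LEN_PRIVILEGED if privileged else MIN_LEN_STANDARD
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        problems.append("must contain both letters and digits")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("missing a special character (@ # $ %)")
    mixed_case = any(c.islower() for c in password) and any(c.isupper() for c in password)
    if privileged and not mixed_case:
        problems.append("privileged accounts must mix uppercase and lowercase letters")
    if password in history[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


class LoginAttemptTracker:
    """Counts consecutive failed logins per user and blocks at the policy limit."""

    def __init__(self):
        self.failures = {}
        self.locked = set()

    def record_failure(self, user):
        """Register a failed attempt; return True if the account is now blocked."""
        if user not in self.locked:
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= MAX_FAILED_ATTEMPTS:
                self.locked.add(user)   # unlocking is a manual step via Systems Management
        return user in self.locked

    def record_success(self, user):
        """A successful login resets the failure counter for an unblocked user."""
        if user not in self.locked:
            self.failures.pop(user, None)

    def is_locked(self, user):
        return user in self.locked
```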
Backups
Daily cloud backups of information are performed; periodic backup routines are also run, and their copies are stored in a specific location known only to management.
Business continuity plan
A business continuity plan must ensure the recovery of critical processes in the event of unavailability of the environment or of any resources that prevent the development or operation of the areas. It is the responsibility of each area involved in business development to develop, test, and implement its contingency plans. The Technology area can provide guidance in the development of these items.
The definition of critical processes for a company or area must necessarily adhere to criteria established by the responsible Directors, considering at least:
- Outlining a strategy for the recovery of each critical function;
- Prioritizing critical functions to order their recovery;
- Identifying the activities necessary to recover each function;
- Quantifying the human and technical resources necessary to fulfill the plan;
- Documenting the critical processes;
- Identifying those responsible for the recovery of each process or function;
- Actions to restore normal operation;
- Identifying backup resources (infrastructure, hardware, software, application systems, and telecommunications).
- Periodic reviews of the business continuity plan: the business continuity plan should undergo periodic reviews, at least annually, in order to identify areas for improvement.
Penalties
The subject matter addressed in this Policy is based on current Brazilian legislation, especially the Federal Constitution, Civil Code, Penal Code, Consolidation of Labor Laws (CLT), Law No. 9.279/96 (Industrial Property), Law No. 9.610/98 (Copyright), Law No. 9.609/98 (Software), Law No. 13.709/18 (LGPD) and other applicable legislation.
Violation of the rules defined in this Policy may result in penalties according to the severity of the offense committed, including contract termination, regardless of the legal regime to which the employee or service provider was subject.
Just like ethics, security must be understood as a fundamental part of our culture; that is, any security incident implies someone acting against the ethics and good customs governed by the institution.