Information Security Policy for Suppliers and Rights of Personal Data Holders

The Information Security and Privacy Policy for suppliers establishes the basic guidelines set out below.

1 - Objective

To establish the guidelines for the processing of personal data carried out by Almaviva Solutions as a Data Controller agent. Therefore, Almaviva Solutions, when acting as a Data Processor agent, reiterates to the interested parties targeted by the processing of personal data (“Data Subjects”) that the data related to the identified or identifiable natural person (“personal data”) processed as a result of its business partnerships will be processed in accordance with the legislation in force regarding the protection of personal data, and in accordance with the due guidance of its client (“Controller”), who will have more information regarding the aforementioned processing in its privacy policy.

2 - Scope

This policy applies to all employees, third parties, and suppliers who use the processing environment or access information belonging to Almaviva Solutions.

3 - References

  • Federal Law No. 13.709/2018 - LGPD (General Data Protection Law)

  • Federal Law No. 12.965 - Brazilian Internet Civil Rights Framework

  • NBR ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements

  • NBR ISO/IEC 27002:2022 - Information security, cybersecurity and privacy protection — Information security controls

  • NBR ISO/IEC 27701:2019 - Security techniques — Extension to ABNT NBR ISO/IEC 27002 for information privacy management — Requirements and guidelines

  • PSI-002 - Public Information Security Policy.

4 - Definitions

  • Controller - natural or legal person, of public or private law, who is responsible for decisions regarding the processing of personal data

  • Personal data - information related to an identified or identifiable natural person, such as: name, ID number, CPF (Brazilian tax ID), date of birth, photo, telephone, geolocation, among others

  • Sensitive personal data - category of personal data about racial or ethnic origin, religious belief, political opinion, union membership or membership in a religious, philosophical or political organization, data relating to health or sex life, genetic or biometric data, when linked to a natural person

  • Data Protection Officer (DPO) - person designated by the Controller/Processor to act as a communication channel between the Controller, the data subjects and the National Data Protection Authority (ANPD)

  • Personal data security incident - any confirmed adverse event involving personal data, such as unauthorized, accidental or illicit access that results in the destruction, loss, alteration or leakage of data, or any other form of inadequate or illicit data processing, which may pose a risk to the rights and freedoms of data subjects

  • Processor - natural or legal person, of public or private law, that processes data according to the instructions of the Controller

  • Data Subject - the natural person to whom the personal data that is the object of processing refers

  • Processing - any operation performed with personal data, such as those relating to collection, production, reception, handling, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction

  • Technical measures - those related to technologies and controls that can be implemented in relation to information security and improvements for an assertive and efficient execution of the principles of the General Data Protection Law

  • Organizational measures - measures related to policies, procedures, guides, manuals, awareness activities (such as training and communications) and documents, in general, that guide the user regarding the guidelines of Privacy and Protection of Personal Data.

5 - Responsibilities

It is the responsibility of the Executive Board:

  • To promote and approve the activities of the Information Security and Privacy Management System.

It is the responsibility of the Information Security and Privacy Committee:

  • To conduct a periodic assessment of Data Protection and Privacy

  • To guarantee the availability of the necessary resources for effective management of privacy and protection of personal data

  • To disseminate the culture of Information Security and Privacy

  • To align the strategic objectives of Information Security and Privacy with the business objectives of Almaviva Solutions

  • To support and approve continuous improvement activities of the Information Security and Privacy Management System

  • To deliberate on the application of sanctions when non-compliance with this policy and other policies established by the Information Security and Privacy area is observed.

It is the responsibility of the Data Protection Officer (DPO):

  • To promote and approve the activities of the Privacy Program

  • To value and safeguard the interests of all data subjects with whom the Almaviva Group interacts

  • To receive communications and updates from the ANPD to pass them internally, as well as maintain the relationship between the parties.

It is the responsibility of the Information Security and Privacy area:

  • To establish information security and privacy guidelines

  • To raise awareness among relevant stakeholders about information security and privacy

  • To identify and report risks related to Information Security and Privacy

  • To establish controls for risk mitigation

  • To continuously maintain and improve the information security management system.

It is the responsibility of Employees, Third Parties, Suppliers and other relevant stakeholders:

  • To comply with the guidelines of this policy and other policies established by the Information Security and Privacy area

  • To safeguard the security of company information, reporting any perceived abnormalities to the Information Security and Privacy area. When using Almaviva Solutions' assets and facilities, the care necessary to preserve those assets must be taken; it is everyone's duty to protect company assets and to adopt habits that avoid waste in general

  • Upon the identification of risks, incidents and non-conformities, corrective and preventive actions must be taken in order to eliminate the root cause and adequately treat the associated risks

  • When necessary, audits, inspections and assessments may be carried out by the Almaviva Group to ensure that all requirements for information security are being met. The results of inspections and assessments, as well as improvement recommendations, will be recorded and forwarded for action by the supplier

  • Service providers must respect and comply with all measures, procedures and instructions for the registration and control of physical and logical accesses established by Almaviva Solutions

  • Whenever necessary, service providers will provide Almaviva Solutions with a list of people, their profile description, functions and responsibilities associated with the service provided, communicating any changes made regarding the relationship with the Company (admission, dismissal, substitution or change of functions or positions)

  • Service providers must ensure that all their employees have adequate instruction and are duly trained to perform the service provided, whether specifically in relation to the fields that correspond to the actions associated with the service provision or with reference to information security and privacy

  • To ensure that information assets are used only for purposes approved by Almaviva Solutions, being subject to monitoring, traceability and audit

  • The supplier may only subcontract if the contract allows it, and must disclose to Almaviva Solutions any use or change of subcontractors to process personal data, before use

  • Service providers must have a Contingency Plan to guarantee the continuity of the contracted services, with the same quality and within the deadlines agreed with Almaviva Solutions

  • When applicable, service providers must have a Backup Policy as well as restoration and monitoring procedures

7 - Final Provisions

Any need for action that is not in accordance with the rules established in the Information Security Policy, the Privacy Policy and its complementary policies must be directed to Information Security for risk analysis, registration, and submission for consideration by the competent authority and/or the Information Security and Privacy Committee.


Learn about your main rights

Confirmation and Access: Confirm whether one or more activities carried out by Almaviva do Brasil use your personal information, and obtain a copy of your personal data and other information related to you.

Correction: Correction of incomplete, inaccurate or outdated data, so that we can have correct and precise information about you.

Note: If you are an employee of Almaviva do Brasil, to correct your data, please request it through "Fale com o RH" (Talk to HR).

Anonymization, Blocking or Deletion: You may request Almaviva do Brasil to anonymize, block or delete your data if it is unnecessary for the purpose of processing, excessive for the pursuit of the objective or the activity is inconsistent with the purposes informed or the processing is not justifiable by law. If you no longer wish your personal data to be processed by Almaviva do Brasil, you may request the deletion of your information from our database.

But remember: data necessary for compliance with legal (contractual) or regulatory obligations or for legitimate processing purposes cannot be deleted.

Portability: Request the sharing of your data provided to Almaviva do Brasil, i.e., the portability of your data, to another service or product provider.

Information on Sharing: Information on the public and private entities with which Almaviva do Brasil shares your data.

Note: This information, for employees, is available in the Internal Privacy Notice, available on the Employee Portal > Code of Conduct > Regulations

Consent Revocation and Related Information: Your consent may be revoked at any time by express manifestation. You may also request information about the possibility of not providing your consent and what the consequences would be for your relationship with Almaviva do Brasil.

Review of automated decision: Right to request a review of decisions taken solely on the basis of automated processing of your data and that affect your interests.

To submit one of the requests above, please email contato@almavivasolutions.com.br. We’ll respond promptly.


Digital Security Management

1 - Objective

To establish guidelines to ensure the security of corporate information, seeking a balance between performance and reliability, aiming at the permanence of the Almaviva Group's business in Brazil, based on the following items:

  • Alignment of strategic Information Security and Privacy objectives with the business objectives of the companies

  • Reduction of impacts resulting from Information Security events.

  • Identification of the main information security and privacy risks applicable to the business.

  • Dissemination of information security and privacy standards and guidelines to all professionals of the Almaviva Group in Brazil, applicable third parties and any person related to the expansion of the Almaviva Group's business in Brazil.

The Presidency, Executive Board, and Information Security and Privacy Committee are committed to effective Information Security management in the Almaviva Group in Brazil. Therefore, they adopt all necessary measures to ensure that this policy is adequately communicated, understood, and followed at all levels of the organization.

Periodic reviews will be carried out to ensure its continued relevance and adequacy to the company's needs.

2 - Scope

This policy applies to all users of information from the Almaviva Group in Brazil, including any individual or organization that has or had a link with Almaviva, such as employees, former employees, service providers, former service providers, collaborators, former collaborators, who have had, have, or will have access to Almaviva's information and/or have used, are using, or will use computational resources included in the infrastructure of the Almaviva Group in Brazil.

3 - References

  • NBR ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements.

  • NBR ISO/IEC 27002:2022 - Information security, cybersecurity and privacy protection — Information security controls.

  • NBR ISO/IEC 27701:2019 - Security techniques - Extension to ABNT NBR ISO/IEC 27002 for information privacy management - Requirements and guidelines

  • Almaviva Group's Privacy Policy in Brazil.

4 - Definitions

  • Information Security (IS): Protection against unauthorized use or access to information, as well as protection against denial of service to authorized users, while the integrity and confidentiality of that information are preserved. IS is not confined to computer systems, nor to information in electronic format. It applies to all aspects of information or data protection, in any form. The level of protection must, in any situation, correspond to the value of this information and the damages that could result from its improper use. IS also covers all the infrastructure that allows its use, such as processes, systems, services, technologies, and others.

  • Privacy: Data privacy is the right to manage how your personal information is collected and used.

5 - Responsibilities

It is the responsibility of the Executive Board:

  • To promote and approve the activities of the Information Security and Privacy Management System.

It is the responsibility of the Information Security and Privacy Committee:

  • To conduct a periodic assessment of Information Security

  • To ensure the availability of the resources necessary for effective information security management

  • To disseminate the culture of Information Security and Privacy

  • To align strategic Information Security and Privacy objectives with the business objectives of the Almaviva Group in Brazil

  • To support and approve continuous improvement activities of the Information Security and Privacy Management System

  • To decide on the application of sanctions when non-compliance with this policy and other policies established by the Information Security and Privacy area is observed.

It is the responsibility of Employees, Third Parties, Suppliers, and other relevant stakeholders:

  • To comply with the guidelines of this policy and other policies established by the Information Security and Privacy area

  • To safeguard the security of company information, reporting any perceived anomalies to the Information Security and Privacy area.

It is the responsibility of the Information Security and Privacy area:

  • To establish information security and privacy guidelines

  • To raise awareness among relevant stakeholders about information security

  • To identify and report risks related to information security and privacy

  • To establish controls for risk mitigation

  • To continuously maintain and improve the information security management system.

6 - Guidelines

6.1 - General guidelines

This policy demonstrates our ability and integrity in dealing with all stakeholders. Therefore, this policy ensures that:

  • Information is protected against unauthorized access

  • The confidentiality of information is maintained

  • Information is not disclosed to unauthorized entities through deliberate or careless actions

  • The integrity of information is maintained to prevent unauthorized modifications

  • Information is available to authorized users, when necessary

  • Whenever there are legal, regulatory, normative, or contractual changes that impact the Almaviva Group's business in Brazil, a critical analysis is carried out so that adjustments, if necessary, are made

  • Each individual has adequate knowledge of the management controls, operational and technical controls that help protect the information technology resources and assets of the Almaviva Group in Brazil

  • Goals and objectives are disclosed to the stakeholders involved, so that each individual has an adequate understanding of their role and responsibility regarding information security and privacy and the mission of the Almaviva Group in Brazil

  • Policies, procedures, and practices are communicated to the stakeholders involved in the Almaviva Group in Brazil.

6.2 - Regulation

The Almaviva Group in Brazil and the stakeholders involved undertake to fully comply with the applicable information security and privacy requirements or those required by regulations, statutes, laws and/or contractual clauses.

6.3 - Risks and threats

All information and associated assets must be periodically assessed and the respective risks to the Almaviva Group's business in Brazil must be mapped.

The risks and threats inherent to information security and privacy must be addressed through the implementation of specific controls and must be periodically reassessed.

The acceptance of residual risks must be approved by the manager and reassessed periodically.

6.4 - Suppliers

The Almaviva Group in Brazil has a risk assessment process for critical suppliers.

This methodology aims to detect, assess, and manage risks in the services or products provided by suppliers that may directly impact the Almaviva Group's business in Brazil.

All third parties must commit to acting in accordance with the Information Security Policy, and it is essential that the contract signed between the companies includes a clause that ensures the confidentiality of information and adherence to the Information Security Policy.

6.5 - Audits

Audits are periodically carried out to ensure the effectiveness of the Information Security and Privacy Management System and its controls, as well as to guarantee its effective implementation and maintenance.

6.6 - Business continuity

Business continuity plans are produced, maintained, and tested in accordance with management expectations.

6.7 - Information classification

The information classification process established by the Almaviva Group in Brazil aims to protect information against disclosure. To this end, any and all types of information created and/or stored within the company's facilities must be classified by one of the following options:

  • Public

  • Internal

  • Restricted

  • Confidential

6.8 - Training and awareness

The Almaviva Group in Brazil has a communications and training program for all employees and appropriate stakeholders.

6.9 - Incident handling

Security incidents that occur in the Almaviva Group in Brazil must be reported to the Information Security area through the company's official channels (Information Security and Privacy e-mail: sip@almavivadobrasil.com.br), especially in cases of system unavailability and customer information leakage.

An Information Security incident is considered any Information Security event that has an impact on the Almaviva Group in Brazil, leading to the need for response and recovery. The following occurrences are considered Information Security and Privacy incidents:

  • Loss, theft, or robbery of equipment containing corporate information

  • System malfunction or overload due to internal or external attacks

  • Unauthorized use or access to information systems

  • Non-compliance with Information Security and Privacy policies and guidelines

  • Deviation from Information Security controls implemented at Almaviva

  • Violation of access to critical areas containing corporate information or systems.

Incidents must be prioritized according to the impact and criticality classification recorded. In this way, it is possible to decide when it is necessary to activate the incident response group, which in turn will decide on the activation of the business continuity plan.

6.10 - Information Security in project management

Information Security is an integral participant in the development and delivery of any special or non-special project that alters the standard of the infrastructure of the Almaviva Group's environment in Brazil.

It is responsible for evaluating whether the requested requirements or needs comply with the objectives and guidelines of Information Security, and whether these are followed in all phases of the projects.

Information security is responsible for evaluating and identifying risks and proposing the best solution to meet the objectives of Information Security and Privacy and the objectives of the project and/or business.

6.11 - Secure system development

Secure development is a requirement for building secure services, architecture, software, and systems in the Almaviva Group in Brazil. To this end, the following aspects must be considered at a minimum:

  • Separation of development, testing, and production environments

  • Security in the software development lifecycle

  • Security requirements in the specification and design phase

  • Security checkpoints in projects

  • Secure repositories for source code and configuration

  • Security in version control

  • Necessary knowledge and training in application security

  • Developers' ability to prevent, find, and fix vulnerabilities.

For system testing, select, protect, and manage information, considering:

  • Do not copy sensitive information into the system's development and testing environments unless equivalent controls are provided for the development and testing systems

  • Protect sensitive information by removing or masking it if used for testing.

If development is outsourced, it is necessary to verify that the supplier complies with the Almaviva Group's rules in Brazil for secure development.

6.12 - Communication security

All communications between the Almaviva Group's technological environments in Brazil and the relevant stakeholders must use encrypted communication channels, using recognized secure ciphers and algorithms.

6.13 - Backups

Copies of information, software, and system configurations must be maintained and tested regularly according to specific backup policies, allowing for data or system recovery if necessary.

To prevent data leakage, measures such as encryption, access control, and physical protection of storage media must be used when applicable.

6.14 - Protection and privacy of personal data

All existing processes in the Almaviva Group in Brazil that involve the processing of personal data in any database must follow the guidelines established in the Privacy Policy.

6.15 - Critical analysis of information security

Annually, or whenever a significant change occurs in the business model, a formal critical analysis process of the information security policy must be carried out.

6.16 - Continuous improvement

The continuous improvement of the Information Security and Privacy Management System is a commitment of everyone in the Almaviva Group in Brazil and stakeholders.

7 - Final provisions

Any need for action contrary to the rules established in the Information Security Policy and the Privacy Policy and its complementary policies must be directed to Information Security for risk analysis, registration, and submission for consideration by the competent authority and/or the Information Security and Privacy Committee.

Any employee who makes improper or unauthorized use of company resources, violates security controls, or in any way acts contrary to the terms of this policy, is subject to the application of legally foreseen disciplinary measures, and may be subject to criminal, civil and/or administrative liability, in accordance with current legislation.
