Information security policy – Trakto

Last update: January/2025
Classification: Public

1. Introduction

Trakto’s mission is to provide secure, modern, and high-quality technological solutions. We recognize that information is one of our most valuable assets, which is why we adopt controls, processes, and practices aligned with the best international security standards.
Our Information Security Policy (ISP) reflects our commitment to data protection, privacy, transparency, and business continuity.

2. Purpose

This policy aims to:

- Define information security principles and guidelines applicable across the entire company.
- Demonstrate to the market our commitment to data protection and secure practices.
- Establish responsibilities and best practices for employees, partners, and third parties.
- Ensure compliance with the General Data Protection Law (LGPD) and other applicable regulations.
- Strengthen the security of our products, APIs, internal systems, and infrastructure.

3. Scope

This policy applies to:

- All employees, partners, suppliers, and authorized third parties.
- All platforms, systems, APIs, and processes operated by the company.
- Information and data produced or processed in the context of our services.
- Internal environments, cloud environments, corporate devices, and technological assets.

4. Information Security Principles

We adopt practices based on the classic pillars of information security:

4.1 Confidentiality

Information is accessed only by authorized individuals.

4.2 Integrity

Information remains accurate, complete, and is not improperly altered.

4.3 Availability

Information and services must be available whenever required.

4.4 Legality

We comply with all applicable laws and regulations, including the LGPD.

4.5 Transparency

We maintain clear communication channels regarding the use and protection of data.

5. Certified and Trusted Infrastructure

To ensure security, performance, and reliability, all Trakto services operate on the Google Cloud Platform (GCP) infrastructure and use Google Workspace for internal communication and management.
These platforms hold internationally recognized security and privacy certifications.

✔ Google Cloud Platform Certifications

- ISO/IEC 27001 — Information Security Management
- ISO/IEC 27017 — Cloud Services Security
- ISO/IEC 27018 — Protection of Personal Data in the Cloud
- SOC 1, SOC 2, and SOC 3
- PCI DSS (for eligible services)
- FedRAMP (applicable components)

✔ Google Workspace Certifications

- ISO/IEC 27001
- ISO/IEC 27018
- SOC 2 Type II
- Advanced encryption, auditing, and DLP controls
- Compliance with LGPD requirements

Important Statement

The certifications listed above belong to the Google Cloud and Google Workspace platforms.
Trakto operates its services on these platforms, ensuring that data is transmitted and stored in environments that meet international security standards.

6. General Security Guidelines

6.1 Security Culture

We promote continuous training and awareness initiatives in security and privacy.

6.2 Access Management

- Access is granted based on necessity and role (principle of least privilege).
- Strong authentication (MFA) for critical and administrative systems.
- Periodic reviews of access permissions.

6.3 Data Protection

- Data is encrypted at rest and in transit.
- Labeling and classification controls based on data sensitivity.
- Continuous monitoring of logs and relevant activities.

6.4 Secure Development

We adopt Secure Software Development Lifecycle (SSDLC) practices:

- Vulnerability analysis.
- Security testing.
- Code reviews.
- Penetration testing (pentests) on APIs and systems.

6.5 Business Continuity

We maintain recovery and contingency plans, ensuring continued operation even in adverse events.

7. Use of Systems and Technological Resources

The use of internal resources (Google Workspace, internal systems, work tools, and cloud infrastructure) follows guidelines such as:

- Secure remote access (VPN, MFA).
- Acceptable use of corporate devices and assets.
- Prohibition of misuse, storage of illegal content, or copyright infringement.
- Immediate notification in case of device loss, incident, or suspicious access.

8. Privacy and Data Protection (LGPD)

8.1 Legal Basis

All personal data is processed in accordance with the legal bases established by the LGPD.

8.2 Principles

We follow the principles of:

- Purpose
- Necessity
- Adequacy
- Transparency
- Security
- Prevention

8.3 Data Subject Rights

Data subjects may request:

- Confirmation of processing
- Access
- Correction
- Anonymization
- Portability
- Revocation of consent

Requests should be submitted to the DPO (contact information at the end of this document).

9. Security Incident Management

We maintain formal procedures for:

- Identification and logging of incidents
- Containment
- Analysis and remediation
- Appropriate communication, including regulatory authorities when applicable

Incidents involving personal data are handled in accordance with the LGPD.

10. Non-Retaliation Policy

Any employee, client, or partner can report concerns, violations, suspicious behavior, or incidents without risk of retaliation.
We maintain secure and confidential reporting channels.

11. Responsibilities

11.1 Company Responsibilities

- Protect information assets.
- Implement technical and administrative controls.
- Handle incidents and risks transparently.

11.2 Employee Responsibilities

- Comply with this policy and other internal regulations.
- Maintain confidentiality of sensitive information.
- Immediately report any incident or suspicion.

11.3 Third-Party Responsibilities

- Respect contracts and security obligations.
- Adopt standards equivalent to those required by the company.

12. Policy Reviews and Updates

This policy is reviewed at least once a year, or whenever there are significant changes in the technological, regulatory, or operational environment.

13. Data Protection Officer (DPO) Contact

For questions, data subject requests, or privacy-related matters:

Email: dpo@trakto.io
Security Channel: security@trakto.io

14. Glossary

Personal data: information related to an identified or identifiable natural person.
Processing: any operation involving personal data.
Security incident: an event that compromises confidentiality, integrity, or availability.
Encryption: a technique that prevents unauthorized access to information.
LGPD: General Data Protection Law (Law 13,709/2018).
MFA: multi-factor authentication.

15. Term Validity

This policy comes into effect on the date of its publication and remains valid until its next review.