Compliance and Security

2CLIX knows that your security and privacy are important and cares deeply about them.

The purpose of this document is to define the legal, regulatory, and contractual parameters and requirements that 2CLIX TECNOLOGIA EIRELI’s Information Security Management System (ISMS) must follow.

This document applies to all other documents, processes, and activities that make up the ISMS.

Access to this documentation is PUBLIC.

LAWS, STANDARDS, AND CONTRACTS

Information Security controls must be consistent with customer requirements, with best practices defined in standards, and—above all—with the applicable laws.

Care must therefore be taken to handle potential conflicts among these sources when defining information-security policies, processes, or controls. To set priorities among requirements, the organization adopts the following hierarchy (from highest to lowest priority):

  • Local laws: the organization is based in Brazil, as is most of its customer and employee base. Brazilian law therefore takes priority for information-security requirements.
  • International laws: because the organization serves international customers who are subject to data and information-security legislation, these laws must be considered as requirements for maintaining Information Security.
  • Contractual requirements: when our services are contracted, alignment between the customer’s and the organization’s security teams often establishes minimum security requirements in the contract. These must be implemented to maintain compliant customer–organization relationships.
  • Normative requirements: there are several information-security standards that require compliance with multiple controls. These standards are followed both for certification purposes and to maintain best practices when implementing Information Security policies. However, because many standards are international and general in nature, their requirements may conflict with local legislation or contractual specifics; therefore they occupy the lowest level in the hierarchy.

Scope of Laws and Standards

There are various Brazilian laws related to information security. Laws No. 12,737 of November 30, 2012 and No. 14,155 of May 25, 2021 address cybercrimes and their penalties. Law No. 12,527 of November 18, 2011 governs public access to information held by public institutions.

For private organizations, key requirements arise from Law No. 12,965 of April 23, 2014 (the “Marco Civil da Internet”), which defines the internet under Brazilian law and the rights and duties of citizens and institutions in its use. In 2018, Law No. 13,709 of August 14 (the LGPD) was enacted, expanding personal-data security requirements and obligations for companies and clearly defining data-subject rights.

Beyond personal data and information security, the organization must also comply with related legislation such as Law No. 9,610 of February 19, 1998 (copyright) and Laws No. 8,078 of September 11, 1990; No. 10,741 of October 1, 2003; and No. 14,181 of July 1, 2021 (consumer protection).

Internationally, regional data-privacy laws—such as Europe’s GDPR (General Data Protection Regulation)—must be observed or taken into account during the international expansion of the Quality Portal’s services. The specific laws of each region and country will be addressed in line with business opportunities.

As for standards, this documentation is primarily based on ISO/IEC 27000 and related standards, especially ISO/IEC 27001 and 27002.

LGPD AND PERSONAL DATA PROTECTION

Data Inventory

We maintain and control the types of data received from customers and users through a data inventory. Because customized registration fields can be created, fields containing Personal or Sensitive Data may be created or imported via the platform’s integration tools. In such cases, a monthly list of registration fields is generated to ensure awareness of which data types are present in the platform and to validate that encryption flags are correctly applied to fields that will receive sensitive data.

Flagging Sensitive Data

All default system fields relate at most to personal data (e.g., name or an internal customer code). However, extra registration fields can be created by users or imported depending on the integration used. In these cases, basic control over data types depends on the user-provided content.

To reduce the inherent risk, during the import of a dataset—and the consequent creation of registration fields to hold that data—all such fields are classified as “sensitive data” and are encrypted at rest in the database.

For fields created manually through customization, the user can mark whether the field constitutes sensitive data. Any field created without the “sensitive data” flag must undergo a secondary confirmation, in which the user explicitly accepts creating a new field without the sensitive-data protection.

All data flagged as “sensitive” are stored encrypted in the database. Additionally, during field review as part of the data-inventory process, if the reviewer finds registration fields that receive sensitive data but are not flagged as such, they may open a request to correct the flags to ensure the protection of the data captured by that field.

Encryption

The database encryption used is based on the Rijndael algorithm, while database backups are encrypted using AES-256.

Encryption is applied during processing of the selected data and during backup creation.

Encryption keys are stored in an electronic vault; access permissions and credentials are granted only to the CEO and the Administration team’s Director. Keys must be rotated every two years, and the encrypted data re-encrypted under the new key accordingly.

Transmission of data from the application to the servers—and consequently to the database—uses HTTPS with TLS 1.2+ to ensure encrypted transfer over the internet to the correct destination.
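The field-flagging rules above (import always sensitive; a manual field left unflagged needs explicit confirmation) and the encrypt-at-rest step from this Encryption section, as an added Go example that is not 2CLIX's own code: Classify applies the creation rules, and only values classified as sensitive are encrypted. The page names AES-256 but not a mode, key derivation or vault API, so AES-256-GCM with a caller-supplied 32-byte key is an assumption here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

var ErrNeedsConfirmation = errors.New("unflagged field needs explicit confirmation")

// Classify applies the page's rules: imported fields are always sensitive; an unflagged manual field needs explicit confirmation.
func Classify(origin string, flagged, confirmedUnprotected bool) (bool, error) {
	if origin == "import" || flagged {
		return true, nil
	}
	if !confirmedUnprotected {
		return false, ErrNeedsConfirmation
	}
	return false, nil
}
// aead builds AES-GCM; a 32-byte key gives AES-256, the strength the page names (the GCM mode is assumed).
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Store leaves non-sensitive values as-is and returns nonce||ciphertext otherwise.
func Store(sensitive bool, key, value []byte) ([]byte, error) {
	if !sensitive {
		return value, nil
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to fail (Go 1.24+)
	return g.Seal(nonce, nonce, value, nil), nil
}
// Load decrypts a stored sensitive value; a wrong or rotated-out key fails GCM authentication.
func Load(key, stored []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil || len(stored) < g.NonceSize() {
		return nil, errors.New("bad key or stored value")
	}
	return g.Open(nil, stored[:g.NonceSize()], stored[g.NonceSize():], nil)
}
```

Key rotation as the page describes it is Load under the old key followed by Store under the new one; the sample CPF-style value used in the test is constructed, not real data.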

Fulfilling Data-Subject Requests

The data subject may request the exercise of their rights regarding the data used in the Quality Portal. To do so, the data subject or controller should submit the appropriate request via a form to the DPO or Support.

Link to the request form.

DOCUMENT MANAGEMENT

This document is valid from its most recent approval and is the responsibility of the 2CLIX TECNOLOGIA EIRELI Projects team. The update cycle is annual and must always be carried out based on an assessment of this document’s effectiveness and alignment with the company’s other policies and processes.

To ensure a clear and concise assessment, the following evaluation criteria will be used:

  • Impactful changes in legislation, standards, or contracts;
  • Conflicting requirements caused by incorrect prioritization;
  • Security incidents arising from non-compliance with legal, contractual, or normative requirements;
  • Redundancies or duplicated processes resulting from conflicting interpretations of requirements.

Incident records involving the content of this document will be stored in a dedicated folder within the 2CLIX TECNOLOGIA EIRELI documents directory.
