Information Security Policy (ISP)
Last updated: July 1, 2025
1. Objective
This Information Security Policy (ISP) aims to establish the strategic guidelines and corporate standards for the protection of information assets of IDGN IT Solutions, its clients, and partners. The goal is to mitigate risks and ensure the confidentiality, integrity, and availability of information, supporting business objectives and legal compliance.
2. Scope
This policy applies to all employees, service providers, partners, and third parties who have access to information assets and information systems owned or managed by IDGN IT Solutions, regardless of their physical location or employment relationship.
3. Information Security Principles
The security actions of IDGN IT Solutions are based on the following fundamental principles:
- Confidentiality: Ensuring that information is accessible only to authorized persons.
- Integrity: Safeguarding the accuracy and completeness of information and processing methods.
- Availability: Ensuring that authorized users have access to information and associated assets whenever necessary.
4. Guidelines
To ensure the effectiveness of this policy, the following guidelines must be observed:
- Asset Management: All information assets must be identified, classified according to their criticality, and have a designated owner.
- Access Control: Access to information and systems must be based on the "need-to-know" and "least privilege" principles, implemented through formal user identification, authentication, and authorization processes.
- Cryptography: Sensitive information, both at rest and in transit, must be protected by robust and approved cryptographic controls.
- Physical and Environmental Security: Areas where sensitive information is processed or stored must be protected by physical access controls and environmental protection measures.
- Operations Security: Procedures for change management, capacity management, and malware protection must be implemented to ensure the secure operation of information systems.
- Communications Security: Information exchanged over internal and external networks must be adequately protected against interception and unauthorized modification.
- System Acquisition, Development, and Maintenance: Information security requirements must be integrated into all stages of the information system lifecycle.
- Information Security Incident Management: All information security incidents must be reported, recorded, investigated, and addressed in a timely and effective manner.
- Business Continuity: A Business Continuity Plan must be developed and maintained to ensure the availability of critical services in the event of adverse events.
- Compliance: All activities must comply with current legislation, regulations, and contractual obligations, including the guidelines established in our General Data Protection Policy (LGPD).
5. Responsibilities
- Senior Management: To provide resources and demonstrate commitment to this policy.
- Information Security Officer (ISO): To manage the Information Security Management System (ISMS) and report on its effectiveness.
- Managers and Asset Owners: To implement security controls in their areas of responsibility.
- All Users: To know and comply with this policy and related security procedures.
6. Awareness and Training
IDGN IT Solutions will promote a continuous program of information security awareness and training for all employees and relevant third parties to ensure understanding and compliance with this policy.
7. Violation Management and Sanctions
Violations of this policy or its related procedures will be subject to investigation and may result in disciplinary measures, as provided in internal regulations and applicable legislation.
8. Policy Review
This policy is reviewed annually or whenever significant changes occur in the business, technological, or legal environment.