RD Station Information Security Policy for Customers

Learn about our Information Security Policy for Customers:

1. The Information Security Policy applies to all information that is under the responsibility of RD Station, regardless of the registration medium, encompassing, in particular, databases, any computer environment, documents, files and other technological and/or application tools.

2. The purpose of the Information Security Policy is to preserve the confidentiality, integrity, and availability of information, ensuring the objectives of RD Station and maintaining customer trust and compliance with legal and regulatory obligations.

2.1. RD Station establishes clear objectives for implementing information security processes, controls, and practices in this regard. It also encourages adopting and implementing a comprehensive Information Security Policy across the entire community.

2.2. The objectives of information security are as follows:

2.2.1. Assess information security risks in order to implement necessary controls to mitigate risks up to the established level of acceptance;
2.2.2. Create a culture of information security through training and awareness-raising actions;
2.2.3. Define and implement the technical and organizational controls necessary to ensure information confidentiality, integrity, and availability;
2.2.4. Consider information security as a continuous improvement process, making it possible to achieve increasingly advanced levels of security.

3. Information Security Policy
3.1. The Information Security Policy is based on the following principles:

3.1.1. Confidentiality: Information is only made available to those with the appropriate authorization;
3.1.2. Integrity: The safeguarding and preservation of information, as well as the appropriateness of each processing method;
3.1.3. Availability: The information is available to all duly authorized users;
3.1.4. Auditability: Corporate and business data and information are recorded, compiled, analyzed, and disclosed to allow internal auditors or external certification entities to attest to their integrity;
3.1.5. Traceability: The ability to recover the actions’ log history.

3.2. Information security is achieved through the implementation of a set of controls, namely policies, standards and procedures, which are aligned with the international standard ISO/IEC 27001.

4. Information Security Organization
4.1. The information security organization is implemented and managed through an Information Security Management System (ISMS or, in Brazilian Portuguese, Sistema de Gestão de Segurança da Informação – SGSI) that guarantees a multidisciplinary approach to the subject and allows planning, designing, controlling, evaluating and improving all information security implementation processes in a cross-cutting way, considering three aspects of action: people, technologies and processes.

4.2. RD Station implements specific, auditable policies and procedures that follow international reference standards and define the requirements for the implementation of the Information Security Management System (ISMS), such as:

4.2.1. Promoting the definition of appropriate rules for data privacy and compliance with the General Personal Data Protection Law, Law No. 13,709/2018;
4.2.2. Promoting, through its Information Security Management System (ISMS), the protection of confidentiality, integrity, and availability of information and the resilience of its systems and information processing services;
4.2.3. Maintaining an Information Security Policy, a Privacy Policy with an External Privacy Notice, a Risk Management Policy, and an Information Security and Privacy Incident Response Policy. These policies and procedures are duly communicated and made available to all employees, suppliers, customers, and any individuals, artificial intelligence entities, or systems having access credentials to any of its assets;
4.2.4. Promoting the ability to minimize the impact of physical or technical incidents through its incident management plans;
4.2.5. Establishing control measures that address information security and privacy risks associated with the information and communication technology products and services supply chain in its risk management policy;
4.2.6. Establishing contractual obligations with its employees, suppliers, customers, and any individuals who have access to any of its assets, defining the responsibilities of both the individual and the organization concerning information security;
4.2.7. Mandating that its employees, suppliers, customers, and any individuals with access to its assets adhere to information security practices in accordance with the provisions outlined in its policies and procedures;
4.2.8. Imposing the responsibilities and obligations for information security and privacy even after the termination or alteration of contracts with its employees, suppliers, customers, and any individuals with access to the organization’s assets. These responsibilities and obligations must also be defined, communicated, and upheld;
4.2.9. Identifying security mechanisms, service levels, and management requirements for all network services provided internally and for outsourced parties in this contract, whether through instruments such as Service Level Agreements, Operational Level Agreements, or other appropriate means;
4.2.10. Safely transferring any information, personal data, or similar data related to this contract using the necessary techniques for this purpose;
4.2.11. Establishing mitigation plans for risks involving supplier or third-party access to the customers’ assets;
4.2.12. Establishing processes, and instructing its employees, suppliers, customers, and individuals with access to any assets, to report and document any observed or suspected information security vulnerabilities in the systems or services;
4.2.13. Performing regular vulnerability reviews and penetration tests on the system to identify and correct potential security threats, taking proactive steps to promptly address and remedy identified vulnerabilities;
4.2.14. Establishing and maintaining an inventory of service providers (suppliers) and applying security and privacy due diligence to all third parties that are part of its service provision;
4.2.15. Designating personnel to manage the incident handling process, establishing and maintaining contact information for reporting security incidents through a defined corporate incident reporting process.

5. Training and Awareness
5.1. RD Station implements and sustains a security awareness program for its employees, suppliers, customers, and any individuals, artificial intelligence systems, or systems with access credentials to any of its assets.

5.2. RD Station trains its workforce members on best authentication and data processing practices, as well as how to recognize social engineering attacks, understand the causes of unintentional data exposure, identify and report security incidents, determine whether corporate assets lack security updates, and be aware of the dangers associated with connecting and transmitting corporate data over insecure networks.

6. Data Retention, Availability, and Backup
6.1. Internet connection logs and Internet applications are categorized in accordance with item VI of article 5 of Law No. 12.965/2014 (Brazilian Civil Framework of the Internet), as well as the following information:

6.1.1. Start and end date and time of the connection to the Internet and/or Internet application, duration of the connection, IP address and respective logical port of origin and the time zone of the server or system used to provide access.
6.1.2. RD Station stores connection records related to Internet applications it provides for a period of 05 (five) years.
6.1.3. All records, both for Internet connections and connections to Internet applications, may be made available:

6.1.3.1. Upon request of the Data Subject;
6.1.3.2. By court order;
6.1.3.3. To safeguard the rights of the customer.

6.2. RD Station performs periodic backups of user data to ensure data integrity and availability.

6.3. Backups are stored securely and used exclusively for recovery in case of a system failure or data loss.

7. Customer Responsibility for Information Security
7.1. As a user of our service, the customer shares the responsibility for information security. This commitment includes but is not limited to:

7.1.1. Maintaining confidentiality and not sharing access credentials;
7.1.2. Not sharing passwords with third parties;
7.1.3. Using strong passwords and updating them periodically;
7.1.4. Protecting devices from unauthorized access.

7.2. Notifying us immediately of any unauthorized or suspected use of accounts or of any security breaches.

7.3. Ensuring that the data stored and shared through our service complies with applicable laws and regulations.

7.4. Complying with our terms of use and security guidelines when using our services.

7.5. When collaborating and sharing information through our service, the customer must consider the security and privacy implications and act responsibly.

8. Security Incident Response
8.1. RD Station maintains a security incident response plan that includes procedures for dealing with data breaches, information leaks, and other security threats.

8.2. Our company reports any data breaches that may affect customers’ personal information in accordance with applicable laws.

9. Continuous Improvement
9.1. The Information Security Management System (ISMS) is subject to periodic reviews to improve applicability, suitability, and effectiveness.

10. Review and Communication of the General Information Security Policy
10.1. The Information Security Policy will be reviewed annually, or whenever significant changes occur, to ensure its continued applicability, adequacy and effectiveness.

10.2. Any and all changes will be widely shared with customers through RD Station’s official channels.

Updated on 06/12/2023
Version: 12.01-2023-12-06