Information Security Policy

1. Objective

Dock Ltd. and its subsidiaries, hereafter referred to simply as "Dock", in line with their commitment to protecting the information they own and are responsible for, aim to establish guidelines for the treatment of information assets and for acceptable levels of reliability.

2. Scope

This policy applies to all Dock employees, interns, and Third Parties working under contract who, in the course of their duties and/or contract execution, make use of business or administrative information.

3. Guidelines

All information is protected according to the rules defined in this policy. The adoption of procedures that ensure Information Security is a constant priority across Dock's areas, in order to reduce failures and damages that could compromise its image or cause losses to others.
This policy ensures that applicable Central Bank regulations and circulars are monitored and complied with by Dock, and that the processes involved in handling card data have the controls defined by the Payment Card Industry Data Security Standard (PCI-DSS).

3.1. Principles of Information Security

The principles of Information Security cover the following aspects:

Confidentiality: Ensuring that access to information is obtained only by authorized persons.

Integrity: Ensuring that information is maintained in its original state, aiming to protect it, in the process, transport, and storage, against undue alterations, whether intentional or accidental.

Availability: Ensuring that authorized employees gain access to the corresponding information and assets whenever necessary.

Authenticity: Validates the user's authorization (through credentials and an authentication process) to access, transmit, and receive certain information, confirming the identity of employees before granting access to systems and resources, and ensuring that unauthorized persons cannot impersonate them.

Non-repudiation: Also called non-retractability. It ensures that a person or entity cannot deny authorship of the information provided, as in the case of using digital certificates for online transactions and signing electronic documents.

3.2. Awareness Program

Dock has awareness and training programs whose objective is to raise the level of training of all its employees on the themes of cyber-attacks and Information Security guidelines.

3.3. Information Classification, Treatment and Traceability

All information is classified and controlled so that the principles of integrity, confidentiality, availability, authenticity, and non-repudiation are applied, ensuring traceability according to its degree of secrecy.

3.4. Access Control and Authentication

All access to the Dock environment is controlled, monitored, restricted, periodically reviewed, and revoked in a timely manner at the end of the employee's or Third Party's employment contract.

3.5. Physical and Environmental Security

Dock areas and facilities are classified into security levels for physical access control purposes. The cryptographic key ceremony complies with the security requirements defined in the latest version of the PCI-DSS.

3.6. Cloud Security

At Dock, the use of cloud services is an important strategy to gain availability, reliability, and scale in its services.

3.7. Cryptographic Controls

Dock develops and implements cryptographic controls, strong encryption standards for data in transit and at rest, and key management and key ceremonies, according to the best practices of security frameworks, current legislation, and internal rules.

3.8. Secure Development

Dock has security guidelines for the development and maintenance of applications and systems, in order to direct the creation and execution of these processes in a secure way and ensure a higher level of service reliability.

3.9. Backup and Business Continuity

Dock works to provide the highest level of security and availability for its products. All information and systems necessary for the support and continuity of Dock's services are covered by backup processes and by a Business Continuity Plan that provides for the restoration and recovery of operations and activities during a service interruption event.

3.10. Security Tests

Dock periodically conducts internal and external penetration tests, ensuring that its environments meet Information Security requirements.

3.11. Corporate Network and Network Segmentation

At Dock, networks and subnets are segmented to ensure restricted access control and the protection and isolation of critical environments, following PCI-DSS best practices for secure communication.

3.12. Electronic Mail, Messaging and Secure Transmission

The electronic mail service, messaging, as well as other means of communication made available shall be used exclusively to meet Dock's specific business purposes, support, services and objectives.

3.13. Vulnerability Management

Dock periodically runs environment scans in order to identify possible weaknesses and vulnerabilities that could compromise its systems. In addition, security requirements are analyzed from the conception of new products (security by design).

3.14. Environment monitoring

Dock has monitoring and auditing mechanisms for workstations, servers, email, Internet connections, and mobile devices, as well as protective, preventive, detective, and corrective mechanisms and practices to ensure the security of Dock's information.

3.15. Intrusion Detection and Prevention Systems

In order to prevent data leakage, Dock uses specialized solutions that monitor and alert on suspicious or atypical data movements, including information transfers via e-mail.

3.16. Antivirus and Antispyware Systems

Dock has Antivirus and Antispyware solutions installed on all its servers and employee workstations.

3.17. Hardware and Software

All processes involving the life cycle of corporate systems, including Dock hardware and software, follow best practices and recommendations in Information Security.

3.18. Response Plan for Information Security Incidents

Dock has strategies for monitoring, observing, and responding to Information Security incidents, covering all critical products and always observing the legislation in force that applies to the operation.

3.19. Incident Scenarios

Dock conducts tabletop exercises to validate the effectiveness of its cyber-attack response plans for relevant scenarios. In addition, continuous improvements are made according to the observed results.

3.20. Privacy

The privacy of customers, employees, and partners is a priority issue for Dock. For more details on how personal data is handled, collected, used, and disclosed, please visit Dock's Privacy Portal.

4. Definitions

Dock Ltd. and its subsidiaries/Dock: They include all the companies and CNPJs in the Dock Tech group, Dock Ip, Bpp, Cacao, Dock Colombia, and the other Latam companies.

PCI DSS: Acronym for the Payment Card Industry Data Security Standard, which was developed to enhance the security of cardholder data and to promote the widespread adoption of consistent data security measures worldwide.

Logical Access: A set of hardware and software controls designed to protect information and provide access only to those employees who have permission.

Third Parties: Supplier companies, service providers, business partners, or third parties in the strict sense (an individual, that is, a natural person who is not part of Dock's internal organizational structure, allocated for a certain period to provide a service).