Cyber Security Policy
Created: March 12, 2024
1. Objective
The objective of this Cyber Security Policy (“Policy”) is to define guidelines regarding the security of information contained in the Dealboard platform’s database (“Dealboard”), providing instructions on the handling, treatment, control, and protection of information, whether confidential or not, throughout its lifecycle, against destruction, modification, unauthorized disclosure, or unauthorized access, whether accidental or intentional.
In addition to the information itself, this Policy also applies to any means used at any stage of the information lifecycle, whether it be a technological asset or not.
2. Scope
The following guidelines apply to all partners, employees, interns, apprentices, and service providers of Dealboard, as well as other related parties directly or indirectly involved in the handling, treatment, and control of Dealboard’s database (“Employees”), and to users who utilize and maintain confidential or non-confidential information under Dealboard’s custody.
3. Information security principle
Cybersecurity, also known as information technology security, is a system of protecting computers, networks, programs, and data from unauthorized or unintentional access, alteration, or destruction.
The three objectives of information security are:
- Confidentiality;
- Integrity; and
- Availability.
Confidentiality: refers to the protection of information against unauthorized access or disclosure. Ensuring confidentiality ensures that those authorized to access information can do so, and those who are not authorized are prevented from doing so.
Integrity: refers to the protection of information against unauthorized modification or destruction. Ensuring integrity ensures that information and systems are accurate, complete, and uncorrupted.
Availability: refers to the protection of information systems and information from unauthorized interruption. Ensuring availability ensures the timely and reliable access and use of information systems.
4. Information treatment and protection
The following are non-exhaustive rules and guidelines regarding the protection and treatment of Dealboard’s information. Any questions or requests for clarification should be directed immediately through the channels available on Dealboard’s websites.
4.1 Perimeter protection
- Dealboard utilizes a firewall as the first line of defense against cyber-attacks.
- The Intrusion Prevention module monitors attempts at unauthorized access to the computer network.
- The Web Filtering function blocks malicious and unauthorized websites according to pre-established information security rules.
- With the Advanced Threat Protection function activated, a barrier against ransomware attacks is created.
4.2 Antivirus
- Dealboard uses corporate antivirus (client/server) with centralized management.
- Updates are carried out daily, and users do not have access to the settings, which are protected by passwords known only to the technology department.
- Integrity and critical areas of the computer are checked daily at a pre-established time.
- Weekly scans are scheduled to analyze all machine files, also at a pre-established time.
- Desktops and servers are configured differently according to their operational characteristics.
- Alerts for non-updated devices, corrupted databases, intrusion or attack detection, antivirus firewall activated/deactivated, infected objects, objects in quarantine, and other warnings are sent via email to the technology department for immediate action.
4.3 Guest Wi-Fi
- Dealboard provides Wi-Fi service to its employees and visitors, duly registered and identified.
- The equipment installed on the company’s premises allows for a high degree of reliability and security, as well as individualized access records for each device through vouchers with specific validity for each case. Whether visitor or internal collaborator, all have registration and traceability with the aim of protecting both users and the company.
4.4 Email — Google Workspace
- Employee email access is through Google Workspace.
- We rely on Google’s cloud security to provide the service to our employees.
- Two-factor authentication (2FA) adds an extra layer of protection against unauthorized access to employees’ email accounts.
- The Google Vault module allows total traceability for audit purposes.
4.5 Vulnerability assessment
- Dealboard uses a centralized manager that consolidates vulnerability scans and other pertinent cybersecurity information.
- This manager is a framework of various services and scripts for penetration testing, focused on verifying security vulnerabilities, and is responsible for scanning the Dealboard network.
5. Security testing
The following verification tests are performed to identify anomalies, threats, accesses, components, or unauthorized devices:
| Routine | Periodicity |
|---|---|
| Backup | Daily |
Updated inventories of hardware and software used by Dealboard are maintained.
Whenever there is a significant change in Dealboard’s technological structure, vulnerability analyses will be conducted.
6. Response to cyber incidents
Dealboard adopts the following incident response action plans based on identified threats:
| Internal threat | Severity (classification) | Action plan |
|---|---|---|
| File loss on the network or corrupted file. | High | File restoration from backup. |
| Backup failure. | High | Treatment of failure and rescheduling of backup. |
| Employees who have been terminated still have their data active in the company. | High | Review of user access and keeping the log active. |
- It is the responsibility of the Compliance and Risk Team to communicate the contingency to other Dealboard employees, guiding them on the appropriate posture and measures, according to the nature and severity of the contingency.
- It is the responsibility of the Compliance and Risk Team to develop reports on the damages, the percentage of affected activities, and the financial impacts, and to suggest measures to be taken to enable activities to return to normal. Such reports shall be submitted to the decision-making bodies of Dealboard, which will take the necessary initiatives to return to normalcy as quickly as possible.
- After returning to normalcy, to prevent incidents of the same nature, Dealboard will study preventive procedures to be implemented and included in this business continuity plan.
7. Main recommendations for customers and users
7.1 Authentication and password
The customer is responsible for acts performed with their identifier (login/acronym), which is unique and accompanied by a password exclusive for individual identification/authentication in accessing information and technology resources.
We recommend that the customer:
- Keep the password confidential, memorize it, and do not record it anywhere. In other words, do not tell anyone and do not write it down on paper;
- Change the password whenever there is any suspicion of compromise;
- Create quality passwords, making them complex and difficult to guess;
- Prevent the use of their equipment by others while it is connected/logged in with their identification; and
- Always lock the equipment when away.
7.2 Antivirus
We recommend that the customer maintain an updated antivirus solution installed on the computer used to access the services offered by Dealboard, and keep the operating system updated with the latest updates applied.
7.3 Social engineering
Social engineering, in the context of information security, refers to the technique by which one person seeks to persuade another, often abusing the user’s naivety or trust, aiming to deceive, scam, or obtain confidential information.
7.4 Phishing
Phishing is a technique used by cybercriminals to deceive users by sending malicious emails in order to obtain personal information such as passwords, credit card numbers, CPF (Brazilian taxpayer registry number), bank account numbers, among others. Phishing email approaches can occur in the following ways:
- When they seek to attract users’ attention, whether for the possibility of obtaining some financial advantage, out of curiosity, or for charity;
- When they attempt to impersonate official communications from well-known institutions such as banks, e-commerce stores, among other popular websites; and
- When they try to induce users to fill out forms with their personal and/or financial data, or even to install malicious software aimed at collecting sensitive user information.
7.5 Spam
Spam consists of unsolicited emails, usually sent to many people and typically containing advertising content. In addition, spam is directly associated with security attacks, being one of the main vehicles for spreading malicious code, selling illegal products, and disseminating scams.
7.6 False phone contact
False phone contact consists of techniques used by fraudsters to obtain information such as personal data, passwords, tokens, the mobile device identification code (IMEI), or any other type of information for the purpose of fraud.
8. Communication
Any indications of irregularities in compliance with the provisions of this Policy will be subject to internal investigation and must be reported immediately to our service channels.
9. Validity
This Policy may be revised annually or, when necessary, if there is a need to change, add, or delete any of the security procedures contained in this Policy. This Policy is available on the Dealboard website, and therefore, we recommend always reading it to check the most recent version.
