Strategic Information Security Policy
- Ensure that Information Security and Data Privacy are aligned with VAAS business goals and always treated as strategic areas.
- Prevent Information Security and Data Privacy incidents.
- Maintain business continuity, ensuring delivery of the Platform and Services to clients.
- Ensure clarity and transparency in the information delivered to clients.
- Ensure protection and security in the receipt, handling and delivery of information from clients.
- Ensure protection and security throughout the entire data processing lifecycle.
- Ensure compliance, through information security, with national legislation on data protection and privacy, especially the LGPD.
Introduction
VAAS Tecnologia LTDA ("we", "our" or "VAAS") values the privacy of users of our data platform and is committed to protecting the personal information collected during use of our services, in compliance with Brazil's Lei Geral de Proteção de Dados (LGPD).
This Privacy Policy describes how we collect, use, share and protect your personal data. By accessing or using our data platform, you agree to the terms described in this policy.
Reference documents
- Federal Law 13.709/2018. Lei Geral de Proteção de Dados Pessoais (LGPD).
Terms and definitions
- Information classification: the process of identifying, analyzing and evaluating information according to its confidentiality level, taking into account its importance to the organization, applicable legal requirements, and its sensitivity to unauthorized disclosure or modification.
- Confidentiality: the property of information not being available or disclosed to unauthorized individuals, entities or processes.
- LGPD: Federal Law 13.709/2018, known as the Lei Geral de Proteção de Dados.
- Information custodian: a person, group or entity that has authority over information and can decide on its classification and handling.
- Availability: the property of information being accessible and usable on demand by an authorized entity.
- Governance structure: the person or group of people responsible for the organization's performance and compliance.
- Information security event: an identified occurrence in a system, service or network state indicating a possible information security breach, control failure, or a previously unknown situation that may be relevant to security.
- Information security incident: a single unwanted or unexpected information security event, or a series of such events, with a significant probability of compromising business operations or threatening information security.
- Integrity: the property of accuracy and completeness of information.
- Information need: the view required to manage objectives, goals, risks and issues.
- Data privacy or information privacy: ensuring the fundamental rights of personal data subjects as established in applicable law.
- Information security: preservation of the confidentiality, integrity and availability of data and information.
- Personal data processing: any operation performed with personal data, including but not limited to: collection, transmission, storage, processing, retention and disposal.
Information collected
We collect personal information in various ways, including but not limited to:
- Registration information: when you create an account on our platform, we collect information such as name, email address, phone number and password.
- Usage information: we record information about how you use our platform, such as activity logs, pages visited, geolocation data, time spent on our platform and interactions with other users.
- Contact information: we may collect additional contact information, such as mailing address, to provide support and personalized services.
Use of information and legal bases under the LGPD
As a registered user of the VAAS Platform, your personal data is in our care, in our role as data controller. We use your personal information for the following purposes:
- Provide and improve our services: we use your information to operate and enhance our services, personalize your experience and fulfill our contractual obligations to you.
- Communication: we will send account-related communications such as updates, transaction confirmations and security notifications. We may also send newsletters and other promotional communications if you consent to receive them.
- Customer support: we use your information to answer questions, resolve issues and provide customer support.
- Data analysis: we perform data analysis to improve our services, develop new features and ensure platform security.
We process your personal data under one or more of the following legal bases provided by the LGPD:
- Preparation or execution of contracts;
- Regular exercise of rights;
- Legitimate interest of the controller.
Sharing of information
We will not share your personal information with third parties except in the following circumstances:
- Business partners: we may share information with business partners to provide services related to our platform, always requiring that those partners also comply with LGPD privacy requirements and information security best practices.
- Legal compliance: when necessary, we may disclose information to comply with legal or regulatory obligations.
International data transfer
The VAAS Platform does not currently perform international data transfers. Its infrastructure is hosted on a highly reliable and available cloud computing service with infrastructure located in Brazil.
In the future, data may flow and be stored and processed in data centers located in both Brazil and the United States. The cloud services provider is GCP (Google Cloud Platform), which provides all guarantees that data is processed securely and in compliance with national and international privacy legislation (GCP holds, among others, ISO 27001, ISO 27701, ISO 27017 and ISO 27018 certifications).
Personal data is therefore protected and processed in compliance with the LGPD (Lei Geral de Proteção de Dados).
Information security
We maintain appropriate security measures to protect your personal information against loss, unauthorized access, disclosure, alteration or destruction. Please note that no security system is 100% foolproof. We are SOC certified (SOC 1 and SOC 2 Type 2 reports) and follow ISO 27001 requirements.
Your rights and contact
You have rights regarding your personal data, including the right to access, correct, update or delete personal information. To exercise these rights, contact us using the information provided at the end of this policy.
Details on data subject rights can be found in the official LGPD text (Brazil's Lei Geral de Proteção de Dados).
You may also contact VAAS's data protection officers (our DPOs) for any matter relating to personal data processing.