1. Purpose
This policy aims to establish guidelines, controls, and responsibilities for the use and sharing of confidential information within the scope of Lopti’s activities, including professional conduct, contracts, and/or any legal transactions entered into or intended to be entered into with Lopti.
It is expected by Lopti’s Senior Management that each professional takes responsibility for the company’s integrity through compliance with this Policy.
2. Scope of Application
Unit/Location: This policy applies to all Lopti units.
3. Eligibility
This policy applies to all Lopti professionals.
4. References
- Brazilian General Data Protection Law (LGPD – Law No. 13.709/2018)
- Brazilian Civil Rights Framework for the Internet (Law No. 12.965/2014)
5. Definitions
- a) Confidential Information: Any and all information, data, documents, projects, reports, contracts, contract drafts, correspondence, technical or material specifications, regardless of format — written, oral, electronic, visual, digital, or any other means — that is not publicly known and has been disclosed, transmitted, accessed, or otherwise made available to Lopti or by Lopti to authorized third parties.
This definition includes, but is not limited to, financial, accounting, legal, strategic, technical, operational, commercial, economic, marketing, engineering, software development, system architecture, business models, process flows, expansion plans, ongoing negotiations, and data relating to clients, suppliers, and partners, as well as any other knowledge, methods, procedures, formulas, source code, algorithms, databases, and know-how, whether of a technical or non-technical nature.
- b) Disclosing Party: A natural or legal person who makes Confidential Information available or shares it with another party, whether directly or indirectly.
- c) Receiving Party: A natural or legal person who receives, accesses, or becomes aware of the Confidential Information provided by the Disclosing Party.
- d) Non-Disclosure Agreement (NDA): A legal document entered into by the parties with the purpose of protecting shared Confidential Information, establishing rights, duties, and penalties.
- e) Personal Data: Information related to an identified or identifiable natural person, as defined under the Brazilian General Data Protection Law (LGPD).
- f) Sensitive Data: Information related to racial or ethnic origin, religious beliefs, political opinions, genetic or biometric data, health status, or sexual orientation.
6. Specific Guidelines
General principles described in this policy must be expanded through other policies, rules, and procedures to ensure proper implementation.
6.1. Information Classification
Information classification is essential to ensure appropriate protection and access control. All information produced, received, or stored by Lopti must be classified according to its sensitivity and potential impact if improperly disclosed:
- Public: Information that may be freely disclosed to the public without harm to the company, such as institutional content, previously published promotional material, or legally required public disclosures.
- Internal Use (Restricted): Information intended solely for use by authorized employees and service providers, where leakage could cause operational impacts or compromise internal processes. Example: internal policies, work instructions, project schedules.
- Confidential: Information that must be strictly limited in access, where unauthorized disclosure could cause strategic, financial, or legal harm to the company. Includes, but is not limited to, contracts, client data, technical software specifications, business strategies, and commercial information.
- Highly Confidential (Critical): Information of the highest strategic, operational, or technological value, the disclosure of which could seriously compromise the company’s continuity or competitive advantage. Example: proprietary source code, exclusive algorithms, acquisition and merger strategies, undisclosed financial data.
All information must be labeled according to its classification, and company systems must allow for the application of this categorization in storage and access control.
6.2. Handling of Confidential Information
The handling of confidential information must adhere to the following principles and practices:
- Principle of least privilege: Access should be granted only to individuals strictly necessary to perform a specific task or role.
- Environment segregation: Confidential information must be processed in segregated and secure environments, such as internal servers with multifactor authentication, VPN networks, and encrypted repositories.
- Access control: Access must be monitored, logged, and periodically reviewed. All access grants and revocations must be documented.
- Verbal confidentiality: Discussions involving confidential information must occur in controlled environments, avoiding exposure in public settings such as shared offices, hallways, public transport, or social networks.
- Mobility: Confidential information must not be accessed or transported on unauthorized devices. If remote access is necessary, information security guidelines for external work must be followed (e.g., VPN, secure authentication, managed devices).
- Third-party sharing: Any external sharing must be authorized in writing, preceded by the signing of a Non-Disclosure Agreement (NDA), and limited to what is strictly necessary.
6.3. Sharing
Sharing of confidential information must follow criteria of necessity, authorization, and traceability. The main requirements are:
- Prior authorization: No confidential information may be shared with third parties without the express authorization of Management, Legal, or the Information Security Officer.
- Formalization via NDA: Sharing with third parties (clients, suppliers, partners, service providers) must be subject to the signing of a Non-Disclosure Agreement (NDA) with specific clauses regarding scope, term, penalties, and the obligation to return or destroy data at the end of the relationship.
- Internal sharing: Even within internal departments, sharing must respect the classification levels and be limited to individuals directly involved in related activities.
- Authorized media and channels: Confidential information must be shared only through authorized and secure channels, such as encrypted corporate email, approved internal platforms, or systems with permission control.
- Sharing record: All relevant external sharing actions must be recorded, including the date, responsible party, content involved, and the reason for sharing.
6.4. Storage and Disposal
Protecting confidential information depends on correct storage and secure disposal of sensitive documents and files. The guidelines are as follows:
Physical storage:
- Printed confidential documents must be stored in locked cabinets or restricted-access rooms.
- Access must be limited to authorized individuals, with entry and exit controls.
Digital storage:
- Files must be stored exclusively in authorized corporate systems with automatic backups and encryption of data at rest and in transit.
- The use of USB drives, external hard drives, or non-corporate cloud services (e.g., personal Google Drive, Dropbox, etc.) is strictly prohibited.
Version control and logs:
- Confidential information must have version control and change history to ensure traceability and auditing.
- Access to such documents must be logged and monitored.
Physical disposal:
- Confidential documents must be destroyed using shredders or certified secure disposal services.
- Common disposal (trash, recycling) is strictly prohibited for this type of material.
Digital disposal:
- Digital confidential files must be securely deleted using overwriting or permanent deletion tools.
- Data stored on equipment that is being returned (such as laptops and servers) must be securely and permanently erased beforehand.
7. Procedure and Responsibility Matrix
7.1 Responsibility Matrix
Area/Position: Professional
Responsibility/Authority:
- Comply fully with all the terms of this Confidentiality Policy and the Non-Disclosure Agreements signed;
- Ensure that all confidential information to which access is granted is stored, used, and shared securely, restrictively, and in accordance with internal guidelines;
- Prevent the leakage, disclosure, copying, or misuse of confidential information, even after the termination of the relationship with the company;
- Adopt good information security practices, including strong passwords, care with mobile devices, and use of secure channels;
- Participate in training and awareness actions promoted by Lopti on confidentiality, data protection, and information security;
- Request formal authorization before sharing any information with third parties, even within Lopti.
Area/Position: Leadership
Responsibility/Authority:
- Evaluate doubts and questions from professionals, providing the necessary clarifications to eliminate any uncertainty about the Confidentiality Policy;
- Ensure compliance with the Confidentiality Policy;
- Supervise and validate the control of access to confidential information under their responsibility;
- Approve or deny requests for access to classified information, based on the principle of least privilege;
- Act promptly in case of incidents, leading or assisting in internal investigations when necessary;
- Ensure that confidential information from projects or processes under their management is properly classified, protected, and access-restricted.
Area/Position: Legal Department
Responsibility/Authority:
- Draft, review, and validate contracts and Non-Disclosure Agreements (NDAs);
- Provide guidance on legal risks related to the improper exposure of confidential information; and
- Support the implementation of appropriate legal measures in the event of a violation of this policy.
8. Updates and Information Regarding this Policy
Uncovered or conflicting situations must be reported to notify@lopti.ai, with decisions justified and approved.
Lopti reserves the right to amend the terms of this Policy at any time, and it is the responsibility of the concerned party to remain informed.
Any and all changes will be communicated via email and will take effect within 15 days of their disclosure.