Version: 1.0
Date: March/2023
Owner: Information Security Area
1. Objective
To set out the main guidelines of the Cybersecurity Policy, proportionate to the size, risk profile, and business model of Cumbuca, so that they guide the management of our information systems and ensure the confidentiality, integrity, and availability of the data and information systems we use.
2. Overview
Cumbuca provides payment services and financial organization services. To do so, it must maintain secure communication channels between the users of Cumbuca's services and Cumbuca's information systems, supported by effective control functions and by the implementation of this Cybersecurity Policy.
3. Scope
This document applies to all interested parties with respect to the manner and procedures adopted by Cumbuca to protect its data and information systems.
4. Applicable rules and regulations
Law No. 13,709/2018 (General Data Protection Law);
Law No. 12,965/2014 (Civil Rights Framework for the Internet);
Resolution CMN No. 4,893, of February 26, 2021;
Resolution of the Central Bank No. 85, of April 2022;
Internal rules and procedures, periodically reviewed and approved by the competent bodies and given due publicity.
5. Guidelines
5.1. We have a dedicated area responsible for cybersecurity, which ensures the security of our environment.
5.2. We ensure that the data we process is managed securely, so that only authorized entities have access to information, and only with the least privileges needed.
5.3. Our employees are trained periodically to stay secure in the digital environment, sustaining a culture that spreads security awareness.
5.4. The data managed by Cumbuca is processed in accordance with the General Data Protection Law and in compliance with the Civil Rights Framework for the Internet.
5.5. We have defined processes to ensure a secure development lifecycle for our information systems.
5.6. We protect our servers and our employees' workstations against malware and other types of attack.
5.7. We have methods to ensure the integrity of our data.
5.8. We manage and monitor the resources within our infrastructure that are relevant to the operation of our system.
5.9. We manage all internal and external access, whether by employees or partners.
5.10. We classify each piece of information according to its relevance.
5.11. We monitor and seek to maintain the best possible infrastructure for our business.
5.12. All partners are assessed in advance to ensure that they are qualified and comply with the applicable laws and regulations, especially those concerning cybersecurity.
5.13. We manage incidents and work to prevent them from occurring.
5.14. We have a business continuity plan.
5.15. We control the technologies used to ensure they are secure.
5.16. We continuously work to prevent, detect, and reduce vulnerabilities that could lead to incidents in our cyber environment and systems.
5.17. We have internal processes to prevent the unauthorized disclosure of data.
6. Maintenance of this policy
6.1. This policy will be reviewed at least once a year, or whenever procedures, laws, or applicable regulations are updated.