Version 1.2 – 07/19/2021

1. Overview

This Security Policy and Terms of Use document defines the general security and privacy rules that apply in all areas of the company. Our IT department is committed to protecting employees, third parties, partners, customers and WEBJUMP itself from illegal actions or damage caused by individuals or processes, whether accidentally, intentionally or unlawfully.

All WEBJUMP infrastructure, such as the Internet, Intranet and related systems, including but NOT limited to computers, network equipment, peripherals, software, operating systems, email accounts, storage media and software licensed to WEBJUMP, is the property of WEBJUMP. These systems and equipment MUST be used for the sole purpose of performing work and serving the interests of WEBJUMP, its customers and its users.

When it comes to computers, devices and information used for work, each user is responsible for following all recommendations, activities and conduct strictly in accordance with this document.

2. Purpose

The purpose of this Security Policy is to describe the acceptable use of electronic assets used during professional activities to access, store, transmit or process WEBJUMP and customer information, including but NOT limited to personally identifiable information. Assets may be owned by WEBJUMP or by third parties and include, but are not limited to, laptops, desktops, servers, mobile phones and software. These rules exist to protect employees and WEBJUMP.

Improper use of equipment and information exposes WEBJUMP to risks, including virus and other malware attacks, compromise of network systems and services, intrusions, data leakage and legal liability.

All employees, suppliers and third parties share responsibility for this security, so specific additional rules may be necessary in certain situations, motivated by risk or by compliance with customer or legal requirements.

3. Scope

This Policy applies to: (i) all WEBJUMP employees, temporary employees, contractors (including suppliers of goods and services), departments and external consultants working for or on behalf of WEBJUMP who are connected to a system, platform, application, data network, server or computer (personal or commercial), located at WEBJUMP or non-WEBJUMP sites, that uses, manages, transmits or stores WEBJUMP information, including all systems that belong to, are managed by or are used for WEBJUMP's business, hereinafter referred to as "Contributor" or "Employee"; (ii) all WEBJUMP information, whether electronic, printed or verbally communicated, as well as the computer services, computers and devices (including platforms, software, infrastructure services, systems and cloud computing services), and all computing systems and applications that support, store or transmit such files and information.

All WEBJUMP businesses and departments must comply with all laws and regulations of Brazil and of the other countries in which WEBJUMP operates; those laws and regulations supersede any conflicting provision of this policy and related standards.

4. Policy

4.1. Knowledge and Responsibilities of Employees

All Employees hired by WEBJUMP MUST know and understand this Security Policy and are responsible for practising, disseminating and applying the rules described herein. They cannot claim ignorance of the importance of, and their responsibility for, the data and information they access, whether confidential, sensitive or private.

4.2. Data Classification

Confidential: Applies to most business information, whose use is restricted to WEBJUMP and its customers. UNauthorized exposure of this type of information, whether written, digital or verbal, can have a major impact on the company, shareholders/partners, business partners, service providers and/or customers (e.g. business strategies, customer data, surveys, reports and any other information labelled "Confidential" that is shared between our Customers and WEBJUMP, whether or NOT it would give competitors an advantage);

Sensitive: Applies to market research, customer data, and backups or documents containing real data about our customers' own customers;

Private: Personal data and information, as well as internal processes, procedures, tools and any other document restricted to WEBJUMP, its employees and customers.

4.3. General Uses and Ownership

(a) Despite WEBJUMP's commitment to providing a reasonable level of privacy to its Employees, all Employees MUST be aware that data created on the company's networks and systems is the property of WEBJUMP. WEBJUMP does not guarantee the confidentiality of personal information transmitted over the network or stored on its devices, which is why the Collaborator must NOT use personal or sensitive data for purposes other than the performance of their work;

(b) WEBJUMP's electronic resources distributed to collaborators are intended for WEBJUMP's business use. To the extent consistent with applicable law, WEBJUMP reserves the right to enter, access, scan, monitor and record any WEBJUMP-owned or non-WEBJUMP resource connected to WEBJUMP's network in order to ensure productivity, ethical behaviour and compliance with the relevant WEBJUMP security policies and standards. This includes, among others:

  • Monitoring of visited websites;
  • Monitoring and reviewing material downloaded or uploaded on the Internet;
  • Reviewing electronic communications sent and received by WEBJUMP users (eg, email or instant messaging applications);
  • Traffic monitoring and network activity owned by WEBJUMP; and
  • Scanning of electronic content on WEBJUMP systems.

(c) Collaborators are responsible for immediately notifying their Manager and the IT Department, or the superiors responsible for their function, of any leak, theft or UNauthorized disclosure of information owned by WEBJUMP or its customers;

(d) If, in the course of their duties, an Employee identifies any current or potential failure or risk, they MUST immediately notify their Manager so that the necessary measures can be taken to ensure the integrity and protection of any restricted, sensitive or private information. Such failures are NOT limited to software development systems or processes; they include information security in general. Any problem or failure that could pose a risk to any area or department of the company MUST be reported immediately to the Manager of the relevant area;

(e) Employees are expected to exercise good judgement regarding reasonable personal use. Personal use MUST NOT conflict with WEBJUMP's business objectives or interests, organizational values or standards of conduct. In the absence of a specific policy, Employees MUST consult their supervisor or manager about personal use. WEBJUMP's IT department recommends that any information users consider sensitive or vulnerable be password protected;

(f) The Collaborator MUST limit themselves to the information and data of the project to which they are allocated, and MUST NOT access, copy or distribute any information without prior written authorization (e.g. by e-mail) from their Manager. Accordingly, the Contributor is asked to deactivate or remove their user account from projects or services on which they are no longer working. The Collaborator must be fully aware of the project or department to which they are allocated, and is responsible for keeping their access limited to what that work requires.

(g) Each Employee is responsible for GUARANTEEING the security of sensitive data on their computer, whether personal or corporate, keeping it protected and encrypted so that it cannot be accessed in case of loss, theft or robbery, or by unauthorized persons;

(h) The Contributor MUST encrypt the hard drive and any other storage drives of their computer. When in doubt about how to do this, consult the in-house technical support team.

(i) If an Employee needs to leave their computer unattended, they must IMMEDIATELY turn it off, end their session or manually activate the screen lock, which must require a password to unlock. It is mandatory to ALWAYS enable password protection at login and an automatic screen lock after more than 5 minutes of inactivity;

(j) Collaborators must create passwords appropriate to the security level of their activities. Passwords of at least 10 characters are always recommended, including at least three character types, such as uppercase letters, lowercase letters, numbers and special characters (e.g. @#$);

(k) Employees MUST take all necessary measures to prevent UNauthorized access to confidential, sensitive and private information. Any measure that can guarantee information security is understood to be necessary;

(l) The Contributor should ALWAYS use an individual account to access any WEBJUMP system, project or service; NEVER share accounts or login credentials with other people, including your own team; and NEVER request the access credentials of another employee, service provider or supplier. If you need access to a service, request credentials of your own.

(m) Keep your passwords and access keys secure. You are solely responsible for the security of your passwords and accounts, and you MUST take precautions to prevent your credentials from being accessed by any third party, including family members and relatives;

(n) Each account's privileges and access MUST be restricted to the functions necessary for its activities. The Collaborator is responsible for notifying their Manager if their own access, or that of a third party, has permissions beyond those necessary to carry out their functions. This applies to, but is NOT limited to: corporate e-mail; customer-facing and internal tools (e.g. financial systems, commercial systems, ERPs, CRMs); e-commerce restricted areas; and any other tool or administrative panel that contains customer data or features that could cause harm if misused or through human error (e.g. changing settings, reports or data export). Keep your level of access as low as possible, so that the whole chain involved is not exposed to unnecessary risk;

(o) Confidential, sensitive or private data MUST be completely deleted after use, even if the customer has formally authorized its retention; the client does not have the power to override any WEBJUMP rule. The same procedure must be followed when the Collaborator is reallocated to another project, department, function or activity: any information from the previous project must be removed from their equipment (e.g. databases, tar, zip or gz files, project files, spreadsheets or any other information), and the Collaborator must request the removal of accesses that are no longer necessary for the current activity (e.g. an Employee of the commercial department who moves to another function in the company should no longer have access to the content, credentials or systems used by the Commercial Department);

(p) In technical development scenarios where it is NOT possible to reproduce a production situation locally, and restricted data must be used on the Employee's equipment to simulate errors or solve problems, the Employee MUST obtain formal authorization for access to this sensitive data from the Manager/Customer and from IT leadership (a formal document, e-mail, letter or other means that can be archived to prove that permission was granted). The information MUST be deleted immediately after use; it is the Employee's responsibility to eliminate this data from every environment to which it was uploaded in the course of the work, and to document with the customer, who must be made aware, that the information has been destroyed. This practice should ONLY be used as a last resort, ALWAYS avoiding holding restricted data under your responsibility. If the data must be kept for more than 15 days, additional approval is required to extend the usage period;

(q) WHENEVER an Employee needs to export "confidential, sensitive or private" data, they must use encryption and/or other means that guarantee the secure transfer of the data, preventing exposure of the information to unauthorized persons;

(r) Ensure during development that administrative functionality is ALWAYS protected by access control (ACL, Access Control List: a list that defines which users or roles may access a given component or service of a system, such as a file, directory or administrative route);

(s) The Contributor must review third-party source code before using it, to ensure that it does NOT violate any item of this document, for example by generating downloadable files containing sensitive, private or confidential data, containing keyloggers, or otherwise directly or indirectly affecting the security of the application. If it does, the third-party code must be discarded and the Area Manager immediately informed of the reason why such code cannot be used by WEBJUMP, now or in the future;

(t) Log files MUST NOT contain personal data or sensitive personal data within the meaning of Law No. 13.709/2018 (the General Personal Data Protection Law, LGPD), nor confidential data, including but not limited to credit card data, documents with personal information of people or customers, access passwords, etc. Such data must be masked WHENEVER it has to appear (e.g. ******1234);
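The masking rule in item (t) is easy to state and easy to get wrong in practice: redacting by field name misses card numbers that turn up in free text, while masking every long digit run destroys order numbers and other identifiers. The following Python is an added example, not part of the WEBJUMP policy or of any WEBJUMP code; it redacts password/token-style fields by name and masks card numbers (13 to 19 digits, Luhn-valid, optionally separated by spaces or dashes) to their last four digits in the `************1111` style the policy asks for. The field names, the sample log lines and the output format are assumptions chosen for illustration.

```python
import re
from typing import Iterable, List

# Constructed sample log lines for this example; they are not taken from the policy.
SAMPLE_LOG_LINES = [
    "INFO checkout order=1001 card=4111 1111 1111 1111 status=ok",
    "DEBUG login user=jdoe password=Sup3rS3cret! result=success",
    "INFO sync ref=1234567890123456 rows=42",
]

# Field names whose values must never be logged (assumed list; extend per project).
SECRET_FIELD_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|token|secret|api[_-]?key)(\s*[=:]\s*)(\S+)"
)
# 13 to 19 digits, optionally separated by single spaces or dashes (typical PAN layouts).
CANDIDATE_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str, keep: int = 4) -> str:
    """Replace all but the last `keep` digits with asterisks, e.g. ************1111."""
    return "*" * (len(digits) - keep) + digits[-keep:]


def _mask_candidate(match: "re.Match[str]") -> str:
    digits = re.sub(r"[ -]", "", match.group(0))
    # Only Luhn-valid runs are masked, so order numbers and other long identifiers
    # survive. A non-card run still passes Luhn about 10% of the time, so fields that
    # are known to be safe should be allowlisted upstream in a real deployment.
    return mask_pan(digits) if luhn_ok(digits) else match.group(0)


def redact(line: str) -> str:
    """Redact secret field values, then mask card numbers, in one log line."""
    line = SECRET_FIELD_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)
    return CANDIDATE_PAN_RE.sub(_mask_candidate, line)


def redact_lines(lines: Iterable[str]) -> List[str]:
    """Apply redact() to every line of a log stream and return the cleaned lines."""
    return [redact(line) for line in lines]


if __name__ == "__main__":
    for original, clean in zip(SAMPLE_LOG_LINES, redact_lines(SAMPLE_LOG_LINES)):
        print(f"{original}\n  -> {clean}")
```

Run this as a filter in the logging pipeline (a logging `Filter`, a log shipper processor, or over files before they leave the host), not as a one-off cleanup: the policy's requirement is that the data never be written, so the redaction has to sit before the sink. The third sample line shows why the Luhn check matters, since a 16-digit reference number that is not a valid card number is left untouched.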

(u) WHENEVER it is necessary to send access credentials (user/password/keys), the Collaborator must use separate, isolated channels, for example the username by e-mail and the password by SMS or phone call. Whenever possible, send the data with explicit instructions that the credentials must be changed IMMEDIATELY. These measures protect the credentials if one channel is leaked;

(v) The Contributor must ALWAYS enable two-factor authentication (2FA) on the administrative panels of third-party portals, platforms and services, such as but not limited to code repositories (GitHub and Bitbucket), social networks (Twitter, Facebook, Instagram), communication tools (e-mail, Slack) and/or any service that may pose a risk to information security;

(w) The Collaborator must ALWAYS prefer access to environments (e.g. integration servers, QA, UAT) through an individual user account and/or key per collaborator. Where individual access is impossible, all users with access to the resource must be recorded, with their formal authorization and acknowledgement, in the RISK CHARTER of the client in question, exempting WEBJUMP from liability for the risk and for the absence of a per-user record of actions on the shared resource. It is also the responsibility of the Client and of the WEBJUMP Project Manager to report any employee termination so that the shared access key or password to the resource can be restricted or changed;

(x) The Employee may NOT use real personal data, their own or third parties', to carry out tests or simulations in any situation or environment; as described above, the privacy of such information cannot be controlled or guaranteed.

(y) WEBJUMP has agreements with its clients that guarantee the confidentiality of their projects. Information about a specific project must NEVER be shared with other clients, EVEN IF the information is basic. In any meeting, formal or informal, we must NEVER mention the name of another client, even to exemplify something we have already done at WEBJUMP. Everyone must observe this conduct, and if you are in a meeting in which an employee cites confidential information of this kind, it must be stopped IMMEDIATELY.

(z) The Collaborator must IMMEDIATELY inform any client who requests information about other projects that our Security Policy makes it impossible to provide it, even if the information seems harmless, such as the software version used, language, architecture, integrated systems or any related data. NO such data may be disclosed.

4.4. Prohibited Practices

Activities related to systems and networks

(a) Exporting or storing any source code, layout or document of WEBJUMP or its customers in cloud environments or on personal, public or private computers NOT authorized by WEBJUMP, including but not limited to repositories in personal GitHub accounts, e-mail and cloud backup services;

(b) Violating the rights of any person or company protected by copyright, trade secret, patent or other intellectual property laws or regulations, including but not limited to installing or distributing "pirated" software or other software products not duly licensed for use by WEBJUMP;

(c) Unauthorized copying of copyrighted material, including but not limited to scanning and distributing photographs from magazines, books or other copyrighted sources, copying copyrighted music, and installing any copyrighted software for which WEBJUMP or the end user does not hold an active license;

(d) Removable media, including but not limited to CDs, DVDs, external hard drives and USB flash drives, may not be used to copy or transfer "confidential, sensitive or private" data without prior approval from IT leadership or an executive;

Accessing data, a server or an account for any purpose other than WEBJUMP activity/work is prohibited, even if you have authorized access;

(e) Exporting software, technical information, encryption software or technology in violation of international or regional export control laws is illegal. The appropriate management MUST be consulted before exporting any material in question;

(f) Introducing malicious programs onto the network or a server (e.g. viruses, worms, Trojan horses);

(g) Using WEBJUMP equipment to actively participate in acquiring or transmitting material that violates sexual harassment or hostile workplace laws in the user's local jurisdiction;

(h) Making fraudulent offers of products, items or services from any WEBJUMP account;

(i) Making warranty representations, express or implied, unless it forms part of normal job duties;

(j) Causing security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the Contributor is NOT the intended recipient, or logging into a server or account that the Contributor is NOT expressly authorized to access, unless these actions are within the scope of their regular tasks. For the purposes of this section, "disruption" includes, but is NOT limited to, network sniffing, ping floods, packet spoofing, denial of service and forging routing information for malicious purposes;

(k) Port scanning or security scanning is expressly prohibited unless prior notice is given to, and approval obtained from, WEBJUMP's IT department;

(l) Performing any form of network monitoring that intercepts data NOT intended for the Contributor's host/computer, unless such activity is part of the Contributor's normal work;

(m) Circumventing the user authentication or security of any host, network or account;

(n) Interfering with or attempting to bring down services for any user or host other than the Contributor's own (e.g. DoS, Denial of Service, or DDoS, Distributed Denial of Service attacks);

(o) Using any program, script or command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, by any means, locally or via the Internet/Intranet;

(p) Providing information about, or lists of, WEBJUMP Contributors to third parties outside WEBJUMP;

(q) Adding personal hardware or software to WEBJUMP’s computers or network infrastructure is prohibited unless approved by the department leader and WEBJUMP’s IT department;

(r) Contributors may ONLY use software on local networks or on multiple machines in accordance with the software license agreement entered into by WEBJUMP. WEBJUMP prohibits the duplication and illegal use of software and its related documentation;

(s) Generating or making available backup files, dumps or other files containing sensitive/confidential/private information in an insecure way, through a URL without password protection or authentication (e.g. www.sitexpto.com.br/dump.sql.gz, www.sitexpto.com.br/backup.tgz, www.sitexpto.com.br/foobar.tar.bz2, www.sitexpto.com.br/media/boleto123.pdf, www.sitexpto.com.br/media/report.pdf);

(t) Downloading dumps or customer data to local machine without express and formal authorization from the customer with a formal acceptance of risks;

(u) Keeping sensitive data (backups, databases, etc.) from production environments, or real consumer data, on your personal or corporate computer or in environments under WEBJUMP's responsibility;

(v) Use of personal accounts (those not linked to WEBJUMP) to exchange information or corporate data (eg personal Google Drive, personal E-mails, etc.);

(w) Storing credit/debit card data in the application, in logs or in any other digital or physical medium. When it is necessary to transmit this data, all the risks and applicable security practices must be taken into account, such as the use of secure transport protocols (TLS; legacy SSL versions are deprecated and must not be used), data encryption, tokenization or any other means that protects the transfer of this information;

(x) NEVER responding to requests for, or providing, information that identifies or uses a customer as an example;

(y) Discussing, quoting or conversing about solutions, projects, clients or any information regarding WEBJUMP and its clients in public places (e.g. elevators, restaurants, airports or any place where third parties can listen in and take advantage of confidential information or gain a competitive advantage);

(z) Opening or repairing computers or other equipment owned by WEBJUMP, unless performed or formally authorized by WEBJUMP's technical support team.

Communication activities

(a) Sending unsolicited email messages, including sending “junk email” or other advertising material to individuals who have not specifically requested such material (email spam);

(b) Unauthorized access to other people’s email accounts;

(c) Automatically forwarding WEBJUMP e-mail messages to a non-WEBJUMP account, unless approved in writing by the person responsible for personal data processing;

(d) Solicitations on behalf of commercial ventures, religious or political causes, external organizations or any other request unrelated to your work;

(e) Sending harassing, offensive or disruptive messages in any form. Examples of messages considered offensive are those containing sexual innuendo, racial slurs, gender-specific comments or any other comment that offends someone on the basis of age, sexual orientation, religious or political beliefs, national origin or disability;

(f) Unauthorized use or falsification of email header information;

(g) Creating or forwarding chain letters or pyramid schemes of any kind;

(h) Using WEBJUMP's network for political causes or activities, religious activities or any type of gambling;

(i) Sending or posting messages that disparage another organization’s products or services.

5. Exceptions

Those who detect violations of this policy MUST report the violation to their line manager immediately and report it to IT and/or Human Resources, as appropriate.

Management will determine the extent of risk that any non-compliance condition presents and the necessary remediation activities.

  • Measuring Compliance – IT staff will verify compliance with this policy through various methods, including reporting tools, internal and external audits, and feedback to the policy owner.
  • Exceptions – Any exception to the policy MUST be approved in advance by the IT leadership team.
  • Noncompliance – Any employee who violates the policy may be subject to disciplinary action, up to and including termination of employment.

No employee is authorized to change default security settings in a way that reduces the level of protection. Any such change will ONLY be allowed with the client's formal legal authorization together with the formal acceptance of WEBJUMP's directors.

The information in this document may be changed at any time, without prior notice, when it is necessary to complement or correct anything stated herein; changes are always notified by e-mail, newsletter or another means of formal communication adopted by WEBJUMP.

All items in this document take effect immediately upon their disclosure to all WEBJUMP employees, suppliers and service providers, and must be read and understood by everyone involved.

6. Acknowledgement

All employees, suppliers and service providers must confirm receipt and understanding of this policy.