Information Security Policy
Information security
The Ayko Technology Group operates based on information security principles with the aim of ensuring the confidentiality, integrity and availability of information. As part of this commitment, we implement cryptographic controls in communications and in the processing of personal data whenever necessary to protect information against unauthorized access and ensure that data is kept secure at all stages of processing. In addition, the Ayko Technology Group is certified in ISO 27001 with the scope: Integrated Management System applied to SOC and Data Center processes, reflecting our commitment to best security practices.
Our Integrated Management System (IMS) is independently audited at least twice a year, thus providing independent validation of the effectiveness of our security controls.
1. Purpose, scope and users
The purpose of this high-level Policy is to define the purpose, direction, principles and basic rules for information security management.
This policy applies to the entire Integrated Management System (IMS), as defined in the IMS scope document.
The users of this document are employees of Ayko Technology, as well as relevant external parties.
2. Reference documents
- ISO/IEC 27001:2022 standard, clauses 5.1, 5.2, 5.3 and A.5.1, A.5.2
- MA-SGI-001 – SGI Manual
- ME-SGI-001 – Risk assessment and treatment methodology
- DE-SGI-001 – Statement of Applicability
- Control of Legal, Regulatory and Contractual Obligations
3. Terminology
Confidentiality – the property that information is made available only to authorized persons or systems.
Integrity – the property that information is changed only by authorized people and only in a permitted manner.
Availability – the property that information is accessible and usable by authorized persons whenever it is needed.
Information security – preservation of the confidentiality, integrity and availability of information.
Integrated management system – a set of policies, procedures and technologies used to manage and protect the assets associated with an organization's information and personal data.
4. Managing information security
4.1 Objectives and measurement
The general objectives for information security management are as follows:
- Meet Senior Management's requirements arising from market demands in the area of information security;
- Raise awareness among employees about the importance of information security;
- Ensure the effectiveness of applicable security controls to ensure the confidentiality, integrity and availability of information.
To achieve the objectives defined for the SGI, an Annual SGI Objectives Plan is drawn up and monitored periodically in the SGI critical analysis meetings, where service levels are checked against the defined indicators.
The Presidency, Executive Board, and Information Security Steering Committee are committed to effective Information Security management at Ayko Technology. Therefore, they adopt all appropriate measures to ensure that this policy is adequately communicated, understood, and followed at all levels of the organization. Periodic reviews will be conducted to ensure its continued relevance and adequacy to Ayko Technology's needs.
4.2 Information security requirements
This Policy and the entire IMS must comply with the legal and regulatory requirements imposed on the organization in the area of information security, as well as with contractual obligations.
Contractual and legal requirements will be recorded and controlled.
4.3 Information security controls
The processes for selecting controls (safeguards) are defined in the Risk Assessment and Risk Treatment Methodology.
The selected controls and their implementation status are listed in the Statement of Applicability.
4.4 Responsibilities
The basic responsibilities for the SGI are:
- The Chief Operations Officer – COO must:
  - Ensure that the IMS is implemented in accordance with this Policy and that all necessary resources are provided.
  - Coordinate the operation of the SGI and report on its performance.
  - Implement, together with HR, a training and awareness program on information security for employees and for all people who have a role in information security management.
- The DPO must:
  - Ensure that privacy management is carried out in accordance with this Policy and that it has all the necessary resources.
  - Manage and report on privacy performance.
  - Report to the Chief Operations Officer – COO any concerns related to information security.
  - Implement, together with HR, a privacy training and awareness program for employees and for all people who may impact privacy.
- The Management System Steering Committee (CSGI) must:
  - Review the IMS at least once a year, or whenever a major change occurs, and prepare minutes of the meeting. The purpose of the management review is to determine the adequacy and effectiveness of the IMS.
  - Ensure that information security activities are carried out in accordance with the IMS.
  - Take the necessary actions to disseminate a culture of information security within the Ayko Technology environment.
- The Information Security team must:
  - Propose methodologies, processes and initiatives aimed at information security.
  - Promote employee awareness of the relevance of information security for Ayko Technology, through joint actions with HR.
  - Agree with managers on the level of service that will be provided and on incident response procedures.
  - Segregate administrative, operational and educational functions so that each individual's powers are restricted to the minimum necessary, and so as to eliminate, or at least reduce, the existence of individuals who can delete the logs and audit trails of their own actions.
  - Provide special security for systems with public access, safeguarding evidence that allows traceability for audit or investigation purposes.
  - Enable an audit trail with sufficient detail to track potential failures and fraud in critical transactions. For trails generated and/or maintained electronically, implement integrity controls so that they are legally valid as evidence.
- The IT Support team must:
  - Configure the equipment, tools and systems provided to employees with all the controls necessary to meet the security requirements established in this Policy and in the complementary information security standards.
  - Manage, protect and test backups of programs and data related to processes that are critical and relevant to Ayko Technology.
- People and/or Process Managers must:
  - Set an exemplary standard of conduct in relation to information security, serving as a model for the employees under their management.
  - Confirm that the employees under their management were informed of this Policy, and that their acceptance was obtained, during the hiring and formalization phase of individual employment and service provision contracts.
  - Adapt the standards, processes, procedures and systems under their responsibility to comply with this Information Security Policy.
- The Quality Office must:
  - Monitor compliance and quality controls.
  - Support the Security Director in maintaining control records.
- Users of the Information must:
  - Read, understand and fully comply with the terms of the Information Security Policy, as well as the other SGI security standards and procedures.
  - Forward any questions and/or requests for clarification regarding the Information Security Policy and the information security standards and procedures or, when applicable, to the Information Security Management Committee.
  - Report to the Chief Operations Officer – COO any event that violates this Policy or that puts, or may put, at risk the security of Ayko Technology's information or computing resources.
  - Sign the Acceptance Term formalizing knowledge and full acceptance of the provisions of the Information Security Policy, as well as the other security standards and procedures, assuming responsibility for complying with them.
  - Be accountable for non-compliance with the Information Security Policy, security standards and procedures, as defined in the Sanctions and Punishments section.
- Protecting the integrity, availability and confidentiality of each asset is the responsibility of that asset's owner.
- All incidents and security weaknesses must be reported to the Chief Operations Officer – COO, who will determine which information related to information security will be communicated to which internal and external stakeholders, by whom, and when.
4.5 Policy Communication
The Chief Operations Officer – COO must ensure that all Ayko Technology employees, as well as all appropriate external parties, are aware of this Policy.
4.6 Sanctions and Punishments
Violations, even if by mere omission or unfulfilled attempt, of this policy, as well as other safety standards and procedures, will be subject to penalties that include verbal warning, written warning, unpaid suspension and dismissal for just cause.
Sanctions and punishments will be applied according to the analysis of the Integrated Management System Committee (CSGI), considering the severity of the infraction, the effect achieved, recurrence and the cases provided for in Article 482 of the Consolidation of Labor Laws; the CSGI, in the exercise of the disciplinary power attributed to it, may apply the penalty it deems appropriate when a serious offense is established.
In the case of contracted third parties or service providers, the CSGI must analyze the occurrence and deliberate on the implementation of sanctions and punishments in accordance with the terms set forth in the contract.
In the event of violations that involve illegal activities, or that may cause damage to Ayko Technology, the offender will be held liable for the damages, and the relevant legal measures will be applied without prejudice to the terms described in item 4.6 of this policy.
5. Support for SGI implementation
The senior management of Ayko Technology declares that the implementation of the SGI and its continuous improvement will be supported by the appropriate resources, in order to achieve all the objectives defined in this Policy and to meet all the identified requirements.
6. Document validity and management
This document is valid from the date of its approval.
The Chief Operations Officer – COO is responsible for periodically reviewing this document and updating it whenever necessary.
07/03/2025 – Version 5.0