Top Management Statement

Uncover is committed to protecting the information of its clients, employees, partners, and the organization itself. Information security is a strategic value and a shared responsibility for everyone who interacts with our systems, data, and processes.

This commitment is formalized through our Information Security Management System (ISMS), structured according to the standards ABNT NBR ISO/IEC 27001:2022 and ISO/IEC 27002:2022, and translates into the continuous protection of the confidentiality, integrity, and availability of the information entrusted to us.

1. Purpose

This General Information Security Policy establishes the principles, commitments, and guidelines that govern information security management at Uncover. Its objectives are to:

Protect the information of clients, employees, partners, and the organization;
Ensure compliance with applicable legal, regulatory, and contractual requirements;
Promote an organizational culture of data protection responsibility;
Ensure service continuity and the resilience of information systems.

2. Scope

This policy applies to all employees, service providers, partners, and suppliers who access, process, store, or transmit Uncover's or its clients' information, regardless of employment regime, work modality, or location.

3. Information Security Principles

Information security management at Uncover is guided by the following fundamental principles:

Confidentiality — Information is accessible only to duly authorized individuals, processes, and systems. Access is granted based on the principle of least privilege.
Integrity — Information is kept accurate, complete, and protected against unauthorized alterations throughout its entire lifecycle.
Availability — Information and the systems that support it are available to authorized users whenever necessary, with appropriate continuity and recovery mechanisms.
Accountability — Every action performed on Uncover's systems and information is traceable to its responsible party, ensuring auditability and accountability.
Compliance — Uncover operates in compliance with applicable laws, regulations, and standards, including the General Data Protection Law (LGPD — Law No. 13,709/2018) and ISO/IEC 27001:2022.

4. Responsibilities

Information security is everyone's responsibility at Uncover:

Top Management — Approve and support the information security policy, ensure the necessary resources for ISMS operation, and promote a security culture within the organization.
Information Security Committee — Coordinate strategic security management, approve policies and plans, analyze risks, and deliberate on critical incidents.
InfoSec (Information Security) — Implement, operate, and monitor ISMS controls, coordinate incident response, conduct the awareness program, and ensure regulatory compliance.
Area Managers — Ensure their teams comply with this policy, identify and report risks in their processes, and ensure the proper use of information under their responsibility.
Employees and Service Providers — Comply with this policy and internal security standards, protect information accessed in the performance of their duties, and immediately report any security event or suspected incident.

5. General Guidelines

INFORMATION SECURITY MANAGEMENT SYSTEM POLICY

“Continuously provide quality products and services, guarantee information security (confidentiality, integrity, and availability) and data privacy, mitigate risks related to information assets, seeking to meet the needs of its stakeholders, considering applicable legal requirements, and striving for continuous improvement.”

The policy:
Was established by Senior Management.
Provides a framework for establishing the objectives of the MS – Management System, as described in the item “Objectives of the MS – Management System”.
Is communicated within Uncover through formal internal announcements and made available on Notion.
Is also communicated to relevant external parties, as appropriate.
Is complemented by the ISP – Information Security Policy, which presents a set of guidelines for information protection, including a commitment to compliance.

5.1. Access Management

Access to Uncover's information and systems is granted based on business need and the principle of least privilege. All access grants, modifications, and revocations are carried out through a formal process. All critical systems use multi-factor authentication (MFA).

5.2. Information Classification

Uncover's information is classified into four levels — Public, Corporate, Confidential, and Secret — and handled with safeguards corresponding to the sensitivity of each level.

5.3. Personal Data Protection

Uncover processes personal data in compliance with the LGPD and with the guidelines of the National Data Protection Authority (ANPD). Incidents involving personal data are reported to the competent authorities within the applicable legal deadlines.

5.4. Risk Management

Uncover conducts a continuous process of identifying, analyzing, evaluating, and treating information security risks, based on ISO/IEC 27005:2023, with a formal review at least once a year.

5.5. Incident Response

Uncover maintains a structured information security incident management process, with capabilities for detection, response, containment, recovery, and post-incident analysis. All employees are responsible for reporting suspicious events.

5.6. Business Continuity

Uncover maintains continuity and recovery plans to ensure the availability of critical services in adverse situations, with periodic testing and continuous review.

5.7. Compliance and Audit

Uncover subjects its ISMS to periodic internal and external audits to verify compliance with ISO/IEC 27001:2022 and other applicable requirements. The results are reviewed by Senior Management.

5.8. Awareness and Training

All employees receive information security training during the onboarding process and throughout the year, developing the necessary knowledge to protect information in the performance of their duties.

5.9. Supply Chain

Information security requirements are extended to suppliers and partners who process Uncover's information, through contractual clauses and periodic compliance assessments.

6. Consequences of Non-Compliance

Non-compliance with this policy subjects the offender to disciplinary sanctions provided for in the applicable contractual instruments, which may include warning, contract termination, and civil and criminal liability, in accordance with current legislation.

7. Contact Channels

Questions, requests, and reports of information security incidents or vulnerabilities should be directed to Uncover's InfoSec team through the internal channels provided by the organization.

For matters related to personal data protection (LGPD), contact with the Data Protection Officer (DPO) can be made via: privacidade@uncover.co

8. Related Documents

The internal documents listed below detail the processes and controls that implement this policy. These documents are access-restricted and made available on a business-need basis:

Document: Information Security Policy (full) — Scope: Internal
Document: Risk Management Procedure — Scope: Internal
Document: Incident Management Procedure — Scope: Internal
Document: Access Management Procedure — Scope: Internal
Document: Privacy Management Procedure — Scope: Internal
Document: Vulnerability Management Procedure — Scope: Internal
Document: Awareness and Training Plan — Scope: Internal
Document: Risk Treatment Plan — Scope: Internal
Document: Business Continuity Plan — Scope: Internal

9. Effective Date and Review

This policy comes into effect on its approval date and is reviewed annually or whenever there are significant changes in the organizational, technological, or regulatory context that justify its early update.
