Information Security Policy
Effective Date: 10th July 2025
1. OBJECTIVE
Jspreadsheet Ltd establishes its Information Security Policy as an integral part of its corporate management system, aligned with market best practices, internationally accepted standards, and applicable Brazilian legislation, with the objective of ensuring adequate levels of protection for the information handled by the organization, its clients, and employees under its responsibility.
2. PURPOSE
This policy aims to:
- Establish guidelines and standards for Information Security that allow Jspreadsheet employees to adopt secure behavior patterns;
- Provide guidance on the adoption of controls and processes to meet Information Security requirements;
- Safeguard Jspreadsheet’s information, ensuring the basic principles of confidentiality, integrity, and availability;
- Prevent possible causes of incidents and legal liabilities for the institution and its employees, clients, suppliers, and partners;
- Minimize the risks of financial losses, market share reduction, loss of customer trust, or any other negative impact on Jspreadsheet’s business as a result of security breaches.
3. POLICY
This policy applies to all Jspreadsheet employees, suppliers, and partners who have access to Jspreadsheet’s information and/or use computing resources included in the internal infrastructure.
3.1 IT IS THE POLICY OF JSPREADSHEET LTD TO:
- Develop, implement, and fully comply with information security policies, standards, and procedures, ensuring that the basic requirements of confidentiality, integrity, and availability of information operated within Jspreadsheet are achieved through the adoption of controls against threats from both external and internal sources;
- Make security policies, standards, and procedures available to all interested and authorized parties such as employees, contracted third parties, suppliers, and, where appropriate, clients;
- Ensure education and awareness regarding the information security practices adopted by Jspreadsheet for employees, contracted third parties, suppliers, and, where appropriate, clients;
- Fully comply with applicable or required information security requirements under regulations, laws, and/or contractual clauses;
- Fully address information security incidents, ensuring that they are properly recorded, classified, investigated, corrected, documented, and, when necessary, reported to the appropriate authorities;
- Ensure business continuity through the adoption, implementation, testing, and continuous improvement of continuity and disaster recovery plans;
- Continuously improve Information Security Management through the systematic definition and review of security objectives at all levels of the organization.
4. ROLES AND RESPONSIBILITIES
Information Security Management Committee
The Information Security Management Committee is hereby established. It is composed of at least one Information Technology and Development Manager, one Administrative Manager, and at least two members with knowledge of information technology, covering both infrastructure support and systems.
The Information Security Management Committee is responsible for:
- Analyzing, reviewing, and proposing the approval of policies and standards related to information security;
- Ensuring the availability of the necessary resources for effective Information Security Management;
- Ensuring that information security activities are carried out in accordance with the ISPP;
- Promoting the dissemination of the ISPP and taking necessary actions to foster a culture of information security within Jspreadsheet.
5. SANCTIONS AND PENALTIES
Violations of this policy and of other security standards and procedures, even if by mere omission or unsuccessful attempt, will be subject to penalties including verbal warning, written warning, unpaid suspension, and termination for cause for employees under CLT contracts. For contractors or cooperated professionals, this may result in the immediate termination of the contract between the parties.
The application of sanctions and penalties will be carried out based on the analysis of the Information Security Management Committee, taking into account the severity of the infraction, the impact caused, and recurrence. The CGSI may refer the infraction to the immediate manager, who will apply the penalty in cases of serious misconduct.
In the case of contracted third parties or service providers, the CGSI shall analyze the occurrence and deliberate on the application of sanctions and penalties according to the terms provided in the contract.
In the event of violations involving illegal activities or actions that may cause damage to Jspreadsheet, the offender will be held accountable for the losses, and appropriate legal measures will be taken.
6. OMITTED CASES
Any omitted cases will be evaluated by the Information Security Management Committee for further deliberation.
The guidelines established in this policy and in other security standards and procedures are not exhaustive due to the continuous evolution of technology and the constant emergence of new threats. Therefore, this document is not to be considered an exhaustive list, and it is the responsibility of Jspreadsheet’s information users to adopt, whenever possible, additional security measures not listed here to ensure the protection of information.