Privacy, Data Protection, and Cybersecurity Practices
Overview
Skyone integrates its Information Security and Operations teams throughout the entire infrastructure service lifecycle, working continuously on the detection, prevention, mitigation, and response to privacy, data protection, and cybersecurity incidents. Our commitment is to maintain increasingly reliable, available, and secure computing environments.
Below, we present consolidated answers to the most frequently asked questions in audits and RFPs regarding our practices in these areas.
If you need additional information, please contact us at: [email protected].
Governance and Operations
Privacy, Data Protection, and Cybersecurity Processes and Procedures
Skyone operates under structured and certified practices in compliance with ABNT NBR ISO/IEC 27001:2022, ensuring continuous improvement of its Information Security Management System.
Security Analysis Routine
We perform weekly activities focused on identifying and mitigating risks in operating systems, web interfaces, and databases, including:
Application of software patches and updates
Operating system and database updates
Port scanning and mapping of open ports
Vulnerability Management and Classification
We use CVSS v3.0 to classify vulnerabilities (Critical, High, Medium, Low), applying fixes according to severity level, with documented evidence in our governance processes.
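The two routines above (port mapping against a known baseline, and ordering findings by CVSS v3.0 severity before fixes are applied) can be exercised with a small triage script. This is an added illustration, not Skyone's tooling: the scan lines in nmap grepable style, the per-host baseline, the hostnames and the findings are all constructed sample data, and the severity cut-offs are the CVSS v3.0 qualitative rating scale (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0).

```python
"""Weekly scan triage: flag open ports that are not in the baseline and
rank vulnerability findings by CVSS v3.0 severity.

Added example, not Skyone's own tooling. Hosts, ports, baseline and
findings below are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed output in nmap "grepable" (-oG) style.
SCAN_OUTPUT = """\
Host: 10.0.3.30 ()  Status: Up
Host: 10.0.1.10 ()  Ports: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 10.0.2.20 ()  Ports: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, 8080/open/tcp//http-proxy///
Host: 10.0.3.30 ()  Ports: 3389/open/tcp//ms-wbt-server///
"""

# Constructed baseline: TCP ports expected to be open on each host.
BASELINE = {
    "10.0.1.10": {22, 443},
    "10.0.2.20": {22, 3306},
    "10.0.3.30": set(),
}

# Constructed scanner findings: (host, title, CVSS v3.0 base score).
FINDINGS = [
    ("10.0.2.20", "outdated database server build", 9.8),
    ("10.0.1.10", "TLS configuration weakness", 5.3),
    ("10.0.2.20", "unneeded HTTP proxy exposed", 7.5),
    ("10.0.3.30", "missing OS patch", 3.1),
]

PORT_RE = re.compile(r"(\d+)/open/tcp")


def parse_grepable(output):
    """Return {host: set(open TCP ports)} from nmap -oG style lines."""
    result = defaultdict(set)
    for line in output.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        result[host]  # register the host even if only a Status line is present
        if "Ports:" in line:
            ports_part = line.split("Ports:", 1)[1]
            result[host].update(int(p) for p in PORT_RE.findall(ports_part))
    return dict(result)


def unexpected_ports(scanned, baseline):
    """Ports open in the scan but absent from the baseline, per host."""
    drift = {}
    for host, ports in scanned.items():
        extra = ports - baseline.get(host, set())
        if extra:
            drift[host] = sorted(extra)
    return drift


def cvss_severity(score):
    """Map a CVSS v3.0 base score to its qualitative severity rating."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}


def prioritize(findings):
    """Return (severity, host, title, score) tuples, most severe first."""
    rated = [(cvss_severity(s), h, t, s) for h, t, s in findings]
    return sorted(rated, key=lambda f: (SEVERITY_ORDER[f[0]], -f[3]))


if __name__ == "__main__":
    scanned = parse_grepable(SCAN_OUTPUT)
    for host, ports in unexpected_ports(scanned, BASELINE).items():
        print(f"{host}: unexpected open ports {ports}")
    for sev, host, title, score in prioritize(FINDINGS):
        print(f"[{sev:8}] {score:4} {host} {title}")
```

Ports that drift from the baseline and findings rated Critical or High are the items that would be scheduled first in the weekly cycle; the baseline itself should be reviewed whenever a change is approved, otherwise every legitimate new service shows up as drift.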
Monitoring, Detection, and Response
Our SOC operates with XDR (Extended Detection and Response) technology for continuous monitoring and security event response.
Incident Management
We maintain a structured plan for handling privacy, data protection, and cybersecurity events and incidents, led by our Governance team.
Incident Communication Plan
We adopt a strategic communication model, ensuring appropriate information is provided to stakeholders during incidents and critical situations.
Endpoint Security
All devices are corporate-owned and equipped with EDR monitored by the Security team.
The use of personal devices is not permitted, even in remote work arrangements.
USB ports are blocked to prevent unauthorized access.
LGPD Compliance
Since 2020, we have executed ongoing actions to comply with the LGPD. We collect data only through:
Forms on our website and hotsites
Tools integrated into marketing campaigns
Applied guidelines:
Consent required for all communications sent to CRM contacts
Privacy policy notice and cookie management on all forms
Periodic governance audits
Changes only with approval from the Privacy Committee
Contractual review of suppliers regarding privacy clauses
Incident Communication
We follow a standardized workflow through a dedicated portal, covering: Logging → Categorization → Diagnosis → Resolution → Closure
Change Management (GMUD)
All changes in customer environments go through a full analysis, including:
Identification of the change
Impact and affected systems
Pre- and post-change test plan
Rollback plan
Formal approval through a ticket in the Customer Portal
Contract Termination
In case of termination:
Penalties are calculated in proportion to the remaining contract term.
Skyone provides a database backup for 15 days after cancellation.
Requests must be sent to: [email protected]
DPO (Data Protection Officer)
Skyone has an appointed DPO. Information is available at: https://skyone.solutions/juridico/politica-de-privacidade/
Platforms and Cloud Providers
Technologies Used
We operate with state-of-the-art technologies provided by leading public cloud providers:
AWS, Google Cloud Platform (GCP), Microsoft Azure, and Oracle Cloud, in Brazil and abroad.
Platforms and Environment Components
Public cloud architecture abstracts hardware, storage, network, and virtualization layers, with cloud providers responsible for updates and risk mitigation.
Hardware
Composed of datacenters with:
Switches, routers, and firewalls
Load balancers
Storage arrays
Physical servers
Backup infrastructure
Storage
High availability (99.99% SLA) with redundancy and indexing for failure recovery.
Network
Provider-specific structures:
VPC (AWS and Google)
VNET (Azure)
VCN (Oracle)
Multi-subnet configurations provide isolation and traffic segmentation and limit lateral movement between segments.
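Segmentation only holds if the security-group rules between subnets match the intended tier layout. The check below is an added example, not Skyone's configuration or tooling: the three-tier VPC layout, the CIDR ranges and the inbound rules are constructed, and the policy it encodes (the database tier accepts its service port only from the application tier, and administrative ports are never open to 0.0.0.0/0) is one common segmentation policy, assumed here for illustration.

```python
"""Audit inbound security-group rules against a tiered subnet layout.

Added example, not Skyone's configuration. Subnets, tiers and rules are
constructed; the policy checked is an assumed three-tier segmentation.
"""
import ipaddress

# Constructed three-tier layout inside one VPC.
SUBNETS = {
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
}
ADMIN_PORTS = {22, 3389}
DB_PORT = 3306
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")

# Constructed inbound rules: (target tier, source CIDR, TCP port).
# The last two rules are deliberately wrong so the audit has something to flag.
RULES = [
    ("web", "0.0.0.0/0", 443),
    ("app", "10.0.1.0/24", 8080),
    ("db", "10.0.2.0/24", DB_PORT),
    ("db", "10.0.1.0/24", DB_PORT),   # web tier reaching the database directly
    ("app", "0.0.0.0/0", 22),         # SSH exposed to the internet
]


def tier_of(cidr):
    """Name of the tier whose subnet contains the given CIDR, or 'external'."""
    net = ipaddress.ip_network(cidr)
    for name, subnet in SUBNETS.items():
        if net.subnet_of(subnet):
            return name
    return "external"


def audit(rules):
    """Return (rule index, reason) for every rule that breaks the policy."""
    findings = []
    for i, (target, source, port) in enumerate(rules):
        src_net = ipaddress.ip_network(source)
        src_tier = tier_of(source)
        if port in ADMIN_PORTS and src_net == ANYWHERE:
            findings.append((i, f"admin port {port} on {target} open to 0.0.0.0/0"))
        if target == "db" and port == DB_PORT and src_tier != "app":
            findings.append((i, f"db port {DB_PORT} reachable from {src_tier} ({source})"))
        if target == "db" and src_tier == "external":
            findings.append((i, f"db tier reachable from outside the VPC ({source})"))
    return findings


if __name__ == "__main__":
    for index, reason in audit(RULES):
        print(f"rule {index}: {reason}")
```

The same checks apply unchanged to an Azure VNET or an Oracle VCN; only the rule export format differs, and translating it into (target, source, port) tuples is the part that would need adapting.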
Virtualization
Hypervisors virtualize physical resources into pools of memory, processing, and storage that make up the cloud environment.
Cloud Provider Security Assurance
Providers adhere to and are audited under recognized standards, such as: PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, NIST 800-17.
Shared Responsibility Model
Security is shared among:
Public cloud provider
Skyone
Customer
Responsibilities:
Cloud Provider
Physical infrastructure
Virtualization
Facility security
Skyone and Customer
Operating systems and patches
Database configuration and security
Applications
Security groups and policies
Security Measures for Risk Mitigation
a. Strategic Pillars
Weekly vulnerability scans
Semiannual penetration tests
Continuous application of automated patch/fix packs
b. Access Management
Managed by the Information Security team, with:
Access granted through formal request
Principle of least privilege
Periodic audits
c. Types of Access
End users: secure access without VPN, with logging and MFA/SSO (SAML) options
Consultants and administrators: VPN access with credentials issued via ticket
d. Least Privilege Principle
Skyone uses a password vault for administrative access, reducing the risk of credential exposure.