# Privacy, Data Protection, and Cybersecurity Practices

### **Overview**

Skyone integrates its Information Security and Operations teams throughout the entire infrastructure service lifecycle, working continuously on the detection, prevention, mitigation, and response to privacy, data protection, and cybersecurity incidents. Our commitment is to maintain increasingly reliable, available, and secure computing environments.

Below, we present consolidated answers to the most frequently asked questions in audits and RFPs regarding our practices in these areas.

If you need additional information, please contact us at: [**governanca@skyone.solutions**](mailto:governanca@skyone.solutions).

***

### **Governance and Operations**

<details>

<summary>Privacy, Data Protection, and Cybersecurity Processes and Procedures</summary>

Skyone operates under structured and certified practices in compliance with **ABNT NBR ISO/IEC 27001:2022**, ensuring continuous improvement of its Information Security Management System.

**Security Analysis Routine**

We perform weekly activities focused on identifying and mitigating risks in operating systems, web interfaces, and databases, including:

* Application of software patches and updates
* Operating system and database updates
* Port scanning and mapping of open ports

**Vulnerability Management and Classification**

We use **CVSS v3.0** to classify vulnerabilities (Critical, High, Medium, Low), applying fixes according to severity level, with documented evidence in our governance processes.

**Monitoring, Detection, and Response**

Our SOC operates with **XDR (Extended Detection and Response)** technology for continuous monitoring and security event response.

**Incident Management**

We maintain a structured plan for handling privacy, data protection, and cybersecurity events and incidents, led by our Governance team.

**Incident Communication Plan**

We adopt a strategic communication model, ensuring appropriate information is provided to stakeholders during incidents and critical situations.

**Endpoint Security**

* All devices are corporate-owned and equipped with EDR monitored by the Security team.
* The use of personal devices is not permitted, even in remote work arrangements.
* USB ports are blocked to prevent unauthorized access.

**LGPD Compliance**

Since 2020, we have carried out ongoing actions to comply with the LGPD (Brazil's Lei Geral de Proteção de Dados). We collect data only through:

* Forms on our website and hotsites
* Tools integrated into marketing campaigns

**Applied guidelines:**

* Consent required for all communications sent to CRM contacts
* Privacy policy notice and cookie management on all forms
* Periodic governance audits
* Changes only with approval from the Privacy Committee
* Contractual review of suppliers regarding privacy clauses

</details>

<details>

<summary>Incident Communication</summary>

We follow a standardized workflow through a dedicated portal, covering:\
**Logging → Categorization → Diagnosis → Resolution → Closure**

</details>

<details>

<summary>Change Management (GMUD)</summary>

All changes in customer environments go through a full analysis, including:

* Identification of the change
* Impact and affected systems
* Pre- and post-change test plan
* Rollback plan
* Formal approval through a ticket in the Customer Portal

</details>

<details>

<summary>Contract Termination</summary>

In case of termination:

* Penalties are calculated in proportion to the remaining contract term.
* Skyone provides a database backup for **15 days** after cancellation.
* Requests must be sent to: [**cancelamento@skyone.solutions**](mailto:cancelamento@skyone.solutions)

</details>

<details>

<summary>Cyber Insurance</summary>

Skyone does not currently maintain cyber insurance.

</details>

<details>

<summary>Code of Ethics, Conduct, and Privacy Policy</summary>

All documents are publicly available on our website.

</details>

<details>

<summary>DPO (Data Protection Officer)</summary>

Skyone has an appointed DPO. Information is available at:\
<https://skyone.solutions/juridico/politica-de-privacidade/>

</details>

### **Platforms and Cloud Providers**

<details>

<summary>Technologies Used</summary>

We operate with state-of-the-art technologies provided by leading public cloud providers:

**AWS, Google Cloud Platform (GCP), Microsoft Azure, and Oracle Cloud**, in Brazil and abroad.

</details>

<details>

<summary>Platforms and Environment Components</summary>

Public cloud architecture abstracts the hardware, storage, network, and virtualization layers; the cloud provider is responsible for keeping those layers updated and for mitigating risk within them.

**Hardware**

Composed of datacenters with:

* Switches, routers, and firewalls
* Load balancers
* Storage arrays
* Physical servers
* Backup infrastructure

**Storage**

High availability (**99.99% SLA**) with redundancy and indexing for failure recovery.

**Network**

Provider-specific structures:

* **VPC** (AWS and Google)
* **VNET** (Azure)
* **VCN** (Oracle)

Multi-subnet configurations enable isolation, traffic segmentation between tiers, and mitigation of lateral movement should one tier be compromised.
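As an added illustration of what segmentation buys you (example code, not Skyone's tooling or a description of its actual network layout), the following check models a provider-neutral three-tier layout (web, app, data) plus the internet, and flags any allow-rule that would let traffic skip a tier boundary. The subnets, CIDRs, and rules are constructed samples; a real check would read the equivalent objects from the provider's API (security groups on AWS, NSGs on Azure, firewall rules on GCP, security lists on OCI).

```python
# Added example: verify that allow-rules respect a tiered subnet design.
# Constructed model, not Skyone's configuration.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Each tier may accept connections only from the tier immediately in front of it
# (or from itself). Anything else is a path for lateral movement.
TIER_ORDER = ["internet", "web", "app", "data"]


@dataclass(frozen=True)
class Subnet:
    name: str
    cidr: str
    tier: str


@dataclass(frozen=True)
class AllowRule:
    source: str  # CIDR allowed to initiate connections
    dest: str    # name of the subnet the rule protects
    port: int


def tier_of_source(source_cidr: str, subnets: List[Subnet]) -> str:
    """Map a source CIDR to a tier. A source that is not contained in any known
    subnet (0.0.0.0/0, or a broad range spanning several subnets) is treated
    conservatively as 'internet'."""
    net = ipaddress.ip_network(source_cidr)
    for s in subnets:
        if net.subnet_of(ipaddress.ip_network(s.cidr)):
            return s.tier
    return "internet"


def find_violations(subnets: List[Subnet], rules: List[AllowRule]) -> List[Tuple[AllowRule, str]]:
    """Return (rule, reason) pairs for rules that cross more than one tier boundary
    or flow backwards (e.g. data -> app)."""
    by_name = {s.name: s for s in subnets}
    violations = []
    for rule in rules:
        dest_tier = by_name[rule.dest].tier
        src_tier = tier_of_source(rule.source, subnets)
        dest_idx = TIER_ORDER.index(dest_tier)
        src_idx = TIER_ORDER.index(src_tier)
        if src_idx in (dest_idx, dest_idx - 1):
            continue  # same tier, or the tier directly in front: permitted
        violations.append(
            (rule, f"{src_tier} -> {dest_tier} on port {rule.port} bypasses the tier boundary")
        )
    return violations


# Constructed sample layout (hypothetical CIDRs).
SAMPLE_SUBNETS = [
    Subnet("web-subnet", "10.0.1.0/24", "web"),
    Subnet("app-subnet", "10.0.2.0/24", "app"),
    Subnet("data-subnet", "10.0.3.0/24", "data"),
]

# Constructed sample rules: the first three follow the design, the last three do not.
SAMPLE_RULES = [
    AllowRule("0.0.0.0/0", "web-subnet", 443),        # internet -> web: expected
    AllowRule("10.0.1.0/24", "app-subnet", 8080),     # web -> app: expected
    AllowRule("10.0.2.0/24", "data-subnet", 5432),    # app -> data: expected
    AllowRule("0.0.0.0/0", "data-subnet", 5432),      # internet -> data: exposed database
    AllowRule("10.0.1.0/24", "data-subnet", 5432),    # web -> data: skips the app tier
    AllowRule("10.0.3.0/24", "app-subnet", 22),       # data -> app: backwards, lateral path
]

if __name__ == "__main__":
    for rule, reason in find_violations(SAMPLE_SUBNETS, SAMPLE_RULES):
        print(f"VIOLATION {rule.source} -> {rule.dest}:{rule.port}: {reason}")
```

Run against a live export, a check like this is cheap to schedule alongside the weekly scan routine, and the "conservative" handling of broad source ranges is deliberate: a rule sourced from a whole VPC CIDR is flagged rather than silently accepted, since it would admit traffic from any tier.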

**Virtualization**

Hypervisors virtualize the physical resources into pools of memory, processing, and storage from which the cloud environment is composed.

</details>

<details>

<summary>Cloud Provider Security Assurance</summary>

Providers adhere to and are audited under recognized standards, such as:\
**PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, NIST 800-17.**

</details>

<details>

<summary>Shared Responsibility Model</summary>

Security is shared among:

* Public cloud provider
* Skyone
* Customer

**Responsibilities:**

**Cloud Provider**

* Physical infrastructure
* Virtualization
* Facility security

**Skyone and Customer**

* Operating systems and patches
* Database configuration and security
* Applications
* Security groups and policies

</details>

<details>

<summary>Security Measures for Risk Mitigation</summary>

**a. Strategic Pillars**

* Weekly vulnerability scans
* Semiannual penetration tests
* Continuous application of automated patch/fix packs

**b. Access Management**

Managed by the Information Security team, with:

* Access granted through formal request
* Principle of least privilege
* Periodic audits

**c. Types of Access**

* **End users:** secure access without VPN, with logging and MFA/SSO (SAML) options
* **Consultants and administrators:** VPN access with credentials issued via ticket

**d. Least Privilege Principle**

Skyone uses a password vault for administrative access, reducing the risk of credential exposure.

</details>

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```http
GET https://docs.skyone.cloud/english/governance-and-security/privacy-data-protection-and-cybersecurity-practices.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
