Privacy, Data Protection, and Cybersecurity Practices

Overview

Skyone integrates its Information Security and Operations teams throughout the entire infrastructure service lifecycle, working continuously on the detection, prevention, mitigation, and response to privacy, data protection, and cybersecurity incidents. Our commitment is to maintain increasingly reliable, available, and secure computing environments.

Below, we present consolidated answers to the most frequently asked questions in audits and RFPs regarding our practices in these areas.

If you need additional information, please contact us at: [email protected].


Governance and Operations

Privacy, Data Protection, and Cybersecurity Processes and Procedures

Skyone operates under structured and certified practices in compliance with ABNT NBR ISO/IEC 27001:2022, ensuring continuous improvement of its Information Security Management System.

Security Analysis Routine

We perform weekly activities focused on identifying and mitigating risks in operating systems, web interfaces, and databases, including:

  • Application of software patches and updates

  • Operating system and database updates

  • Port scanning and mapping of open ports

Vulnerability Management and Classification

We use CVSS v3.0 to classify vulnerabilities (Critical, High, Medium, Low), applying fixes according to severity level, with documented evidence in our governance processes.

Monitoring, Detection, and Response

Our SOC operates with XDR (Extended Detection and Response) technology for continuous monitoring and security event response.

Incident Management

We maintain a structured plan for handling privacy, data protection, and cybersecurity events and incidents, led by our Governance team.

Incident Communication Plan

We adopt a strategic communication model, ensuring appropriate information is provided to stakeholders during incidents and critical situations.

Endpoint Security

  • All devices are corporate-owned and equipped with EDR monitored by the Security team.

  • The use of personal devices is not permitted, even in remote work arrangements.

  • USB ports are blocked to prevent unauthorized access.

LGPD Compliance

Since 2020, we have executed ongoing actions to comply with the LGPD. We collect data only through:

  • Forms on our website and hotsites

  • Tools integrated into marketing campaigns

Applied guidelines:

  • Consent required for all communications sent to CRM contacts

  • Privacy policy notice and cookie management on all forms

  • Periodic governance audits

  • Changes only with approval from the Privacy Committee

  • Contractual review of suppliers regarding privacy clauses

Incident Communication

We follow a standardized workflow through a dedicated portal, covering: Logging → Categorization → Diagnosis → Resolution → Closure

Change Management (GMUD)

All changes in customer environments go through a full analysis, including:

  • Identification of the change

  • Impact and affected systems

  • Pre- and post-change test plan

  • Rollback plan

  • Formal approval through a ticket in the Customer Portal

Contract Termination

In case of termination:

  • Penalties are calculated proportionally to the remaining contract term.

  • Skyone provides a database backup for 15 days after cancellation.

  • Requests must be sent to: [email protected]

Cyber Insurance

Skyone does not currently maintain cyber insurance.

Code of Ethics, Conduct, and Privacy Policy

All documents are publicly available on our website.

DPO (Data Protection Officer)

Skyone has an appointed DPO. Information is available at: https://skyone.solutions/juridico/politica-de-privacidade/

Platforms and Cloud Providers

Technologies Used

We operate with state-of-the-art technologies provided by leading public cloud providers: AWS, Google Cloud Platform (GCP), Microsoft Azure, and Oracle Cloud, in Brazil and abroad.

Platforms and Environment Components

Public cloud architecture abstracts the hardware, storage, network, and virtualization layers; the cloud providers are responsible for updates and risk mitigation in those layers.

Hardware

The provider datacenters are composed of:

  • Switches, routers, and firewalls

  • Load balancers

  • Storage arrays

  • Physical servers

  • Backup infrastructure

Storage

High availability (99.99% SLA) with redundancy and indexing for failure recovery.

Network

Provider-specific structures:

  • VPC (AWS and Google)

  • VNET (Azure)

  • VCN (Oracle)

Multi-subnet configurations enable isolation, traffic segmentation, and mitigation of lateral movement between segments.

Virtualization

Resources are virtualized via hypervisors, forming pools of memory, processing, and storage that compose the cloud environment.

Cloud Provider Security Assurance

Providers adhere to and are audited under recognized standards, such as: PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, NIST 800-17.

Shared Responsibility Model

Security is shared among:

  • Public cloud provider

  • Skyone

  • Customer

Responsibilities:

Cloud Provider

  • Physical infrastructure

  • Virtualization

  • Facility security

Skyone and Customer

  • Operating systems and patches

  • Database configuration and security

  • Applications

  • Security groups and policies

Security Measures for Risk Mitigation

a. Strategic Pillars

  • Weekly vulnerability scans

  • Semiannual penetration tests

  • Continuous application of automated patch/fix packs

b. Access Management

Managed by the Information Security team, with:

  • Access granted through formal request

  • Principle of least privilege

  • Periodic audits

c. Types of Access

  • End users: secure access without VPN, with logging and MFA/SSO (SAML) options

  • Consultants and administrators: VPN access with credentials issued via ticket

d. Least Privilege Principle

Skyone uses a password vault for administrative access, reducing the risk of credential exposure.
