# Privacy, data protection, and cybersecurity practices for Autosky

Skyone, within the scope of providing Licensing Services for the Use of Skyone Autosky and configuring the environment(s) defined at the time of contracting by the end customer, involves its Governance and Operations teams in detecting, resolving, preventing, and mitigating incidents related to privacy, data protection, and cybersecurity. In doing so, the company ensures the delivery of increasingly relevant, available, and reliable computational solutions.\
Below are answers to the most frequent questions raised in RFPs and audits, specifically related to Skyone’s practices in privacy, data protection, and cybersecurity.

{% hint style="info" %}
If the information in this document does not address your questions, please send your inquiries or request a meeting by emailing your contact information to [**governanca@skyone.solutions**](mailto:governanca@skyone.solutions).
{% endhint %}

***

<details>

<summary>What privacy, data protection, and cybersecurity processes and procedures has Skyone implemented?</summary>

Privacy, data protection, and cybersecurity processes and procedures are essential and critical components of Skyone’s operations. The company has aligned its practices with international standards and obtained the **ABNT NBR ISO/IEC 27001:2022** certification, which defines the requirements for implementing, maintaining, and continually improving an Information Security Management System (ISMS).\
Below are the main processes and procedures implemented:

**Security analysis routine**

Weekly processes are conducted to identify and mitigate risks in the operating system, web interfaces, and databases of the Autosky platform. They include, but are not limited to, the activities of the plan below:

**Vulnerability management plan**

* External and internal surface vulnerability scanning
* Dark web scanning
* Software patching
* Operating system version updates
* Database version updates
* Scanning and mapping of open ports

**Vulnerability mapping and classification**\
Vulnerabilities are categorized according to the **Common Vulnerability Scoring System v3.0 (CVSS v3.0 Rating)**, an open framework for communicating software vulnerability characteristics and severity:

* Critical
* High
* Medium
* Low

Corrective actions are applied regularly based on severity and are registered and handled within the Security Governance process.
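As an added example (not Skyone's code), the following script shows how scan findings are bucketed into the four bands above using the CVSS v3.0 qualitative severity scale (Critical 9.0–10.0, High 7.0–8.9, Medium 4.0–6.9, Low 0.1–3.9, None 0.0) and ordered for corrective action. The findings, hosts and identifiers are constructed placeholders.

```python
"""Added example, not Skyone's code: classify vulnerability scan findings by
CVSS v3.0 base score and order corrective actions by severity. The findings
are constructed sample data with placeholder identifiers and hosts."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str    # scanner's own identifier (placeholder values below)
    host: str          # asset where the issue was found
    base_score: float  # CVSS v3.0 base score, 0.0 to 10.0
    title: str


# Qualitative severity bands from the CVSS v3.0 specification; the order
# is also the order in which corrective actions are scheduled.
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "None")


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.0 base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def prioritize(findings):
    """Order findings for corrective action: highest band first, then the
    highest score within a band, then by host so reports are stable."""
    rank = {name: i for i, name in enumerate(SEVERITY_ORDER)}
    return sorted(
        findings,
        key=lambda f: (rank[cvss_severity(f.base_score)], -f.base_score, f.host),
    )


def summarize(findings):
    """Count findings per severity band, listing every band even when zero."""
    counts = Counter(cvss_severity(f.base_score) for f in findings)
    return {name: counts.get(name, 0) for name in SEVERITY_ORDER}


# Constructed sample scan output (generic titles, placeholder ids and hosts).
SAMPLE_FINDINGS = [
    Finding("SCAN-0001", "db-01", 5.3, "Weak TLS configuration on listener"),
    Finding("SCAN-0002", "web-02", 9.8, "Outdated web framework version"),
    Finding("SCAN-0003", "web-01", 7.5, "Unpatched OpenSSL build"),
    Finding("SCAN-0004", "web-01", 3.1, "Verbose server banner"),
    Finding("SCAN-0005", "db-01", 0.0, "Informational port inventory"),
    Finding("SCAN-0006", "app-03", 7.5, "Missing OS security updates"),
]


if __name__ == "__main__":
    print(summarize(SAMPLE_FINDINGS))
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{cvss_severity(f.base_score):8} {f.base_score:4} {f.host:7} {f.finding_id} {f.title}")
```

Ties within a band (the two 7.5 findings) are broken by host name only so that the queue order is reproducible between runs; a real governance process would add the remediation deadline for each band as a further sort key.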

**Monitoring, detection, and response routine**

We perform continuous analysis and management routines through our SOC, responsible for monitoring and generating security alerts using **XDR (Extended Detection and Response)** technology.

**Privacy, data protection, and cybersecurity incident management plan**

This plan systematically defines all stages of event and incident handling, conducted by Skyone’s Governance team as part of the privacy, data protection, and cybersecurity program.

**Incident communication plan**

We maintain a structured incident response plan in which communication initiatives play a strategic role. The objective is to ensure information is transmitted to the correct audience, supporting transparent relationships and strengthening trust.\
Communications are treated as a cross-functional process essential to both regular operations and crisis situations.

**Skyone device security**

* All endpoints used are Skyone property and have **EDR (Endpoint Detection and Response)** installed and monitored by the Security Governance team.
* The use of personal devices for corporate activities is prohibited, including remote work.
* Access to internal systems and customer environments is restricted through internal control tools and a perimeter firewall.
* USB ports are blocked to prevent the use of flash drives.

**Compliance, mitigation, and monitoring actions related to LGPD and the use of third-party data**

Compliance and risk mitigation actions required under the LGPD were structured in 2020. Skyone collects digital data exclusively through:

* Forms on our website and campaign landing pages
* Forms integrated with marketing tools

**Guidelines adopted to ensure compliance with the Privacy Policy:**

* All communication (marketing or relationship) sent to CRM contacts requires prior consent.
* All website or landing page forms include a privacy policy, cookie controls, and mandatory consent.
* The Governance team systematically audits compliance with these processes.
* Any changes in procedures require approval from the Privacy and Data Protection Committee.
* All supplier contracts have been audited and evaluated regarding privacy clauses.

</details>

<details>

<summary>How is an incident communicated?</summary>

Skyone follows structured steps for incident management using an incident registration portal, where each phase has a clearly defined purpose. The macro activities are:\
**Registration → Categorization → Diagnosis → Resolution → Closure**

</details>

<details>

<summary>Change Management Procedure (GMUD)</summary>

Changes in customer environments follow the Change Management process, which includes:

* Identifying the change
* Analyzing affected data and systems
* Defining responsibilities
* Impact assessment
* Pre-change testing plan
* Rollback plan
* Post-change testing plan

GMUD requests must be submitted through the Customer Portal via ticket. After technical validation and approval, the change proceeds to execution according to the scheduled timeline.

</details>

<details>

<summary>How does the transition plan work in case of contract termination with Skyone?</summary>

In unilateral cancellations before the contractual term, a proportional penalty applies based on the remaining period. Regardless of the termination type, Skyone provides a database backup for **15 (fifteen) days** from the termination date.\
Cancellation requests must be sent to: [**cancelamento@skyone.solutions**](mailto:cancelamento@skyone.solutions)

</details>

<details>

<summary>Does Skyone have insurance that covers cyberattacks or data breaches?</summary>

Currently, we do not have cyber insurance.

</details>

<details>

<summary>Does Skyone have a Code of Ethics, Conduct, and a Privacy Management Policy?</summary>

Yes. The Code of Ethics and Conduct and the Privacy Policy are public and available to our customers and partners.

</details>

<details>

<summary>Is there a designated DPO for the organization?</summary>

Yes. The DPO’s contact information is available in our Privacy Policy:\
<https://skyone.solutions/juridico/politica-de-privacidade/>

</details>

### **About the Autosky Platform**

<details>

<summary>What technologies does Skyone use?</summary>

Skyone’s environments use up-to-date technologies from major public cloud providers (AWS, Google GCP, Azure, and Oracle), in Brazil and abroad.

</details>

<details>

<summary>What platforms, solutions, standards, machines, and switches/firewalls make up the Skyone environment?</summary>

The use of public clouds implies abstraction of hardware, storage, network, and virtualization layers, with cloud providers responsible for maintenance, updates, and risk mitigation.

**Hardware**\
Although the cloud is perceived as virtual, it relies on geographically distributed physical infrastructure consisting of:

* Switches, routers, firewalls, load balancers
* Storage arrays
* Backup devices
* Physical servers

Virtualization connects these servers and abstracts resources such as memory and processing, making them available to users.

**Storage**\
Data is distributed across multiple disks in storage arrays, ensuring a 99.99% SLA. Management mechanisms ensure correct replication and recovery in case of failure.

**Network**\
The network layer on cloud providers is based on:

* VPC (AWS and Google)
* VNET (Azure)
* VCN (Oracle)

Networks are segmented into multiple subnets, enabling isolation, routing, and granular access control.

**Virtualization**\
A hypervisor allocates physical resources in virtualized environments, forming the essential cloud layer.

</details>

<details>

<summary>How can you validate that the cloud provider ensures security and risk mitigation?</summary>

Cloud providers hold certifications and compliance standards such as:\
PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, NIST 800-17, among others, regularly audited.

</details>

<details>

<summary>What is the shared responsibility model in the public cloud?</summary>

Security responsibilities are divided among:

* **Cloud provider:** physical infrastructure, virtualization layer, and related services
* **Skyone:** environment management, operating systems, database, templates, security groups
* **Customer:** application configuration, access, and data hosted

This model distinguishes **security of the cloud (provider)** from **security in the cloud (Skyone + customer)**.

</details>

<details>

<summary>How does the Autosky Platform work?</summary>

Autosky is a multicloud orchestration and automation platform that:

* Facilitates migration of client-server applications
* Supports any programming language or database
* Provides stronger security than conventional hosting
* Ensures recurring backups and effective disaster recovery
* Creates temporary servers with dynamic IPs, mitigating brute-force attacks

</details>

<details>

<summary>Does the Autosky Platform have DR (Disaster Recovery)?</summary>

As a cloud-native platform, Autosky operates with resilience, with components distributed across two Availability Zones.\
Customers must evaluate criticality and, when needed, contract DR for their environments.

</details>

<details>

<summary>Is the Autosky Platform secure?</summary>

Yes. The platform is continuously evolving and has a client-isolated architecture.

**1 – Strategic security pillars**

* Weekly vulnerability scans
* Semiannual pentests
* Automated patching

**2 – Access management**

Managed by the Infosec team, with:

* Controlled and logged access grants
* Least privilege
* Periodic audits

**3 – Types of access**

* **Users:** no VPN required; auditable; MFA and SAML/SSO
* **Administrators:** Autosky Panel access with MFA
* **Consultants and specialists:** access via VPN with credentials issued through ticket

**4 – Least privilege principle**

Yes, fully applied. Skyone uses a Password Vault for all environment access.

**5 – Hardening**

* Removal of unnecessary services
* Continuous library updates
* Automated testing

**6 – Secure development**

Based on privacy by design and security by default, in segregated environments.

**7 – Risks in the virtualization layer**

This layer is the cloud providers’ responsibility. There have been no recent incidents involving compromise of this layer.\
If needed, Skyone recreates the environment in a new availability zone.

</details>

<details>

<summary>How to protect the customer environment?</summary>

Recommended:

* Advanced antimalware with XDR
* Surface Protection Service
* Patch maintenance per CVE/Mitre

</details>

<details>

<summary>How to mitigate risks when employees and consultants access the environment?</summary>

* EDR adoption
* Centralized access management and recurring password changes
* Mandatory VPN usage

</details>

<details>

<summary>How does Autosky mitigate risks in the customer environment?</summary>

* **Firewall rules**\
  Controlled via NSG per environment.
* **Communication ports**\
  Opened only after analysis; risks generate a Risk Notification.
* **Operating systems**\
  Always provided in recent versions.
* **Authentication layer**\
  Secure URL access;\
  ReCaptcha, MFA, SSO/SAML;\
  Full audit logs;\
  IP and schedule restrictions.
* **Sizing**\
  Servers adjust dynamically; IPs rotate periodically, mitigating brute-force attacks.
* **Monitoring**\
  24x7 monitoring with dashboards.
* **Anti-malware**\
  Standard basic version; advanced optional.
* **Skyone Autosky Defender**\
  Mitigates brute-force attacks by blocking IPs in real time.
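
The script below is an added example and not Skyone's or Autosky Defender's code. It runs a sliding-window brute-force detector over constructed login log lines (the kind of logic behind real-time IP blocking) and applies the IP and schedule restriction the authentication layer describes. The log format, failure threshold, window length, allowed network and business hours are all assumptions.

```python
"""Added example, not Skyone's or Autosky Defender's code: sliding-window
brute-force detection over constructed login log lines plus an IP/schedule
access restriction. Log format, threshold, window, allowed network and
business hours are assumptions."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, time

# Assumed log format: "<ISO timestamp> LOGIN_OK|LOGIN_FAIL user=<name> ip=<addr>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2024-05-06T08:00:01 LOGIN_FAIL user=alice ip=203.0.113.7
2024-05-06T08:00:03 LOGIN_FAIL user=alice ip=203.0.113.7
2024-05-06T08:00:05 LOGIN_FAIL user=bob ip=203.0.113.7
2024-05-06T08:00:07 LOGIN_FAIL user=carol ip=203.0.113.7
2024-05-06T08:00:09 LOGIN_FAIL user=admin ip=203.0.113.7
2024-05-06T08:00:11 LOGIN_FAIL user=root ip=203.0.113.7
2024-05-06T08:10:00 LOGIN_FAIL user=dave ip=198.51.100.20
2024-05-06T08:12:00 LOGIN_FAIL user=dave ip=198.51.100.20
2024-05-06T08:12:30 LOGIN_OK user=dave ip=198.51.100.20
2024-05-06T22:30:00 LOGIN_OK user=dave ip=198.51.100.20
"""

# Assumed access policy: one customer office network, business hours only.
ALLOWED_NETWORKS = (ipaddress.ip_network("198.51.100.0/24"),)
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def parse_events(log_text):
    """Yield (timestamp, result, user, ip) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def brute_force_sources(events, threshold=5, window_seconds=60):
    """Return {ip: block_time} for each source with at least `threshold`
    failed logins inside any `window_seconds` window. Once an IP is blocked
    its later events are ignored, as a real-time blocker would do."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    blocked = {}
    for ts, result, _user, ip in events:
        if result != "LOGIN_FAIL" or ip in blocked:
            continue
        window = recent[ip]
        window.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            blocked[ip] = ts
    return blocked


def access_permitted(ip, ts, allowed=ALLOWED_NETWORKS, hours=BUSINESS_HOURS):
    """IP and schedule restriction: the source must be inside an allowed
    network and the attempt must fall within the permitted hours."""
    addr = ipaddress.ip_address(ip)
    in_network = any(addr in net for net in allowed)
    in_hours = hours[0] <= ts.time() <= hours[1]
    return in_network and in_hours


def out_of_policy_logins(events):
    """Successful logins the IP/schedule restriction would have refused."""
    return [
        (ts, user, ip)
        for ts, result, user, ip in events
        if result == "LOGIN_OK" and not access_permitted(ip, ts)
    ]


if __name__ == "__main__":
    events = list(parse_events(SAMPLE_LOG))
    for ip, when in brute_force_sources(events).items():
        print(f"block {ip} (threshold reached at {when})")
    for ts, user, ip in out_of_policy_logins(events):
        print(f"out-of-policy login: {user} from {ip} at {ts}")
```

In the sample, 203.0.113.7 reaches five failures within eight seconds and is blocked at the fifth attempt; the two spaced-out failures from the office network never meet the threshold, but its successful login at 22:30 is flagged because it falls outside the permitted schedule. Threshold and window are the knobs to tune against the false-positive rate of legitimate users mistyping passwords.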

</details>

<details>

<summary>Backup process on the Autosky Platform</summary>

* **Standard backup policy**\
  Instance and database server snapshots;\
  7-day retention.
* **Additional options**\
  Custom granularity, retention, and destination.
* **Backup storage**\
  Snapshots stored in object storage services (S3, OCI Object Storage, Azure Object Storage, Google Cloud Storage) with **11 nines durability (99.999999999%)**.\
  Storage isolated from servers.\
  OCI backups include automatic encryption.
* **Backup evidence**\
  Available in the Customer Portal per environment/server.
* **Recovery request**\
  Can be submitted directly through the Portal; the request creates an automatic ticket.
* **Recovery tests**\
  Must be requested by the customer via ticket.

</details>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.skyone.cloud/english/governance-and-security/privacy-data-protection-and-cybersecurity-practices-for-autosky.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
