Privacy, data protection, and cybersecurity practices for Autosky

Privacy, data protection, and cybersecurity processes and procedures are essential and critical components of Skyone’s operations. The company has aligned its practices with international standards and obtained the ABNT NBR ISO/IEC 27001:2022 certification, which defines the requirements for implementing, maintaining, and continually improving an Information Security Management System (ISMS). Below are the main processes and procedures implemented:

Security analysis routine

Weekly processes are conducted to identify and mitigate risks in the operating system, web interfaces, and databases of the Autosky platform, including but not limited to:

Vulnerability management plan

• External and internal surface vulnerability scanning

• Dark web scanning

• Software patching

• Operating system version updates

• Database version updates

• Scanning and mapping of open ports

Vulnerability mapping and classification Vulnerabilities are categorized according to the Common Vulnerability Scoring System v3.0 (CVSS v3.0 Rating), an open framework for communicating software vulnerability characteristics and severity:

• Critical

• High

• Medium

• Low

Corrective actions are applied regularly based on severity and are registered and handled within the Security Governance process.

Monitoring, detection, and response routine

We perform continuous analysis and management routines through our SOC, responsible for monitoring and generating security alerts using XDR (Extended Detection and Response) technology.

Privacy, data protection, and cybersecurity incident management plan

This plan systematically defines all stages of event and incident handling, conducted by Skyone’s Governance team as part of the privacy, data protection, and cybersecurity program.

Incident communication plan

We maintain a structured incident response plan in which communication initiatives play a strategic role. The objective is to ensure information is transmitted to the correct audience, supporting transparent relationships and strengthening trust. Communications are treated as a cross-functional process essential to both regular operations and crisis situations.

Skyone device security

• All endpoints used are Skyone property and have EDR (Endpoint Detection and Response) installed and monitored by the Security Governance team.

• The use of personal devices for corporate activities is prohibited, including remote work.

• Access is restricted through internal control tools and a perimeter firewall for access to the internal system and customer environments.

• USB ports are blocked to prevent the use of flash drives.

Compliance, mitigation, and monitoring actions related to LGPD and the use of third-party data

Compliance and risk mitigation actions required under the LGPD were structured in 2020. Skyone collects digital data exclusively through:

• Forms on our website and campaign landing pages

• Forms integrated with marketing tools

Guidelines adopted to ensure compliance with the Privacy Policy:

• All communication (marketing or relationship) sent to CRM contacts requires prior consent.

• All website or landing page forms include a privacy policy, cookie controls, and mandatory consent.

• The Governance team systematically audits compliance with these processes.

• Any changes in procedures require approval from the Privacy and Data Protection Committee.

• All supplier contracts have been audited and evaluated regarding privacy clauses.

Skyone follows structured steps for incident management using an incident registration portal, where each phase has a clearly defined purpose. The macro activities are: Registration → Categorization → Diagnosis → Resolution → Closure

Changes in customer environments follow the Change Management process, which includes:

• Identifying the change

• Analyzing affected data and systems

• Defining responsibilities

• Impact assessment

• Pre-change testing plan

• Rollback plan

• Post-change testing plan

GMUD requests must be submitted through the Customer Portal via ticket. After technical validation and approval, the change proceeds to execution according to the scheduled timeline.

In unilateral cancellations before the contractual term, a proportional penalty applies based on the remaining period. Regardless of the termination type, Skyone provides a database backup for 15 (fifteen) days from the termination date. Cancellation requests must be sent to: [email protected]

Currently, we do not have cyber insurance.

Yes. The Code of Ethics and Conduct and the Privacy Policy are public and available to our customers and partners.

Yes. The DPO’s contact information is available in our Privacy Policy: https://skyone.solutions/juridico/politica-de-privacidade/

Skyone’s environments use up-to-date technologies from major public cloud providers (AWS, Google GCP, Azure, and Oracle), in Brazil and abroad.

The use of public clouds implies abstraction of hardware, storage, network, and virtualization layers, with cloud providers responsible for maintenance, updates, and risk mitigation.

Hardware Although the cloud is perceived as virtual, it relies on geographically distributed physical infrastructure consisting of:

• Switches, routers, firewalls, load balancers

• Storage arrays

• Backup devices

• Physical servers

Virtualization connects these servers and abstracts resources such as memory and processing, making them available to users.

Storage Data is distributed across multiple disks in storage arrays, ensuring 99.99% SLA. Management mechanisms ensure correct replication and recovery in case of failure.

Network The network layer on cloud providers is based on:

• VPC (AWS and Google)

• VNET (Azure)

• VCN (Oracle)

Networks are segmented into multiple subnets, enabling isolation, routing, and granular access control.

Virtualization A hypervisor allocates physical resources in virtualized environments, forming the essential cloud layer.

Cloud providers hold certifications and compliance standards such as: PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, NIST 800-17, among others, regularly audited.

Security responsibilities are divided among:

• Cloud provider: physical infrastructure, virtualization layer, and related services

• Skyone: environment management, operating systems, database, templates, security groups

• Customer: application configuration, access, and data hosted

This model distinguishes security of the cloud (provider) from security in the cloud (Skyone + customer).

Autosky is a multicloud orchestration and automation platform that:

• Facilitates migration of client-server applications

• Supports any programming language or database

• Provides stronger security than conventional hosting

• Ensures recurring backups and effective disaster recovery

• Creates temporary servers with dynamic IPs, mitigating brute-force attacks

As a cloud-native platform, Autosky operates with resilience, with components distributed across two Availability Zones. Customers must evaluate criticality and, when needed, contract DR for their environments.

Yes. The platform is continuously evolving and has client-isolated architecture.

1 – Strategic security pillars

• Weekly vulnerability scans

• Semiannual pentests

• Automated patching

2 – Access management

Managed by the Infosec team, with:

• Controlled and logged access grants

• Least privilege

• Periodic audits

3 – Types of access

• Users: no VPN required; auditable; MFA and SAML/SSO

• Administrators: Autosky Panel access with MFA

• Consultants and specialists: access via VPN with credentials issued through ticket

4 – Least privilege principle

Yes, fully applied. Skyone uses a Password Vault for all environment access.

5 – Hardening

• Removal of unnecessary services

• Continuous library updates

• Automated testing

6 – Secure development

Based on privacy by design and security by default, in segregated environments.

7 – Risks in the virtualization layer

This layer is the cloud providers’ responsibility. There have been no recent incidents involving compromise of this layer. If needed, Skyone recreates the environment in a new availability zone.

Recommended:

• Advanced antimalware with XDR

• Surface Protection Service

• Patch maintenance per CVE/Mitre

• EDR adoption

• Centralized access management and recurring password changes

• Mandatory VPN usage

• Firewall rules Controlled via NSG per environment.

• Communication ports Opened only after analysis; risks generate a Risk Notification.

• Operating systems Always provided in recent versions.

• Authentication layer Secure URL access; ReCaptcha, MFA, SSO/SAML; Full audit logs; IP and schedule restrictions.

• Sizing Servers adjust dynamically; IPs rotate periodically, mitigating brute-force attacks.

• Monitoring 24x7 monitoring with dashboards.

• Anti-malware Standard basic version; advanced optional.

• Skyone Autosky Defender Mitigates brute-force attacks by blocking IPs in real time.

• Standard backup policy Instance and database server snapshots; 7-day retention.

• Additional options Custom granularity, retention, and destination.

• Backup storage Snapshots stored in object storage services (S3, OCI Object Storage, Azure Object Storage, Google Cloud Storage) with 11 nines durability (99.999999999%). Storage isolated from servers. OCI backups include automatic encryption.

• Backup evidence Available in the Customer Portal per environment/server.

• Recovery request Can be submitted directly through the Portal; the request creates an automatic ticket.

• Recovery tests Must be requested by the customer via ticket.