RiskPulse

Privacy and Personal Data Protection Policy

Sofist Qualidade de Software S.A. — Last updated: August 14, 2025.

1. Purpose

Sofist Qualidade de Software S.A. ("Sofist", "we", "our"), located at Avenida Orosimbo Maia 360, Sala 509, Campinas/SP, Brazil, CEP 13010-211, commits to protecting personal data and complying with applicable protection laws, including Brazil's General Data Protection Law (LGPD). This policy describes how the company collects, uses, and discloses personal information, and outlines how individuals can exercise their rights.

2. Scope

This policy applies to all users accessing Sofist's website and its pages, contact forms, newsletters, integrated services, and all personal data processed by Sofist, including customer and potential customer data, regardless of location.

3. Roles and Responsibilities

3.1. Data Controller (Organization responsible for the website)

  • Ensuring compliance with personal data protection regulations;
  • Keeping the privacy notice up to date and accessible to users;
  • Ensuring response mechanisms for data subjects (access, correction, deletion requests).

3.2. Data Protection Officer (DPO)

  • Acts as the communication channel between data subjects, the organization, and the National Data Protection Authority (ANPD);
  • Monitors and provides guidance on privacy practices adopted on the website.

3.3. Website Users

  • Read and understand this notice before providing personal information;
  • Use the indicated channels to exercise rights under the LGPD.

4. General Guidelines

4.1. Personal Data Collected

The company may collect the following categories of personal data:

  • Identifiers: First name, last name, email address, telephone number, occupation/position, country, company.
  • Internet/Electronic Network Activity Information: IP address, browsing history, website interactions.
  • Professional/Employment Information: Position, employer, professional experience.
  • Sensitive Data: Personal preferences or behavior data, processed only with explicit consent per LGPD Article 11.
  • Employee Hiring Information: Identifiers, sensitive personal data, emergency contacts (identifying data of contacts), bank details, personal documents (voter registration, ID, reservist card, CPF, work permit, driver's license), and where applicable, identifying and sensitive data of dependents.
  • Recruitment/Selection Information: Any data in any format provided through official recruitment channels, CVs, and letters.

4.2. Purposes of Processing

Personal data is processed for the following purposes:

  • Provision of Services: Delivering IT consulting and related services, preparing reports, analyses, and related documents.
  • Business Development: Creating opportunities to present solutions to clients and potential clients.
  • Communication: Sending invitations, publications, and various communications.
  • Support: Providing user support and answering questions.
  • Hiring, Recruitment, Selection: Collecting candidate personal data for background assessment where applicable.
  • Legal Compliance: Complying with legal obligations in different jurisdictions.

4.3. How Personal Data is Collected

4.3.1. Personal data is collected in the following ways:

  • Personal data provided by the data subject: Information necessary to initiate and maintain commercial/contractual relationships via electronic channels or for inclusion in Sofist's electronic systems or partner systems.
  • Personal data provided by third parties: Information provided by third parties, such as data from legal entity clients regarding users, employees, etc.

4.3.2. The company does not knowingly collect, store, or process excessive or unnecessary personal data. Users are asked to refrain from sharing sensitive personal data such as: "racial or ethnic origin, religious belief, political opinion, membership of a trade union or religious, philosophical or political organization, health or sex life, as well as genetic data."

4.4. Purpose of Personal Data and Legal Bases for Processing

4.4.1. Sofist acts as an operator carrying out data processing activities for clients.

4.4.2. All collected personal data is used for service provision. Data subject privacy is respected: all information is treated as confidential and used only for the purposes described.

4.4.3. Legal grounds for processing:

  • Consent: Where consent has been provided for specific processing activities.
  • Contractual Necessity: To enter into a contract or to take steps on request before entering into one.
  • Legal/Regulatory Obligation: Complying with LGPD and regulatory obligations, including money laundering or anti-corruption measures.
  • Legitimate Interests: For the company's legitimate interests, provided these are not overridden by data protection rights.
  • Regular Exercise of Rights: For regular exercise of rights in judicial, administrative, or arbitration proceedings.

4.5. Period of Retention of Personal Data

4.5.1. Personal data is kept for the period necessary to achieve the purposes defined at the time of collection. After the relationship ends, data is retained as needed to comply with legal obligations or contractual agreements and to exercise rights, including for auditing purposes. Retention periods are reviewed periodically per LGPD Article 15.

4.5.2. Once the processing purposes are fulfilled, information is disposed of securely, except in the cases provided for in LGPD Article 16. Personal information essential for legal, judicial, and administrative compliance, or for exercising defense rights in judicial or administrative proceedings, is retained even when other data is deleted.

4.6. Sharing and Disclosure of Data

4.6.1. Cases where data may be shared:

  • A legal determination, request, requisition, or court order requiring data to be shared with competent judicial, administrative, or governmental authorities.
  • Use of third-party services or platforms that support operations, which results in personal data being stored by service providers that are contractually obliged to protect it.
  • Corporate movements such as mergers, acquisitions, and incorporations, which automatically require data to be shared with future shareholders.
  • Protection of Sofist's rights in any type of conflict, including judicial conflicts.

4.6.2. Personal data is shared with third parties only when legally permissible or contractually permitted. When sharing data, the company applies contractually established security measures to ensure appropriate mechanisms for protecting personal data.

4.7. International Data Transfers

4.7.1. The company may use third parties in other countries to perform services, which results in some personal data being transferred abroad.

4.7.2. The company ensures that all personal data shared internationally is adequately protected to standards similar to those it has adopted. International transfers include appropriate safeguards, such as Standard Contractual Clauses under the LGPD mechanisms, in compliance with LGPD Article 33.

4.8. Measures for Personal Data Security

4.8.1. Sofist maintains an Information Security Policy that is kept up to date with information security best practices.

4.8.2. Main security measures:

  • Confidentiality: All employees are subject to total confidentiality; third parties sign confidentiality agreements where confidentiality is not already covered in their main agreements.
  • Transparency: The company keeps users informed of changes to personal data processing procedures made to protect privacy and security, establishing appropriate practices and policies. Data subjects can at any time request information about where personal data is stored, protected, and used.
  • Isolation: All access to personal data is blocked by default under a zero-privilege policy. Access is restricted to individually authorized personnel. The responsible area grants authorizations only when the need is proven and keeps authorization records. Authorized personnel receive the minimum database and system access strictly necessary for their activities.
  • Personal Data Subject Rights: Sofist enables data subjects to exercise rights through accessible, user-friendly channels.
  • Monitoring: The company uses log audit reports and notifications to monitor access patterns and to identify and mitigate potential threats. Administrative operations, including system access, are recorded so that an audit trail is available to address unauthorized or accidental changes.
  • Security Incident Communication: For incidents that may entail risks to user data or relevant damage, Sofist notifies the ANPD under the LGPD and, as applicable, notifies the holder. Notifications occur within a reasonable timeframe and describe the nature of the affected personal data, the technical and security measures used to protect it, the related risks, and the measures adopted or planned to reverse or mitigate the effects of the damage.

4.8.2.1. For these purposes, "security incident" means: "a breach of security that leads to unauthorized access, accidental or unlawful destruction, loss, alteration, communication or any form of improper or unlawful processing."

4.8.3. No Internet security system is guaranteed against unwanted intrusions. Sofist's commitment is limited to adopting protection measures in line with the current state of the art.

4.8.3.1. Sofist is not responsible for: (i) consequences arising from a data subject's negligence, imprudence, or malpractice regarding their own personal data (the company guarantees and is responsible only for the security of data processing and for fulfilling the described purposes); (ii) malicious third-party actions such as hacker attacks, unless culpable or deliberate conduct by Sofist is proven; (iii) the accuracy of information entered by data subjects in required records (consequences arising from false information or information provided in bad faith are entirely the data subject's responsibility).

4.9. Data Subjects' Rights

4.9.1. Data subjects may exercise rights directly or through legally constituted representatives.

4.9.2. Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right to Know: Requesting information about the categories of personal data collected and the specific data.
  • Right of Access: Obtaining copies of personal data.
  • Right to Erasure: Requesting the erasure of personal data, subject to certain exceptions.
  • Right to Correction: Requesting the correction of inaccurate personal data.
  • Right to Data Portability: Receiving personal data in a structured, commonly used, machine-readable format.
  • Right to Cancel Sale: Directing the company not to sell personal data. Sofist emphasizes it does not sell personal data.
  • Right to Non-Discrimination: Receiving equal service and price despite exercising privacy rights.
  • Right to Restrict Processing: Per LGPD, requesting that processing be restricted in specific circumstances.

4.9.3. To exercise these rights, contact us at privacy@sofist.co.

5. Changes to This Policy

5.1. The company may update this privacy policy periodically. Significant changes are posted here with an updated effective date. Users are advised to request this document periodically to stay aware of changes.

6. Terms and Definitions

  • ANPD: National Data Protection Authority.
  • Employees: All Sofist employees regardless of position, function, or employment form.
  • LGPD: General Data Protection Law.
  • Newsletter: Digital email publication containing information, news, updates, or relevant content on specific topics for previously registered interested audiences.

7. Contact

7.1. For questions, concerns, or complaints about this privacy policy or data practices, contact us at privacy@sofist.co.

7.2. For LGPD-related questions, contact Brazil's National Data Protection Authority (ANPD), which is responsible for ensuring that the rights of personal data subjects are respected in Brazil. Visit the ANPD channel for information on rights or complaint procedures.

7.3. For other questions, contact the Data Protection Officer (DPO) at dpo@sofist.co.
