Cybersecurity Policy

Version updated on December 14, 2021

INTRODUCTION

Hotmart's Cybersecurity Policy encompasses the guidelines, objectives and controls concerning Information Security in the Company's IT environment, in order to safeguard its operations, users and third parties. All employees and providers shall be aware of its directives and act in strict accordance with them.

ROLES AND RESPONSIBILITIES

Cybersecurity responsibilities are distributed between the following organizational levels:

  • Technology Vice Presidency and Directory
  • Cybersecurity Management
  • Privacy and Regulations Management
  • Internal Controls Management
  • All employees (Troopers)
  • Third parties, vendors and IT service providers

GUIDELINES

The Company adopts a set of actions, guidelines and procedures in order to reduce cybersecurity vulnerabilities and risk exposure, in line with the pillars that underpin all of the Company's data processing:

  • Confidentiality: the information shall not be disclosed to unauthorized people.
  • Integrity: the information shall not be altered without proper authorization.
  • Availability: information shall be stored, protected and accessible whenever it is required.

The information security guidelines and rules adopted by the Company address the following objectives:

  • Efficient monitoring of the effectiveness of the adopted processes and controls in order to mitigate cybersecurity risks.
  • Timely detection of emerging cybersecurity risks.
  • Continuous optimization of the capability to prevent, detect, contain, eradicate and recover from cybersecurity incidents.
  • Ongoing dissemination of cybersecurity culture and awareness, as well as the defense of data protection through the principle of security and privacy by design.

INFORMATION SECURITY PROGRAM

Hotmart's information security program consists of a broad process that, according to the established principles and goals, guides the implementation of the following controls and techniques:

  • Information Classification

In order to protect and adequately process information, it shall be classified in accordance with its confidentiality level. The classification shall be carried out on the basis of the information's value, sensitivity, criticality and applicable regulatory standards, and the Company shall label the information accordingly.

  • Development focused on privacy and data protection

Hotmart has dedicated teams to which the creation of security features and optimization of application security are assigned, in accordance with personal data protection standards and the industry best practices.

  • Proprietary rights

The Company shall respect all aspects of intellectual property within its operations and requires that anyone who comes to know any of Hotmart's internal or proprietary information shall not use it for illegitimate private purposes.

  • Management of information assets

Information assets are any resource employed in the organization's data lifecycle. At Hotmart, these assets are protected against unauthorized access, and all employees shall use them carefully in their daily activities, acting with integrity and good judgment, also in accordance with the specific rules concerning mobile devices connected to the network.

  • Access management

The Company establishes formal procedures for access management across its whole IT environment, including processes for granting, revoking, transferring, reviewing and authenticating access.

  • Change management

Hotmart establishes a variety of change controls over the Company’s systems, including procedures for code review, integrity check, data tracking, version control, continuous integration cycle and testing management.

  • Network management and cryptography

By means of network management, Hotmart safeguards the data flow between its system components, maintaining secure network segmentation, security baselines and strong cryptography.

  • Vulnerability management

Hotmart performs recurring scans and tests in its IT environment, carried out by a team specialized in security testing, to identify flaws and vulnerabilities in its systems, which are then handled by its cybersecurity and secure development teams.

  • Malicious code protection

Protection mechanisms are implemented against malicious code at entry and exit points of Hotmart systems. These points include firewalls, remote access servers, workstations, email servers, web servers, proxy servers and mobile devices.

  • Vendor management

Based on information received and internal checks, Hotmart assesses the risks involved in contracting each supplier, to ensure compliance with the Company's cybersecurity rules, in accordance with the nature of the services provided.

  • Audit logs generation and analysis

Automated audit trails are implemented for Hotmart's system components, enabling the tracking of security events, authentication and user actions.

  • Data breach prevention

Hotmart applies technical controls over the transmission of information in its IT environment, through automated solutions which detect, restrict and alert on the improper sharing of data. These controls are tied to the classification of the information concerned.

  • Contingency Plan

Hotmart maintains a plan for the safe recovery of the data processed by the Company and of the functionality of its systems, in case of unavailability of the critical technology services that support its operation. The Company maintains data backups in more than one datacenter.

  • Information Security training and awareness

With the aim of disseminating a cybersecurity culture and driving continuous improvement, the Company promotes training and regular awareness initiatives related to cybersecurity for all of its employees.

  • Incident management

Hotmart's incident management process is designed to prevent, detect, respond to and recover from any unexpected event that causes instability, violates internal policy, or may otherwise harm the Company.

All incidents reported in Hotmart's technology environment are subject to identification, analysis, classification and communication procedures, in accordance with their impact and urgency, and taking into account the interests of the parties that may be involved or affected.

Where external parties identify any inconsistency or failure in the Hotmart environment, the Company provides a channel for receiving the corresponding report via the e-mail address security@hotmart.com.

POLICY VIOLATION

Any action that does not comply with the Information Security Program guidelines defined in this Policy constitutes a serious offense and entails the application of sanctions in accordance with current legislation.

The employee or service provider who deliberately fails to report violations of this policy will also be subject to the aforementioned sanctions.