Information Security Policy - External

At Zallpy Software LTDA, information security is treated as a strategic pillar for business sustainability, data protection, and preservation of the trust of clients, suppliers, partners, and other stakeholders.

Our commitment to security goes beyond technological protection: it involves processes, governance, people, and continuous controls aimed at ensuring the protection of information throughout its entire lifecycle.

This public policy presents, in a summarized manner, the main commitments and practices adopted by Zallpy to ensure the adequate protection of the information under its responsibility.

1. Our Commitment to Information Security

Zallpy adopts structured practices to protect corporate information, client data, technological assets, and information shared by third parties.

Our commitment is based on five essential pillars:

Confidentiality: We ensure that information is accessed exclusively by authorized individuals, according to their business need and permission level.

Integrity: We adopt mechanisms to ensure that information remains accurate, complete, and protected against improper or unauthorized alterations.

Availability: We maintain controls to ensure that information, systems, and services are available whenever necessary to support operations and commitments with clients.

Authenticity: We maintain mechanisms to validate the identity, origin, and legitimacy of information and transactions performed within our environments.

Traceability: We maintain records and audit trails that allow monitoring, investigation, and accountability of actions performed in our systems.

2. Governance and Security Management

Information security at Zallpy is structured through a formal governance model, with a clear definition of responsibilities, risk management processes, and security controls. Our model includes:

• definition of internal policies and standards;

• continuous risk management;

• periodic audits;

• monitoring of environments and assets;

• continuous review and improvement of implemented controls.

This model enables constant evolution in response to technological, regulatory, and cyber threat changes.

• Establish clauses for the preservation of confidentiality, intellectual property, the secrecy of information, and the protection of personal data (LGPD), which must be respected and complied with before, during, and after the provision of services by suppliers, through agreements between the parties involved.

3. Data Protection and Privacy

The protection of personal data and sensitive information is treated with a high level of priority.

Zallpy adopts practices to ensure that data is processed based on the principles of:

• purpose limitation;

• necessity;

• adequacy;

• data minimization;

• adequate retention;

• secure disposal.

4. Access Control

Access to corporate information and systems is controlled based on the principle of least privilege, ensuring that each user has only the access strictly necessary to perform their activities.

Our controls include:

• individual authentication;

• access segregation;

• periodic permission reviews;

• immediate revocation in cases of termination or role change;

• multi-factor authentication, when applicable.

These controls reduce the risks of unauthorized access and data exposure.

Additionally, we implement technical and administrative controls to prevent improper access, leaks, or inappropriate use of information.

5. Technological Security

Zallpy’s technological infrastructure is protected by security mechanisms aimed at the prevention, detection, and response to threats.

Among the adopted controls are:

• endpoint protection;

• event monitoring;

• vulnerability management;

• patch and update management;

• encryption;

• network protection;

6. Security Incident Management

Zallpy maintains formal processes for the identification, registration, analysis, containment, and handling of information security incidents.

When an incident is identified, proportional measures are adopted to:

• contain the impact;

• preserve evidence;

• restore operations;

• evaluate root cause;

• implement preventive improvements.

Our objective is to ensure a fast, efficient, and structured response.

• backup and data recovery.

These mechanisms contribute to reducing the attack surface and increasing operational resilience.

7. Business Continuity

We maintain operational continuity mechanisms to minimize impacts resulting from failures, unavailability, or incidents that may affect our services.

This includes:

• backup routines;

• recovery tests;

• contingency processes;

• operational recovery measures.

Our focus is to ensure stability, availability, and efficient recovery.

8. Security in the Supplier Chain

Information security is also considered in our relationship with suppliers, partners, and third parties.

Third parties that have access to Zallpy’s data, systems, or environments must comply with minimum security, confidentiality, and information protection requirements.

Whenever necessary, we conduct risk assessments and compliance validations.

9. Awareness and Security Culture

We believe that information security depends on technology, processes, and human behavior.

Therefore, we promote continuous awareness and internal training initiatives to strengthen the culture of information protection, security best practices, and incident prevention.

Strong security is not born from a firewall. It is born from culture. The firewall only prevents the problem from entering; culture prevents it from being invited.

10. Compliance and Continuous Improvement

Zallpy maintains a permanent commitment to the continuous improvement of its security processes and controls, seeking constant evolution in maturity, regulatory compliance, and alignment with market best practices.

Our security environment is continuously reviewed to respond to the evolution of threats and business needs.

11. Contact Channel

Requests related to Information Security, privacy, compliance, or security requirements from suppliers and clients may be forwarded through our official communication channels.

Zallpy maintains a formal channel for the evaluation of security requirements, supplier due diligence, and matters related to information protection.

12. Effective Date

Effective date: June 05, 2026, rev.: 04.

Effective date (Portuguese-language version): 20/05/2026, rev.: 04.

Offices

DALLAS - TX

Star District - 5 Cowboys Way, Ste. 300 - 71, Frisco, Texas

PHONE

+1 (469) 642-9366

SÃO PAULO – SP

Alameda Vicente Pinzon, 54 – Cubo Itaú

PORTO ALEGRE - RS

Av. Farrapos, 3857 - Floresta - 4º Distrito

FLORIANÓPOLIS - SC

SC 401, Km 4 - ACATE