Privacy policy

  1. Objective

This document defines:

  • Guidelines that must be met by 2innovateIT employees. The third parties involved (suppliers, contractors, others) must be included in the requirements of this Policy in a mandatory manner.
  • Establishment of a framework for all processes and their security mechanisms.
  • Classification of the information and definition of the fundamental principles to ensure it is in accordance with the business objectives in the field of information security.
  • Minimum requirements for information management, access control, physical security, communications, operations and systems development.
  1. Reach

This Policy applies to:

  • All information that is created, received, stored, processed, transmitted, delivered and discarded, using any system or storage medium.
  • The Company and its employees, as well as external personnel and/or suppliers who interact directly or indirectly with customers.

3 Policies

3.1 Roles and Responsibilities

  • Certain privileged or sensitive tasks should be separated from daily ones, to minimize the risk of abuse of privilege and to maximize the ability of those who have the function to control the tasks of others.
  • Respecting the principle of segregation of duties, some roles must be performed by different individuals or groups, such as: access management or control over operating systems, normal use of systems and applications, auditing and security management.

3.1.1 Users

  • Users must be regularly informed about the existing regulatory framework, and must receive training when necessary.
  • Security awareness may be achieved through multiple methods of communication and education to staff (for example: posters, letters, memos, web-based training, meetings, etc.).
  • New personnel joining 2innovateIT must be instructed on the sensitivity of information systems. Cybersecurity awareness must be created and maintained. It must be delivered at least once a year.

3.1.2 Clients

  • Clients should not share any password provided by 2innovate. The company will never ask you for such information.
  • If an employee asks you for confidential information, it must be through the email or through the contacts on the website, this must not contain card data, passwords or Home Banking keys.
  • If you have any questions, send an email to

3.1.3 Third parties involved

The third parties involved must abide by the guidelines established by this Policy.

3.2 Risk Analysis and Information Classification

  • An adequate risk analysis and classification must be carried out, it must identify the threats, vulnerabilities related to the information and be carried out, at least, annually.
  • Some risk assessment methodologies to consider may be: OCTAVE, ISO-IEC 31000, ISO-IEC 27005 and NIST SP 800-30, among others.
  • The information must be classified, according to its classification level.

3.3 Access Control

  • 2innovateIT’s access policy is based on the least privilege possible, meaning that users who need access will be given the lowest level of privilege possible to fulfill their job functions.
  • The computer resources made available to users by 2innovateIT are intended to be used in the development of daily activities.
  • 2innovateIT reserves the right to access all equipment and systems used in the development of its business, for operational support purposes and/or for the protection of its assets.

3.3.1 Business Guidelines for Access Control

  • Information systems and networks must have defined and implemented security mechanisms to provide an appropriate level of protection to the information handled.
  • In order for a user to have access to systems or applications, their access rights must be authorized and their identity verified by at least their line manager or a company officer/manager.
  • Operational auditing mechanisms should be used to monitor the use of application access rights and to ensure that the level of access granted is consistent with each user’s role.
  • Users must be responsible for the granted use of their devices and authentication data (users, passwords, PINs, others).
  • Sharing access credentials and authentication devices is prohibited, they must be kept secret and secure.
  • Access to systems is monitored to ensure compliance with access standards.

3.4 Physical Security of Information

  • All IT resources that are critical to the continuity of 2innovateIT’s business must be physically secured.
  • Physical access to the network and communications infrastructure must be limited to authorized users.
  • Every time staff leave your office or desk, you must ensure that no confidential information or other sensitive material is left unprotected.

3.5 Protection Against Malicious Software

  • The company provides adequate tools for the protection of computer equipment against malware threats.
  • Users should follow security practices to minimize risk, such as not using unauthorized software or not opening email messages from unknown or questionable sources.

3.6 Classification of Information

  • All information in physical, written or printed format must be classified in accordance with its security requirements.

The classification policy is based on the following 3 levels:

  • Level 1 – Public Information
  • Level 2 – Confidential information
  • Level 3 – Confidential Information

3.7 Destruction of Information

  • The discarding of information storage media of any kind is treated in accordance with the classification level of the stored data.
  • In the case of sensitive information, the medium must be physically destroyed or duly erased if it is intended to be reused.

3.8 Email Use for Business

  • 2innovateIT email systems must be used for business purposes. Personal use is permitted to the extent that:
    • Does not consume significant resources.
    • Do not hinder any business activity.
  • Employees are prohibited from using any electronic mail system other than
  • 2innovateIT to send or receive information related to 2innovateIT business.
  • All messages sent from 2innovateIT must comply with this policy, local legislation and the Company’s standards regarding content.
  • Confidential or strictly confidential information must not be sent by email, unless it is encrypted according to authorized standards.

3.9 Internet

  • 2innovateIT employees can be provided with Internet access to assist them in the development of their work.
  • The use of the Internet must be specifically focused on the tasks that the user develops within the Company, personal use is allowed within reasonable limits and provided that the sites accessed are not illegal or inappropriate for a well-controlled work environment (for example, : sites related to pornography, gambling, drugs, others).
  • The use of the Internet must not be used to violate intellectual property rights or any computer system or networks.
  • Access to resources other than Internet pages is reserved for authorized users.
  • Downloading electronic files from the Internet is not permitted, unless it is a necessary part of the User’s job.

3.10 File Transfer

  • Sensitive information must not be sent through any file transfer mechanism, unless it is encrypted in accordance with 2innovateIT standards.

3.11 Remote Access

  • The access made by 2innovateIT personnel to the Company’s resources outside the internal network must be made through the secure Remote Access mechanism such as VPN or dedicated links.

3.12 Start-up

  • The software must be put into production in a controlled manner. All systems in production must have versioning and their respective change control.
  • The key tasks and responsibilities in the production environment must be segregated to guarantee the proper opposition of interests and minimize the abuse of privileged functions.
  • The effectiveness of the security mechanisms designed into the systems must be controlled through formal security testing, before they are put into production, and verified regularly.
  • All third party software must be obtained from reliable sources and must be used strictly in accordance with the terms of the license. The software’s intellectual property right must be respected and observed in all cases.

3.13 Software Development

  • The development and maintenance of the software used in 2innovateIT must follow the security standards defined by the Company.
  • The security design and requirements must be compatible and integrated with the existing security design for 2innovateIT networks and systems.
  • The development, test and production environments must be segregated.
  • Any such access must be granted in exceptional circumstances, be temporary, justified and recorded.
  • Employees involved in software development must be trained in the security aspects of system evaluation, installation, and maintenance.

3.14 Network Connectivity

  • 2innovateIT networks must be protected against unauthorized access.
  • All 2innovateIT networks must be classified as reliable and unreliable according to the level of security they have.
  • All communications between internal and external networks (for example: Internet) or between network areas with variable security classification, must be safeguarded through security devices.
  • Appropriate security mechanisms must be applied at the point of connection when connecting to a third-party network, a public network, or an untrusted internal network segment.

3.15 Incident Response

  • The company acts in situations or events where the systems have been compromised or could be compromised. This has the ability to detect intrusions, perform tracking and identification tasks and forensic analysis of the computer systems where the incidents have occurred.

3.16 Processing Continuity

  • The company performs risk management that threatens the continuity of the processing of critical information for the operation of the business and consequently implements preventive controls and recovery plans to reduce them to acceptable levels.

3.17 Use of Critical Technology

  • For the use of Critical Technology, the following aspects must be taken into account:
    • All assets must be inventoried and accepted/approved by the institution.
    • You must have secure authentication for the use of critical technology.
    • It must have a person in charge in case there is any need for treatment or use of the asset.
    • Activation of remote access technologies for suppliers and business partners should be done only when necessary, with immediate deactivation after use.
    • No unauthorized removable media should be used. These may contain malicious software that could affect the company’s security.

3.18 Supplier Policy

  • Vendors entering company assets must comply with at least the following security policies:
    • Have a confidentiality agreement or confidentiality clause in the contract.
    • Comply with the security policies that apply to them.
    • Be certified in accordance with the safety standards or regulations that apply to them or accept reviews/audits if necessary.
    • Responsibility to report any security incident.
    • Responsibility in case of reputational or patrimonial damage to the institution due to fraud or negligence of their assigned personnel.
    • Provide security training to employees assigned to the institution.