Global Privacy Policy and Protection of Personal Data from Brandvakt

1. Introduction

Brandvakt is a global information security consultancy and cybersecurity, committed to the highest standards of privacy and data protection
personal data. This Policy aims to establish unified and comprehensive guidelines on how we collect, use, store, share and protect data
personal data, in accordance with the legal and regulatory frameworks applicable in the countries where we operate.

2. Scope and Applicability

This Policy applies to all Brandvakt units, employees, partners,
customers, suppliers and third parties acting on behalf of the company, in the countries where
we operate directly or indirectly, including:
• European Union (GDPR – General Data Protection Regulation);
• Brazil (LGPD – General Data Protection Law);
• South Africa (POPIA – Protection of Personal Information Act);
• Angola (Law no. 22/11 – Personal Data Protection Law);
• Nigeria (NDPR – Nigeria Data Protection Regulation);
• Middle Eastern countries (such as UAE – UAE Data Protection Law);
• Rules and recommendations from OECD, APEC, ISO/IEC 27701, among others.

3. Important Definitions

• Personal Data: Any information related to a natural person
identified or identifiable.
• Sensitive Data: Data about race, ethnicity, religion, political opinions, health,
biometrics, among others.
• Processing: Any operation carried out with personal data, such as collection, use,
archiving, deletion, etc.
• Data Holder: Natural person to whom the data refers.
Global Privacy and Personal Data Protection Policy – Brandvakt |
www.brandvakt.com | Last updated: April 17, 2025
• Controller: Entity that decides on the processing of data.
• Operator/Subcontractor: Who carries out the processing on behalf of the controller.
• International Transfer: Moving personal data out of the country
origin of the holder.

4. Principles of Personal Data Processing

Brandvakt adopts the following principles, common to global legislation:
• Lawfulness, Loyalty and Transparency
• Specific Purpose
• Data Minimization
• Accuracy and Update
• Security and Confidentiality
• Responsibility and Accountability
• Free, Specific, Informed and Unambiguous Consent (when
necessary)

5. Legal Basis for Treatment

We use different legal bases, as applicable:
• Execution of contract or pre-contractual measures;
• Compliance with legal or regulatory obligations;
• Legitimate interest, as long as the rights of the holder are respected;
• Consent of the holder, when required;
• Regular exercise of rights in judicial, administrative or arbitration proceedings;
• Protection of the life or physical integrity of the holder or third parties.

6. Collection of Personal Data

We collect data directly (forms, contracts, emails) or indirectly (cookies,
traffic analysis, third party systems). Examples:
• Full name, position, telephone number, email;
• Authentication data (login, IP, geolocation);
• Contractual, financial and tax information;
Global Privacy and Personal Data Protection Policy – Brandvakt |
www.brandvakt.com | Last updated: April 17, 2025
• Professional and academic data;
• Sensitive data, when strictly necessary (e.g. for recruitment or
accessibility).

7. Purposes of Treatment

Personal data is used to:
• Provision of specialized cybersecurity and consultancy services;
• Relationship with customers, partners and users;
• Human resources and payroll management;
• Marketing activities, subject to consent;
• Compliance with legal obligations and audits;
• Protection of Brandvakt systems and networks.

8. Data Sharing

Brandvakt may share data with:
• Commercial partners and contracted service providers;
• Government authorities, subject to legal obligation;
• Companies from the same economic group;
• Technological platforms used in operations;
• Third parties authorized with the owner’s consent.
All contracts with third parties provide for specific privacy and
security.

9. International Data Transfer

When necessary, we transfer personal data between countries, adopting safeguards
as:
• Standard contractual clauses (Standard Contractual Clauses – SCCs);
• Assessment of jurisdictional risks;
• Certification mechanisms and equivalent level of protection agreements;
• Explicit consent of the holder (when required by local legislation).
Global Privacy and Personal Data Protection Policy – Brandvakt |
www.brandvakt.com | Last updated: April 17, 2025

10. Data Subject Rights

Brandvakt ensures the rights of holders, such as:
• Confirmation of the existence of treatment;
• Access to processed data;
• Correction of inaccurate or incomplete data;
• Data portability;
• Anonymization, blocking or deletion;
• Information about shares;
• Opposition to treatment;
• Revocation of consent;
• Recovery to data protection authorities.
Transmissions can be made in accordance with section 14 (DPO Channel).

11. Security and Governance Measures

We have adopted a robust Privacy and Security Governance program
Information, based on ISO/IEC 27001 and 27701 standards, including:
• Data encryption and pseudonymization;
• Access based on least privilege;
• Monitoring and responding to incidents;
• Continuous awareness training;
• Internal security and privacy policies;
• Data Protection Impact Assessments (DPIA);
• Internal and external audits.

12. Responsibility and Compliance

Brandvakt maintains a Privacy Compliance Program with:
• Formal designation of Data Officer (DPO);
• Privacy and Information Security Committee;
• Periodic reports to senior management;
• Active relationship with regulatory authorities and holders.
Global Privacy and Personal Data Protection Policy – Brandvakt |
www.brandvakt.com | Last updated: April 17, 2025

13. Data Retention and Deletion

We store personal data for as long as necessary to fulfill the purpose of the
treatment, or as required by local laws and regulations. After the deadline, the data is
securely deleted or anonymized, as applicable.

14. DPO (Data Protection Officer) Contact

To exercise your rights or clarify doubts about this Policy or the treatment of
your personal data, please contact our Data Protection Officer:

Name: Josean Siqueira Santos
Position: Data Protection Officer (DPO) – Brandvakt
Email: dpo@brandvakt.com
Address: Av. Brig. Faria Lima, 3729 – 4th floor – Itaim Bibi, São Paulo – SP, 04538-905,
Brazil
Website: www.brandvakt.com/privacidade

15. Policy Updates

This Policy may be updated at any time to reflect changes in
legislation or in Brandvakt’s internal processes. We recommend periodic review
of your content.
Last updated: April 17, 2025.