INFORMATION SECURITY AND PRIVACY POLICY
1. OBJECTIVE
CARE establishes this Information Security and Privacy Policy (PSIP) as an integral part of its
corporate management system, aligned with good market practice, internationally accepted standards
and the relevant Brazilian legislation, with the aim of guaranteeing adequate levels of protection for
the information and personal data processed by the organization, its customers and its employees that
are under its responsibility.
2. PURPOSE
This policy aims to:
• Establish Information Security and Privacy guidelines and standards that enable CARE
employees to adopt safe standards of behaviour;
• Provide guidance on the adoption of controls and processes to meet Information Security
and Personal Data Privacy requirements;
• Safeguard CARE's information, ensuring the basic requirements of confidentiality,
integrity and availability;
• Prevent incidents and legal liability involving the institution, its employees,
customers, suppliers and partners;
• Minimize the risk of financial loss, loss of market share, loss of customer confidence or other
negative impacts on CARE's business as a result of security breaches.
3. POLICY
This policy applies to all CARE employees, suppliers and partners who have access
to CARE's information and personal data and/or make use of the computing resources that form part of
its internal infrastructure.
3.1. It is CARE's Policy to:
• Develop, implement and fully comply with information security policies, standards and
procedures, ensuring that the basic requirements of confidentiality, integrity and
availability of the information and personal data processed at CARE are met through
the adoption of controls against threats from both external and internal sources;
• Make security policies, standards and procedures available to all interested and
authorized parties, such as employees, contracted third parties, suppliers and, where
relevant, customers;
• Provide education and awareness of the information security and data privacy practices
adopted by CARE to employees, contracted third parties, suppliers and, where relevant,
customers;
• Fully meet the information security and personal data privacy requirements that are
applicable or that are required by regulations, laws and/or contractual clauses;
• Fully handle information security and personal data privacy incidents, ensuring that
they are properly recorded, classified, investigated, corrected and documented and, where
necessary, communicated to the appropriate authorities;
• Ensure business continuity through the adoption, deployment, testing and continuous
improvement of business continuity and disaster recovery plans;
• Continuously improve Information Security and Privacy Management through the
definition and systematic review of security objectives at all levels of the organization.
4. ROLES AND RESPONSIBILITIES
4.1. Information Security Management Committee – CGSI
The Information Security Management Committee (CGSI) is hereby established, with the participation of
at least one Technology Director, one Information Technology Manager and at least two
members with knowledge of information technology, covering both infrastructure support and
systems.
4.2. It is the responsibility of the CGSI to:
• Analyze, review and propose for approval information security policies and
standards;
• Ensure the availability of the resources necessary for effective Information Security
Management;
• Ensure that information security and data privacy activities are carried out in
accordance with the PSIP;
• Promote the dissemination of the PSIP and take the actions necessary to spread a
culture of information security and personal data privacy within the CARE
environment.
5. PRINCIPLES OF USE OF AI
All AI solutions must be designed and implemented with robust security mechanisms to protect
data against unauthorized access, leaks, improper modification and other types of cyberattack.
AI models must be trained and validated in a way that minimizes risks to the integrity and
confidentiality of information.
The use of AI must comply with current data protection legislation, such as the Brazilian General
Data Protection Law (LGPD) and the EU General Data Protection Regulation (GDPR), where
applicable. The processing of personal data by AI must be carried out transparently, ensuring
appropriate consent from data subjects whenever it is required.
6. CLASSIFICATION AND TREATMENT OF INCIDENTS
Every information security incident must be classified according to its criticality and impact
and handled in accordance with the established procedures. Critical incidents must be reported
to the CGSI immediately, and containment and mitigation actions must be started without delay.
7. SANCTIONS AND PUNISHMENTS
Violations of this policy or of other security standards, including violations by omission, will be
subject to penalties ranging from a verbal warning to dismissal for just cause for CLT employees,
and to immediate termination of contract for third parties or suppliers. The CGSI is responsible for
analyzing each infraction and deciding on the applicable penalty.
Sanctions and penalties will be applied according to the analysis of the Information Security
Management Committee, taking into account the severity of the infraction, its effect and any
recurrence; when a serious offense is identified, the CGSI may pass the details of the infraction
to the offender's immediate Manager, who will apply the penalty.
In the case of third-party contractors or service providers, the CGSI must analyze the occurrence and
decide on the application of sanctions and penalties in accordance with the terms set out in the contract.
In the case of violations that involve illegal activities, or that cause or may cause damage to the
Organization, the offender will be held liable for the damages and subject to the appropriate
legal measures.
8. OMISSIONS
Cases not covered by this policy will be evaluated by the Information Security Management Committee
for subsequent deliberation.
The guidelines established in this policy and in the other security standards and procedures are not
exhaustive, given continuous technological evolution and the constant emergence of new threats. They
therefore do not constitute an enumerative list, and it is the obligation of every user of CARE information
to adopt, whenever possible, other security measures in addition to those provided here, with the aim of
guaranteeing the protection of information and personal data.