Information Security (ISP) Policy

Last updated on 18/02/2026 at 18:24

INFORMATION SECURITY POLICY (ISP) - GOATCOM

1. Introduction and Objective

1.1. This Information Security Policy (ISP) of Goatcom establishes the guidelines, rules, and security standards to be followed by all employees, service providers, and partners. As a sub-acquirer, Goatcom operates under strict regulations, aiming for compliance with BCB Resolution No. 85/2021.

1.2. The main objective of this ISP is to safeguard information assets, ensuring the Confidentiality, Integrity, and Availability (CIA) of data and systems. Adherence to this policy is essential to protect the company's reputation, mitigate financial risks, and maintain trust in the payment ecosystem.

2. Scope and Applicability

2.1. This Policy covers all Goatcom information assets, including:

  • Information Systems: Payment processing platforms, CRM, financial systems, and fraud monitoring systems.
  • Data: Customer information (personal and transactional), card data (in compliance with PCI-DSS), and strategic data.
  • Technological Infrastructure: Servers, network equipment, mobile devices, and cloud infrastructure.
  • Human Resources: All employees, directors, service providers, and business partners.

3. Governance and Responsibilities

3.1. Roles and Responsibilities

  • Executive Board: Formal approval of the ISP, resource allocation, and promotion of a security culture.
  • Director of Cybersecurity: Leads the implementation of the ISP, manages risks, and acts as the focal point with the Central Bank (BACEN).
  • Security Committee: Reviews ISP updates, deliberates on serious incidents, and evaluates new technologies.
  • Collaborators: Comply with ISP guidelines, protect assets, and report incidents immediately.

3.2. Information Security Risk Management

3.2.1. Goatcom adopts a proactive approach that includes continuous threat identification, impact analysis, risk treatment, and monitoring of the effectiveness of implemented controls.

4. Information Classification

4.1. Goatcom adopts a four-level classification system to ensure adequate protection according to data sensitivity:

  • Level 1 - Public: Disclosure without restrictions. Examples: marketing material, press releases.
  • Level 2 - Internal: Exclusive use by collaborators. Examples: procedure manuals, corporate emails.
  • Level 3 - Confidential: Disclosure may cause significant damage. Examples: business strategies, contracts with partners.
  • Level 4 - Restricted: Highest sensitivity (Bank Secrecy/LGPD). Examples: customer data, card data, cryptographic keys.

5. Access Control and Identity

5.1. Access control is based on the principles of Least Privilege and Need to Know. Each user has a unique identity, and credential sharing is strictly prohibited.

5.2. Security Requirements:

  • Strong Passwords: Minimum of 12 characters, mandatory complexity, and change every 90 days.
  • MFA (Multi-Factor Authentication): Compulsory for remote access (VPN), administration consoles, and critical systems.
  • Segregation of Duties (SoD): Responsibilities divided to prevent a single individual from controlling critical processes.
  • Access Revocation: In case of termination, access is removed within 2 hours.

6. Security in Payment Methods and PCI-DSS

6.1. Goatcom strictly adheres to PCI-DSS requirements. It implements tokenization and PAN masking, and strictly prohibits the storage of sensitive authentication data (CVV/CVC) after authorization.

6.2. Compliance includes quarterly vulnerability scans (ASV), annual penetration tests, and periodic audits by QSAs.

7. Secure Software Development (DevSecOps)

7.1. Security is integrated into all phases of the software development life cycle (SDLC). This includes static code analysis (SAST), dynamic testing (DAST), and third-party component analysis (SCA).

7.2. Critical vulnerabilities must be fixed within 48 hours. Development, Staging, and Production environments are strictly segregated.

8. Incident Management and Threat Response

8.1. Systems are monitored 24/7 through SIEM and IDS/IPS. All security logs are retained for at least 5 years.

8.2. The Incident Response Plan (IRP) covers the phases of Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Relevant incidents are reported to the Central Bank of Brazil in accordance with BCB Resolution No. 85.

9. Business Continuity and Disaster Recovery

9.1. Daily backups are stored in geographically distinct locations, with restoration tests performed semi-annually. The Disaster Recovery Plan (DRP) defines Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).

10. Third-Party Management and Cloud Computing

10.1. Critical suppliers undergo security due diligence and must meet contractual requirements for regulatory compliance, audit rights, and incident notification.

11. Awareness and Training

11.1. Mandatory annual training and regular awareness campaigns (including phishing simulations) are conducted to foster a robust security culture.

12. Physical and Environmental Security

12.1. Access to restricted areas is controlled via biometrics, 24/7 CCTV monitoring, and "Clean Desk and Clean Screen" policies. Media disposal is performed securely and irreversibly.

13. Audit and Compliance

13.1. Annual internal audits are conducted, and the company submits to external regulatory audits (BACEN) and certification audits (PCI-DSS). The ISP is reviewed annually or in response to significant changes in the threat landscape.

14. Final Provisions

14.1. Non-compliance with this Policy will subject the violator to disciplinary measures, contract termination, and possible civil and criminal liabilities. This Policy enters into force on the date of its approval by the Goatcom Executive Board on January 14, 2026 (Version 1.0).

14.2. GOAT COMMERCE LTDA - CNPJ: 60.126.754/0001-14