Information Security Policy

Get to know the practices and controls that protect your company's information at Linkana.

Last updated: 12/3/25

Linkana is committed to protecting the security, confidentiality, and integrity of the information entrusted to us. This Public Information Security Policy provides an accessible overview of how we safeguard customer, partner, and employee data across our systems and operations.

This document reflects the principles and controls defined in Linkana’s internal Information Security Policy, which follows international standards such as ISO 27001 and ISO 27017, as well as industry security best practices.


1. Security Commitment

Linkana maintains a comprehensive Information Security Management System (ISMS) supported by company leadership and aligned with our strategic objectives.

Our mission is to ensure that all information processed by Linkana—whether internal or belonging to customers or partners—is protected against unauthorized access, misuse, loss, alteration, or destruction.


2. Scope of Protection

Our security practices apply to:

  • information processed by Linkana systems;

  • infrastructure, applications, networks, and cloud environments used in our operations;

  • company-owned devices and authorized personal devices used to access Linkana systems;

  • third parties and service providers who process information on our behalf.

Security controls extend to both on-premises and cloud environments, following a shared responsibility model.


3. Cloud Infrastructure and Key Providers

Linkana operates primarily in secure cloud environments provided by industry-leading vendors, including:

  • Heroku (AWS) – for application hosting and runtime management;

  • CrunchyData (Crunchy Bridge PostgreSQL) – fully managed database with continuous backups, PITR, and monitoring;

  • Google Cloud (Workspace) – document storage, productivity, and collaboration tools.

All providers maintain robust security certifications such as ISO/IEC 27001, ISO/IEC 27017, SOC 2, and GDPR-aligned controls. Linkana regularly reviews provider compliance and contractual security requirements.


4. Data Protection & Security Controls

To protect information at every stage, Linkana maintains a strong set of technical and organizational controls, including:

  • Encryption of data at rest and in transit;

  • Least-privilege access controls and role-based permissions;

  • Multi-factor authentication (MFA) on critical systems;

  • Continuous monitoring, security logging, and incident detection;

  • Secure software development practices aligned with OWASP and ISO;

  • Malware protection, antivirus, and firewalls;

  • Risk assessments and management of security vulnerabilities;

  • Continuous backups and disaster recovery capabilities;

  • Compliance with privacy laws, including LGPD, GDPR, CCPA/CPRA, and others.


5. Device Security & Remote Access

All devices used to access Linkana systems—whether corporate or BYOD—must comply with security requirements such as:

  • strong passwords or biometric authentication;

  • automatic screen lock after inactivity;

  • prohibition of account sharing;

  • updated antivirus and security patches;

  • use of a VPN or equivalent protections on public networks.

Linkana enforces a Clear Desk & Clear Screen approach to reduce exposure of sensitive information in offices or shared environments.


6. Cloud Security Responsibilities

As a Cloud Service Customer, Linkana follows the ISO 27017 framework, ensuring:

  • secure configuration of cloud environments;

  • strong access and identity management;

  • protection against misconfigurations and vulnerabilities;

  • continuous monitoring of provider compliance.

Cloud infrastructure providers secure the underlying platform, while Linkana secures its application layer, data, and configurations.


7. Security Incident Management

Linkana maintains a Security Incident Response Process designed to:

  • quickly identify and assess security events;

  • contain and mitigate potential impacts;

  • notify affected clients and authorities when required by law or contract;

  • document and investigate root causes to prevent recurrence.

All employees and contractors must promptly report any suspected incident, vulnerability, or policy violation.


8. Data Privacy & Regulatory Compliance

Linkana processes personal data in accordance with global privacy regulations, including:

  • LGPD (Brazil)

  • GDPR / UK GDPR (EU & UK)

  • CCPA/CPRA (California)

  • Other applicable international privacy laws

Our Privacy Policy explains:

  • what personal data we collect;

  • how we use and share data;

  • legal bases for processing;

  • data retention and international transfers;

  • rights of data subjects and how to exercise them;

  • DPO contact information.


9. Employee Training & Awareness

To maintain a strong security culture, Linkana provides employees with ongoing training on:

  • information security best practices;

  • secure use of systems and data;

  • privacy obligations;

  • phishing and social engineering risks;

  • incident reporting responsibility.


10. Third-Party & Supplier Security

Before engaging with third parties that may process data or access systems, Linkana:

  • conducts security and compliance evaluations;

  • ensures that contracts include clauses on confidentiality, privacy, and incident notification;

  • monitors ongoing compliance and service delivery expectations.


11. Audits, Monitoring & Continuous Improvement

Linkana performs:

  • regular internal monitoring;

  • independent audits (internal and external);

  • reviews of risks and controls;

  • periodic updates to policies and procedures.

Our internal Information Security Policy is reviewed at least annually.


12. Reporting Security Issues

If you identify or suspect any vulnerability, misuse, or security concern involving Linkana systems or data, please notify us immediately: