CF
ClikFlow
Sign In Get Started
SaaS B2B · Sensitive Data

Information Security Policy

Last updated: May 21, 2026 Version 1.0 Classification: Public

This policy defines the principles, responsibilities, and controls that ClikFlow adopts to protect the confidentiality, integrity, and availability of customer and company information. It is based on the controls of ISO/IEC 27001:2022 and the LGPD (Law 13,709/2018).

1 Scope and objectives

This policy applies to:

  • All infrastructure, systems, and source code of the ClikFlow platform;
  • Customer and user data processed by the platform;
  • All employees, contractors, and partners with access to ClikFlow systems or data.

Core objectives:

  • Protect Customer Data against unauthorised access, disclosure, and modification;
  • Ensure service availability in accordance with service-level agreements;
  • Comply with LGPD, the Brazilian Internet Act, and all other applicable regulations;
  • Proactively and continuously manage security risks.
2 Responsibilities
RoleResponsibilities
Board / CEO Policy approval; resource allocation; strategic risk management
CISO / Security Lead Implement and monitor controls; conduct periodic reviews; incident response
DPO (LGPD Officer) Interface with ANPD; handling data subject requests; LGPD compliance oversight
Engineering team Secure development (SDL); code review; vulnerability management
All staff Follow this policy; report incidents; complete mandatory training
3 Access control
  • Least-privilege principle: each employee and system receives only the access necessary for their role.
  • RBAC (Role-Based Access Control): access profiles defined by function — Administrator, Analyst, Read-Only.
  • MFA mandatory for all access to production infrastructure and administrative panels.
  • Semi-annual access reviews and immediate revocation upon end of employment.
  • Zero-trust: no internal access is implicitly trusted; all communication is authenticated and authorised.
  • System passwords meet minimum complexity requirements and are never stored in plaintext.
4 Encryption
  • In transit: TLS 1.2+ mandatory for all external connections; certificates renewed automatically.
  • At rest: customer data encrypted with AES-256 at the cloud provider level.
  • Passwords: stored as bcrypt hashes (cost factor ≥ 12).
  • Encryption keys: managed via the cloud provider's KMS with annual rotation.
  • API tokens: generated with sufficient entropy (256-bit); never logged.
5 Secure development (SDL)
  • Mandatory peer code review before every merge to production;
  • Static security analysis (SAST) integrated into the CI/CD pipeline;
  • Dependency scanning (SCA) for known vulnerabilities (CVEs);
  • Annual external penetration test conducted by a specialist third party;
  • Responsible disclosure policy for security researchers;
  • Production data is never used in development or test environments.
6 Vulnerability management
SeverityRemediation SLANotification
Critical (CVSS ≥ 9.0)24 hoursImmediate to board and CISO
High (CVSS 7.0–8.9)72 hoursWithin 4 hours
Medium (CVSS 4.0–6.9)30 daysNext weekly report
Low (CVSS < 4.0)90 daysNext monthly report
7 Incident response

Our incident response process follows four phases:

  1. Detection and containment — immediate identification and scoping of the incident.
  2. Analysis and eradication — root-cause investigation and removal of the threat.
  3. Recovery — restoration of services from verified backups.
  4. Lessons learned — post-incident report and control improvements.

For incidents involving personal data:

  • Affected customers are notified within 72 hours of incident confirmation;
  • The ANPD is notified within the statutory timeframes (LGPD art. 48);
  • An incident register is maintained internally for at least 5 years.
8 Business continuity and backup
  • Automated daily backups of production data with a 30-day retention period;
  • Backups stored in a different geographic region from production (geo-redundancy);
  • Quarterly restoration tests;
  • RTO (Recovery Time Objective): 4 hours; RPO (Recovery Point Objective): 24 hours for critical data.
9 Vendor and sub-processor management

All vendors and sub-processors with access to ClikFlow or customer data must:

  • Sign a confidentiality agreement (NDA) and/or DPA before the relationship begins;
  • Demonstrate equivalent security compliance (ISO 27001, SOC 2, or equivalent);
  • Be assessed annually for security and privacy risks.

The list of approved sub-processors is maintained and available upon request.

10 Monitoring and audit
  • Access and critical-activity logs retained for a minimum of 6 months;
  • Continuous anomaly monitoring via SIEM;
  • Internal semi-annual compliance review against this policy;
  • Annual external security audit;
  • Enterprise plan customers may request compliance reports (SOC 2 Type II or equivalent).
11 Awareness and training
  • Mandatory security training for all new employees (onboarding);
  • Annual refresher training on security and privacy;
  • Periodic phishing and social-engineering simulations;
  • Secure channel for reporting suspected incidents.
12 Security contact

To report vulnerabilities or security incidents:

Security security@clikflow.com
PGP key Available on request

For critical incidents, we respond within 4 hours on business days.

Contents
  1. Scope and objectives
  2. Responsibilities
  3. Access control
  4. Encryption
  5. Secure development
  6. Vulnerability management
  7. Incident response
  8. Continuity and backup
  9. Vendor management
  10. Monitoring
  11. Training
  12. Security contact
CF
ClikFlow
© 2026 ClikFlow. All rights reserved.
Privacy Policy Cookie Policy Terms of Use Information Security DPA Data Subject Portal