This policy defines the principles, responsibilities, and controls that ClikFlow adopts to protect the confidentiality, integrity, and availability of customer and company information. It is based on the controls of ISO/IEC 27001:2022 and the LGPD (Law 13,709/2018).
1 Scope and objectives
This policy applies to:
- All infrastructure, systems, and source code of the ClikFlow platform;
- Customer and user data processed by the platform;
- All employees, contractors, and partners with access to ClikFlow systems or data.
Core objectives:
- Protect Customer Data against unauthorised access, disclosure, and modification;
- Ensure service availability in accordance with service-level agreements;
- Comply with LGPD, the Brazilian Internet Act, and all other applicable regulations;
- Proactively and continuously manage security risks.
2 Responsibilities
| Role | Responsibilities |
| Board / CEO |
Policy approval; resource allocation; strategic risk management |
| CISO / Security Lead |
Implement and monitor controls; conduct periodic reviews; incident response |
| DPO (LGPD Officer) |
Interface with ANPD; handling data subject requests; LGPD compliance oversight |
| Engineering team |
Secure development (SDL); code review; vulnerability management |
| All staff |
Follow this policy; report incidents; complete mandatory training |
3 Access control
- Least-privilege principle: each employee and system receives only the access necessary for their role.
- RBAC (Role-Based Access Control): access profiles defined by function — Administrator, Analyst, Read-Only.
- MFA mandatory for all access to production infrastructure and administrative panels.
- Semi-annual access reviews and immediate revocation upon end of employment.
- Zero-trust: no internal access is implicitly trusted; all communication is authenticated and authorised.
- System passwords meet minimum complexity requirements and are never stored in plaintext.
4 Encryption
- In transit: TLS 1.2+ mandatory for all external connections; certificates renewed automatically.
- At rest: customer data encrypted with AES-256 at the cloud provider level.
- Passwords: stored as bcrypt hashes (cost factor ≥ 12).
- Encryption keys: managed via the cloud provider's KMS with annual rotation.
- API tokens: generated with sufficient entropy (256-bit); never logged.
5 Secure development (SDL)
- Mandatory peer code review before every merge to production;
- Static security analysis (SAST) integrated into the CI/CD pipeline;
- Dependency scanning (SCA) for known vulnerabilities (CVEs);
- Annual external penetration test conducted by a specialist third party;
- Responsible disclosure policy for security researchers;
- Production data is never used in development or test environments.
6 Vulnerability management
| Severity | Remediation SLA | Notification |
| Critical (CVSS ≥ 9.0) | 24 hours | Immediate to board and CISO |
| High (CVSS 7.0–8.9) | 72 hours | Within 4 hours |
| Medium (CVSS 4.0–6.9) | 30 days | Next weekly report |
| Low (CVSS < 4.0) | 90 days | Next monthly report |
7 Incident response
Our incident response process follows four phases:
- Detection and containment — immediate identification and scoping of the incident.
- Analysis and eradication — root-cause investigation and removal of the threat.
- Recovery — restoration of services from verified backups.
- Lessons learned — post-incident report and control improvements.
For incidents involving personal data:
- Affected customers are notified within 72 hours of incident confirmation;
- The ANPD is notified within the statutory timeframes (LGPD art. 48);
- An incident register is maintained internally for at least 5 years.
8 Business continuity and backup
- Automated daily backups of production data with a 30-day retention period;
- Backups stored in a different geographic region from production (geo-redundancy);
- Quarterly restoration tests;
- RTO (Recovery Time Objective): 4 hours; RPO (Recovery Point Objective): 24 hours for critical data.
9 Vendor and sub-processor management
All vendors and sub-processors with access to ClikFlow or customer data must:
- Sign a confidentiality agreement (NDA) and/or DPA before the relationship begins;
- Demonstrate equivalent security compliance (ISO 27001, SOC 2, or equivalent);
- Be assessed annually for security and privacy risks.
The list of approved sub-processors is maintained and available upon request.
10 Monitoring and audit
- Access and critical-activity logs retained for a minimum of 6 months;
- Continuous anomaly monitoring via SIEM;
- Internal semi-annual compliance review against this policy;
- Annual external security audit;
- Enterprise plan customers may request compliance reports (SOC 2 Type II or equivalent).
11 Awareness and training
- Mandatory security training for all new employees (onboarding);
- Annual refresher training on security and privacy;
- Periodic phishing and social-engineering simulations;
- Secure channel for reporting suspected incidents.
12 Security contact
To report vulnerabilities or security incidents:
For critical incidents, we respond within 4 hours on business days.