1. introduction

Sofist is committed to protecting your personal data and complying with the requirements of the Brazilian General Data Protection Law (Law No. 13,709/18). This privacy policy describes how and why we collect and use personal data and how data subjects exercise their rights. Sofist processes your Personal Data to fulfill its corporate obligations and for various purposes. The means of collection, legal basis for processing, use, disclosure and retention for each purpose may differ.

‍1.2. This is the privacy and data protection policy of Sofist Qualidade de Software S.A., CNPJ No. 08.401.346/0001-03, with address at Avenida Orosimbo Maia, 360, Sala 509, Campinas/SP, CEP 13010-211. In this document, when we refer to "Sofist", "we" or "our", we are referring to this company described above

‍1.3. When we use the expressions "you" or "your", we are referring to you, the owner of the Personal Data: (i) clients and/or potential clients; (ii) visitors; (iii) third parties in general who contact the company through its service channels or at its physical office.

1.4 Personal Data is any information relating to an identified or identifiable person and which requires protection under the General Data Protection Act (LGPD).

2Purpose‍

2.1 This policy describes why and how we collect and use your Personal Data and provides information about the rights of data subjects.

2.2 To learn more about our specific processing activities, please read this policy carefully.

3.Target audience‍

3.1 This privacy policy is aimed at data subjects, whether they are our clients, the public or third parties in general.

4.Personal data collected‍

4.1. Below, we set out the Personal Data we use, as well as the purposes for which it is collected:

4.2. The Personal Data we use and the purposes for which it is collected are set out below:

‍Personal data processed

Name and surname
E-mail
Telephone
Occupation/position/role
Country
Company

Purposes of collection

Providing information technology consultancy services, among other services we provide for our clients, preparing reports, analyses and other documents related to our activities;
Creating opportunities to present our solutions to our clients and potential clients;
Sending invitations, publications and various communications;
Providing support to users.

5.How personal data is collected‍

5.1 . Personal Data is collected in the following ways:

5.1.1 Personal Data provided by the data subject - we collect Personal Data necessary to initiate and maintain a commercial and/or contractual relationship with the data subject via an electronic channel for inclusion in electronic systems maintained by Sofist or partners.

‍5.1.2 Personal Data provided by third parties - we also process Personal Data provided by third parties. For example, data received from our legal entity customers regarding users of their digital products, employees, etc.

5.2 We do not knowingly collect, store or otherwise process personal data that is excessive or unnecessary to provide our services. Accordingly, we ask you to refrain from sharing sensitive personal data with us, such as those relating to your racial or ethnic origin, religious conviction, political opinion, membership of a trade union or religious, philosophical or political organization, health or sex life, as well as genetic data.

6.Purpose of personal data‍

6.1 Sofist acts as an operator to carry out our clients' data processing activities.

6.2 All Personal Data collected is used to provide or supply services. The privacy of the data subject is respected. Therefore, all Personal Data and information is treated as confidential and used only for the purposes described herein.

6.3. Personal Data is processed on the following legal bases (the "Legal Bases"):
‍
‍Consent - we use consent to legitimize the processing of Personal Data in processes that the data subject may choose to carry out or not.
Compliance with legal or regulatory obligation - we use this legal basis to meet legal requirements, such as complying with certain procedures determined by law - for example, in money laundering or anti-corruption measures.
Regular exercise of rights - we use the regular exercise of rights in judicial, administrative or arbitration proceedings - for example, in judicial or administrative defenses in proceedings to which we are a party.
Enforcement of contracts - we use the legal basis of enforcement of contracts for proceedings related to the provision of services.
Legitimate interest - we use legitimate interest to support services that are of interest to our clients, for example, consulting services related to information technology.

7.Personal data retention period‍

7.1 . Personal Data will be kept for the period necessary to achieve the purposes defined at the time of collection. After the termination of this relationship, they will be kept for as long as necessary to comply with legal obligations and exercise your rights, including for the purposes of auditing our activities.

7.2. Once the purpose of processing the Personal Data has been fulfilled, the information will be disposed of securely, with the exception of the hypotheses legally provided for in article 16 of the Brazilian General Data Protection Law (LGPD), namely:

I - compliance with a legal or regulatory obligation by the controller;
II - study by a research body, guaranteeing, whenever possible, the anonymization of personal data;
III - transfer to a third party, provided that the data processing requirements set out in this Law are complied with; or
IV - exclusive use by the controller, with no access by third parties, and provided that the data is anonymized.

In other words, personal information about you that is essential for complying with legal, judicial and administrative orders and/or for exercising the right of defense in judicial and administrative proceedings will be kept, despite the deletion of other data. 

8.Sharing data with third parties in Brazil and abroad‍

8.1. We will only share your personal data with third parties when we can do so under the law or the contract we have entered into. When we share your data with third parties, we take contractually established security measures so that personal data protection mechanisms appropriate to the law and accepted by us are in place.

8.2. We may use third parties located in other countries to perform some services provided by us. As a result, some personal data may be transferred outside the country. We take care to ensure that all personal data shared with agents abroad is adequately protected and in accordance with standards similar to those we have adopted.

8.3 . Personal data may be transferred in the following cases:

Legal determination, request, requisition or court order, with competent judicial, administrative or governmental authorities.
In the event of corporate changes, such as mergers, acquisitions and incorporations, automatically.
Protection of Sofist's rights in any type of conflict, including those of a judicial nature.

8.4. If you have any questions about how we share data, please contact our data protection team at privacy@sofist.co.

9.Measures for the security of personal data‍

9.1 Sofist has an Information Security Policy that is updated in line with the best information security practices.

9.2 Main measures adopted by Sofist for the protection of your Personal Data:

Confidentiality: All Sofist employees are subject to total confidentiality. Any third parties hired must sign a confidentiality agreement if this is not part of the main agreement between the parties.
Transparency: Sofist always keeps users informed of changes in the procedures for processing Personal Data aimed at protecting privacy and data security, including establishing appropriate practices and policies. The data subject may, at any time, request information on where and how Personal Data is stored, protected and used.
‍Isolation: All access to Personal Data is blocked by default, using a zero privilege policy. Access to Personal Data is restricted to individually authorized personnel. The area responsible for the data grants authorizations when proven necessary and keeps a record of authorizations granted. Authorized personnel receive minimal access to the database and systems, at the level strictly necessary to carry out their activities.
‍Personal Data Subject Rights: Sofist makes it possible for data subjects to exercise their rights through an accessible and user-friendly channel.
Monitoring: Sofist uses log audit reports and notifications to monitor access patterns and identify and mitigate potential threats. Administrative operations, including access to the system, are logged to provide an audit trail in the event of unauthorized or accidental changes.
‍Security incident reporting:In the event of a security incident that may result in a relevant risk or damage to user data, Sofist will notify the National Data Protection Authority (ANPD) and, as the case may be, notify the data subject, in both cases within a reasonable period of time, with information describing the nature of the Personal Data affected, including an indication of the technical and security measures used to protect the data, related risks and measures that have been or will be adopted to reverse or mitigate the effects of the damage.