Privacy and Personal Data Protection Policy
1. Introduction
1.1. Sofist Qualidade de Software S.A. ("Sofist", "we", "us", "our"), with address at Avenida Orosimbo Maia 360, Sala 509, Campinas/SP, Brazil, CEP 13010-211, is committed to protecting your personal data and complying with applicable data protection laws, including Brazil's General Data Protection Law (LGPD), the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This privacy policy describes how and why we collect, use and disclose personal data, and how data subjects can exercise their rights.
2. Scope
2.1. This policy applies to all personal data processed by Sofist, including data from customers, potential customers, website visitors and third parties who interact with us, regardless of their location.
3. Personal data we collect
3.1. We may collect the following categories of personal data:
- Identifiers: First name, last name, e-mail address, telephone number, occupation/position, country, company.
- Information about activities on the Internet or other electronic networks: IP address, browsing history and interactions with our website.
- Professional or employment-related information: Position, employer and professional experience.
- Sensitive data: Where applicable, data relating to personal preferences or behavior, processed only with explicit consent and in accordance with Article 9 of the GDPR and Article 11 of the LGPD.
4. Purposes of processing
4.1. We process personal data for the following purposes:
- Provision of Services: To provide consulting services in information technology and other related services, preparing reports, analyses and other documents related to our activities.
- Business Development: To create opportunities to present our solutions to clients and potential clients.
- Communication: To send invitations, publications and various communications.
- Support: To provide user support and answer questions.
- Legal Compliance: To comply with legal obligations in different jurisdictions.
5. How personal data is collected
5.1. Personal data is collected in the following ways:
- Personal data provided by the data subject: we collect personal data necessary to initiate and maintain a commercial and/or contractual relationship with the data subject via an electronic channel, for inclusion in electronic systems maintained by Sofist or by partners.
- Personal data provided by third parties: we also process personal data that is provided by third parties. For example, data received from our corporate clients regarding users of their digital products, employees, etc.
5.2. We do not knowingly collect, store or otherwise process personal data that is excessive or unnecessary for the provision of our services. Accordingly, we ask you to refrain from sharing sensitive personal data with us, such as those relating to your racial or ethnic origin, religious conviction, political opinion, membership of a trade union or religious, philosophical or political organization, health or sex life, as well as genetic data.
6. Purpose of personal data and legal bases for processing
6.1. Sofist acts as an operator to carry out the data processing activities of our clients.
6.2. All personal data collected is used to provide or supply services. The privacy of the data subject is respected. Therefore, all personal data and information is treated as confidential and used only for the purposes described here.
6.3. Our processing of personal data is based on the following legal grounds:
- Consent: where you have provided consent for specific processing activities.
- Contractual necessity: to enter into a contract with you or to take steps at your request prior to entering into a contract.
- Legal or regulatory obligation: to comply with the legal and regulatory obligations of the LGPD, GDPR and CCPA, including cases of money laundering or anti-corruption measures.
- Legitimate interests: for the purposes of our legitimate interests, provided that these are not overridden by your data protection rights.
- Regular exercise of rights: for the regular exercise of rights in judicial, administrative or arbitration proceedings - for example, in judicial or administrative defenses in proceedings to which we are a party.
7. Personal data retention period
7.1. Personal data will be kept for the period necessary to achieve the purposes defined at the time of collection. After the termination of this relationship, they will be kept for as long as necessary to comply with legal obligations or as described in contractual agreements and to exercise your rights, including for the purpose of auditing our activities. Retention periods are reviewed periodically and are in accordance with Article 15 of the LGPD and GDPR.
7.2. Once the purpose of processing personal data has been fulfilled, the information will be disposed of securely, except in the cases legally provided for in Article 16 of the LGPD. In other words, personal information about you that is essential for complying with legal, judicial and administrative orders and/or for exercising the right of defense in judicial and administrative proceedings will be kept, despite the deletion of other data.
8. Sharing and disclosure of data
8.1. Personal data may be shared in the following cases:
- Legal determination, request, requisition or court order, obliging the sharing of data with competent judicial, administrative or governmental authorities.
- Use of third-party services or platforms that support our operations, causing personal data to be stored by the service providers, who in turn are contractually obliged to protect your data.
- Corporate movements, such as mergers, acquisitions and incorporations, automatically obliging the sharing of data with future shareholders.
- Protection of Sofist's rights in any type of conflict, including those of a judicial nature.
8.2. We will only share your personal data with third parties when we can do so under the terms of the law or the contract we have entered into. When we share your data with third parties, we take contractually established security measures so that personal data protection mechanisms appropriate to the law and accepted by us are in place.
8.3. A list of our current sub-processors is available at https://www.sofist.co/en/sub-processors.
9. International data transfers
9.1. We may use third parties located in other countries to perform some services provided by us. As a result, some personal data may be transferred outside the country.
9.2. We take care that all personal data shared with agents abroad is adequately protected and in accordance with standards similar to those we have adopted. If we transfer your personal data outside your jurisdiction, we will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses for GDPR compliance or mechanisms described by the LGPD and CCPA. Transfers comply with Article 33 of the LGPD and Chapter V of the GDPR.
10. Measures for the security of personal data
10.1. Sofist has an Information Security Policy that is updated in line with the best information security practices.
10.2. The main measures adopted by Sofist for the protection of your personal data are:
- Confidentiality: All Sofist employees are subject to total confidentiality and any third parties hired are required to sign a confidentiality agreement, if this is not part of the main agreement between the parties.
- Transparency: Sofist always keeps users informed of changes in the procedures for processing personal data aimed at protecting privacy and data security, including the establishment of appropriate practices and policies. The data subject can, at any time, request information about where and how personal data is stored, protected and used.
- Isolation: All access to personal data is blocked by default, using a zero privilege policy. Access to personal data is restricted to individually authorized personnel. The area responsible for the data grants authorizations when proven necessary and keeps a record of authorizations granted. Authorized personnel receive minimal access to the database and systems, at the level strictly necessary to carry out their activities.
- Personal data subject rights: Sofist makes it possible for data subjects to exercise their rights in an accessible and user-friendly channel.
- Monitoring: Sofist uses log audit reports and notifications to monitor access patterns and identify and mitigate potential threats. Administrative operations, including system access, are recorded to provide an audit trail in the event of unauthorized or accidental changes.
- Communication of a security incident: In the event of a security incident that may entail a risk or relevant damage to user data, Sofist will notify the National Data Protection Authority (ANPD) in the case of the LGPD and, as the case may be, will notify the holder, in both cases, within a reasonable period of time, with information describing the nature of the personal data affected, including an indication of the technical and security measures used for data protection, related risks and measures that have been or will be adopted to reverse or mitigate the effects of the damage.
10.2.1. For the purposes of the above, "security incident" means a breach of security that leads to unauthorized access, accidental or unlawful destruction, loss, alteration, communication or any form of improper or unlawful processing.
10.3. Nevertheless, you should be aware that no Internet security system is guaranteed against unwanted intrusions, and Sofist's commitment is limited to the adoption of protection measures recommended according to the current state of the art.
10.3.1. In this regard, Sofist is not responsible for (i) any consequences arising from the negligence, imprudence or malpractice of the data subject in relation to their personal data. We guarantee and are only responsible for the security of the data processing processes and the fulfillment of the purposes described in this instrument; (ii) malicious actions by third parties, such as hacker attacks, unless Sofist's culpable or deliberate conduct is proven, and (iii) inaccuracy of the information entered by the data subject in the records required to use Sofist's services; any consequences arising from false information or information entered in bad faith are entirely the responsibility of the data subject.
11. Rights of data subjects
11.1. Data subjects may exercise their rights directly or through a legally constituted representative.
11.2. Depending on your jurisdiction, you may have the following rights about your personal data:
- Right to know: To request information about the categories and specific personal data we have collected about you.
- Right of access: To obtain a copy of your personal data.
- Right to erasure: To request the erasure of your personal data, subject to certain exceptions.
- Right to correction: To request the correction of inaccurate personal data.
- Right to data portability: To receive your personal data in a structured, commonly used and machine-readable format.
- Right to opt-out: To direct us not to sell your personal data. It is important to emphasize that Sofist does not sell personal data.
- Right to non-discrimination: To receive equal service and price, even if you exercise your privacy rights.
- Right to restrict processing: In accordance with GDPR and LGPD, you can request restriction of processing in specific circumstances.
- Right to object: You have the right to object to certain types of processing in accordance with the GDPR.
11.3. To exercise these rights, please contact us at privacy@sofist.co.
12. Changes to this Policy
12.1. We may update this privacy policy from time to time. Any significant changes will be posted on this page with an updated effective date. We therefore recommend that you periodically review this document to be aware of any changes.
13. How to contact Sofist
13.1. If you have any questions, concerns or complaints about this privacy policy or our data practices, please contact us at privacy@sofist.co.
13.2. For issues related to the CCPA, you can exercise your rights through the mechanisms listed above.
13.3. For questions related to the GDPR, you can contact our Data Protection Officer (DPO) at dpo@sofist.co.
13.4. For questions related to the LGPD, you can contact Brazil's National Data Protection Authority (ANPD), which is responsible for ensuring that the rights of personal data subjects are respected in Brazil. For more information about your rights or the procedure for making a complaint, visit the ANPD channel.
Last updated: December 30, 2024.