Security and Compliance - Glass Group

Learn about our information security and regulatory compliance practices that protect over 500 million monthly transactions.

Last updated: March 7, 2026

At Glass Group, information security and regulatory compliance are fundamental pillars of our operation. We process over 500 million monthly transactions for financial institutions across Brazil, which demands the highest standards of data protection and governance.

1. Certifications and Compliance

1.1. LGPD - Brazilian General Data Protection Law

We are in full compliance with Law No. 13,709/2018 (LGPD):

  • Data Protection Officer (DPO): Dedicated professional for privacy management
  • Processing Records: Complete mapping of all personal data flows
  • Consent: Clear mechanisms for collecting and managing consent
  • Data Subject Rights: Established processes for response within 15 days
  • Impact Assessment (DPIA): Periodic privacy risk assessments

1.2. PCI-DSS - Payment Card Industry Data Security Standard

We follow the PCI-DSS standard guidelines for payment data protection:

  • Secure Network: Firewalls and secure system configurations
  • Data Protection: Encryption of card data in transit and at rest
  • Vulnerability Management: Up-to-date antivirus software and securely configured systems
  • Access Control: Need-based access restriction
  • Monitoring and Testing: Access tracking and security testing
  • Security Policy: Documentation and employee training

1.3. Central Bank Regulations

Our solutions comply with Central Bank of Brazil requirements:

  • CMN Resolution 4,893/2021: Cybersecurity policy
  • BCB Circular 3,909/2018: Requirements for payment institutions
  • Open Finance: Compliance with open API standards

2. Infrastructure and Technology

2.1. Cloud Computing

Our infrastructure is hosted on world-leading cloud providers:

  • Amazon Web Services (AWS): SOC 1/2/3, ISO 27001, PCI-DSS certifications
  • Microsoft Azure: ISO 27001, ISO 27018, SOC 1/2 certifications
  • Data Centers in Brazil: Data stored on national territory
  • Geographic Redundancy: Replication across multiple availability zones

2.2. Encryption

  • In Transit: TLS 1.3 for all communications
  • At Rest: AES-256 for stored data
  • Keys: Key management via AWS KMS / Azure Key Vault
  • Hashing: Bcrypt/Argon2 for passwords and sensitive data

2.3. Availability and Resilience

  • SLA: 99.9% guaranteed availability
  • Redundancy: Multi-AZ architecture with automatic failover
  • Backups: Automatic hourly backups, 30-day retention
  • Disaster Recovery: RTO < 4 hours, RPO < 1 hour

3. Access Controls

3.1. Authentication

  • Mandatory MFA: Multi-factor authentication for all administrative access
  • SSO: Single Sign-On with SAML 2.0 / OAuth 2.0
  • Strong Passwords: Complexity and rotation policies
  • Sessions: Automatic timeout and concurrent session control

3.2. Authorization

  • RBAC: Role-Based Access Control
  • Least Privilege: Minimum necessary access for each role
  • Segregation of Duties: Separation of environments and responsibilities
  • Periodic Review: Quarterly permission audits

4. Monitoring and Detection

4.1. Continuous Monitoring

  • SIEM: 24/7 security event correlation and analysis
  • IDS/IPS: Real-time intrusion detection and prevention
  • WAF: Web Application Firewall for application protection
  • DDoS Protection: Automatic mitigation of volumetric attacks

4.2. Logs and Auditing

  • Centralized Logs: Secure storage for 12 months
  • Traceability: Recording of all actions in critical systems
  • Alerts: Automatic notifications for suspicious events
  • Reports: Compliance dashboards and reports

5. Vulnerability Management

5.1. Security Testing

  • Pentest: Annual penetration testing by specialized firms
  • Vulnerability Scanning: Weekly automated scans
  • Code Review: Security-focused code review
  • SAST/DAST: Static and dynamic analysis in CI/CD pipeline

5.2. Patch Management

  • Critical Patches: Applied within 24 hours
  • High Patches: Applied within 7 days
  • Updates: Scheduled maintenance windows

6. Incident Response

6.1. Response Process

We have a structured incident response plan:

  • Detection: Identification through monitoring and alerts
  • Containment: Immediate isolation of affected systems
  • Eradication: Removal of the root cause of the incident
  • Recovery: Secure restoration of services
  • Lessons Learned: Post-mortem analysis and improvements

6.2. Communication

  • ANPD Notification: Within 72 hours for incidents involving personal data
  • Client Communication: Transparency about relevant incidents
  • Incident Reports: Complete documentation of each occurrence

7. Physical Security

7.1. Data Centers

The data centers we use feature:

  • Access Control: Biometrics, card readers, and 24/7 surveillance
  • Electrical Redundancy: UPS and generators
  • Climate Control: Redundant cooling systems
  • Fire Detection: Automatic suppression systems

7.2. Offices

  • Controlled Access: Turnstiles and visitor management
  • Clean Desk: Clean desk policy
  • Secure Disposal: Certified destruction of documents and media

8. Training and Awareness

  • Onboarding: Security training for new employees
  • Annual Refresher: Mandatory policy update training
  • Simulated Phishing: Periodic social engineering tests
  • Bulletins: Alerts about new threats and best practices

9. Partners and Suppliers

We require from our partners and suppliers:

  • Due Diligence: Security assessment before engagement
  • Contractual Clauses: Security and privacy obligations
  • Audits: Right to audit critical suppliers
  • Certifications: Requirement of relevant certifications (ISO 27001, SOC 2)

10. Contact - Information Security

To report vulnerabilities, incidents, or security-related questions:

Glass Group - Security Team
Email: [email protected]
Privacy/DPO: [email protected]
Phone: (43) 3047-2255
Address: Rua Doutor Nagib Dahier, 580 - Suite 4, 1st Floor
Centro, Apucarana - PR, ZIP: 86800-000
