Privacy Policy

1. OBJECTIVE

1. The Privacy and Data Protection Policy for Customers, Users and Candidates ("POLICY") aims to inform about the practices related to the processing of Personal Data ("PD") adopted by Atlas Governance Tecnologia LTDA., Atlas Governance International S.A. and Atlas Insurance Ltda ("ATLAS") in the provision of their services through its Portal, website, events, newsletters and/or all forms in which PD is shared.

2. SCOPE

1. This document applies to anyone who:
   

   • Interacts with ATLAS through customer service channels and social networks;

   • Browse the website;

   • Registers for events;

   • Expresses interest in acquiring Atlas GOV, Atlas AGM, Atlas Sign and Atlas Insurance services on behalf of an organization or on their own behalf;

   • Contracts Atlas GOV, Atlas AGM, Atlas Sign and Atlas Insurance services; or

   • Participates in the selection process for open positions in the company.

3. REFERENCES

Internal

• MA GSI 01 – Information Security and Privacy Management System Manual;
• PL GSI 01 - Information Security Policy;
• PL CCE 01 – Personal Data Protection Policy; and
• PL CCE 07 – Cookies Policy.

External

• Brazilian General Data Protection Law (Law nº 13.709/2018);
• ABNT NBR ISO/IEC 27701:2019: Privacy - Requirements and guidelines;
• ABNT NBR ISO/IEC 27018:2021: Code of practice for the protection of personal data (PD) in public clouds that act as PD processors; and
• ABNT NBR ISO/IEC 27001:20122: Information security, cybersecurity and privacy protection - SGSI – requirements.

4. GLOSSARY

ANONYMIZATION - Process in which reasonable and available technical means are applied so that data can no longer be directly or indirectly linked to an individual.

ATLAS AGM - ATLAS Software as a Service ("SaaS") destined for the execution and management of meetings.

ATLAS AI - ATLAS GOV functionality that captures audio and transcribes it, generating information about the meeting, and thereby facilitating the recording of planned tasks and decision-making.

ATLAS GOV - ATLAS Software as a Service ("SaaS”) destined for the digitalization of the governance decision-making process.

ATLAS INSURANCE - ATLAS GOV and ATLAS AGM functionality destined for the storage of insurance policies such as D&O (Directors & Officers) and Cyber Risk, as well as the provision of services (online and offline) for quoting and contracting Insurance.

ATLAS SIGN - ATLAS GOV and ATLAS AGM functionality for electronic or digital signatures of documents submitted through the Portal Services.

SHARING - Communication, transfer, interconnection of personal data or shared process between processing agents.

CONSENT - Free, informed and unequivocal manifestation by which the subject agrees to the processing of their personal data for a specific purpose.

CONTROLLER - Natural or legal person, whether public or private, who is responsible for decisions regarding the processing of PD.

PERSONAL DATA ("PD") - All information related to the identified or identifiable natural person (individual). The concept covers direct information, such as name, RG, CPF and address, as well as indirect information, such as location data and other electronic identifiers.

SENSITIVE PERSONAL DATA - Data that relates to the most intimate sphere of the person, such as data about racial or ethnic origin, religious conviction, political opinion, affiliation with unions or organization of a religious, philosophical or political nature, data related to health or sex life, and genetic or biometric data, when linked to a natural person.

DPO or DELEGATE - Data Protection Officer or Delegate of PD, responsible for the communication between ATLAS, the data subjects and the National Data Protection Authority ("ANPD").

ELIMINATION - Definitive exclusion of data or a set of data stored in a database, regardless of the procedure employed.

GOVERNANCE OFFICER - The Governance Officer ("GO") is a governance agent whose role is to support and carry out activities related to the proper functioning of the organization's governance, also contributing to its continuous improvement.

PROCESSOR - Natural or legal person, whether public or private, who performs the PD processing on behalf of the controller.

PORTAL - It is the ATLAS platform that provides services for the digitalization of the corporate governance decision-making process; conducting and management of meetings; processing and storage of data related to the communication of boards of directors, committees and internal departments of companies, as well as conducting and management of meetings, and providing electronic and digital signature services for documents submitted through the Portal Services. The Portal offers Atlas GOV, Atlas AGM, Atlas SIGN and Atlas Insurance services ("Services").

DATA SUBJECT - Natural person to whom the PD that is the object of processing refers.

PROCESSING - Any activity carried out with PD, such as, for example, the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction.

5. GUIDELINES

5.1. Processing of Personal Data on the ATLAS Portal

• The Atlas Portal is composed of the Atlas GOV, Atlas AGM, Atlas Sign and Atlas Insurance services provided to the PD Controller Organizations (Customers).

• In the following table, we detail the PD processing carried out by ATLAS as a Processor during the provision of portal services for the purpose of fulfilling the contract signed with the Client, based on legitimate interest.

• We emphasize the importance of you, the Portal user, consulting the Client’s Privacy Policy to obtain comprehensive information about the processing of your PD.

• The Portal users' PD are also used for other objectives of interest to ATLAS (such as, but not limited to, user profile evaluation, identification of development opportunities, and product offerings), with the application of appropriate technical, organizational and security measures to safeguard your privacy.

• The DP of users registered in Atlas AGM may be shared with the Entities to which the User is linked.

• From time to time, we may ask for your consent to share your contact with other customers who are interested in formalizing partnerships with the organization you represent, as well as for the collection of sensitive personal data.

• If your consent is required for us to carry out any other activity involving the processing of your PD, you will be previously and duly informed about the specific purpose sought, as well as about the consequences of refusal and the possibility of revoking consent.

5.2. ATLAS PD Processing Operations as Controller

1. In the PD processing operations of website users or people who register for events or interact with ATLAS in other ways, ATLAS performs the PD processing as a Controller.

2. In addition to these purposes, we may process your PD, based on your consent, when you expressly request contact of ATLAS for the presentation of the Atlas GOV, Atlas AGM, Atlas Sign and Atlas Insurance Services.

3. From time to time, we may ask your consent to share your contact with other customers who are interested in formalizing partnerships with the organization you represent.

4. The PD processing will be carried out through the Gupy platform, which is why we recommend that you carefully read Gupy's Privacy Notice (https://www.gupy.io/aviso-de-privacidadesite?utm_source=site&utm_medium=footer) so that you are aware of the procedures that will involve your PD.

5.3. Collection of Personal Data

1. When registering on the Portal, or when the Client registers on the Portal, ATLAS collects their PD.

2. In addition to the Portal, ATLAS collects the PD you provide through: sending emails, phone contacts and apps, accessing our website or social media, filling out forms, insurance quote requests, sending or receiving documents for signature, participation in webinars, meetings and other events organized or sponsored by ATLAS, as well as through recording images, voice, photos, and videos.

3. ATLAS may automatically collect data through your access to the Portal, to identify the use and performance of our products and services. The details of the ATLAS Cookie Policy can be found at the link: https://welcome.atlasgov.com/cookies/.

4. Some external providers may provide us with data to assist in the execution and improvement of our services and relationship.

5.4. Sharing with Third Parties

1. ATLAS does not sell, rent or commercialize any PD to third parties, sharing such data in strict compliance with legislation, specific purposes and legal processing hypotheses for which they were collected.

2. ATLAS may operate together with other companies (customers, associates, suppliers and service providers) to execute the activities and purposes described herein, whether in customer acquisition, relationship, product supply or software development. Therefore, we reserve the right to share your information with these companies, in an anonymized manner, preserving your privacy to the maximum extent.

3. We reserve the right to access, read, preserve, and disclose any data that we believe necessary to comply with a legal obligation (regulatory, tax, etc.) or an order of competent authority (judicial or administrative), or to protect rights, property, or safety of ATLAS, our employees, our users, or others.

5.5. International Data Transfer

1. ATLAS’ standard practice is to store PD in a cloud located in Brazil.

2. Some of our partners store information in clouds with databases located in other countries, such as the United States, which may involve international data transfer.

3. ATLAS’ partners have current privacy policies and commercial agreements regarding the control and operation of the protection of PD privacy and security rights and offer the same level of security offered by ATLAS.

5.6. Subjects Rights

1. You may always choose not to disclose your data to us, but please keep in mind that some of this data may be necessary for the use of some features and services we offer you. Regardless of this, ATLAS guarantees the exercise of your rights regarding privacy and the protection of your personal data.

2. As a PD Subject, you may request at any time:

   1. Confirmation of the existence of processing and access to your PD, including information about the collection, processing, sharing and storage of your PD.
   2. The correction and updating of your PD whenever there is any change in your registration data and/or if you identify any inconsistency. However, in order for this change to be effective, we will have to check the validity of the data you provide us with.
   3. The anonymization or exclusion of your PD if you understand that they are unnecessary and/or excessive for the purpose of the processing. In these cases, ATLAS must analyze the merits of the request and take steps to comply with it or clarify the reason for maintaining the processing.
   4. The portability of PD both for sending to ATLAS and for sending to Third Parties of your choice, as long as it does not violate the company's intellectual property or business secret.
   5. Blocking (suspension of processing) in the following scenarios:
      1. When it is necessary to review the accuracy of the data;
      2. When it is necessary to maintain the PD, even after the purpose has been fulfilled, for the defense of your rights in the process;
      3. When you object to the processing of your PD, in which case ATLAS will assess whether there are legitimate grounds to use them.
   6. The revocation of consent, at any time, when this is the legal basis applicable to the processing. This will not affect the lawfulness of any processing carried out previously. If the revocation impacts our services, we will let you know.
   7. Opposition to the processing if you suspect any mistake, irregularity or failure in any processing operation of your PD. In these cases, we will assess the response, provide clarifications and, when applicable, adopt the necessary measures for rectification.

3. When submitting your request, ATLAS must analyze its relevance and origin, addressing it as appropriate. Such analysis does not imply, however, the automatic granting of the requests, and the right to maintain the regular processing of PD is safeguarded.

4. We may request some additional and specific information to verify your identity, to ensure the security and privacy of our customers, resellers, representatives, etc., and to ensure that the PD is not disclosed to anyone who is not entitled to receive it. We may also contact you for more information regarding your request in order to expedite our response.

5. We commit to address your request within a reasonable time and always in compliance with applicable law. If your request is particularly complex or if you have submitted more than one request, we will notify you and keep you updated on the processing and completion of the review.

6. If you have any doubts about these issues or how you can exercise these rights, please feel free to contact us through the communication channel indicated in item 5.9 of this Policy.

5.7. Personal Data Storage

1. We will maintain your PD only for as long as necessary to fulfill the designated purposes, to maintain the performance of the ATLAS service, to comply with legal, contractual, accountability obligations or requests from competent authorities, and to resolve disputes.

2. To determine the appropriate retention period of PD, we consider the amount, nature, and sensitivity of PD, the potential risk of harm arising from unauthorized use or disclosure of your PD, the purpose of the processing of your personal data and whether we can achieve such purposes through other means, and the applicable legal requirements.

5.8. Personal Data Protection

1. ATLAS employs the best practices in governance, organizational and security techniques practices aimed at protecting your PD on our servers, in the cloud contracted with third parties and in physical and digital workstations.

2. It is necessary that your PD is always accurate, complete and updated by you so that the purposes for which they are processed can be achieved. Please be aware that it is your responsibility to ensure the accuracy of this data and to keep it up to date.

3. To ensure the highest possible security for your PD, we adopt practices related to user authentication, data encryption, information leakage prevention, protection against malicious software, traceability mechanisms, access controls, logging, and maintenance of data and information backups.

4. Aiming at your privacy and security, we encourage the use of strong and unique passwords to access the account on the Portal. You must prevent and avoid unauthorized third-party access to your account and PD by selecting and securing your password and/or other connection mechanism appropriately and limiting access to your computer or device and browser by logging out after you have completed access to your account.

5. You are also responsible for the security of your PD by taking steps to make smartphones, computers, and other devices secure. To do so, you can use antivirus, firewall, updated browsers, and keep your login and password confidential.

6. ATLAS strives to protect the privacy of your account and the PD we maintain on our system, but unfortunately, we cannot guarantee complete security. If you identify or become aware of something that compromises the security of your PD, you must contact us through the communication channels provided for in item 5.9 of this Policy.

5.9. Communication Channel

1. Seeking to comply with applicable laws, with the highest data protection standards in Brazil and in the world, we have appointed Ms. Amanda Thomaz Szydloski as Data Protection Officer (DPO), responsible for supervising all issues related to this Policy and privacy and data protection issues.

2. You may send questions to the DPO or requests about your rights to privacy and protection of PD through the following email address: [email protected]

3. We clarify that the channel is exclusive to address requests related to privacy and processing of PD and that other matters must be directed to our official support channels:

   • Customer Success/Support Team:
     • Email: [email protected]
     • Email: [email protected]
   • Culture and People Team:
     • Email: [email protected]

5.10. Policy Update

1. As we are always seeking to improve our services, this Policy will be reviewed at least annually and will be republished and made available on the website whenever necessary, with ATLAS being the sole owner of the right and responsibility for modifying it.

2. These Terms may be modified by ATLAS from time to time, for various reasons, guaranteeing the User, Customer or Candidate that the latest updated version will always be available on the Portal.