1. Introduction
Indigo Hive is a Brazilian company specialized in developing artificial intelligence-based solutions designed to increase efficiency and autonomy in large organizations. Through its proprietary platform – Cogfy – the company integrates data, automates processes, and delivers value via intelligent agents, copilots, and conversational interfaces.
Committed to innovation, security, and the reliability of its solutions, Indigo Hive is implementing an Integrated Management System (IMS) focused on information security, data privacy, and cloud service security. The IMS is being developed in compliance with the ISO/IEC 27001, ISO/IEC 27701, and ISO/IEC 27017 standards, as well as applicable national legislation, such as the General Data Protection Law (LGPD – Law No. 13,709/2018).
The IMS promotes the continuous improvement of internal processes, focusing on data protection, information integrity, and risk mitigation. It also contributes to the company’s alignment with good practices in governance, sustainability, and social responsibility, including ESG (Environmental, Social, and Governance) aspects and cloud security.
2. Objective
To establish the guidelines of Indigo Hive’s Integrated Management System (IMS), with a focus on the implementation and continuous improvement of practices related to information security, data privacy, and cloud computing security.
The objective of the IMS is to support compliance with applicable legal, regulatory, and contractual requirements, as well as to strengthen internal controls, mitigate risks, and foster trust in the solutions developed by the company. This policy also aims to ensure coherence between organizational processes and the principles of transparency, innovation, accountability, and integrity that guide Indigo Hive’s operations.
3. Scope
This policy applies to all operations, processes, functional areas, and resources involved in Indigo Hive’s activities. It covers employees, partners, suppliers, and service providers who, directly or indirectly, participate in the development, maintenance, support, or delivery of the solutions offered by the company.
The scope of the Integrated Management System (IMS) includes aspects related to information security, personal data privacy, and security in cloud environments, as defined by the ISO/IEC 27001, ISO/IEC 27701, and ISO/IEC 27017 standards.
4. Terms and Definitions
For the purposes of this document, the following definitions apply:
AI (Artificial Intelligence): A field of technology that develops systems capable of performing tasks that would normally require human intelligence, such as language interpretation, pattern recognition, and autonomous decision-making.
Cloud Environments (Cloud Computing): IT infrastructures and services provided remotely via the internet, used by Indigo Hive to operate and deliver its artificial intelligence-based solutions.
DPO (Data Protection Officer): The person responsible for acting as a communication channel between the company, the data subjects, and the National Data Protection Authority (ANPD), ensuring compliance with the LGPD.
ESG (Environmental, Social, and Governance): A set of practices focused on environmental responsibility, social commitment, and ethical governance, which guide part of Indigo Hive’s strategic actions.
ISO (International Organization for Standardization): An international body responsible for developing technical standards, such as those that guide Indigo Hive’s IMS (ISO/IEC 27001, ISO/IEC 27701, and ISO/IEC 27017).
LGPD (General Data Protection Law): Law No. 13,709/2018, which regulates the processing of personal data in Brazil, establishing rights for data subjects and obligations for organizations.
Pentest (Penetration Test): Technical tests carried out with the aim of identifying vulnerabilities in the company’s systems, simulating attacks to evaluate their security.
Cogfy Platform: Indigo Hive’s proprietary platform, composed of intelligent agents, copilots, and interfaces that integrate corporate data and optimize processes through artificial intelligence.
IMS (Integrated Management System): A structured system for managing, in an integrated manner, the requirements related to information security (ISMS), data privacy (PIMS), and security in cloud environments, based on the ISO/IEC 27001, ISO/IEC 27701, and ISO/IEC 27017 standards.
PIMS (Privacy Information Management System): A structure focused on the protection of personal data, in compliance with the LGPD and other applicable standards, aiming to ensure the secure and ethical processing of information.
ISMS (Information Security Management System): A set of policies, processes, and controls implemented to ensure the confidentiality, integrity, and availability of the information processed by the organization.
Confidentiality and Data Protection Agreements: Documents that establish the obligations and responsibilities of employees, partners, and service providers regarding the protection of information and data processed by Indigo Hive.
5. Roles and Responsibilities
The responsibilities related to Indigo Hive’s Integrated Management System (IMS) are described in complementary documents, such as the Code of Conduct, the Confidentiality Agreements, and other internal policies and standards. In general, they are distributed as follows:
Top Management
Responsible for defining the strategic vision of the IMS, ensuring the allocation of the necessary resources, and demonstrating commitment to the principles of information security, privacy, compliance, and organizational responsibility.
IMS Committee
A multidisciplinary body responsible for monitoring the implementation and performance of the IMS, promoting periodic reviews, identifying improvement opportunities, and ensuring alignment with the ISO/IEC 27001, ISO/IEC 27701, and ISO/IEC 27017 standards, as well as with applicable legislation.
Employees
Must know and comply with the IMS guidelines, participate in mandatory training, ensure the correct execution of their activities, and report any situation that represents a risk, non-conformity, or security incident.
Partners, Contractors, and Suppliers
Must provide services in compliance with the requirements of Indigo Hive’s IMS, observing the same standards of security, confidentiality, and compliance required internally, as well as maintaining transparent and effective communication.
Other Interested Parties
Contribute to the continuous improvement of the IMS through interactions, feedback, and partnerships, and are expected to act ethically and in line with Indigo Hive’s values and principles.
6. Guidelines
The following guidelines reflect Indigo Hive’s commitment to information security, data privacy, the protection of cloud environments, and compliance with applicable legislation and standards. They guide all of the organization’s activities and processes, promoting a culture of responsibility, innovation, and continuous improvement.
Keep the client and other interested parties at the center of decisions, constantly seeking to improve services and solutions to ensure security, efficiency, and reliability;
Promote the continuous improvement of the Integrated Management System (IMS), adopting good practices in information security, data privacy, and cloud security, aligned with the ISO/IEC 27001, ISO/IEC 27701, and ISO/IEC 27017 standards;
Ensure compliance with legal, regulatory, and contractual obligations, especially with regard to the General Data Protection Law (LGPD) and other legislation related to the protection and use of personal data;
Implement and maintain effective controls to ensure the confidentiality, integrity, availability, and resilience of the information processed by the organization;
Preserve the privacy of the data of clients, employees, and partners, respecting ethical principles and the rights of data subjects, and adopting technical and administrative measures compatible with the risks identified;
Select, qualify, and monitor suppliers and service providers based on security, privacy, and compliance criteria, ensuring the continuity and integrity of operations;
Foster a culture of information security and data protection, through training, continuous awareness, and the engagement of all of the company’s employees;
Ensure the allocation of adequate human, technological, and financial resources to sustain the effectiveness and evolution of the IMS, ensuring its adherence to the organization’s strategic needs.
7. Violations and Sanctions
The principles and guidelines established in this policy have the full support of Indigo Hive’s Top Management and apply to all standards that make up the Integrated Management System (IMS), including information security, data privacy, and security in cloud environments.
All employees, service providers, partners, and suppliers must strictly observe the guidelines described here and in the complementary IMS documents, in the exercise of their functions and activities.
Lack of knowledge of the guidelines or internal standards will not be accepted as a justification for non-compliance. A formal procedure must exist to handle infractions, violations, or incidents related to the IMS, including investigation, recording, and appropriate treatment, based on the severity of the situation.
The sanctions applicable to non-compliance with the IMS guidelines include, but are not limited to:
Verbal or written warning – for minor cases or those that are easily corrected;
Additional mandatory training – when the infraction results from a lack of knowledge or a failure to understand the internal policies;
Temporary suspension of access or activities – in cases of recurrence or failures that compromise the security of information or compliance with applicable standards;
Dismissal or contract termination – for serious violations, such as the improper use of data, negligence with information assets, leakage of information, or intentional non-compliance with standards;
Legal measures and/or notification of the competent authorities – when there is evidence of unlawful practice, fraud, breach of confidentiality, or other conduct that constitutes a criminal or civil offense.
In the case of third parties or service providers, non-compliance with the established guidelines may result in the immediate termination of contracts, as well as civil, administrative, or criminal liability, in accordance with current legislation.
It is everyone’s responsibility to report, immediately and securely, any conduct that represents a violation of the IMS policies or that may compromise the security and privacy of the company’s information. Failure to report a known violation may be considered complicity and will be subject to the same sanctions applicable to the author of the infraction.
Sanctions will always be applied in a proportional, fair, and transparent manner, with the aim of ensuring the integrity of the IMS and promoting a culture of compliance and organizational responsibility.
8. Validity and Review
This policy comes into effect on the date of its publication and will remain valid until it is reviewed or replaced. The review of the policy will be carried out periodically, or whenever significant changes occur in the activities, processes, legislation, or standards applicable to the Integrated Management System (IMS).
The responsibility for reviewing and updating the policy lies with the IMS Committee, which will ensure continuous adequacy to best practices and to normative and legal requirements. Any change will be duly communicated to all interested parties.
9. Exceptions
Any exception to the guidelines established in this policy may only be granted upon careful analysis and the formal approval of Top Management and the IMS Committee. Exception requests must be duly justified and documented, ensuring that the temporary or partial waiver of certain requirements does not compromise compliance with applicable legislation, normative standards, or the fundamental principles of the Integrated Management System (IMS).
The documentation regarding the approved exceptions will be maintained and reviewed periodically to ensure that they remain valid and relevant according to the circumstances that originated them.
10. Documents/References
This policy must be applied together with the following documents and references, which provide complementary and detailed guidelines for the effective implementation and management of the Integrated Management System (IMS):
1. RI.SGI.001_Comitê_Sistema_Gestão_Integrado;
2. Policies, Standards, Procedures, Terms, the Code of Conduct and Integrity, and other documents related to the IMS;
3. Applicable legislation, including:
a. Constitution of the Federative Republic of Brazil.
b. Law No. 8,078, of September 11, 1990 — Consumer Protection Code.
c. Federal Law No. 8,159, of January 8, 1991 — National Policy on Public and Private Archives.
d. Federal Law No. 9,610, of February 19, 1998 — Copyright Law.
e. Federal Law No. 9,279, of May 14, 1996 — Trademarks and Patents.
f. Federal Law No. 3,129, of October 14, 1982 — Granting of Patents.
g. Federal Law No. 10,406, of January 10, 2002 — Civil Code.
h. Decree-Law No. 2,848, of December 7, 1940 — Criminal Code.
i. Federal Law No. 9,983, of July 14, 2000 — Amendment to the Criminal Code.
j. Law No. 12,965, of April 23, 2014 — Brazilian Internet Civil Rights Framework (MCI).
k. Federal Law No. 13,709, of August 14, 2018 — General Data Protection Law (LGPD).
l. Bill No. 2,338, of 2023 — Legal framework for artificial intelligence in Brazil. Establishes principles, rights, and duties for the responsible development and use of AI.
m. Bill No. 526, of 2025 — Provides for cybersecurity, incident handling, and data protection in digital environments and cloud services.
4. Applicable international standards:
a. ISO/IEC 27001 STANDARD: Information technology — Security techniques — Information security management systems — Requirements.
b. ISO/IEC 27002 STANDARD: Information technology — Security techniques — Code of practice for information security controls.
c. ISO/IEC 27701 STANDARD: Information technology — Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines.
d. ISO/IEC 27017 STANDARD: Information technology — Security techniques — Code of practice for information security controls based on cloud services. Provides specific guidelines for cloud service providers and customers, complementing the ISO/IEC 27002 controls with a focus on cloud computing environments.
The references must be reviewed periodically to ensure compliance with legal and normative requirements and to maintain adequacy to management best practices.
Revision 02. Date: 11/07/2025