Information Security Policy for Suppliers

Principles

Establish guidelines to prevent the violation of any law, regulation, or contractual obligation and ensure that security requirements are met by service providers, partners, and suppliers.

Coverage

This document is applicable to all service providers, partners and suppliers of Inter.

The Inter Group bases its actions on the following good practices and market regulations:

  • Constitution of the Federative Republic of Brazil
  • ANBIMA Code of Regulation and Best Practices for Management of Third-Party Assets
  • Instruction No. 612/2019 of the Brazilian Securities and Exchange Commission
  • Brazilian Law No. 9.609/1998 - Software Law
  • Brazilian Law No. 12.965/2014 - Civil Rights Framework for the Internet
  • Brazilian Law No. 13.709/2018 - General Data Protection Law
  • ISO No. 27001 - Information Security Management Standard
  • ISO No. 27002 - Information Security Management Guidelines
  • ISO No. 27701 - Information Privacy Management Standard
  • ISO No. 22301 - Business Continuity Standard
  • Resolution No. 4,553/2017 of the Central Bank of Brazil
  • Resolution No. 4,893/2021 of the Central Bank of Brazil

Guidelines

  • Inter performs risk analysis before formalizing a contract with the supplier.
  • For high-risk processing activities, Inter requests additional Due Diligence from a potential service provider, partner, or supplier to ensure they are capable of providing adequate protection.
  • The Information Security Policy (or equivalent document) of the service provider, partner, or supplier can be reviewed by Information Security to verify its compliance with Inter's standards and policies.
  • The Information Security area may request reports and evidence of the provider's policy compliance, such as control matrices and reports.
  • If the Information Security area identifies, during the analysis, any risk that could compromise the confidentiality, integrity, or availability of Inter's information, the engagement of the provider may be escalated for discussion by the Directorate of Security and Data Governance.
  • Information security and privacy risk assessments for contracts with service providers, partners, and suppliers that involve personal data are conducted in accordance with Law No. 13.709/2018.
  • Information security and privacy risk assessments are also conducted for contracts with service providers, partners, and suppliers that involve the storage or processing of sensitive information, or the use of cloud computing.
  • Cybersecurity controls for cloud computing service providers, partners, and suppliers are assessed in accordance with Resolution 4893 of the Central Bank of Brazil.

Compliance

If Grupo Inter identifies any non-adherent conduct or non-compliance with established guidelines, the appropriate administrative and/or legal measures will be taken.