1. Objective
Establish guidelines to preserve the confidentiality, integrity and availability of information processed by PangeaPay, in accordance with applicable regulatory standards (Law 14,478/22, BCB Resolution 4,658/18 when applicable, LGPD) and with best international practices (ISO/IEC 27001, NIST Cybersecurity Framework).
This Policy applies to employees, service providers, suppliers, partners and anyone who accesses PangeaPay systems, data or facilities.
2. Principles
Information security at PangeaPay is based on five non-negotiable principles:
- Defense in depth — multiple layers of control so that the failure of one does not compromise the entire system.
- Least privilege — access only to what is necessary for the role, for the time necessary, with periodic review.
- Segregation of duties — sensitive operations require more than one approver and no single person can move critical assets.
- Internal transparency — incidents generate post-mortems with a root cause, without covering up what happened.
- Privacy by default — personal data is treated under LGPD by system design, not as an afterthought.
3. Governance and responsibilities
Information security is coordinated by the Security team and supervised by the Board. The main roles are:
- Information Security Leader (CISO or equivalent): responsible for policy, security program and incident response.
- Person in Charge of Personal Data Processing (DPO): coordinates LGPD and acts as focal point with ANPD.
- Engineering Team: implements technical controls, reviews code and maintains infrastructure hygiene.
- Compliance and Risk: assesses regulatory and operational exposure, maintains an updated risk matrix.
- Area leadership: ensures teams’ adherence to policies and continuous training.
- Every employee: complies with policies, reports incidents and participates in mandatory training.
4. Classification of information
Information is classified according to its sensitivity, and each class defines the minimum controls required:
- Public — information intended for external dissemination, without access restrictions (e.g. website, blog, marketing materials).
- Internal — use restricted to formally authorized employees and partners (e.g. internal documentation, manuals).
- Confidential — access limited to people with a legitimate need (e.g. strategic data, contracts, source code).
- Restricted — highly sensitive information, with heavily controlled and audited access (e.g. personal customer data, cryptographic keys, KYC data, credentials).
5. Access control
Access to systems, data and environments follows the principle of least privilege and is controlled by the following mechanisms:
- Individual and unique identity for each person; shared accounts are prohibited.
- Mandatory multi-factor authentication for sensitive systems, administrative panels and remote access.
- Passwords stored in a corporate manager, with complexity requirements and mandatory rotation in case of suspicion.
- Role-based provisioning (RBAC), with access review every 90 days for restricted systems.
- Immediate revocation of access upon termination of employment or contract.
- Access to customer data recorded in an immutable log and periodically audited.
6. Encryption
We adopt encryption as a standard control to protect data at rest and in transit:
- TLS 1.2 or higher for all communication between client and server and between exposed internal services.
- Encryption at rest for databases, backups, and object storage containing restricted data.
- Key management in dedicated services (KMS), with periodic rotation and separation of functions.
- Tokenization or strong hashing for data that does not need to be retrieved in clear text (e.g. passwords, session tokens).
- For custody of cryptoassets, combined use of cold storage, multisig and HSMs, with segregated signature procedures.
Algorithms that are discontinued or known to be unsafe are banned. Cryptographic inventory is maintained and reviewed periodically.
7. Secure development
PangeaPay adopts Secure SDLC practices to ensure that security is considered from product design:
- Threat modeling in changes that affect critical flows (authentication, custody, financial movement).
- Mandatory code review (peer review) and automated tests before any deployment into production.
- Static code analysis (SAST) and dependency analysis (SCA) in the CI pipeline.
- Dynamic analysis (DAST) and periodic penetration tests by qualified internal and external teams.
- Bug bounty program or responsible disclosure channel for external reporting of vulnerabilities.
- Secrets do not reside in source code; they are managed in dedicated vaults.
8. Infrastructure and operations
The operation of the systems follows hardening, observability and resilience standards:
- Infrastructure immutability: servers are rebuilt from versioned images, not modified in production.
- Network segmentation between environments (dev, staging, production) and between services with different levels of criticality.
- Periodic patching and defined maximum period for fixing vulnerabilities by severity.
- Centralized logs, retained for a period compatible with regulatory obligations and protected against tampering.
- Continuous monitoring (metrics, traces, alerts) with 24/7 on-call for critical services.
- Formal backup plan with periodic restoration tests and integrity checks.
9. Supplier management
Before engagement, suppliers who process restricted data undergo a security and privacy assessment. Controls include:
- Initial due diligence on certifications, incident history and regulatory compliance.
- Specific contractual clauses on information security, data protection and right to audit.
- Periodic reassessment for critical suppliers.
- Exit and portability plan to reduce dependency and lock-in risk.
10. Incident response
We maintain a formal security incident response plan, with defined roles, communication flows and deadlines. In general, the cycle is:
- Detection: continuous monitoring, automated alerts and internal channels for employee reporting.
- Triage: classification by severity and potential impact, activation of the response team when applicable.
- Containment: immediate actions to limit spread and damage (e.g. credential blocking, host isolation).
- Eradication and recovery: removal of the root cause and safe return to normal operation.
- Communication: notification to customers, authorities (ANPD, COAF, BACEN, as applicable) and other stakeholders within legal deadlines.
- Post-incident: post-mortem with root cause, lessons learned and remediation plan.
In the event of an incident involving personal data that may result in significant risk or damage, we inform affected holders and the ANPD as required by the LGPD.
11. Business continuity
We maintain a continuity and disaster recovery plan for critical services, defining RTO and RPO compatible with the criticality of each component. Plans are periodically tested and revised after relevant changes to the architecture.
12. Acceptable Use
The use of equipment, accounts, corporate emails and any PangeaPay resources must be related to professional activities. Prohibited practices include:
- Sharing credentials or tokens with third parties, internal or external.
- Installing unauthorized software on corporate equipment.
- Disabling security controls (antivirus, EDR, disk encryption).
- Connecting personal devices to restricted networks or environments without authorization.
- Accessing, copying or exporting customer data without a legitimate need and proper registration.
13. Training and culture
Every employee participates in information security training upon hiring and periodically. The programs cover phishing, social engineering, handling of personal data, secure use of credentials, and incident protocols.
We promote periodic exercises (simulated phishing, incident tabletop exercises) to maintain an active security culture.
14. Monitoring and compliance
Adherence to this Policy is assessed through internal and external audits, security metrics and periodic reviews. Non-conformities generate an action plan with a defined deadline and person responsible. Repeated or serious non-compliance results in proportional sanctions, in accordance with the Code of Conduct.
15. How to report incidents or suspicions
Report any suspected incident, vulnerability or violation of this Policy as soon as possible by emailing compliance@pangeapay.org. It is not necessary to be sure: if in doubt, report it. Good faith reporting is protected from retaliation.