Version updated on December 14, 2021
The Hotmart Cybersecurity Policy encompasses guidelines, objectives and controls concerning Information Security in the Company's IT environment, in order to safeguard its operations, users and third parties. All employees and providers shall be aware of its directives and act in strict accordance with them.
Cybersecurity responsibilities are distributed between the following organizational levels:
The Company adopts a set of actions, guidelines and procedures in order to reduce cybersecurity vulnerabilities and risk exposures, in convergence with the pillars that sustain all the Company data processing:
Information security guidelines and rules adopted by the Company address the following objectives:
Hotmart's information security program consists of a broad process that, according to the established principles and goals, guides the implementation of the following controls and techniques:
In order to protect and adequately process information, it shall be classified in accordance with its confidentiality level. The classification shall be carried out on the basis of information value, sensitivity, criticality and regulatory standards, and the Company shall label the information accordingly.
Hotmart has dedicated teams to which the creation of security features and optimization of application security are assigned, in accordance with personal data protection standards and the industry best practices.
The Company shall respect all aspects of intellectual property within its operations and requires that anyone who comes to know any of Hotmart’s internal or proprietary information shall not use it for illegitimate personal purposes.
Information assets are any resource employed in the organization's data lifecycle. At Hotmart, these assets are protected against unauthorized access, and all employees shall use them carefully for daily activities, acting with integrity and good judgment, and also in accordance with specific rules concerning mobile devices connected to the network.
The Company establishes formal procedures for access management across its whole IT environment, including processes for access granting, revoking, transferring, review and authentication.
Hotmart establishes a variety of change controls over the Company’s systems, including procedures for code review, integrity check, data tracking, version control, continuous integration cycle and testing management.
By means of network management, Hotmart safeguards the data flow between its system components, maintaining safe network segmentation, security baselines and strong cryptography.
Hotmart performs recurring scans and tests in its IT environment, by a team specialized in security tests, to measure flaws and vulnerabilities in its systems, which are handled by its cyber security and secure development teams.
Protection mechanisms are implemented against malicious code at entry and exit points of Hotmart systems. These points include firewalls, remote access servers, workstations, email servers, web servers, proxy servers and mobile devices.
Based on received information and internal checks, Hotmart assesses the risks involved in contracting each supplier, to ensure compliance with the Company's cyber security rules, in accordance with the nature of the services provided.
Automated audit trails are implemented for Hotmart's system components, enabling the tracking of security events, authentication, and user actions.
Hotmart applies technical controls over the transmission of information in its IT environment, through automated solutions which detect, restrict and alert on the improper sharing of data. Controls are associated with the classification of this information.
Hotmart maintains a plan for the safe recovery of data processed by the company and of the functionalities of its systems, in case of unavailability of critical technology services that support its operation. The company maintains data backup in more than one datacenter.
With the aim of disseminating cyber security culture and continuous improvement, the Company promotes training and regular awareness initiatives related to Cyber Security for all its employees.
Hotmart's incident management process is designed to prevent, detect, respond to and recover from an unexpected event that generates any sort of instability, violation of internal policy, or which may do any harm to the Company.
All incidents reported in Hotmart's technology environment are subject to identification, analysis, classification and communication procedures, in accordance with their impact and urgency, and taking into account the interests of the parties that may be involved and possibly affected.
If a member of the external public identifies any inconsistency or failure in the Hotmart environment, the Company provides a channel for receiving such reports: the e-mail address security@hotmart.com.
Any action that does not comply with the Information Security Program guidelines, defined in this Policy, constitutes a serious offense and entails the application of sanctions in accordance with current legislation.
The employee or service provider who deliberately fails to report violations of this policy will also be subject to the aforementioned sanctions.