YAMÁ COSMÉTICOS undertakes to comply with the requirements of the data protection legislation applicable in Brazil and to use its best efforts to ensure that its service providers, business partners and other third parties in the course of their activities and employees comply with its provisions.

When receiving personal data, YAMÁ COSMÉTICOS limits the respective processing and transfer of data with the parties indicated above, within the scope of its processes. In addition, all its employees assume an obligation of confidentiality when signing their employment contracts.

The Company has an Information Security Policy and adopts technical and administrative measures to protect personal data from events that result in the unlawful or abusive processing of personal data, under the terms of the applicable legislation. In this regard, YAMÁ COSMÉTICOS has the following security measures in place:

1. Use of an advanced Next Generation firewall with a hacker detector and anomalies caused by a robot attempting to break into the network;
2. Antivirus with artificial intelligence (EDR);
3. Encryption on all company computers;
4. Advanced network segregation according to active user access;
5. Backups with periodic restoration tests with total security to guarantee business continuity;
6. Use of secure protocols for data exchange, such as HTTPS and TLS, among others, with access to sites using a digital certificate and remote access by secure means using VPNs with encryption and authenticity, which guarantee the privacy and security of connections;
7. Quality and security assessment carried out by artificial intelligence (SAST), among others, of all source code for software owned by YAMÁ COSMÉTICOS.

In addition, Pentest and vulnerability testing of security servers is carried out periodically by an independent company that complies with international penetration testing standards, including NIST 800-115, OWASP, OSSTMM and ISSAF/PTF.

All data processing and storage routines are carried out in Portugal, i.e. there is no international data transfer. Data hosting and processing is carried out by a company that guarantees the continuous operation of the infrastructure, with redundancies and monitoring, with preventive maintenance and incident response, in accordance with international security and business continuity standards, including ISO 27001.

Finally, it should be clarified that personal data is processed for the duration of contractual relations and compliance with legal or regulatory obligations, for the periods necessary to exercise rights in judicial, administrative and arbitration proceedings.