Cybersecurity Policy
Firebit
1. OBJECTIVE
This Cybersecurity Policy ("Policy") aims to establish guidelines, responsibilities, and minimum cybersecurity controls applicable to Employees for the protection of information and Assets, considering the critical nature of its operations, as well as the limits of Employee actions regarding Information Security, reinforcing the internal culture and prioritizing necessary actions based on mapped and managed risks.
2. DEFINITIONS
For purposes of this document, certain terms, when presented as described below, whether in their singular or plural form, shall be understood as follows:
- Cactus: means CACTUS FINANCIAL SERVICES LTDA, a private legal entity, registered under CNPJ No. 62.578.460/0001-59, headquartered at Rodovia Januario Carneiro, 8620, Suite 1101, Vale do Sereno, Nova Lima/MG, ZIP: 34006-000, which also includes the companies FIREBIT DIGITAL ASSETS – DIGITAL ASSET SERVICE PROVIDER COMPANY LTDA, registered under CNPJ No. 62.873.133/0001-20, and GLOBAL CRIPTO ASSETS LTDA, registered under CNPJ No. 62.949.192/0001-34.
- ANPD: is the National Data Protection Authority, a special-nature federal agency with responsibilities related to the protection of Personal Data and privacy, including enforcement of the LGPD throughout the national territory.
- Asset: refers to any property, tangible or otherwise, that has value for Cactus.
- Virtual Asset: is the digital representation of value that can be traded or transferred by electronic means and used for making payments or for investment purposes, not including national currency and foreign currencies; electronic currency under the terms of Law No. 12,865/2013; instruments that provide their holder access to specified products or services or to benefits arising from such products or services, such as loyalty program points and rewards; and representations of assets whose issuance, bookkeeping, trading or settlement is provided for by law or regulation, such as securities and financial assets.
- Employee: means all employees, interns, third parties and service providers who perform functions on behalf of Cactus.
- Information Security Committee: refers to the committee established to adopt the necessary measures to deal with matters involving Information Security, including possible Information Security Incidents.
- Security Controls: are the administrative, physical and/or technical mechanisms adopted by Cactus for the protection of the confidentiality, integrity and availability of information.
- Access Credentials: refer to the methods used to verify the identity of an Employee in logical environments, generally consisting of their username (login) and password or other identification and authentication mechanisms, such as magnetic badge, digital certificate, token and biometrics, among others.
- Personal Data: is all Information that allows the identification of a natural person directly or that may render such person identifiable.
- Human Resources Department: is the department responsible for human resources management at Cactus.
- Technology Department: is the department responsible for the management of Cactus's information technology Assets.
- Legal Department: is the department responsible for handling legal matters at Cactus.
- Directors: are those responsible for the conduct, guidance, oversight and coordination of operations, technological, commercial and market development, technological and commercial administration, and the direction, supervision and coordination of the operations and financial activities of Cactus and its subsidiaries and affiliates.
- Board of Directors: is the body, composed of the Directors, responsible for the administration and strategic management of Cactus, ensuring the execution of the company's guidelines and objectives.
- Data Protection Officer: is the data protection officer, being the person designated by Cactus to act as the communication channel between the organization, Personal Data Holders and the ANPD, and to ensure that the organization is in compliance with personal data protection laws and regulations.
- Managers: are those responsible for the coordination and execution of operational activities of a given department, sector or subject matter at Cactus.
- Information Security Incident: refers to an occurrence that compromises, actually or potentially, the confidentiality, integrity or availability of an information system or the information that such system processes, stores or transmits, or that constitutes a violation or an imminent threat of violation of security policies, security procedures or Cactus's internal policies.
- LGPD: means the General Data Protection Law, Federal Law No. 13,709/2018, as amended, which regulates the processing of Personal Data, including in digital media, by natural persons or legal entities of public or private law, with the purpose of protecting the fundamental rights of freedom and privacy and the free development of the natural person's personality.
- Information Security Incident Response Plan: is Cactus's document responsible for establishing the rules, restrictions and procedures related to the management of Information Security Incidents in order to mitigate risks to Cactus's business and Assets.
- Information Security Program: means the set of standards, procedures and actions related to Information Security at Cactus, whose foundation is found in this Policy and in the procedures described herein.
- ICT Resources: mean Cactus's ICT (information and communication technology) resources, including, but not limited to, any hardware, software, connection and communication services or physical infrastructure necessary for the creation, recording, storage, handling, transport, sharing and disposal of information.
- Information Security: the protection of information or information systems against unauthorized access, use, disclosure, interruption, modification or destruction in order to ensure confidentiality, integrity and availability of information.
3. SCOPE
The Policy applies to all Employees to the extent of their duties and competencies, which are described in this Policy, and it may, as the case may be, require compliance by third parties who, in any way, act and/or interact with Cactus.
The Policy applies to all Assets, including, but not limited to, ICT Resources, information, physical infrastructure, as well as any software and/or hardware used and/or owned by Cactus.
In the context of operations involving Virtual Assets, this Policy also applies, as applicable, to activities performed by companies within Cactus's economic group, as well as to partners, service providers and third parties operating in integrated operations, including, but not limited to, intermediation services, on-ramp and off-ramp, transaction processing, custody, technological infrastructure or system integrations, subject to the contractual responsibilities and limits of action of each party.
4. PRINCIPLES
Cactus is committed to ensuring Information Security and the adequate processing of its information. To this end, it must base its activities on the following principles:
- Confidentiality: assurance that only authorized persons will have access to information and only when there is a need or relevance;
- Integrity: assurance that information will remain accurate, complete and intact;
- Availability: assurance that information will be accessible to authorized persons whenever necessary or relevant;
- Risk Proportionality: adoption of Security Controls consistent with the criticality of the information, the Asset and the potential impact on Cactus's operations.
Monitoring Capability. Cactus has the right to carry out continuous and/or point-in-time monitoring of its physical and digital environments in order to ensure the security of Cactus's Assets, ICT Resources, information, Employees and operations in general. Every Employee is therefore aware that all their interactions with Assets, ICT Resources, information and facilities are monitored, and that there is no expectation of privacy regarding such interactions or regarding information stored on any Cactus Asset, especially ICT Resources owned and/or used by Cactus.
Should the Employee use personal devices, systems or networks to carry out their professional activities, without prejudice to the prohibitions or penalties provided for in this Policy, such personal devices, systems and networks shall equally be subject to monitoring by Cactus, and the Employee must hand them over for inspection whenever requested by the Technology Department, with no expectation of privacy regarding such devices, systems and networks that contain any Cactus information.
5. GENERAL GUIDELINES
When using or in any way interacting with Assets, especially ICT Resources, the Employee shall, to the extent of their duties and/or competencies:
- Preserve and protect information, throughout its entire lifecycle, contained in any medium or format, against vulnerabilities, unauthorized access, modifications, destructions, unauthorized disclosures and threats, including adopting prevention, detection, analysis and eradication mechanisms against threats and/or vulnerabilities for Asset protection;
- Fully comply with this Policy and other policies, guidelines, standards and/or Information Security rules adopted by Cactus;
- Adopt the Security Controls determined by Cactus, refraining from using or, in any way, employing mechanisms capable of circumventing the Security Controls;
- Prevent and reduce the impacts generated by Information Security Incidents, ensuring confidentiality, integrity, availability, authenticity and legality in incident scenarios;
- Ensure the security and adequate processing of information, ensuring compliance with the principles of confidentiality, integrity and availability of information;
- Ensure that all information is handled ethically and confidentially and that measures capable of preventing unauthorized access, modifications, destructions, unauthorized disclosures or threats are adopted; and
- Ensure that all Employees have access that is personal, non-transferable and restricted to what is needed to perform their duties at Cactus.
6. GOVERNANCE STRUCTURE
Parties Responsible for the Information Security Program. The following are responsible for the execution, coordination, supervision and management of the Information Security Program, according to specific duties defined in this Policy: (i) the Board of Directors, (ii) the Information Security Committee, (iii) the Technology Department, (iv) the Data Protection Officer, (v) the Legal Department, (vi) the Human Resources Department, (vii) the Directors, (viii) the Managers and (ix) the Employees.
Information Security Committee. For the supervision and coordination of ordinary and extraordinary activities in the context of the Information Security Program, the Information Security Committee is hereby established, whose operation shall consider, in defining priorities and controls, the impact of decisions on critical operational environments, guided by the following rules:
- Composition. The Information Security Committee shall be composed of 3 (three) members, namely: (i) the Director/Manager of the Legal Department, (ii) the Data Protection Officer and (iii) the Director/Manager of the Technology Department.
- Chairmanship. The chairmanship of the Information Security Committee shall be exercised by one of its three members, by decision of the Board of Directors, who shall act as the representative of the Information Security Committee before the other bodies of Cactus and the Board of Directors itself.
- Decisions. All decisions of the Information Security Committee shall be made by simple majority.
- Tie-breaking. Tie-breaking shall be performed by the vote of the representative holding the position of chairman of the Information Security Committee at the time of the decision.
- Replacement. In the event of departure, promotion, termination or impediment of any nature for the exercise of the activities of a member of the Information Security Committee, the Information Security Committee shall notify the Board of Directors for the replacement of the member and reconstitution of the Information Security Committee, and such appointment shall be made within 30 (thirty) calendar days.
6.1. Responsibilities
This section designates the duties and responsibilities of the main parties responsible for the implementation and management of the Information Security Program, as described below.
6.2. Duties of the Board of Directors
The Board of Directors is responsible for, in the context of the Information Security Program:
- Analyzing, approving and formally declaring its commitment to this Policy;
- Deliberating and approving the adoption of strategies and measures necessary to ensure Information Security at Cactus, including, but not limited to, (i) approval of annual budget and strategic planning, (ii) adoption, updating and maintenance of necessary Security Controls, which shall be applied by the Technology Department, especially those suggested by the Information Security Committee and/or external consultants hired for this purpose;
- Analyzing, deliberating and approving measures, strategies and actions necessary for the management of and response to Information Security Incidents in compliance with the provisions of the Information Security Incident Response Plan;
- Assuming responsibility for decisions previously submitted to the Information Security Committee whenever the Board of Directors considers that there is a high risk to Cactus's Information Security;
- Approving corporate policies and standards developed for, among others, ensuring Information Security, Personal Data protection and cybersecurity.
The Board of Directors may exercise any of the competencies indicated above through the individual signature of any Director or, in the case of acts that involve the assumption of obligations by Cactus, as defined in the company's bylaws.
6.3. Duties of the Information Security Committee
The Information Security Committee is responsible for, in the context of the Information Security Program:
- Promoting and managing Cactus's Information Security Program, seeking the implementation of Security Controls, models, frameworks and resources necessary to protect Cactus's Assets;
- Providing technical and operational support to the Board of Directors on matters related to Information Security, including, but not limited to, adoption of Security Controls, management of Information Security Incidents, as well as assessment and management of risks to Cactus's Assets, aiming to ensure the principles of confidentiality, integrity and availability of information;
- Presenting and proposing to the Board of Directors the budget and investments necessary for Information Security at Cactus, including relevant strategic considerations regarding feasibility and impact on business processes;
- Recommending preventive actions for the protection of Cactus's Assets, information and/or ICT Resources;
- Requesting support from the Technology Department for the adequate understanding of risks associated with the implementation or non-implementation of Security Controls in the protection of Assets, ICT Resources and/or Information of Cactus, as well as for the selection, analysis and proposal of Security Controls to be implemented;
- Guiding Employees so that the activities performed by the departments described in this Policy are appropriate to Cactus's business and market best practices.
6.4. Duties of the Technology Department
The Technology Department is responsible for, in the context of the Information Security Program:
- Ensuring the application of this Policy within its scope of responsibilities and of any other applicable complementary documents;
- Providing the necessary support in projects aimed at evaluating and implementing improvements in Cactus's Security Controls, especially regarding issues raised by external consultants hired for this purpose (assessment);
- Implementing the necessary Security Controls, especially technical Security Controls, whose adoption may be requested by the Board of Directors, the Information Security Committee or external consultants hired for this purpose;
- Managing, maintaining and administering ICT Resources belonging to Cactus or under Cactus's responsibility;
- Providing and managing Access Credentials;
- Creating and maintaining an inventory of Cactus's hardware, software and Assets;
- Analyzing or assisting in the analysis of Information Security Incidents that occurred at Cactus, in accordance with the provisions of the Information Security Incident Response Plan;
- Assisting in recovery in contingency situations involving systems and processes that depend on Cactus's ICT Resources;
- Maintaining backup procedures for the recovery of Cactus's applications;
- Performing maintenance, updates and technical fault corrections on Cactus's Assets and ICT Resources;
- Collaborating with the Information Security Committee whenever requested or as appropriate;
- Assisting, whenever necessary and requested, in the management of third-party contracting to verify, among other issues, the maturity level of third parties to be contracted and the potential Information Security risks in establishing commercial relationships with third parties.
6.5. Duties of the Data Protection Officer
The Data Protection Officer is responsible for, in the context of the Information Security Program:
- Recommending to the Information Security Committee, the Board of Directors or any other relevant body the implementation of Security Controls necessary to ensure the confidentiality, availability and/or integrity of information and/or Assets;
- Ensuring that Cactus's Information Security Program is in compliance with the parameters required for Personal Data protection, especially those established in the LGPD and/or in the recommendations and guidelines of the ANPD;
- Assisting the Information Security Committee, the Board of Directors or any other body in the assessment of a threat, suspicion or Information Security Incident that may involve Personal Data and, if so, adopting the measures required by the Information Security Incident Response Plan.
6.6. Duties of the Legal Department
The Legal Department is responsible for, in the context of the Information Security Program:
- Advising the Board of Directors, the Information Security Committee and the Data Protection Officer, within the scope of their duties and responsibilities;
- Reviewing, analyzing and validating draft contracts and/or other legal instruments that, in any way, address rules and standards related to Information Security, especially when third parties provide services to Cactus;
- Drafting Confidentiality Agreements (Non-Disclosure Agreements – NDAs) and/or other necessary documents involving adherence to this Policy and the Information Security Incident Response Plan;
- Assisting in the assessment, whenever requested, of the legal risks arising from an Information Security Incident, in accordance with the responsibilities described in the Information Security Incident Response Plan;
- Handling, whenever necessary, judicial and/or extrajudicial proceedings involving Information Security Incidents and/or violations of this Policy.
6.7. Duties of the Human Resources Department
The Human Resources Department is responsible for, in the context of the Information Security Program:
- Coordinating internal training, especially upon the Employee's entry at Cactus, on Information Security aimed at guiding Employees on relevant aspects of the Information Security Program and applicable standards, especially this Policy, including the generation of evidence of such training.
6.8. Duties of Managers
Managers are responsible for, in the context of the Information Security Program:
- Managing compliance with this Policy by Employees under their supervision, ensuring adherence to applicable internal standards;
- Receiving communications from their Employees about the occurrence or suspected occurrence of an Information Security Incident and promptly forwarding them to the Technology Department or other applicable body;
- Verifying that Employees under their supervision use ICT Resources in compliance with this Policy;
- Cooperating with the Information Security Committee in the investigation of any Information Security Incident, providing all requested information about the occurrence;
- Cooperating with the Information Security Committee in the implementation of measures to mitigate or remedy the effects of Information Security Incidents caused by Employees under their supervision.
6.9. Duties of Employees
Employees are responsible for, in the context of the Information Security Program:
- Being aware of, keeping up to date with and fully complying with this Policy and any complementary documents, signing the acknowledgment and responsibility declaration regarding this Policy and participating in all applicable training;
- Assisting in the processes necessary to implement Security Controls or any other measures necessary to protect Cactus's Assets, ICT Resources and/or Information;
- Using Assets belonging to or under the responsibility of Cactus in accordance with the guidelines of manufacturers and developers, as well as Cactus's instructions, with due care and in compliance with internal regulations;
- Using Assets and information exclusively for professional purposes, ethically and legally, respecting the permitted scope of use and in compliance with internal regulations;
- Preserving the integrity, availability, confidentiality and authenticity of information, refraining from using, sending, transmitting or sharing it inappropriately, in any location or medium, including the internet;
- Notifying the Technology Department in case of failures in Assets or ICT Resources so that the Technology Department can perform maintenance, updates or technical fault corrections;
- Refraining from performing or requesting any maintenance, update or technical correction on Assets or ICT Resources by third parties not authorized by the Technology Department;
- Ensuring the security of their Access Credentials, especially login and password, refraining from sharing, disclosing or transferring them to third parties;
- Being accountable for, and remaining vigilant over, all activities performed on Cactus's ICT Resources using their own Access Credentials;
- Formally reporting to the responsible Director or Manager, the Data Protection Officer and/or the Technology Department any events related to a violation or possible violation of the security of their Access Credentials or any suspicious activities they become aware of;
- Promptly notifying the responsible Director or Manager, the Data Protection Officer or the Technology Department about the occurrence or suspected occurrence of an Information Security Incident.
7. SPECIFIC GUIDELINES
Risk management. Cactus shall implement an Information Security risk management process to enable the identification, management, mitigation and resolution of Information Security risks, in accordance with Cactus's business objectives and in order to protect its Assets.
- Information Classification. Cactus's information shall be classified according to its degree of sensitivity and business impact, being, at a minimum, categorized as: (i) public; (ii) internal; (iii) confidential; and (iv) critical. Information classified as critical shall be subject to enhanced Security Controls, defined in specific standards and procedures, including additional access restrictions, continuous monitoring and technical and organizational protection measures consistent with the risk involved.
- Adequate password management mechanisms shall be implemented. Each Employee shall receive an individual Access Credential, in particular a personal password, for access to the company's systems, which may not be shared with third parties. Cactus shall adopt mechanisms that enforce password complexity, periodic rotation and password history retention, and that prevent the use of default passwords.
- Additional security measures shall be adopted for access to systems, databases or mobile devices. To prevent unauthorized access to Cactus's systems or databases, multi-factor authentication shall be used, whenever available, on systems, databases and devices that hold Cactus information, including Personal Data, such as mobile phones and laptops.
- Assets shall be inventoried and protected. Cactus's Assets, especially ICT Resources, shall be properly inventoried and protected from unauthorized access or threats that may compromise Cactus's business. Accordingly, Cactus shall ensure the protection of Assets throughout their entire lifecycle in order to guarantee that the principles of confidentiality, integrity and availability are fully met. External storage devices shall be inventoried, the data on them shall be encrypted, and the devices shall be kept in secure locations.
- Physical media containing Personal Data shall be formatted and overwritten. Cactus shall format and overwrite physical media containing Personal Data before disposing of them or, when not possible, shall destroy the physical media.
- Only authorized individuals may have access to Cactus's Information and technical environments. Cactus shall adopt mechanisms to ensure that only authorized individuals will have access to Cactus's Information and technological environments and, to this end, shall take into consideration the principle of least privilege and segregation of duties.
- Access to Cactus's digital environment shall be monitored and controlled. Cactus shall adopt access control rules throughout its structure, Assets and information in order to prevent access by unauthorized individuals.
- Access to physical environments shall be controlled and monitored. Cactus shall implement an access control system for physical Assets through, among others, the use of Access Credentials in order to prevent access by unauthorized individuals. Equipment and critical information processing facilities shall be maintained in secure areas, with appropriate access control levels, including protection against physical and environmental threats.
- Information shall be backed up. Cactus shall adopt a data backup and restoration routine to ensure the availability of relevant information for the full operation of the company's activities.
- Measures shall be implemented for protection against viruses, malicious files and software. Cactus shall adopt mechanisms to prevent malicious software and conduct, such as malware, worms, ransomware, phishing and spam, among others, from spreading across computers, laptops, internal systems and servers and exposing Cactus to compromise. To this end, security software such as antivirus, firewalls, intrusion prevention systems or intrusion detection systems shall be installed and kept updated throughout Cactus's internal network and computers, according to applicable internal rules.
- Cactus's Information and Assets may only be used in the performance of each Employee's professional activities within Cactus. The Employee shall refrain from using Cactus's Information and Assets for personal or commercial purposes, or for any purpose that is not expressly related to their activities at Cactus.
- ICT Resources shall be used only for professional purposes. ICT Resources shall be used only for professional purposes, in a lawful, ethical and moral manner and in accordance with Cactus's internal rules and standards.
- The confidentiality of Cactus's Information shall be respected. It is prohibited to disclose Cactus information that is not classified as public (that is, information classified as internal, confidential or critical) without the prior and formal authorization of the responsible Director or Manager and/or the Data Protection Officer.
- Confidentiality agreements shall be executed for sharing Cactus's Information. In contracts involving the sharing of Cactus information or the granting of access to its environments or Assets, the signing of confidentiality agreements and/or contractual clauses related to Information Security shall be required, as applicable.
- Awareness and training. Cactus is committed to Information Security and, to this end, shall promote awareness measures among its Employees on the subject through training and campaigns. Additionally, Cactus shall make this Policy available in full, facilitating consultation by all Employees.
- Critical Environments. Technological environments that support operations, sensitive integrations, APIs, financial processing or services related to Virtual Assets shall have enhanced Security Controls, including environment segregation, strict access control, continuous monitoring and event logging. Technological environments that support the aforementioned operations shall be segregated, whenever technically feasible, from administrative, testing and development environments, adopting differentiated access controls, the principle of least privilege and segregation of duties.
- Logging mechanisms. Cactus shall adopt mechanisms for logging, retention and monitoring of security events in critical environments, including internal systems, financial integrations, APIs and services related to Virtual Assets, in order to enable incident detection, investigation of suspicious events and compliance with legal and regulatory obligations.
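The password management bullet above lists four controls (complexity, periodic rotation, history retention and a ban on default passwords) without saying how they are enforced. The following is an added illustration, not code from the Policy or from Cactus's systems, of how those four checks fit together on the server side. The thresholds (12 characters, a 5-entry history, a 90-day maximum age), the denylist of default passwords, the PBKDF2 iteration count and the `PasswordRecord` class are all assumptions chosen for the example.

```python
"""Added example: server-side enforcement of the four password controls in the
Policy (complexity, rotation, history, no default passwords).
All parameters below are illustrative assumptions, not Cactus's standard."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import string
from datetime import date, timedelta

# Assumed policy parameters (not taken from the Policy text).
MIN_LENGTH = 12
HISTORY_SIZE = 5            # current password plus the previous four
MAX_AGE_DAYS = 90
PBKDF2_ITERATIONS = 100_000  # kept low so the example runs quickly; production
                             # deployments use a far higher count (OWASP suggests 600,000)
# Constructed denylist; a real one would be a large breached/default-password corpus.
DEFAULT_PASSWORDS = {"password", "admin", "123456", "changeme", "welcome1"}


def complexity_problems(pw: str) -> list[str]:
    """Return every complexity or denylist rule the candidate password violates."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if pw.lower() in DEFAULT_PASSWORDS:
        problems.append("default or common password")
    return problems


def hash_password(pw: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt per stored entry."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against one stored salt/digest pair."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class PasswordRecord:
    """Per-Employee state: bounded history of salted hashes (current one last) and
    the date of the last change, which drives the rotation check."""

    def __init__(self) -> None:
        self.history: list[tuple[bytes, bytes]] = []
        self.changed_on: date | None = None

    def set_password(self, pw: str, today: date) -> list[str]:
        """Apply complexity, denylist and history rules; on success store the new
        hash, trim the history to HISTORY_SIZE entries and reset the change date.
        Returns the list of violated rules (empty on success)."""
        problems = complexity_problems(pw)
        if any(matches(pw, salt, digest) for salt, digest in self.history):
            problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
        if problems:
            return problems
        self.history.append(hash_password(pw))
        self.history = self.history[-HISTORY_SIZE:]
        self.changed_on = today
        return []

    def verify(self, pw: str) -> bool:
        """Authenticate against the current password only (last history entry)."""
        if not self.history:
            return False
        salt, digest = self.history[-1]
        return matches(pw, salt, digest)

    def rotation_due(self, today: date) -> bool:
        """Periodic rotation: due when no password is set or the current one is
        older than MAX_AGE_DAYS."""
        if self.changed_on is None:
            return True
        return today - self.changed_on > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    rec = PasswordRecord()
    print(rec.set_password("Tr0ub4dor&3x!Q", date(2024, 1, 1)))   # []
    print(rec.set_password("Tr0ub4dor&3x!Q", date(2024, 2, 1)))   # reuse rejected
    print(rec.rotation_due(date(2024, 4, 15)))                    # True (105 days)
```

Two practitioner notes on the design. Storing only salted hashes in the history means the reuse check never needs plaintext of old passwords, and `hmac.compare_digest` keeps the comparison constant-time. The rotation check is implemented because the Policy requires it, but current guidance in NIST SP 800-63B recommends forcing a change only on evidence of compromise rather than on a calendar, since scheduled rotation tends to produce predictable variants; keeping `MAX_AGE_DAYS` configurable lets the standard that implements this bullet set whichever interval Cactus decides on.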
8. THIRD-PARTY MANAGEMENT
Cactus shall verify the degree of commitment to Information Security of its service providers, suppliers and partners that process or store Cactus data, especially regarding the Security Controls they adopt and their compliance with the Information Security standards required by the LGPD. To this end, prior to contracting third parties, Cactus shall:
- Include specific clauses on Information Security and Personal Data protection in contracts entered into with third parties;
- Depending on the level of involvement with Cactus's Assets and/or Information, require documents and other supporting evidence demonstrating a sufficient level of maturity in Information Security and Personal Data protection.
9. COMMUNICATION CHANNELS REGARDING NON-COMPLIANCE WITH THIS POLICY
Any violation or non-compliance, actual or suspected, with this Policy must be immediately reported to the Technology Department through the Technology Department's internal form.
Furthermore, in case of any suspected Security Incident involving Personal Data, the Data Protection Officer, in addition to the Technology Department, shall be contacted via the following email: [Information Security Incident communication email].
10. SANCTIONS
Violations of the provisions established in this Policy or in any of Cactus's complementary documents may subject the Employee to the following penalties:
- mandatory participation in training or education programs;
- verbal or written warning;
- suspension;
- total or partial loss of variable compensation (if any);
- dismissal, termination, exclusion from the company and/or termination of the service agreement (as applicable); and
- other measures provided for in internal regulations, or of a civil and criminal nature, as applicable to the infraction in question.