Information Security Policy

This English version is a convenience translation. In case of any discrepancy, the Portuguese version prevails.

March 2026 — Version 1.0

Document Control

Document TitleInformation Security Policy
OwnerChief Compliance & Technology Officer
ClassificationPublic
Version1.0
Effective DateMarch 2026
Review CycleAnnual (or upon material change)

1. Purpose

This Information Security Policy ("Policy") establishes the security controls, standards, and procedures governing all information assets, systems, and infrastructure of DECADE WEALTH MANAGEMENT LTDA. Its purpose is to protect the confidentiality, integrity, and availability of data processed by the company's entities, in compliance with applicable Brazilian and international regulatory requirements.

2. Identity and Access Management

2.1 Authentication Framework

All user authentication to the systems of DECADE WEALTH MANAGEMENT LTDA is centralized through Okta as the single identity provider (IdP). Multi-factor authentication (MFA) is mandatory for all user accounts without exception.

  • Single Sign-On (SSO) via Okta is enforced for all corporate and production systems, eliminating local credentials and reducing the attack surface associated with password reuse.
  • OpenID Connect (OIDC) federation between Okta and all cloud infrastructure providers (AWS), ensuring that no long-lived static credentials are stored or exchanged for infrastructure access.
  • FAPI 2.0 (Financial-grade API Security Profile) compliance across all client-facing authentication flows, incorporating Pushed Authorization Requests (PAR), proof of possession, and sender-constrained tokens.
  • Demonstration of Proof-of-Possession (DPoP) as an additional binding layer on all Client access tokens, preventing replay and token interception attacks.

2.2 Infrastructure Access Control

Access to cloud infrastructure resources is governed exclusively through AWS IAM Roles, with no static access keys permitted in any environment. All role assumptions are brokered through OIDC federation with Okta, ensuring that every access event is authenticated, time-limited, and auditable. Database access is restricted to IAM-authenticated roles, with no shared or service-account passwords.

2.3 Privileged Access and the Principle of Least Privilege

DECADE WEALTH MANAGEMENT LTDA applies the principle of least privilege across all systems. Access grants are reviewed quarterly and require managerial approval. Privileged actions on production systems require explicit justification and are logged for audit purposes.

3. Network Security

3.1 Cloud Network Architecture

All production workloads operate within private subnets on AWS, with no direct internet exposure. Network segmentation is enforced through AWS Security Groups, which act as stateful firewalls controlling inbound and outbound traffic at the instance level. Security Group rules follow a default-deny posture: only explicitly authorized traffic is permitted.

3.2 Secure Remote Access

Connectivity between the corporate office network and cloud services is established through an encrypted site-to-site VPN, authenticated with digital certificates. Remote employees access internal resources exclusively through this VPN tunnel, ensuring that no production service is exposed to the public internet.

3.3 Physical Office Network

The corporate network infrastructure is managed by UniFi equipment with the following controls:

  • RADIUS authentication is enforced directly on the UniFi routers, ensuring that only authorized devices and users can connect to the corporate network.
  • VLAN segmentation separates network traffic by function (e.g., corporate workstations, guest network, IoT devices, management plane), preventing lateral movement between segments.
  • UniFi firewall rules enforce inter-VLAN access control, restricting traffic to the minimum necessary for each segment's operational requirements.
  • All wireless access points require enterprise-grade authentication (WPA3-Enterprise with RADIUS support).

4. Data Protection and Encryption

4.1 Encryption at Rest

All data at rest is encrypted across the infrastructure of DECADE WEALTH MANAGEMENT LTDA:

  • Endpoint devices: All company-provided laptops and workstations enforce full-disk encryption (e.g., BitLocker on Windows, FileVault on macOS), ensuring that data remains protected in the event of device loss or theft.
  • Databases: All production databases enforce encryption at rest using AES-256 (or equivalent), managed through the cloud provider's native encryption services with customer-managed keys.
  • Object storage and backups: All data stored in AWS S3, including backup files, is encrypted at rest using server-side encryption with customer-managed keys (SSE-KMS).

4.2 Encryption in Transit

All communications between services, both internal and external, are encrypted in transit:

  • Mutual TLS (mTLS) is enforced for all service-to-service communication within the infrastructure of DECADE WEALTH MANAGEMENT LTDA. Both client and server mutually authenticate via X.509 certificates, preventing man-in-the-middle attacks and unauthorized service impersonation.
  • Short-lived access tokens are used for authorization between services, minimizing the blast radius of any potential token compromise. Tokens are issued with a minimal lifetime and are not cached beyond their validity period.
  • All externally facing endpoints enforce TLS 1.2 or higher, with strong cipher suites and certificate pinning where applicable.

5. Secrets and Key Management

All cryptographic keys, TLS certificates, API tokens, database credentials, and other secrets are managed centrally through Infisical as the designated secrets management platform. The following controls apply:

  • No secret is stored in source code repositories, configuration files, on-disk environment variables, or any other unencrypted medium.
  • Access to secrets is governed by role-based access control (RBAC), with permissions limited to the minimum necessary for each service or individual.
  • Secrets are rotated on a regular schedule defined by classification, and rotation is automated wherever technically feasible.
  • All access to secrets is logged and auditable, with alerts configured for anomalous access patterns.
  • Certificate lifecycle management (issuance, renewal, revocation) is coordinated through Infisical to prevent service disruptions due to expired certificates.

6. Backup and Disaster Recovery

6.1 Backup Strategy

DECADE WEALTH MANAGEMENT LTDA maintains a comprehensive backup regime designed for resilience against data loss, ransomware, and regional infrastructure failures:

  • Daily automated backups of all production databases and critical data stores are performed.
  • Backups are stored in AWS S3 in a separate AWS account from the production environment, ensuring that a compromise of the production account does not grant access to backup data.
  • The backup account resides in a different AWS region (jurisdiction) from the production account, providing geographic redundancy and protection against regional outages.
  • Backup integrity is verified through automated checksums, and periodic restore tests are performed to validate recoverability.

6.2 Recovery Objectives

Recovery Point Objective (RPO) and Recovery Time Objective (RTO) targets are defined by data classification level and reviewed annually. Disaster recovery procedures are documented, tested at least once a year, and updated after each test cycle.

7. Secure Software Development Lifecycle

7.1 Code Integrity and Change Management

DECADE WEALTH MANAGEMENT LTDA enforces rigorous controls over all changes to production codebases:

  • GPG-signed commits: Every code modification must be cryptographically signed with a verified GPG key associated with the author. Unsigned or unverified commits are rejected at the repository level.
  • Dual-approval requirement: All changes to production services require review and explicit approval from at least two authorized reviewers before merging. No individual may unilaterally deploy code to production.
  • Branch protection rules are enforced at the repository level, preventing force pushes, direct commits to protected branches, and merges without approval in CI/CD checks.

7.2 CI/CD Pipeline Security

Automated pipelines apply static analysis, dependency vulnerability scanning, and integration testing before deployment. Deployment credentials are injected at runtime from Infisical and are never stored in pipeline configuration files.

8. Endpoint Security

All company-provided endpoints (laptops, workstations) are subject to the following requirements:

  • Full-disk encryption enabled and verified at the time of enrollment.
  • Operating system and software patches applied within defined SLA timeframes.
  • Endpoint detection and response (EDR) agents installed and reporting to a central console.
  • Local administrator privileges restricted to authorized IT personnel only.
  • Automatic screen lock after a defined period of inactivity.
  • Remote wipe capability for lost or stolen devices.

9. Logging, Monitoring, and Incident Response

9.1 Logging and Audit Trail

All authentication events, access control decisions, privileged actions, and changes to security configurations are logged to a centralized, tamper-resistant logging platform. Logs are retained for a minimum period consistent with applicable regulatory requirements (BCB Resolution 4893 mandates a minimum of 5 years for cybersecurity-related records).

9.2 Monitoring and Alerting

Automated monitoring is configured to detect anomalous activity, including but not limited to: unusual authentication patterns, unauthorized access attempts, privilege escalation, and data exfiltration indicators. Alerts are routed to the security operations team for triage and response.

9.3 Incident Response

DECADE WEALTH MANAGEMENT LTDA maintains a documented Incident Response Plan, reviewed annually, covering identification, containment, eradication, recovery, and post-incident review. Material security incidents are reported to the competent regulatory authorities (CVM, BCB, ANPD) within the timeframes prescribed by applicable regulation.

10. Third-Party and Vendor Security

All third-party service providers with access to the data or systems of DECADE WEALTH MANAGEMENT LTDA undergo security due diligence prior to engagement. Vendor contracts include data protection obligations, breach notification requirements, and the right to audit. Ongoing vendor compliance is reviewed at least annually.

11. Regulatory Alignment

This Policy has been designed to meet the requirements of, among others:

  • BCB Resolution 4893/2021 — Cybersecurity policy requirements for institutions authorized by the Central Bank of Brazil.
  • CVM Resolution 175 — Operational and compliance requirements for regulated securities entities.
  • LGPD (Law 13.709/2018) — Data protection and privacy obligations, including technical and organizational security measures.
  • ANBIMA Self-Regulation Code — Best practices for asset management and distribution, including information security controls.
  • ISO/IEC 27001 — Referenced as a guiding framework for information security management, although formal certification has not yet been pursued.

12. Policy Governance

12.1 Roles and Responsibilities

The Chief Compliance & Technology Officer is the designated owner of this Policy and is responsible for its maintenance, enforcement, and periodic review. All employees are responsible for complying with this Policy and promptly reporting suspected security incidents.

12.2 Review and Amendment

This Policy is reviewed at least annually, or whenever a material change occurs in the threat landscape, the regulatory environment, or the company's technology infrastructure. Amendments require approval from the Board of Directors.

12.3 Exceptions

Any exception to this Policy must be formally documented, assessed for risk, approved by the Policy owner, and subject to compensating controls. Exceptions are reviewed quarterly and expire after a maximum of 12 months, unless renewed.

13. Sanctions

Violations of this Policy may result in disciplinary action, including termination of employment or service contracts, and referral to the competent legal authorities where required by law.

Annex A — Summary of Security Controls

DomainControlImplementation
Identity & AccessCentralized SSO with MFAOkta (OIDC federation)
Identity & AccessInfrastructure accessAWS IAM Roles via OIDC (no static keys)
Identity & AccessClient-facing authenticationFAPI 2.0 + DPoP
NetworkCloud firewallAWS Security Groups (default-deny)
NetworkSecure connectivitySite-to-site VPN with certificate authentication
NetworkOffice networkUniFi with RADIUS, VLAN segmentation, firewall rules
Data ProtectionEncryption at rest (endpoints)Full-disk encryption (BitLocker/FileVault)
Data ProtectionEncryption at rest (databases)AES-256 via cloud-native KMS
Data ProtectionEncryption in transitmTLS + short-lived tokens between services
Secrets ManagementKeys, certificates, credentialsInfisical (centralized, RBAC, audited)
Backup & DRDaily backupsAWS S3 in a separate account and jurisdiction
SDLCCode integrityGPG-signed commits
SDLCChange managementDual-approval requirement for merging
EndpointDevice securityFull-disk encryption, EDR, patch SLA

Privacy Policy · Terms & Conditions · Information Security · Suitability · PLD/FTP · Código de Ética · Investimentos Pessoais · Formulário de Referência