General Data Protection Law (LGPD)

LGPD – What is it?

The General Data Protection Law (LGPD), Law No. 13.709, of August 14, 2018, was established with the objective of regulating the collection and processing of personal data of data subjects in national territory.

According to the Law, "data processing" is considered any activity that uses personal data in the execution of its operation, such as: collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction.

The Law affects all business segments, including public entities. Therefore, it is applicable to any individual or legal entity, under public or private law, that performs any data processing activity, whether this data is in digital or physical media. For this reason, it is essential that companies, as well as the public sector, seek mechanisms to protect the personal data of data subjects.

The law presents the main definitions of terms and concepts that govern the area, differentiates personal data from sensitive personal data, presents the legal bases that justify the processing of personal data, provides for the rights of data subjects, among others.

The LGPD also creates a supervisory structure and possible fines and sanctions provided for in the text of the law that may be applied by the National Data Protection Authority (ANPD).

Security Mechanisms

ALAS Technology maintains a strong concern for and commitment to good practices and the information security of data subjects' data, although it does not make decisions regarding the processing of that data, a role that belongs to the Controller, as established by the LGPD.

The role of CPF.CNPJ is to safely intermediate the collection of non-sensitive personal data and public access, using our unique technologies that structure and automate information for productivity gains and make it available to our customers who, under the terms of the LGPD, are the Data Controllers. For this reason, we do not store or have a database of the queries performed, nor do we perform manipulations, changes, insertions or deletions of data subjects' data.

In the flow of information between authorized suppliers and our customers, end-to-end encryption (E2EE) is used to prevent interception. The mandatory SSL security protocol and Cloudflare CDN protection against attacks are also part of our ecosystem. These are important and indispensable tools in the web segment.

Thus, always in accordance with the provisions of the General Personal Data Protection Law (LGPD), CPF.CNPJ follows all steps and rigorous parameters in the services provided for the security of data subjects with an action plan in case of violation.

The ALAS Technology team understands good practices in dealing with people and personal data and constantly improves itself through specialization courses on the subject.

Prevention Techniques

Directly and indirectly, all customers and data subjects consulted on our platform are protected by our Terms of Use and Data Protection Policy, which are accessible on all our pages and emails. Through them, natural and legal persons can protect themselves based on current laws.

Queries made on our platform are recorded so that they can be tracked or monitored in case of violation of the LGPD or Terms of Use of the service.

Data such as date and time, IP, CPF/CNPJ consulted, package and location of the query are associated with the contracting company of our services as a source of registration.

Action Plan

In case of violation of the rights of our customers and also the data subjects consulted on our platform, we will provide the competent entities, in an agile manner and when requested, all the necessary reports so that the entire investigation and mitigation process of any damages occurs in the best way, as provided in our Terms of Use and Data Protection Policy.

Guarantee of Customer and Data Subject Rights

The exercise of rights provided for in national legislation, and in particular the General Personal Data Protection Law, is guaranteed through our service channels, so that the data subject may, for example, request the blocking of their data consultation and/or the report of who consulted them on our platform, as established in the Terms of Use. Customers are likewise guaranteed access to and rectification of their data.

Terms of Use and Privacy Policy

In the registration form, email body and footers of all website pages, our Privacy Policies and Terms of Use are present, which provide information about the platform, mode of operation and guarantees for customers/data subjects.

Data Protection Officer

Appointed as Data Protection Officer (DPO), under the terms of the LGPD, Dr. Sérgio Mourão has extensive legal knowledge, focusing on the LGPD, and aims to act as a communication link between customers, data subjects and the National Data Protection Authority (ANPD).

Contact email: [email protected]

International Certifications and Compliance

ALAS Technology demonstrates its commitment to information security, privacy, and compliance through internationally recognized ISO/IEC certifications, ensuring our operations meet the highest global standards.

ISO/IEC 27001:2022 - Information Security Management
Certificate: Q7LUQTCU20251113BRAIS1Z1

This certification ensures that CPF.CNPJ maintains a robust Information Security Management System (ISMS) that:

• Implements systematic risk assessment and treatment processes
• Maintains comprehensive security controls across all operations
• Ensures confidentiality, integrity, and availability of personal data
• Conducts regular internal and external audits
• Maintains incident response and business continuity plans
• Applies continuous improvement processes to security measures

ISO/IEC 27701:2025 - Privacy Information Management
Certificate: Q7LUQTCU20251113BRAPI15R

This certification extends our ISO 27001 framework specifically for privacy management, demonstrating full alignment with LGPD and GDPR requirements:

• Implements Privacy Information Management System (PIMS)
• Ensures compliance with data protection principles (purpose limitation, data minimization, accuracy)
• Maintains documented procedures for data subject rights (access, rectification, deletion, portability)
• Conducts Privacy Impact Assessments (PIAs) for new processing activities
• Implements privacy by design and by default in all systems
• Ensures appropriate technical and organizational measures for data protection
• Maintains records of processing activities as required by LGPD

ISO/IEC 37301:2021 - Compliance Management System
Certificate: Q7LUQTCC20251113BRACM1X7

This certification demonstrates our structured approach to compliance management:

• Establishes and maintains a compliance culture across the organization
• Implements governance framework with clear roles and responsibilities
• Maintains compliance obligations register including LGPD, GDPR, and sector-specific regulations
• Conducts regular compliance risk assessments
• Provides ongoing training and awareness programs for all team members
• Monitors and measures compliance performance through KPIs
• Conducts regular compliance audits and reviews
• Maintains whistleblowing and complaint mechanisms

Annual Audits and Continuous Improvement

All our certifications undergo rigorous annual surveillance audits by accredited independent certification bodies. This ensures:

• Continuous compliance with evolving standards and regulations
• Regular updates to security and privacy controls
• Verification of effectiveness of implemented measures
• Identification and remediation of any non-conformities
• Demonstration of ongoing commitment to best practices

These certifications work together to provide a comprehensive framework that not only meets LGPD requirements but exceeds them, providing our customers and data subjects with the highest level of protection and transparency.

Data Protection Policy

Annex that integrates the terms of use and contracts.

CPF.CNPJ - Data Protection Policy.pdf

FAQ

Also in line with the GDPR, we provide a frequently asked questions table describing our procedures and means.

CPF.CNPJ - External Parties Data Protection Questionnaire.pdf

We emphasize that: non-sensitive data from public sources are offered, which can be manually consulted on websites and competent bodies, not expressed by free competition.