Privacy Policy

Transparency

All data transmitted between our servers and the end customer is private and will not be resold. Data is protected in accordance with applicable regulations.

Registrations

The CPF (Brazilian Individual Taxpayer Registry), date of birth, and full name are requested for security reasons and to ensure that the registration is genuinely yours. Only the CPF, full name, date of birth, and company data (if provided) will be saved in our database for control panel login and attachment to the service terms of use. The data is retained for the period the registration is active, protected by the DPO ([email protected]).

If the registration is not accepted due to discrepancy in name, CPF, or date of birth, it will be necessary to contact us so we can correctly verify the information provided with those available at the Federal Revenue.

CPF.CNPJ has internal criteria for registration approval and may accept or reject certain registrations in case of violation of the terms of use.

Contracting

Will be accepted upon proof of ownership with the submission of corresponding document. Click here and read more.

Cookies

Cookies are small text files that are stored on your device (computer, smartphone, etc.) when you visit our website. They help us recognize you and personalize your experience, making it easier to visit the site again and allowing for more efficient browsing.

Marketing

This site uses cookies for sending marketing emails about our services. By continuing to browse, the user accepts the mentioned terms.

Security and Privacy Certifications

CPF.CNPJ maintains internationally recognized certifications that validate our commitment to the highest standards of information security, privacy management, and regulatory compliance.

ISO/IEC 27001:2022 - Information Security Management System
Certificate: Q7LUQTCU20251113BRAIS1Z1

Our ISO 27001 certification demonstrates that we maintain a comprehensive Information Security Management System covering:

• Access Control: Multi-factor authentication, role-based access control (RBAC), and principle of least privilege across all systems
• Cryptography: End-to-end encryption (E2EE) for data in transit, AES-256 encryption for data at rest, and secure key management
• Physical Security: Certified data centers with 24/7 monitoring, biometric access controls, and environmental controls
• Operations Security: Change management procedures, capacity planning, malware protection, and regular security patching
• Communications Security: Network segmentation, intrusion detection/prevention systems (IDS/IPS), and secure protocols (TLS 1.3+)
• System Acquisition and Development: Security requirements in development lifecycle, secure coding practices, and security testing
• Supplier Relationships: Vendor security assessments, contractual security requirements, and ongoing monitoring
• Incident Management: 24/7 security operations center (SOC), incident response plan, and breach notification procedures
• Business Continuity: Disaster recovery plan, regular backups, and tested continuity procedures
• Compliance: Regular internal and external audits, compliance monitoring, and continuous improvement

ISO/IEC 27701:2025 - Privacy Information Management System
Certificate: Q7LUQTCU20251113BRAPI15R

This certification extends our ISO 27001 framework with specific privacy controls aligned with LGPD and GDPR:

• Privacy Principles: Lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, and accountability
• Data Subject Rights: Documented procedures for handling requests for access, rectification, erasure, restriction, portability, and objection
• Consent Management: Clear consent mechanisms, granular opt-in/opt-out options, and consent withdrawal procedures
• Privacy by Design: Privacy considerations integrated into all new systems, services, and processes from inception
• Privacy by Default: Most privacy-protective settings applied automatically, with minimal data collection
• Data Protection Impact Assessments (DPIAs): Systematic assessment of privacy risks for new processing activities
• Records of Processing Activities: Comprehensive documentation of all data processing operations as required by LGPD Article 37
• International Transfers: Appropriate safeguards for cross-border data transfers, including adequacy decisions and standard contractual clauses
• Data Breach Response: Procedures for detection, notification to authorities within 72 hours, and communication to affected individuals
• Privacy Training: Regular privacy awareness training for all employees and specialized training for data handlers

ISO/IEC 37301:2021 - Compliance Management System
Certificate: Q7LUQTCC20251113BRACM1X7

Our compliance management system ensures structured adherence to all applicable regulations:

• Compliance Culture: Top management commitment, ethical values, and compliance awareness across the organization
• Governance Structure: Appointed Data Protection Officer (DPO), compliance committee, and clear escalation procedures
• Obligations Management: Register of all applicable legal obligations including LGPD, GDPR, sector-specific regulations, and contractual commitments
• Risk Management: Identification, assessment, and treatment of compliance risks using structured methodologies
• Compliance Objectives: Measurable compliance objectives aligned with organizational strategy and stakeholder expectations
• Training and Communication: Mandatory compliance training for all employees, specialized training for high-risk roles, and ongoing awareness campaigns
• Operational Controls: Documented procedures, process controls, and automated compliance checks
• Performance Monitoring: Key performance indicators (KPIs), regular compliance assessments, and management reviews
• Nonconformity Management: Root cause analysis, corrective actions, and preventive measures for compliance issues
• Internal Audit: Independent compliance audits, findings tracking, and continuous improvement initiatives
• Whistleblowing: Confidential reporting channels for compliance concerns with anti-retaliation protection

Verification and Continuous Improvement

All certifications are maintained through:

• Annual surveillance audits by independent, accredited certification bodies
• Management reviews of security, privacy, and compliance performance
• Regular updates to controls based on evolving threats, regulations, and best practices
• Employee competency assessments and ongoing training
• Customer and stakeholder feedback integration
• Continuous monitoring and measurement of effectiveness

These certifications provide assurance that CPF.CNPJ not only complies with LGPD requirements but implements industry-leading practices that exceed regulatory minimums, providing superior protection for personal data.

Data Protection Policy

Annex that integrates the terms of use and contracts.

Last updated: 01/12/2023