Information security policy

Last updated: May 17, 2026

1. Purpose

This Information Security Policy establishes the general principles under which information handled by the platform, its tenants, organizations, users, and related services is protected.

2. Principles

Service operation is guided by the principles of:

- confidentiality;
- integrity;
- availability;
- traceability;
- least privilege;
- need-to-access;
- shared responsibility.

3. Access control

System access is granted according to role, tenant, organization, and current permissions. Each user must:

- use individual credentials;
- protect passwords and authentication factors;
- avoid sharing sessions, tokens, or access links;
- sign out from shared or risky environments.

Administrators should periodically review users, permissions, active sessions, role changes, and exceptional access.

4. Identity and authentication management

The platform may support local authentication, corporate directory authentication, magic links, or other approved mechanisms. The operator and administrators may apply controls such as:

- attempt limits;
- concurrent session controls;
- two-factor verification;
- secure access recovery;
- authentication event traceability.

5. Information protection

Information stored, transmitted, or processed must be protected through reasonable controls according to its criticality, including where applicable:

- encryption in transit;
- logical segregation by context;
- audit logging;
- role-based access controls;
- protection of documents and attachments;
- secure settings for email, webhooks, and integrations.

6. Tenant and organization responsibilities

Tenants and organizations that manage their own environment must:

- review their security and authentication settings;
- limit access to authorized personnel;
- validate domains, outbound email, corporate directory, and integrations;
- review policies, notifications, and operational controls;
- promptly report incidents, misuse, or suspicious activity.

7. Security incidents

Any user, administrator, tenant, or organization that detects an incident, anomaly, or suspected compromise must report it through the defined support or security channels. Depending on the case, the operator may:

- isolate affected components or accounts;
- revoke sessions or credentials;
- disable functions or access;
- preserve technical evidence;
- require additional validation before re-enabling access.

8. Acceptable use of integrations

Email, webhook, authentication, storage, and corporate directory integrations must be configured with valid credentials, minimum necessary privileges, and legitimate purposes. The platform may not be used for:

- unauthorized intrusive testing;
- improper mass extraction;
- abusive message delivery;
- malicious automation;
- evasion of service controls.

9. Logging and monitoring

The platform may generate technical, audit, access, administrative activity, and security event records to support:

- operations;
- support;
- incident investigation;
- compliance;
- usage analysis;
- business continuity.

These records may be consulted by authorized profiles within the scope allowed by their roles and policies.

10. Continuity and maintenance

The service may require preventive, corrective, or evolutionary maintenance. During these activities, the operator may apply temporary restrictions, scheduled tasks, or protective mechanisms to preserve stability and security.

11. Review and improvement

Service security is an ongoing process. Controls, procedures, and settings may be reviewed and updated in response to changes in risk, operations, regulations, or product capabilities.

12. Shared responsibility

Security does not depend solely on the operator. It also requires users, tenants, and organizations to maintain responsible configuration, proper access management, and timely response to incidents or deviations.