Privacy Policy

The controller of the personal data processed in relation to the website and your account is SAFONT REIS ASSESSORIA LTDA, registered under CNPJ no. 49.204.046/0001-11, headquartered at Al. Purus, 105, Und. 161 — Barueri/SP — CEP 06454-030 ("Dash4Sec", "we"). For privacy matters and to contact the Data Protection Officer (DPO): privacidade@dash4sec.com.

With respect to the Customer Content entered into the platform, the customer is the controller and Dash4Sec acts as the processor, under the terms of the DPA.

Account and registration data (name, email, company, role, language, protected credentials, MFA settings and recovery email).

Usage and technical data (pages accessed, audit events, IP address, session identifiers), used for security and improvement of the Service.

Browsing data collected by analytics and marketing cookies (for example, Google Analytics, Google Ads and LinkedIn Insight Tag), processed in aggregate form and only with consent. See the Cookie Policy.

Billing data processed by Stripe (we do not store full card numbers).

Customer Content (environments, evidence, suppliers, contacts and questionnaire responses), processed as a processor.

We process data to: perform the contract and provide the Service (art. 7, V); comply with legal and regulatory obligations (art. 7, II); pursue the legitimate interest in security, fraud prevention and product improvement (art. 7, IX); and with consent, where applicable (art. 7, I), for example for non-essential cookies.

We share data only with processors that support the provision of the Service, under contract and with appropriate safeguards, including: hosting/infrastructure provider, Stripe (payments), Resend (email sending), Cloudflare Turnstile (anti-bot protection for registration), Google (Google Analytics and Google Ads) and LinkedIn (Insight Tag) — these last two for audience measurement and advertising, only with consent — and Anthropic (AI assessment, when enabled).

Integrated rating providers are accessed with the customer's own credentials, at its initiative. We do not sell personal data.

Some sub-processors may process data outside Brazil. In such cases, we adopt the safeguards provided for in the LGPD (art. 33), such as standard contractual clauses, ensuring an adequate level of protection. See the Standard Contractual Clauses (SCC) and the DPA.

We keep data for as long as necessary for the purposes and legal obligations. After the account is closed, the Customer Content is deleted or anonymized within a reasonable period, except for retention required by law.

We adopt technical and organizational security measures, described in the Trust Center, including encryption of secrets, isolation between organizations, role-based access control (RBAC) and MFA.

You may request confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing and revocation of consent. We will fulfill requests within the periods set by the LGPD. Use the form below or write to our Data Protection Officer.

This Policy may be updated. We will communicate material changes through the usual channels and indicate the date of the last update.