Information Security Policy

Technical and organizational controls adopted by Oneck Creative LTDA to protect the confidentiality, integrity, and availability of data processed by Reverba. Structured following ISO 27001/27002, meeting LGPD Article 46 and GDPR Article 32 requirements.

Version v1.0

1. Objective

Establish mandatory guidelines for all employees, contractors, and sub-processors who handle data on behalf of Reverba. This policy defines minimum controls to protect information assets against unauthorized access, loss, improper alteration, or unavailability.

2. Scope

Applies to:

  • All systems, databases, and files under Reverba's management.
  • Every employee, contractor, or partner with access to personal or sensitive data processed by Reverba.
  • All environments (production, staging, development) and devices (servers, workstations, corporate mobile devices) used to deliver the service.

3. Governance and responsibilities

  • Oneck Creative LTDA executive board: approves this policy, allocates resources, and is accountable for serious deviations.
  • Data Protection Officer (DPO): privacidade@reverba.com.br. Receives communications from data subjects and the Brazilian Data Protection Authority (ANPD); advises on practices; oversees LGPD/GDPR compliance.
  • Tech Lead: responsible for technical code controls (hardening, encryption, code review, vulnerabilities) and CI/CD pipeline maintenance.
  • Operations: executes backup, monitoring, and incident response procedures per the Incident Response Plan.

4. Data classification

Data processed by Reverba is classified at three levels:

  • Confidential. Examples: passwords (hashed), marketplace OAuth tokens, encryption keys, payment data (handled by Mercado Pago). Minimum controls: encryption at rest and in transit; role-based restricted access; mandatory auditing.
  • Restricted. Examples: Operator and Contact PII (name, email, phone, purchase history), message content. Minimum controls: encryption in transit; multi-tenant isolation; need-to-know access; read logs for sensitive actions.
  • Internal. Examples: aggregated operational logs, usage metrics, telemetry with anonymized IP. Minimum controls: authorized employees only; limited retention.

5. Access control

  • Least privilege: every employee receives only the permissions strictly necessary for their role.
  • Authentication: passwords stored with bcrypt (cost 10), JWT tokens with 15-minute access TTL and 30-day rotating refresh. Credential sharing is prohibited.
  • Product roles: OWNER (account administrator), ADMIN (operational manager), SELLER (operator). Every API endpoint validates the minimum required role.
  • Administrative access: the production dashboard is accessible only to the technical team via dedicated VPN; production database access requires Tech Lead authorization and is logged.
  • Revocation: upon any employee separation, all accesses are revoked within 24 hours (target: 1 hour for incidents involving staff).
  • MFA: mandatory implementation for OWNER and ADMIN roles is on the roadmap (Q3 2026); meanwhile, long unique passwords + suspicious login monitoring cover the gap.

6. Cryptography

  • In transit: TLS 1.2+ mandatory on all public endpoints. HSTS active. Security headers via helmet (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy).
  • At rest:
    • Passwords: bcrypt cost 10 (each verification takes >100 ms, which makes brute-force attempts expensive).
    • TikTok Shop, Mercado Livre, Shopee, and Meta OAuth tokens: AES-256-GCM with 256-bit keys generated via openssl rand -hex 32, persisted in .env.
    • Postgres: full disk encryption provided by VPS provider.
  • Key management: encryption keys are kept outside version control; stored only in production server .env and offline vault. Scheduled rotation every 12 months or upon incident.
  • Webhooks: HMAC-SHA256 mandatory on every inbound webhook (TikTok Shop, Shopee, Mercado Livre, Meta). Invalid signatures yield 401 and an alert log entry.

7. Network security

  • Segregation: production environment isolated via VPS firewall, with restricted ingress rules (only 443/HTTPS public, 22/SSH only from team IPs). Database has no port exposed to the internet — listens only on localhost of the application server.
  • Anti-DDoS / anti-bot: global throttler on sensitive endpoints; Cloudflare in front of the public website and the API gateway.
  • CORS: restricted allowlist of origins (no wildcards) — defined in .env.
  • Webhook IP allowlist: optional per integration (applicable when the source platform publishes a stable IP range).

8. Corporate endpoints

  • Team workstations run macOS with FileVault enabled, automatic OS updates, and local passwords with minimum complexity.
  • Endpoint Detection and Response software (native macOS XProtect + additional monitoring) installed on every workstation with access to production data.
  • Private code repositories; password-protected SSH keys; GPG signed commits when feasible.

9. Secure development

  • SDLC: feature branching; PRs reviewed by at least 1 other engineer before merge to main.
  • Dependencies: recurring npm audit; critical vulnerabilities addressed within 7 business days.
  • Input validation: global Nest pipeline with class-validator enforcing whitelisting + Zod on critical payloads. Rejects undeclared fields.
  • Injection prevention: Prisma ORM with prepared statements; no manual SQL concatenation.
  • Tests: minimum 70% backend coverage; e2e suite validates multi-tenant isolation on every deploy.
  • Secret scanning: pre-commit hook prevents committing tokens, AWS keys, or plaintext passwords.

10. Vendor management

Each sub-processor listed in Privacy § 5 undergoes prior assessment, considering:

  • Reputation and history of public incidents.
  • Existence of a Data Processing Agreement (DPA) and international transfer clauses where applicable.
  • Available certifications (SOC 2, ISO 27001, PCI-DSS for payments).
  • Data location and legal bases for transfer.

Material changes (provider switch, new regions) are communicated 14 days in advance to account-owning Operators.

11. Vulnerability management

  • Monitoring: npm audit on every CI run; automatic GitHub Dependabot alerts.
  • Classification: vulnerabilities classified as CRITICAL / HIGH / MEDIUM / LOW per CVSS.
  • Remediation SLAs:
    • CRITICAL: within 7 business days.
    • HIGH: within 30 days.
    • MEDIUM: within 90 days.
    • LOW: next maintenance cycle.
  • Responsible disclosure: researchers who identify vulnerabilities can report via privacidade@reverba.com.br. We do not retaliate against good-faith research.
  • Pentest: external pentest is on the 2026 roadmap (after platform stabilization).

12. Business continuity and backup

  • Postgres backups: daily full snapshots + continuous WAL streaming. Retention: rolling 30 days.
  • Location: backups stored in the same region (Brazil) on a separate volume from the primary server.
  • Restore drill: quarterly restore test in an isolated environment; documentation kept current.
  • RTO (Recovery Time Objective): 4 hours for a catastrophic incident.
  • RPO (Recovery Point Objective): 1 hour.

13. Auditing and logs

  • Application logs: every request recorded via Pino (structured JSON) with request-id; 90-day retention.
  • Domain audit log: destructive and permission-changing actions recorded in a dedicated table (AuditLog) with actor, timestamp, IP, sanitized payload; 2-year retention.
  • Webhook logs: every inbound webhook has an idempotent event ID in MarketplacePushInbox — enables replay and dedupe.

14. Improvement roadmap

We acknowledge limits and stay transparent about them. Items in development or evaluation:

  • Mandatory MFA for OWNER and ADMIN Operators — Q3 2026.
  • External pentest with a recognized vendor — evaluation in 2026.
  • SOC 2 Type 2 certification — under evaluation for 2027 based on enterprise customer volume.
  • Managed HSM for encryption keys (instead of .env) — under evaluation.

Material updates to this policy are communicated as per § 13 of the Privacy Policy.