
Information Security & Data Privacy Hub
Stay informed. Stay compliant.
The SOC Blog keeps you up to date with the latest trends in Occupational Health and Safety (OHS), data protection regulations such as Brazil’s LGPD and GDPR, and key updates to our compliance management software.
Explore the most common topics addressed by our team below.
The Information Security and Privacy Management System (ISMS) of AGE — the company behind the SOC Platform — includes a comprehensive set of controls and effectiveness indicators for Information Security. All standards and policies are reviewed annually to ensure continued compliance and improvement.
Yes. AGE maintains all necessary documentation for systems that process data. This information is available strictly for internal use or for audit purposes — upon prior request and subject to approval by AGE Desenvolvimento de Sistemas. Access is granted only after signing the appropriate Non-Disclosure Agreement (NDA). The SOC Help Center, available directly within the platform, provides comprehensive information on system usage, architecture, information security, and data privacy.
Yes. SOC adheres to secure application and system development best practices throughout the entire development lifecycle — prior to production release.
The SOC development process follows a well-defined cycle that includes development, testing/QA, staging (pre-production), production deployment, and bug fixing. All stages are aligned with the security principles and best practices recommended by OWASP (Open Web Application Security Project).
Yes. AGE follows a rigorous set of standards to ensure the security of its systems. We are proud to be the first occupational health management platform in Brazil certified under:
- NBR ISO/IEC 27001:2013 – Information Security Management System (ISMS), since 2017.
- NBR ISO/IEC 27701:2019 – Privacy Information Management System (PIMS), since 2023.
These certifications are maintained through annual audits, ensuring continuous compliance with internationally recognized security and privacy standards.
AGE follows the best practices of OWASP (Open Web Application Security Project).
Annual penetration tests (PENTESTS) and monthly vulnerability scans are conducted, but the results are for AGE's internal use only, as they contain confidential information. If needed, clients may conduct their own vulnerability or penetration tests by requesting prior authorization from AGE. In such cases, access to the results will be granted upon signing a Non-Disclosure and Confidentiality Agreement.
Yes. The Disaster Recovery Plan is tested, reviewed, and updated annually.
Yes. SOC uses AWS WAF as its Web Application Firewall to monitor HTTP and HTTPS requests and protect against common web vulnerabilities that could impact availability, compromise security, or consume excessive resources. AWS WAF gives SOC granular control over incoming requests, allowing the creation and refinement of security rules to block both common and targeted attack patterns.
Yes. AWS (Amazon Web Services) provides multiple layers of protection, including:
- AWS Shield – Protection against DDoS attacks
- Security Groups and Network ACLs – Virtual firewalls for controlling inbound and outbound traffic
- AWS GuardDuty – Intelligent threat detection (IDS/IPS)
- AWS WAF – Web Application Firewall for filtering and monitoring HTTP/HTTPS requests
These services work together to enhance the security posture of the SOC platform and protect client data from unauthorized access and cyber threats.
Yes. SOC provides Web Services for file upload and download using the WS-Security standard and secure protocols TLS 1.2 and 1.3. For systems that do not support Web Services, SFTP is also available as a secure alternative.
Yes. SOC uses AWS Shield Standard to protect against Distributed Denial of Service (DDoS) attacks. This service provides always-on detection and automatic inline mitigation to safeguard the platform's availability and performance.
Yes. We use security solutions from industry-leading providers in their respective fields.
Yes. SOC implements multiple layers of protection for stored data, including encryption, logical segregation, regular backups, and cybersecurity safeguards. Access to SOC's source code is strictly limited to AGE's internal development team, ensuring controlled and secure handling of the platform's core infrastructure.
Yes. Client data is not accessed by AGE employees without the client's explicit consent, and only in exceptional cases. Additionally, all data — both at rest and in transit — is encrypted to ensure confidentiality and integrity.
Yes. SOC's Privacy Policy ensures that client data is not shared with third parties, and data access is fully managed by the client, who defines who can access what within the SOC platform — with exclusive permission and control.
In accordance with AGE's Information Security and Privacy Management System (ISMS), any nonconformity (NC) identified during an audit is addressed and resolved based on its severity, following a defined process for handling audit findings. All related evidence is for internal use only by AGE.
Yes. SOC is updated every 15 days and undergoes infrastructure improvements whenever necessary.
Clients are notified through SOC Bulletins or Scheduled Maintenance Notices sent via email.
We have a dedicated software maintenance and support team with well-defined processes to carry out all necessary repairs.
Yes. All AGE employees receive information security training upon hiring. In addition, annual workshops on information security and data privacy are conducted to reinforce internal policies and standards, ethical conduct, and anti-corruption practices.
These initiatives are complemented by lectures delivered by the Information Security team to promote ongoing awareness and compliance.
Yes. SOC provides a tool called "IP Group", which allows clients to configure and restrict source IP addresses. This feature enhances access control by limiting system usage based on predefined IP ranges, days, and time periods. SOC's infrastructure includes all necessary resources to ensure the security of transmitted data. Additional information about this tool is available in the SOC Help Center.
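The passage above describes restricting access by source IP range, day of week and time window. The following is an added example of how such a check can be implemented and unit-tested; it is not SOC's or AGE's code, and the rule format, field names and sample addresses are constructed assumptions. It generalises the description slightly by handling a time window that crosses midnight and by treating a malformed source address as a deny rather than an error.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network

# Weekday numbers follow datetime.weekday(): Monday = 0 ... Sunday = 6.
WEEKDAYS = frozenset(range(0, 5))
EVERY_DAY = frozenset(range(0, 7))


@dataclass(frozen=True)
class IpGroupRule:
    """One allow rule (hypothetical format): a source network plus the days
    and the time window during which access from that network is permitted."""
    network: IPv4Network | IPv6Network
    days: frozenset[int] = WEEKDAYS
    start: time = time(0, 0)
    end: time = time(23, 59, 59)
    label: str = ""

    def covers_time(self, when: datetime) -> bool:
        """True if `when` falls on an allowed day and inside the time window."""
        if when.weekday() not in self.days:
            return False
        t = when.time()
        if self.start <= self.end:
            return self.start <= t <= self.end
        # Window crosses midnight (e.g. 22:00-06:00): allowed on either side of it.
        return t >= self.start or t <= self.end


def evaluate(source_ip: str, when: datetime, rules: list[IpGroupRule]) -> tuple[bool, str]:
    """Default-deny allowlist check.

    Returns (allowed, reason): the label of the first matching rule on allow,
    'no-match' when no rule covers the address at that time, and
    'invalid-source' when the address cannot be parsed (never allowed).
    """
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False, "invalid-source"
    for rule in rules:
        if addr in rule.network and rule.covers_time(when):
            return True, rule.label
    return False, "no-match"


# Constructed sample rules using documentation address ranges.
SAMPLE_RULES = [
    IpGroupRule(ip_network("203.0.113.0/24"), WEEKDAYS, time(8, 0), time(18, 0), "office-hours"),
    IpGroupRule(ip_network("198.51.100.7/32"), EVERY_DAY, time(22, 0), time(6, 0), "night-ops"),
]


def audit_decisions(log_lines: list[str], rules: list[IpGroupRule]) -> list[tuple[str, str, bool, str]]:
    """Replay constructed 'ISO-timestamp source-ip' access-log lines against the
    rules, returning (timestamp, ip, allowed, reason) for each line so that a
    reviewer can spot attempts that fall outside the configured windows."""
    results = []
    for line in log_lines:
        stamp, ip = line.split()
        allowed, reason = evaluate(ip, datetime.fromisoformat(stamp), rules)
        results.append((stamp, ip, allowed, reason))
    return results


if __name__ == "__main__":
    # Constructed log lines: 2024-05-14 is a Tuesday, 2024-05-18 a Saturday.
    sample_log = [
        "2024-05-14T09:30:00 203.0.113.45",
        "2024-05-18T09:30:00 203.0.113.45",
        "2024-05-18T02:00:00 198.51.100.7",
        "2024-05-14T12:00:00 192.0.2.9",
    ]
    for row in audit_decisions(sample_log, SAMPLE_RULES):
        print(row)
```

The check is deliberately default-deny: an address that matches no rule, or that is not a valid address at all, is refused, and the returned reason can be written to the access log so that denied attempts are visible during a client audit.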
The SOC system provides access reports, action logs, and screen recording features to support client audits.
Yes. It uses login, password, and ID, along with access logs.
Yes, our database is encrypted. For encryption control, we use AWS Key Management Service (KMS).
Yes, we have a backup policy in place, and backups are performed daily. Additionally, periodic restoration tests are conducted to verify data integrity.
Yes. SOC includes data protection mechanisms such as encryption, logical segregation, backups, and cyber risk safeguards. Access to SOC's source code is strictly limited to AGE's internal development team.
Yes. We comply with the technical and legal requirements defined by Brazil's General Data Protection Law (LGPD), ensuring the privacy of the data entered into SOC.
Yes. You can access our policy at the following link: Política de Privacidade | SOC - Software de SST.
The system stores registration and identification document data, such as name, CPF and RG, at the client's discretion, as well as health history and employment records. This data is used according to the purposes defined by the client, for example to carry out medical appointments or to generate documents required by labor and social security legislation, as well as to manage the services contracted for these purposes.
This data is accessed only by users responsible for executing the related services.
Data can be made available through reports, system layouts, and Web Services, according to the client's specifications.
At AGE, annual workshops on information security and data privacy are conducted.
Yes. To comply with Article 46 of Law 13.709/2018 (LGPD), several technical and administrative measures have been implemented, including ISO/IEC 27701 certification (Information Privacy Management System) and its corresponding controls.
These include:
- Data encryption
- Data backups
- Disaster recovery plan
- Environment and role segregation
- Application and security resource monitoring
- Cloud data protection mechanisms
- Data loss prevention systems (DLP)
SOC also performs security and penetration tests to ensure system functionality in line with secure development best practices.
Our employees receive regular privacy training, completing the triad of processes, technology, and people for personal data protection.
Yes, our Privacy Policy is available at: Política de Privacidade | SOC - Software de SST, in accordance with Brazil's General Data Protection Law (LGPD).
SOC maintains comprehensive audit logs, including access logs that record user identity and timestamps of access attempts, as well as action logs that track user activities such as data entry, modification, and deletion across system functionalities.
Under Brazil's General Data Protection Law (LGPD), data deletion is the responsibility of the client, who acts as the data controller. Our team does not intervene in this process.
Article 48 of Brazil's General Data Protection Law (LGPD) establishes that it is the controller's responsibility to notify the National Data Protection Authority (ANPD) and the data subject whenever an incident may pose a risk or significant harm to individuals.
The potential impact depends on how the client manages access to their own data. SOC acts solely as a data processor and does not control or intervene in client-defined permissions. Therefore, it is the client's responsibility to assess the risks related to the information they input into the system.
SOC, in turn, continuously monitors and mitigates technological threats within its environment to ensure data confidentiality, integrity, and availability — using secure storage, encryption, and data recovery mechanisms.
Yes. We use a Data Loss Prevention (DLP) tool that monitors and controls the flow of all information and files within the company's environment. This includes tracking critical data related to Brazil's General Data Protection Law (LGPD).
If you’re a client, please contact our Support Team through the Client Portal.