Verta

PRIVACY AND PERSONAL DATA PROTECTION POLICY

Updated on April 25, 2025.

VERTA DO BRASIL LTDA., hereinafter referred to as "Verta," "Company," or "We," has the mission of providing digital infrastructure for automating information capture via assessments to measure compliance levels in selected disciplines and generate analyses, action plans, and progress monitoring capable of bringing visibility, understanding, and intelligence to companies, economic groups, investees, suppliers, partners, customers, projects, institutions, among others. The solution combines the most advanced global frameworks with intelligent algorithms and user interactivity to simplify these capabilities and provide the best experience and ability to take action, engaging with third-party service providers and/or products related to the challenges identified.

To this end, we process various types of information, mostly company data that is kept confidential, some of which may be characterized as Personal Data.

This Privacy and Personal Data Protection Policy ("Policy") aims to describe how Verta treats Personal Data in operations involving its products and services ("Solutions").

Please read this Policy carefully, as your acceptance or use of any of our Solutions implies your acknowledgment and agreement with all of its contents.

1. DEFINITIONS

1.1. Before we begin, below are some terms used in this Policy so that, in case of doubt, you can consult their meaning:

a. "LGPD": Law No. 13,709/2018 – the General Data Protection Law.

b. "Personal Data," "Personal Information," or "Data": any and all information related to an identified or identifiable natural person. In other words, any information capable of directly or indirectly identifying an individual. E.g.: name, telephone number, email address, postal address, job title, among others.

c. "Sensitive Personal Data": Personal Data relating to racial or ethnic origin, religious beliefs, political opinions, membership of a trade union or religious, philosophical or political organization, data concerning health or sex life, genetic or biometric data, when linked to a natural person.

d. "Processing": any operation performed on Personal Data, such as those relating to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction.

e. "Data Subject": natural person to whom the personal data being processed refers.

f. "Data Protection Officer" or "DPO": person appointed by Verta to act as a communication channel between the Company, Data Subjects, and the National Data Protection Authority (ANPD) in relation to data protection.

g. "Controller": natural or legal person, under public or private law, responsible for decisions regarding the Processing of Personal Data.

h. "Processor": natural or legal person, under public or private law, who carries out the Processing of Personal Data on behalf of the Controller.

i. "Decision-Making User": natural or legal person who contracts and uses Verta's Solutions to measure and understand the level of compliance in selected disciplines and generate analyses, action plans, and progress monitoring that they decide on within companies, economic groups, investees, suppliers, partners, customers, projects, institutions, among others, and connect to third-party service providers and/or products related to the challenges identified, and who, during this process, carry out the Processing of Personal Data.

j. "Analyzed and/or Monitored User": natural or legal person who contracts and uses Verta's Solutions, originating from a "Decision-Making User" to measure and understand the level of compliance in selected disciplines and generate analyses, action plans, and progress monitoring.

k. "Personal Data Owner": The owner of the Personal Data that is subject to Processing through the use of Verta's Solutions via the Contractor(s) in which they act directly or indirectly.

l. "Contractor(s)": any natural or legal person who has contact with, receives a commercial proposal sent by Verta, or registers to use any of the Solutions made available by Verta, either directly or at the request of a "Decision Maker." In some cases, the Contractor will be the "Analyzed and/or Monitored User" (Data Owner). In other cases, the Contractor will appear as the "Decision-Making User" (Data Controller).

m. "Database": a structured set of Personal Data, established in one or more locations, in electronic or physical form.

2. DPO CONTACT

2.1 Verta has a person responsible for the role of DPO, who can be contacted at any time via the email address [email protected].

3. VERTA SOLUTIONS

3.1 Verta has a platform that automates the data collection process within frameworks whose sole purpose is to indicate the level of compliance of companies with regard to disciplines such as cybersecurity, as well as to enable decision-making that allows for evolution in compliance. The ability to measure, understand, plan, and monitor progress in compliance with disciplines within predetermined frameworks will strictly involve the owners of the personal data processed in the operation, for the indication of accesses, persons, and those responsible for responses, which may be directed to third parties, since they will share or have their data shared only when necessary ("Verta Platform").

3.2. The Verta Platform allows companies (Decision-Making Users) to request their suppliers, investees, and the like (Analyzed and/or Monitored Users) to complete assessments aimed, more specifically, by the Decision-Making User at:

3.2.1. Compliance, Trends, and Standards Analysis: Understand current compliance, trends, and standards in relation to each discipline for the company itself or among companies that are part of its economic group, supply chain, customers, among others;

3.2.2. Comparison with Best Practices: Compare the practices of each discipline with the recommendations and best practices defined by the main global frameworks; and

3.2.3. Comprehensive Reports: Publish a general report and sector reports that present the results in a comprehensive manner, without identifying any individual company, enabling companies to compare themselves.

3.3. The Personal Data of the Personal Data Owner may be collected in the following ways: (i) when the Personal Data Owner registers or assesses the Contractor on the Verta Platform and provides the necessary information, including their Personal Data; (ii) when the Decision-Making User enters the Personal Data Owner's Data on the Verta Platform to respond to an assessment; or (iii) when the contractor enters the contact details of Personal Data Owners from other companies on the platform.

3.3.1. When the Decision-Making User enters Personal Data of the Data Subject on the Verta Platform, the Decision-Making User shall be responsible for informing the Data Subject about the Processing of their Data, including with regard to obtaining the respective consent, when applicable.

3.4. Each Decision-Making User shall also be responsible for establishing indicators that are compatible with their interests and needs ("Parameters"), which may affect the collection of personal data from the Personal Data Owner and may be changed at any time by the Decision-Making User and are their sole responsibility.

3.5. Through its Solutions, Verta will process the Personal Data of the Personal Data Subject in accordance with, and as strictly necessary to fulfill, the purposes established by the Decision-Making User and Contractor(s).

3.6. The Processing will be carried out automatically based on the Parameters established on the Verta Platform by the Decision-Making User, with no interference or guidance by Verta in the form or duration of the Processing resulting from the analysis, planning, or monitoring of progress regarding compliance with the chosen disciplines.

4. DATA SHARING

4.1. Through its Solutions, Verta also acts as a communication channel between the Decision-Making User, Analyzed and/or Monitored User, Contractor(s), and other agents who may be involved as third parties to use the Verta platform and its analyses to provide services and/or sell products, in which case the necessary Personal Data of the Personal Data Subject is or may be shared with third parties.

4.2. As a rule, the Personal Data of the Personal Data Owner is shared in an anonymized or pseudonymized form, so that the third parties involved only have access to the contact data necessary for the evaluation of which the Personal Data Owner is a part, without additional information that allows them to be identified directly or indirectly as an individual.

4.3. If you have any questions about how your Personal Data may be shared or accessed by Verta Solutions, you may contact us at [email protected], in which case we will forward your request to the Data Controller.

5. APPLICABLE PROCESSING SCENARIOS

5.1. Data Processing resulting from the use of the Verta Platform will be based on the following legal grounds:

5.1.1. In the execution of the Solutions contracted through adherence to the Terms of Use by the Decision-Making User, the Personal Data Owner, and/or the Analyzed and/or Monitored User (Article 7, V).

5.1.2. Based on the consent of the Personal Data Owner, when applicable (Articles 7, I, and 11, I, both LGPD).

6. TYPES OF DATA AND FORM OF PROCESSING

6.1. Through the Verta Platform, only Personal Data Processing is possible, subject to the responsibilities set forth in item 10.2.1. of this Policy.

6.2. To enable its Solutions, Verta may perform various forms of Data Processing, including, but not limited to: access, collection, structuring, analysis, evaluation, classification, processing, filing, storage, sharing, making available, and communication.

7. DATA STORAGE

7.1. Personal Data processed by Verta through its Solutions will be stored on servers that may be located outside Brazil, provided that the suppliers comply with applicable data protection legislation.

8. END OF PROCESSING

8.1. The Personal Data of the Personal Data Subject will be processed as long as there is a specific and legitimate purpose for doing so. In some cases, we will need to retain Data to comply with legal obligations (Art. 7, II, LGPD) or to regularly exercise our rights (Art. 7, VI, LGPD).

8.2. If the Data is eventually processed with consent, the Personal Data Owner may, by express statement to be sent to the email address [email protected], revoke the consent provided, which will result in the interruption of the Processing within 15 days of the request.

9. WHAT ARE THE RIGHTS OF PERSONAL DATA SUBJECTS?

9.1. Through the channels made available by Verta, Data Subjects may make requests regarding:

a) confirmation of the existence of Personal Data Processing;

b) access to information regarding the Personal Data we hold;

c) correction of incomplete, inaccurate, or outdated Data;

d) anonymization, blocking, or deletion of unnecessary or excessive Data;

e) portability of Data to third parties, within legal limits and in accordance with ANPD guidelines;

f) deletion of Personal Data;

g) information about the public and private entities with which we share your Personal Data;

h) information about the possibility of not providing consent for the Processing of your Data and the consequences of this option;

i) revocation of consent, under the terms of item 8.2. above.

10. SECURITY

10.1. Verta adopts all technical and organizational measures to protect the data of companies and Personal Data processed through its Solutions. This includes:

10.1.1 Controlled and audited access by authorized persons to the platform where the data is stored, through:

10.1.1.1 Authentication without the use of passwords, ensuring non-repudiation of those who access

10.1.1.2 Definition of roles and functions for access to systems and data

10.1.1.3 All access is audited, regardless of level

10.1.2 Active and permanent use of encryption, ensuring the inviolability of all metadata entered and stored

10.1.3 Anonymization of data, in accordance with current data protection laws

10.1.4 Individualized and restricted research reports will be made available with private access for each research participant

10.1.5 Privacy and non-use of private data for any purpose other than research

11. RESPONSIBILITIES

11.1 Verta adopts the best information security tools and digital compliance practices to provide the appropriate level of privacy and security for company data and Personal Data. However, we emphasize that, despite all our efforts, we are unable to ensure the absolute and total inviolability of the Processing, so we cannot be held responsible for any damages caused by third parties due to non-compliance with this Policy and/or the contractual obligations assumed with Verta.

11.2 Verta, as a rule, acts as a Data Operator, since it only provides the means for Data Processing to be carried out through its Solutions, in accordance with the Parameters established by the Decision-Making User.

11.3 The Verta Platform allows the Processing of Personal Data, and the Decision-Making User is responsible for ensuring the purpose and appropriateness of the Processing, as well as the necessity, relevance, and quality of the Data entered into the Platform.

11.4 Depending on the type of request sent by the Personal Data Subject, Verta, as Operator, will forward it to the Decision Maker, who is responsible for decisions regarding Processing (Controller), and cannot be held liable for the absence or ineffectiveness in responding to such request.

11.5 As Operator, Verta shall not be liable in cases where the Parameters established by the Decision-Making User are or may be considered discriminatory Processing.

11.6 The Decision-Making User shall have full autonomy to define the Parameters and third parties involved in the Processing of Personal Data of the Personal Data Subject, and shall be solely and exclusively responsible for any third parties involved in the operation, as well as for any damages or losses caused to Data Subjects as a result of the action or omission of such third parties.

11.7 Verta shall not be liable for Data Processing carried out outside the context of its Solutions.

11.8 Verta shall not be liable for the improper sharing by any Users of their login or password to access any of its Solutions, regardless of whether they are the Decision-Making User or the Analyzed and/or Monitored User.

11.9 Verta shall also not be liable for the criminal acts of hackers, crackers or similar, as well as for actions or omissions that may be attributed exclusively to Users (Decision-Makers or Analyzed and/or Monitored) or third parties, except in cases of proven negligence by Verta in protecting Personal Data and company data.

12. POLICY UPDATES

12.1. This Policy may be changed or replaced at any time, at Verta's sole discretion, without prior notice, and the Company undertakes to keep the entire content of this document up to date and available for access through our Website https://app.verta.com/terms-and-conditions.

12.2. We recommend that you review this Policy periodically, as the rules and information regarding the Processing of your Personal Data will always be linked to its most recent version.

13. GENERAL PROVISIONS

13.1 If one or more provisions contained in this Policy is considered invalid, illegal, or unenforceable in any respect, the validity, legality, or enforceability of the remaining provisions contained in this Policy shall not be affected and/or impaired in any way by this fact. In this case, Verta will replace the invalid, illegal, or unenforceable provisions with valid provisions.

14. LEGISLATION AND JURISDICTION

14.1. This Policy shall be governed by the laws of the Federative Republic of Brazil.

14.2. For the resolution of any issues or conflicts arising from this Policy, the jurisdiction of the District of São Paulo, State of São Paulo, is hereby elected, with waiver of any other, however privileged it may be.