Domain	Sub-domain	Definition of key security measure	Provider Answers
Availability management	Service availability	SLA provided by the service offered	Up to 95%
		Explain the Business Continuity Plan (BCP), Disaster Recovery Plan (DRP),  RPO (Recovery Point Objective) and RTO (Recovery Time Objective) available (or not ) by the service offered	Servidor secundário que pode ser ativado a partir dos backups em 10h
		Provide some figures related to your solvency	Nosso indice de solvencia é 3,65, não temos dívidas contraídas e temos em caixa e investimentos 3x o nosso faturamento mensal, trabalhamos com reservas para pagamentos de rescisões de contrato.
		Do you provide any DDoS protection?	Sim, verificamos continuamente o numero de ligacoes estabelecidas de varios IP e bloqueamos automaticamante na firewall, temos firewall blacklist.
	Service performance	Detail your service levels in terms of performance (such as response time for the software)	Manager resposetime (per page)  less than 1s on most operations
Operation	Incident management	Explain your responsibilities and customer's in the event of a security breach	A contenção da informação e restauro de backups para normalizar os serviços.
		Describe the incident management procedure that it must be followed in case of security related incidents (for both cases, contracting company or SaaS provider initiated)	Se existir algum incidente de segurança, a B2 Mídia fará a analise forense no ambito do contrato de servidores , dependendo da falha de segurança fará a análise dos LOGS para identificação, e procederá aos procedimentos de correção da falha detetada e fará o restauro dos dados a partir de backup.
		Indicate which kind of incident post-mortem analysis are you able to provide and share with contracting company	Logs de acesso, base de dados, e eventos de sistema
	Monitoring	Explain the monitoring that you perform to your service. In case some monitoring is delegated to contracting company, please explain.	A B2 Mídia monitora o estado do servidor (discos, cpu e acessos), além dos terminais client (discos, cpu e acessos).
		Describe the availability metrics that are available so contracting company can ensure that the service provided is aligned to the one offered	Dashboard com o serviço , terminais, utilização dos terminais e relatórios com as insersões de conteúdo
Traceability management	Action traceability	Describe the security logs that your main IT components - security components (Firewall proxy…), application's servers - are able to collect and the time that they are maintained in your systems.	Manager operations logs, system logs, http acess log, firewall log
		Describe which critical users actions (i.e. authentication, data modification, business critical operations) are you able to track and if the generated logs are accessible for contracting company.	Login in aplication, edit, manage and insert all type of contents (files, playlists, slides terminais) are available in XLS file.
		Explain if you use a unique and reliable external time source in all log generators	Log generation uses internal system clock
Data protection	Communication protection	Explain how do you protect the communications between contracting company and your application. Provide algorithm supported and accepted by your server and key length used.	Comunications via HTTPS SSL/TLS , API rest with unique signatures
		Explain if the communications between contracting company and the SaaS provider are authenticated.	API Rest authenticated, Manager authenticated
		Explain how do you protect the communications inside your IS (including any third parties). Please make a focus on the application that may be used by contracting company	Não entendi esta pergunta…
		Explain if data transfers between your servers are any verification control to detect any modification (i.e. checksums)	Data is transfered by blocks and each block has a checksum to check authenticity and correct transfer.
	Data and treatments security	Explain if contracting company's data is stored encrypted (if yes, please explain algorithm, length keys and key protection measures)	sensitive data is escripted passwords, other data and media files are compressed but not encripted.
		Explain how do you isolate contracting company's data from other tenant's services (detail if it will be physically or logically and the methods to do so)	Playlists and database data are stored by user_id_key tables on the same database, media files and content are stored in specific user directories on the same device.
		Explain your procedure to erase data on your IT components that could contain client's data.	Database tables are deleted , and multimedia and content directories are "shreaded"
		Explain if you provide any type of backup of contracting company's data.	Yes databse backup and media content backup every day
		Explain how do you protect any access to any support you may use to perform the backups (including externalized one)	Backup is made on a secure server and compreesed and encripted.
	Platform compromise prevention	Describe the protection that you implement to each of your server (antivirus, antimalware , etc.)	Linux file system allways uptated, inteligent firewall, sqlinjection protencion agent
		Describe your procedure to implement critical security patches or updates to all layers of your services (OS, DB, Application)	Weekly updating the system and performing upgrades. Or updating after major critical update release vis linux repository
		Describe the Development Life process that you use to maintain the SaaS	Corrective maintenance are aplied with a 24h to 5 days repair since reported, major releases are made in a semestral base
		Explain if all your employees must sign a confidentiality-security agreement and if you are (as company) able to sign a NDA as well concerning contracting company's data.	Sim, os colaboradores da B2 Mídia possuem um termo assinado junto à empresa. Sim, a B2 Mídia está disposta a assinar um termos NDA junto à contracting company.
		Explain the procedure that you use to ensure that administrator accounts and passwords are appropriately protected (MFA, strong password policy, etc…)	Passoword policy can be easily customized to fit needs. Parameterization for strong passwords includes the possibility of requiring or not: Blending of uppercase and lowercase letters, including digits, special characters, minimum length setting, saving or not the password for future passwords setups, expiration date of the credential, limitation of access attempts and blocking by inactivity after a given period.
Access control	Identity and Access Management	Is it possible to use as login the SGI ID (contracting company identifier)? if not possible, the contracting company email address ? If not which is the method?	The identification system uses email and can be the contracting company email address.
		Do you support the contracting company's SSO to authenticate contracting company's users on the cloud services ? (fyi, SAMLv2 protocol is used by contracting company's SSO)	Yes the system fully suports ADFS with SAMLv2
		Are Access rights provisioning and deprovisionning services available (i.e. Web interface, API for batch import or directory synchronization)	Yes. Web interface or AD sincy.
		Are you reviewing your employees accounts regularly?	Yes, we are.
		How do you ensure that network and administration duties are properly segregated?	Segregation and administration duties, when in an internal environment are the responsibility of network administrators (It is important to note that, in order for segmentation to be effective, it must contain a firewall, where policies can be implemented that only allow the communication of devices that must exchange data through the network. business need).
		Are your employees having access to contracting company's data? How do you ensure that inappropriate access from your employees is perform on contracting company's data?	Employees will have access to data entered on the platform for support and guidance purposes. no sensitive information is downloaded or disclosed outside the site by the internal B2 Mídia team. All employees are governed by our information security and data protection policies. The access of the B2 Media is monitored by users' logs and, this user is for the exclusive use of the internal team B2 Mídia.
	Access points control	Must any type of interconnection (telecom) with contracting company network be done? If yes, please explain	HTTPS Acess with or without proxy
		How are your administration access points protected? Are they accessible from the web?	Acessible from Web
		Which security do you implement for your SaaS? (i.e. WAS, WAF, pen-tests on their web platforms)	WAF, SQLinnjection filer, Global Blacklist firewall
	Data and application integration	Is there any integration with contracting company systems? If so, how it will work (provide a detailed explanation)?	No. There ins´t.
Contract	Reversibility	Who is the owner of the data stored on your application SaaS? How will contracting company recover all the stored data after the end of contract? Will be a usable format? Which procedure will you use to delete contracting company's data?	Possible to retrieve multimedia content and midia, not possible to retrieve playlist information. Data will be deleted from the database tables and mukltimedia content will be "shreaded" .
	Service management	Please, provide a clear definition of features and functionalities the service provides, as well as any dependencies the service may have on components expected to be supplied by the contracting company.	Service provides management and creation of midia sequences anda animations to create channels of internal tv information.
		Please explain your downtime procedure calculation. Provide a clear description of your patches and updates procedures and how is impacting this calculation. How is contracting company informed in case a planned downtime period?	Normaly patches and upgrades don't require downtime. In the expecion that servers need to be reallocated downtime is no longer than 8 hours na usually in downtime periods (night , weekends) players don't stop playing
		Explain your human resources policy? Focus  on the hiring of privileged administrators	Nosso regime de trabalho é prioritariamente CLT, e para o perfil citado é extremamente necessário que as Skills pertinentes as atividades, estejam de acordo com as especificadas pelos Gestores da área.
		Explain the conditions under which the SaaS provider and/or contracting company may change or terminate the service
		Do you implement a formal disciplinary process to ensure that your employees respect all your security obligations? Would you be able to communicate any sanctions taken to contracting company?	Sim, temos uma política de segurança da informação assinada por todos colaboradores e por fornecedores que de alguma forma tem acesso a algum sistema, além de amplamente divulgada e relembrada semestralmente pela equipe de comunicação e que inclusive abrange sanções na esfera civil e criminal em caso de descumprimento.
		Is there any penalty for breaching the SLA considered in your proposal?	No, there isn´t
	Auditing and regulation	Do you have any certification / audit performed that support your service (i.e. ISAE 3402, ISO, ISO/IEC 27018:2014  for personal data, etc.)? If yes, would it be possible to obtain the last ones before the contract? And during the contract period, the potential updates of them.	No, there isn´t
		Is it possible that contracting company will audit your services?	Yes, there is.
		Do you comply with the local and international regulations that may apply?	Yes, we do.
		Please, clarify where exactly contracting company data will be physically located ? In which cases contracting company's data may be moved to another location?	AWS São Paulo,data may be moved but only as a expecion method as a response to a secutiry threat, provider mailfuncition , disaster