Security, privacy, and governance controls adopted by Sinky.
Annex III of the Privacy Policy — Updated June 2026.
Last updated: June 2026
1. Purpose
This Annex describes the main security, privacy, governance and operational continuity controls adopted by Sinky to protect information processed by its platform.
This document complements:
Privacy Policy
Terms of Use
Responsible AI Policy
Other Sinky governance documents
2. Overview
Sinky is a global AI-native decision infrastructure platform that helps organizations create, operate and evolve critical decisions related to credit, fraud, compliance, onboarding, risk and other corporate processes.
Information security is treated as a fundamental element of the platform's architecture, operation and continuous evolution.
3. Certifications & Compliance
SOC 2 Type II
Sinky maintains SOC 2 Type II certification based on:
Security
Availability
Confidentiality criteria
The audit is performed by an independent auditor and evaluates the operational effectiveness of controls implemented by the organization during a continuous observation period.
Privacy
Sinky operates considering principles present in:
LGPD (Brazil)
GDPR (European Union)
International data protection best practices
4. Infrastructure
Cloud Infrastructure
The platform runs on Microsoft Azure-based infrastructure. The architecture was designed to offer:
High availability
Scalability
Logical environment segregation
Continuous monitoring
Operational resilience
Environments
Sinky maintains segregated environments for:
Development
Staging
Production
Specific controls limit access and movement between environments.
5. Encryption
Data in Transit
All communication with the platform uses TLS encryption. Insecure or obsolete protocols are discontinued as market standards evolve.
Data at Rest
Data stored by the platform is protected by encryption mechanisms compatible with widely adopted industry standards. When applicable, we use AES-256 based encryption or equivalent controls provided by infrastructure providers.
6. Access Control
Least Privilege Principle
Access to systems and information is granted only when necessary for executing each employee's responsibilities.
Role-Based Access Control (RBAC)
The platform supports role-based access control (RBAC). Permissions can be configured according to:
Role
Area
Responsibilities
Operational need
Access Reviews
Permissions are periodically reviewed and removed when no longer necessary.
7. Authentication
Multi-Factor Authentication (MFA)
Sinky requires multi-factor authentication for access to critical corporate systems. MFA significantly reduces risks associated with credential compromise.
Credential Management
Credentials are managed by appropriate security mechanisms and should not be shared between users.
8. Logs & Auditing
The platform records relevant security and operational events. Records may include:
Authentication
Configuration changes
Workflow execution
Integrations
Administrative actions
Relevant operational events
Decision Auditing
Whenever technically applicable, the platform records:
Data used
Rules executed
Recommendations generated
Human interventions
Final result
These records enable traceability and auditing of critical decisions.
9. Monitoring & Observability
Sinky maintains monitoring mechanisms designed to identify:
Unavailability
Performance degradation
Anomalous events
Potential security incidents
Observability processes support diagnosis and operational response.
10. Vulnerability Management
The organization adopts continuous practices for identifying, evaluating and addressing vulnerabilities. These activities may include:
Security updates
Software patches
Dependency monitoring
Technical reviews
Security testing
11. Incident Response
Sinky maintains internal procedures for security incident management. Processes include:
Identification
Classification
Containment
Investigation
Mitigation
Recovery
Documentation
When applicable, impacted clients may be notified as required by legal, regulatory or contractual requirements.
12. Business Continuity
The platform's architecture was designed to reduce operational interruption risks. Sinky maintains processes for:
Service recovery
Critical component redundancy
Data protection
Business continuity
13. Backup & Retention
Backup
Backup procedures are executed to support operational recovery when applicable.
Retention
Data and records may be maintained for the period necessary for:
Service delivery
Legal obligation compliance
Regulatory requirements
Auditing
Dispute resolution
After applicable periods expire, data may be removed or anonymized according to internal policies.
14. AI Security
AI features provided by Sinky are subject to the same security controls applicable to the rest of the platform. These controls include: