Data Governance

Data governance is the set of practices, policies, and controls that ensure personal data is collected, processed, stored, and shared in a transparent, secure, and accountable manner.

Effective data governance gives individuals visibility into how their information is handled and gives organizations the framework to manage data responsibly across their operations.

Traqen implements technical, organizational, and procedural measures designed to support data governance:

• Privacy by design: security and data protection are incorporated from the initial design phase of every feature.
• Governance program: internal policies, periodic training, and continuous improvement of data handling practices.
• Impact assessments: data protection impact assessments are conducted when applicable or requested by a supervisory authority.
• Clear processing basis: every data processing operation is linked to a specific, documented legal basis.
• Transparent automated decisions: general criteria for risk scoring are documented, with a channel for review requests.
• Data minimization: only the minimum data necessary to deliver the service is collected and retained.

Traqen processes data on the following bases:

• Contract performance: account creation, authentication, and execution of contracted scans.
• Legal obligation: retention of access logs as required by applicable law.
• Exercise of legal rights: defense in judicial, administrative, or arbitration proceedings.
• Legitimate interest: platform security, fraud prevention, and service improvements.

Consent is not the primary basis for essential service operations.

Traqen's risk score (0 to 100 and A–F classification) is generated by automated processing based on technical signals collected during scans.

You may request a review of any decision made solely on the basis of automated processing that materially affects your interests.

Upon request, Traqen will provide information about the general criteria and procedures used in scoring, subject to trade secret and proprietary protections.

After account closure, Traqen may retain personal data in the following circumstances:

• Compliance with legal or regulatory obligations.
• Research purposes, with anonymization applied where possible.
• Transfer to a successor entity, subject to applicable data protection requirements.
• Internal use in anonymized form, where no third-party access is permitted.

Data may also be retained for the exercise of legal rights in judicial, administrative, or arbitration proceedings, within the limits of applicable law.

Depending on your jurisdiction, you may have the following data rights:

1. Confirmation of processing

You may request confirmation of whether Traqen processes your personal data.

2. Data access

You may request access to the personal data held about you.

3. Data correction

You may request correction of incomplete, inaccurate, or outdated data.

4. Anonymization, blocking, or deletion

You may request anonymization, blocking, or deletion of unnecessary data or data processed without proper basis.

5. Data portability

You may request transfer of your data to another service provider.

6. Deletion of consent-based data

You may request deletion of data processed on the basis of your consent.

7. Information about sharing

You may request information about entities with whom your data has been shared.

8. Information about consent

You may request information about the option to withhold consent and its consequences.

9. Withdrawal of consent

You may withdraw your consent at any time, through a simple and free request.

To exercise any of the rights above, contact our Data Protection Officer:

• Email: [DPO_EMAIL]
• Suggested subject: "Data Request"

When contacting us, please provide:

• Your full name and the email registered on the Platform.
• The right you wish to exercise.
• Any additional details that may help identify your request.

No charge: exercising your data rights is free of charge.

Response timeline: up to 15 business days.

If you believe your request has not been adequately addressed, we recommend the following steps:

1. Contact Traqen's DPO at [DPO_EMAIL], providing details of your request and the response received.
2. Allow up to 15 business days for a conclusive response.
3. If still unresolved, you may file a complaint with the relevant data protection authority in your jurisdiction.

When filing a complaint, gather your identification documents, case reference number, and copies of prior communications.

Traqen's Data Protection Officer (DPO) is responsible for:

• Receiving and addressing data requests from users.
• Receiving communications from data protection authorities.
• Advising team members on data protection practices.

DPO Contact: [DPO_EMAIL]

Address: [ENDERECO]