Compliance & alignment

This page is a summary for client/vendor questions. It points to the underlying policies (“controls”) and describes how we align with common standards. LEF is not certified unless explicitly stated.

Continuity plan

Continuity and recovery expectations are defined in the Business Continuity and Disaster Recovery Plan.

Baseline controls

Information classification

Classification levels and handling rules.

Access control

How access is granted, reviewed, and revoked.

Incident response

How we respond to and learn from security incidents.

Vulnerability management

How we track, prioritize, and remediate vulnerabilities.

Backup and recovery

Backup strategy and recovery responsibilities.

Data retention and deletion

Retention rules and secure deletion expectations.

NDA defaults

Default NDA positions and negotiation guardrails.

Compliance and alignment overview

LEF follows a practical, risk-based approach to compliance. For each project, applicable standards are considered and safeguards are applied according to client requirements and legal obligations.

For internal planning (gap tracking, evidence, and documentation structure), see ISO/IEC 27001 readiness.

LGPD

Lei Geral de Proteção de Dados — Brazil

LEF aligns with LGPD through baseline practices such as:

• Processing personal data only when necessary for the project scope.
• Restricting access based on role and project assignment.
• Using encrypted transport (TLS/HTTPS) and access-controlled storage (e.g., Microsoft 365 and private cloud).
• Following incident response and retention/deletion procedures when required.

GDPR

General Data Protection Regulation — EU

When GDPR requirements apply (client requirement or applicable law), we can apply GDPR-aligned controls such as:

• Data minimization and access limitation.
• Controlled access (VPN + MFA where applicable).
• Retention/deletion expectations agreed per project.
• Ability to support data access/rectification/deletion requests when required by contract/process.

HIPAA

Health Insurance Portability and Accountability Act — US

LEF does not currently process health data or act as a provider of healthcare services.

PCI DSS

Payment Card Industry Data Security Standard

LEF does not process, store, or transmit credit card data in current projects.

ISO/IEC 27001

Information Security Management System

LEF is not certified, but follows key ISO 27001-aligned principles such as:

• Role-based access and least privilege
• Secure remote access via VPN + MFA
• Incident response and vulnerability management procedures
• Business continuity planning and regular backups
• Project-specific security controls

For a documentation-oriented readiness checklist (not a certification claim), see ISO/IEC 27001 readiness.

CMN nº 4.893

CMN Resolution nº 4.893/2021 (Brazil — Central Bank)

LEF is not currently involved in regulated financial institution projects and is therefore not subject to CMN nº 4.893.