3 months ago
Dear Support Team,
We are currently conducting a security and compliance verification process regarding the cloud infrastructure used to host our applications. In order to meet contractual and regulatory requirements, we kindly request confirmation and documentation related to the following security controls and compliance standards.
1. Security Certifications
Please confirm whether your cloud infrastructure complies with or holds certification for the following standards:
- ISO/IEC 27017 – Code of practice for information security controls based on ISO/IEC 27002 for cloud services.
- ISO/IEC 27018 – Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors.
If applicable, please provide:
- Certification documents, or
- Official links to compliance reports or certification records.
2. Security Services Implemented in the Cloud Environment
Please confirm whether the following security services are available or implemented within your cloud infrastructure:
- Antivirus protection for cloud information assets.
- Intrusion Prevention System (IPS) to detect and prevent malicious network activity.
- Web Application Firewall (WAF) aligned with OWASP Top 10 protections (versions 1, 2 and 3 or equivalent) for web application security.
- Distributed Denial of Service (DDoS) protection mechanisms.
3. Security Monitoring and Reporting
Please confirm whether the provider offers periodic security and operational reports, including but not limited to:
- Monthly reports on blocked attacks.
- Service availability and uptime metrics.
- Security incidents and mitigation actions.
- Other relevant operational or security information related to the hosted environment.
4. Data Location and Data Protection Policies
Please confirm the following:
- Data hosted in your cloud environment is not stored in countries where government authorities may access data without judicial authorization or data owner consent.
- The service agreement does not assign ownership of hosted data to the cloud provider.
- The service contract allows legal disputes to be resolved under Brazilian jurisdiction (Brazilian forum).
5. Datacenter Physical Security and Infrastructure Standards
Please confirm whether the datacenter infrastructure meets recognized industry standards regarding:
- Environmental control and climate control systems.
- Physical access control mechanisms.
- Gas-based fire suppression systems (e.g., FM-200 or equivalent).
- Structured cabling infrastructure.
- Adequate electrical protection systems and redundancy.
- Other recognized best practices for datacenter physical security and reliability.
If available, please provide documentation or certifications supporting these controls.
These details are required for internal compliance verification and contractual security requirements.
We appreciate your assistance and look forward to your response.