Governance, compliance and integrity guidelines
Grupo Flipper Policies establish governance guidelines that direct conduct, decisions, and controls to ensure legal compliance, integrity, operational continuity, and excellence in service delivery. They apply to all employees, directors, interns, third parties, partners, and suppliers when acting on behalf of Grupo Flipper, on company premises or in its digital environments.
These Policies are complementary to the Business Principles – Code of Ethics, Conduct and Relationship with Third Parties, and are broken down into Standards (NOR), Procedures (PRO), Work Instructions (INS), Flows (FLU) and Documents/Templates (DOC). Any exception must be formally justified, recorded and approved by the responsible Directorate, with the knowledge of the Compliance Cell.
Governance Architecture (QSMS-RS+): Quality, Safety, Environment, Health and Social Responsibility, plus Ethics and Conduct, Anti-Corruption, Compliance and Information Security, aligned with the Group's governance model and best market practices (including applicable certification requirements and the AEO Program).
Review and continuous improvement: Policies should be reviewed at least annually or whenever there is a relevant regulatory change, material incident, process/system change, recurring non-compliance, or emerging risk.
Guideline: Develop innovative, creative, and customer-focused logistics and customs solutions, emphasizing predictability, traceability, agility, and continuous improvement. Evidence: GF Learning Program / Major's Library (training and learning culture) and GF Quality Program (document regularity, indicators, internal audits, and process/technology improvements).
Guideline: Ensure a safe environment for employees, visitors, customers, suppliers, and partners through occupational risk management and physical and operational controls commensurate with the criticality of the business. Evidence: GF Safe & Secure Program (PGR, LTCAT, CIPA, and other prevention actions), operational controls associated with the AEO (Authorized Economic Operator) program and insurance requirements, and enhanced information security for communications and sensitive data.
Guideline: Advocate the conscious use of natural resources, encourage environmental preservation and sustainability, and conduct operations with clients and partners in a way that promotes practices that avoid harm to the environment. Evidence: GF Sustainability Program (awareness, reduction of printing and waste, digitization of processes, recycling, rational use of water, and other internal initiatives).
Guideline: Ensure a healthy, safe, and productive environment through occupational health programs and wellness initiatives, encompassing physical, mental, and emotional health. Evidence: GF Health Program (PCMSO, legal and corporate benefits, and structured actions to promote health and well-being).
Guideline: To promote sustainable development, respect for diversity, and reduction of inequalities through non-discriminatory actions, informed consent, training, volunteering, and monitored donations. Evidence: GF People Program and GF Sustainability Fund (fundraising and monitored donations), in addition to social projects supported by the Grupo Flipper.
Guideline: To guide and ensure ethical, compliant, and integrity practices in internal relationships and with third parties, preventing, detecting, and correcting deviations, with records and traceability. Evidence: Business Principles, training, periodic communications, and supporting documentation for routines (standards, procedures, and records).
Guideline: Maintain zero tolerance for bribery, corruption, and any undue advantage, in the public or private sphere, nationally or internationally, including offering, soliciting, promising, authorizing, or receiving. Evidence: Anti-corruption clauses in contracts, commitment agreements with third parties, training, and internal investigations when applicable, with proportionate disciplinary measures.
Guideline: Maintain clear rules for access and circulation within company premises for employees and third parties, prioritizing security, asset integrity, and information protection. Evidence: biometric/password access control by area, reception with assisted service, and continuous CCTV (Closed Circuit Television) monitoring with image retention for the period defined in internal regulations.
Guideline: Ensure that access to data and systems is granted according to the principle of least privilege, in accordance with Prerequisite Sheets (PRS), job functions, and business needs. Minimum controls: segmentation of access by department and subdirectory; provisioning and revocation of access as part of the hiring and termination processes; logs and traceability in systems; rules for the use of corporate email; and compliance with the LGPD (Brazilian General Data Protection Law) and with the Security, Ethics, Compliance, and Anti-Corruption commitments.
Guideline: Identify, assess, treat, and monitor risks (strategic, operational, financial, compliance, security, and IT) with defined risk tolerance, segregation of duties, key controls, and periodic reporting to the Board of Directors. Evidence: AEO/Risk Management Committee, risk map, critical indicators (KRIs/KPIs), internal audits, and action plan with responsible parties and deadlines.
Guideline: Ensure customer service resilience and preservation of critical operations in the face of incidents (system failures, facility unavailability, weather events, cyber incidents, reputational crises). Evidence: Business Continuity Plan and Disaster Recovery Plan with defined RTO/RPO (Recovery Time Objective and Recovery Point Objective), periodic testing, a communication chain, and a crisis roadmap with spokespeople and approvals.
Guideline: Define classification, retention periods, confidentiality, secure disposal, and traceability of physical and digital documents, including operational records and compliance evidence. Evidence: Retention matrix, naming convention, audit trail, and access controls, aligned with legal requirements and client/regulatory body requirements when applicable.
Guideline: Protect the confidentiality, integrity, and availability of information belonging to Grupo Flipper and its clients/third parties, preventing leaks, unavailability, and misuse. Minimum scope: Identity and Access Management (IAM), passwords and MFA (Multi-Factor Authentication), information classification, devices and media, backups, logs and incident response, in addition to privacy guidelines (LGPD).
Guideline: Standardize the creation, modification, periodic review, and revocation of access; adopt least privilege; segregate critical profiles; and ensure immediate logical disconnection upon offboarding. Evidence: Quarterly/semi-annual access reviews, manager approval, and audit trail maintained by the IT Cell.
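The offboarding and periodic access-review controls above can be checked mechanically by reconciling the HR roster against the accounts each system reports. The script below is an added example, not Grupo Flipper's own tooling: the Employee and Account record shapes, the role-to-permission table standing in for a Prerequisite Sheet (PRS), the 90-day quarterly window, and the sample records are all constructed assumptions for illustration.

```python
"""Access review reconciliation: HR roster vs. system accounts.

Added illustration, not Grupo Flipper tooling. Record formats, the
role-to-permission table (stand-in for a PRS), the 90-day window and
the sample data below are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical PRS: the permissions each job role is entitled to.
ROLE_PERMISSIONS = {
    "customs_analyst": {"customs_sys", "email"},
    "finance": {"erp", "email"},
    "it_admin": {"erp", "customs_sys", "email", "ad_admin"},
}

REVIEW_INTERVAL_DAYS = 90  # quarterly review cycle (assumed)


@dataclass
class Employee:
    user_id: str
    role: str
    status: str  # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass
class Account:
    user_id: str
    enabled: bool
    permissions: set
    last_reviewed: date
    approved_by: Optional[str] = None  # manager who approved the access


def review_access(roster, accounts, today):
    """Return (user_id, finding) tuples for every control deviation found.

    Checks, in order of severity: orphan accounts with no HR record,
    terminated employees still enabled (must be revoked immediately),
    permissions beyond what the role's PRS allows (least privilege),
    missing manager approval, and overdue periodic reviews.
    """
    findings = []
    by_id = {e.user_id: e for e in roster}
    for acct in accounts:
        emp = by_id.get(acct.user_id)
        if emp is None:
            findings.append((acct.user_id, "orphan account: no HR record"))
            continue
        if emp.status == "terminated" and acct.enabled:
            findings.append((acct.user_id,
                             "terminated employee still enabled; revoke immediately"))
            continue
        if not acct.enabled:
            continue  # disabled accounts carry no live risk for these checks
        excess = acct.permissions - ROLE_PERMISSIONS.get(emp.role, set())
        if excess:
            findings.append((acct.user_id,
                             f"excess permissions beyond PRS: {sorted(excess)}"))
        if acct.approved_by is None:
            findings.append((acct.user_id, "no manager approval on record"))
        if (today - acct.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append((acct.user_id, "access review overdue"))
    return findings


# Constructed sample data (not real personnel or systems).
ROSTER = [
    Employee("ana", "customs_analyst", "active"),
    Employee("bruno", "finance", "terminated", date(2024, 5, 10)),
    Employee("carla", "finance", "active"),
]
ACCOUNTS = [
    Account("ana", True, {"customs_sys", "email"}, date(2024, 4, 1), "mgr1"),
    Account("bruno", True, {"erp", "email"}, date(2024, 1, 15), "mgr2"),
    Account("carla", True, {"erp", "email", "ad_admin"}, date(2024, 1, 15)),
    Account("dario", True, {"email"}, date(2024, 5, 1), "mgr1"),
]
TODAY = date(2024, 6, 1)


if __name__ == "__main__":
    for user, finding in review_access(ROSTER, ACCOUNTS, TODAY):
        print(f"{user}: {finding}")
```

Run against the sample data, the reconciliation flags bruno (terminated but still enabled), carla (ad_admin beyond the finance PRS, no approval, review older than 90 days) and dario (no HR record), while ana passes. In practice the roster and account lists would come from the HR system and each application's IAM export, and the findings list is the audit trail the IT Cell keeps for the review.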
Guideline: Establish objective rules for passwords and strong authentication (MFA) in systems, email, and remote access; prohibit the sharing of credentials; and enforce account lockout after a limited number of failed login attempts. Evidence: technical standard defined by IT, awareness campaigns, and compliance audit.
Guideline: Classify information (Public, Internal, Confidential, Restricted); define handling and sharing rules and acceptable use of email, internet, messaging, and devices (including BYOD – Bring Your Own Device – when and if authorized). Evidence: terms of responsibility, periodic training, and review of access and sharing.
Guideline: Define the frequency and scope of backups, log retention, monitoring, vulnerability handling, and incident response (containment, eradication, recovery, lessons learned). Evidence: restore tests, incident and post-incident reports, and internal service level agreements (SLAs).
Guideline: Contract and maintain suppliers/partners using objective criteria for quality, sustainability, safety, compliance, and continuity; prioritize Authorized Economic Operator (AEO) partners when applicable; and document approval and reassessments. Evidence: third-party approval and qualification matrix, contractual clauses (LGPD, anti-corruption, security), and periodic performance evaluations/SLAs.
Guideline: Standardize the creation, review, approval, storage, and management of contracts; define SLAs (Service Level Agreements) and responsibilities; and handle non-conformities and penalties with traceability. Evidence: Controlled contract repository, approval workflow, and registration of addenda and renewals.
Guideline: Ensure a dignified, safe, inclusive, and high-performance work environment with zero tolerance for harassment, discrimination, and retaliation; and guarantee training for critical roles (including Authorized Economic Operator, information security, and compliance). Evidence: Internal codes and standards, reporting channels, investigation processes, and mandatory training pathways with documentation.