|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 16K. CYBERSECURITY
Cybersecurity Risk Management
(i) General description of risk management process
VTEX’s global cybersecurity risk management strategy is integrated into a complete security framework, which takes into account not only technological, but also commercial and reputational impacts. Our specialized Information Security team forms the front line of defense against digital threats, ensuring that we can thrive in a challenging digital environment.
The Information Security Team
The Information Security team is a strategically organized team aimed at protecting the integrity, confidentiality, and availability of information. This team is made up of specialists divided into four distinct areas, each focused on managing specific types of risk:
The Blue Team is responsible for strengthening our defenses against cyberattacks focusing on prevention, detection, and response to threats.
The Red Team adopts a unique approach, simulating the mindset of a real adversary, who aims to materialize a risk to VTEX. By carrying out ethical intrusion tests, they are responsible for identifying and assessing gaps and vulnerabilities, providing valuable insights to further strengthen our cyber defenses.
The SecOps Team is responsible for establishing policies, standards, and procedures to ensure information security through a risk-oriented approach. This includes the Incident Response Plan, the Vulnerability Management Policy, and the Information Security Policy, among other essential guidelines. We believe these frameworks ensure a comprehensive and effective approach to security risk management. When conducting the risk assessment, the SecOps team identifies and analyzes possible security threats, assessing the potential impact on data integrity, confidentiality, and availability. Based on this assessment, the team creates security controls and develops strategies and policies aimed at mitigating the identified risks.
The Awareness Team, which operates within the SecOps Team structure, plays a vital role in employee awareness and training. Recognizing that security is a shared responsibility, this team educates VTEX about safe practices, strengthening the first line of defense against threats.
When a material risk is identified, with a potential impact on the Company or its customers, the Information Security Team takes immediate actions. The first step is to register the incident, calling in specialists to carry out an in-depth analysis of the scenario. Based on this assessment, actions are taken to contain the incident to limit the impact, identify the root cause, and adopt corrective measures to prevent future similar occurrences. The escalation process takes place simultaneously with the incident containment actions carried out by the Incident Response Team.
Escalation
We believe that the involvement of leadership is essential in our cybersecurity strategy, as it acts as an advocate for information security, ensuring the proper allocation of human and financial resources and strategic alignment with the organization’s objectives.
Depending on the severity of the incident, senior management can be involved in the incident management process. This ensures that our leadership is fully aware of the situation, enabling strategic decision-making in line with organizational objectives. This proactive and structured approach, backed up by the guidelines set out in an Information Security Incident Response Plan, ensures a quick and efficient response to events that could compromise information security, guaranteeing the continued protection of VTEX’s interests and those of its customers.
In situations where there is a real likelihood of a risk materializing, the Privacy & Security Committee is activated to conduct critical discussions. As further described below, this committee plays a crucial role in assessing the materiality of the incident in question. Once materiality has been determined, our Privacy and Security Committee communicates and involves the Audit Committee in the management of the incident and risk.
The Audit Committee is responsible for informing our Board of Directors directly and keeping it updated on the situation. This chain of responsibility ensures that, in cases of extreme relevance, senior management is immediately informed, allowing for agile decision-making in line with the company’s strategic interests.
This staggered approach, involving committees specialized in privacy, security, and auditing, guarantees a careful assessment of the materiality of critical incidents, providing effective management in situations with a high impact on the organization. For more details on the governance involved, see item “—Cybersecurity Governance” below.
Insurance
We currently maintain cybersecurity insurance for limited customers in the US and for the EU subsidiaries, and cybersecurity insurance coverage in Brazil, designed to indemnify payments made to third parties as a result of a claim, subject to the terms and conditions of the policy. This is not global coverage, and if we were to seek wider insurance coverage, it may not be available on acceptable terms or in sufficient amounts to cover one or more large claims in connection with cybersecurity liabilities. Insurers could also deny coverage as to any future claim. The successful assertion of one or more large claims against us, or changes in any insurance policies we may enter into, including premium increases or the imposition of large deductible or coinsurance requirements, could have an adverse effect on our business, financial condition and results of operations.
(ii) Certifications
VTEX, as a SaaS (Software as a Service) platform, holds different certifications on its internal control environment, each with a different objective:
Service Organization Control type 1: This certification evaluates the internal control environment with a focus on financial statements;
Service Organization Control type 2: This certification evaluates the internal controls and technology environment, with a focus on verifying how internal controls support the availability, integrity of information processing, reliability, and privacy of stored and processed data;
PCI DSS: A security certification specific to payment methods via credit card. Its purpose is to protect card data against fraud and violations.
For all certifications described above, no exceptions or failures in internal controls were identified for the year ended 12/31/2024.
(iii) Cybersecurity due diligence
Before any supplier is registered in our purchasing systems, they are subject to a cybersecurity due diligence process, which covers aspects of compliance, privacy, and Information Security. Any relevant finding in the supplier’s cybersecurity due diligence process that could increase our exposure or expose us to a relevant risk prevents that supplier from being registered in our systems.
Additionally, we have adopted an automated process that requires that any potential partner in our ecosystem be subject to a due diligence process before any Master Partner Agreement is signed. In this due diligence process, the potential partner is analyzed by the Compliance, Security, and Privacy teams with respect to their technical and organizational measures, governance, controls, and procedures for cybersecurity incidents. The findings of this due diligence process are recorded and communicated to the team in charge of negotiating the contracts.
(iv) Past incidents and further impacts
As of the date of this annual report, we have not identified any incidents or cyberattacks in 2024 that affected our customers or our infrastructure, impacting our operations. See “—Certain Risks Relating to Our Business and Industry—A cyberattack, security breach, or other unauthorized access or interruption to our information technology systems or those of our third-party service providers could delay or interrupt service to our customers and their customers, harm our reputation, or subject us to significant liability.”
Cybersecurity Governance
In addition to our Information Security Team, our global cybersecurity risk management strategy is also implemented by (i) the Privacy & Security Committee; (ii) Audit Committee; and (iii) Board of Directors.
Privacy & Security Committee. The Privacy & Security Committee assesses the materiality of privacy and/or information security incidents flagged by the Information Security Team to determine whether they should be escalated, executes contingency plans in the event of security incidents, and periodically reviews privacy and information security policies and manuals, as applicable. When necessary, the Privacy & Security Committee reports relevant risks and vulnerabilities to the Audit Committee and/or any other bodies reporting to the Board of Directors.
The findings and corrective actions about cybersecurity threats are discussed on an ordinary basis at our Privacy and Security Committee’s quarterly meetings. In such meetings, the permanent member of the Compliance team, who reports periodically to senior management and the Audit Committee, becomes aware of any material cybersecurity threats, significant risk exposures, and governance and control issues in the realm of cybersecurity requiring the attention of, or requested by, the Audit Committee.
The Privacy & Security Committee is currently composed of permanent members from the Legal, Compliance, Data Privacy, Security, and Growth teams, including C-Level, and extraordinary members from the Investor Relations, PR, and Financial Reporting areas.
As of the date of this Annual Report, the members of the Privacy & Security Committee were the following:
• André Spolidoro Ferreira Gomes is our Chief Strategy Officer, a position he has held since November 2022. Mr. Spolidoro previously served VTEX as Chief Financial Officer, a position he held from January 2016 to November 2022. Mr. Spolidoro worked from 1998 to 2015 in asset management firms as Equity Portfolio Manager, where he consolidated his solid knowledge in finance, financial markets, equity analysis and business. Mr. Spolidoro holds a B.S. degree in Mechanical Engineering from UFRJ and a graduate degree in finance and capital markets from PUC RJ School of Business.
• Angela Bittencourt da Fonseca currently serves as VTEX Data Protection Officer. Ms. Bittencourt da Fonseca has more than five years of experience as internal and external counsel on privacy programs, incident response, and reporting to Data Protection Authorities around the globe. She holds the first-line certifications CIPP/E, CIPM, and CDPO/BR, which cover the management of cybersecurity risks and vulnerabilities, privacy breaches, and the reporting of incidents to customers and Data Protection Authorities. She has served on the IAPP (International Association of Privacy Professionals) Research Advisory Board. Ms. Fonseca is a dual-qualified attorney in Brazil and New York State. She holds a Master of Laws from Columbia University and a Law degree from the State University of Rio de Janeiro.
• Juliana Lopes is the Head of Legal and Data Privacy at VTEX, a global leader in enterprise digital commerce, a role she has held for the past five years. With extensive experience in corporate law, she previously worked for several years in the maritime industry before transitioning to the technology sector. She holds a law degree from the Federal University of Rio de Janeiro (UFRJ) and an LLM from Fundação Getulio Vargas (FGV). Additionally, she has completed executive programs at Boston University and Harvard University, focusing on corporate matters.
• Joice Silva Mendes is currently the Security Manager at VTEX. Ms. Silva has more than 13 years of experience in the Technology area, almost 10 of which are dedicated to Information Security. She holds a bachelor’s degree in Information Technology and Networks from Universidade Federal de São Caetano do Sul and has several specializations in Security.
• Thiago Athayde currently serves as VTEX’s Head of Audit and Compliance. He has more than 17 years of experience in external and internal governance positions, such as risk management, compliance, internal controls, and internal and external audit, at large corporations including PwC, Praxair (Linde Group), and the Naspers group. In these roles, he had the opportunity to help several administrations in the implementation of corporate cybersecurity risk management and the evaluation of technology and cyber controls, in addition to supporting evaluations in the audit committees of publicly traded companies. Mr. Athayde holds a Master of Business Administration and a B.A. in Business from the Federal University of Rio de Janeiro – Coppead, and he is affiliated with RIMS, SCCE, and IIA.
• Eliane Lima Rodrigues currently serves as VTEX's Head of Cybersecurity. Ms. Rodrigues has more than 25 years of experience in technology, almost 15 of which are dedicated to information security. She holds a master's degree in administration, a specialization in project management, and a bachelor's degree in Computer Science and Networks from Universidade Federal de São Caetano do Sul. She has several specializations in cybersecurity, including DPO and Ethical Hacker.
Audit Committee. Our Audit Committee assists our Board of Directors in overseeing our accounting and financial reporting processes; processes related to cybersecurity; and the audits of our consolidated financial statements and security controls. The Audit Committee reports regularly to the Board of Directors concerning its activities and recommendations about cybersecurity, including any issues that arise regarding compliance with legal or regulatory requirements. The report to the Board of Directors may take the form of an oral report by the chairperson or any other member of the Committee designated by the Committee to make such report.
For more information on our Audit Committee, see “Item 6. Directors, Senior Management and Employees—C. Board Practices—Board Committees—Audit Committee.”
Board of Directors. Our Board of Directors ultimately oversees risk management within the Company. Recognizing the significance of cybersecurity threats to our operational integrity and stakeholder confidence, VTEX’s Board of Directors has established robust oversight mechanisms to ensure effective governance in managing the risks associated with these threats.
For more information on our Board of Directors, see “Item 6. Directors, Senior Management and Employees—A. Directors and Senior Management—Board of Directors.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|VTEX’s global cybersecurity risk management strategy is integrated into a complete security framework, which takes into account not only technological, but also commercial and reputational impacts.
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
See “—Cybersecurity Governance” above.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
See “Privacy & Security Committee” and “Audit Committee” under “—Cybersecurity Governance” above.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The findings and corrective actions about cybersecurity threats are discussed on an ordinary basis at our Privacy and Security Committee’s quarterly meetings. In such meetings, the permanent member of the Compliance team, who reports periodically to senior management and the Audit Committee, becomes aware of any material cybersecurity threats, significant risk exposures, and governance and control issues in the realm of cybersecurity requiring the attention of, or requested by, the Audit Committee. The Audit Committee reports regularly to the Board of Directors concerning its activities and recommendations about cybersecurity, including any issues that arise regarding compliance with legal or regulatory requirements.
|Cybersecurity Risk Role of Management [Text Block]
|
(i) General description of risk management process
VTEX’s global cybersecurity risk management strategy is integrated into a complete security framework, which takes into account not only technological, but also commercial and reputational impacts. Our specialized Information Security team form the front line of defense against digital threats, ensuring that we can thrive in a challenging digital environment.
The Information Security Team
The Information Security team is a strategically organized team aimed at protecting the integrity, confidentiality, and availability of information. This team is made up of specialists divided into four distinct areas, each focused on managing specific types of risk:
The Blue Team is responsible for strengthening our defenses against cyberattacks focusing on prevention, detection, and response to threats.
The Red Team adopts a unique approach, simulating the mindset of a real adversary, who aims to materialize a risk to VTEX. By carrying out ethical intrusion tests, they are responsible for identifying and assessing gaps and vulnerabilities, providing valuable insights to further strengthen our cyber defenses.
The SecOps Team is responsible for establishing policies, standards, and procedures to ensure information security through a risk-oriented approach. This includes the Incident Response Plan, the Vulnerability Management Policy, and the Information Security Policy, among other essential guidelines. We believe the these frameworks ensure a comprehensive and effective approach to security risk management. When conducting the risk assessment, the SecOps team identifies and analyzes possible security threats, assessing the potential impact on data integrity, confidentiality, and availability. Based on this assessment, the team creates security controls and develops strategies and policies aimed at mitigating identified risks.
The Awareness Team, which operates within the SecOps Team structure, plays a vital role in employee awareness and training. Recognizing that security is a shared responsibility, this team educates VTEX about safe practices, strengthening the first line of defense against threats.
When a material risk is identified, with a potential impact on the Company or its customers, the Information Security Team takes immediate actions. The first step is to register the incident, calling in specialists to carry out an in-depth analysis of the scenario. Based on this assessment, actions are taken to contain the incident to limit the impact, identify the root cause, and adopt corrective measures to prevent future similar occurrences. The escalation process takes place simultaneously with the incident containment actions carried out by the Incident Response Team.
Escalation
We believe that the involvement of leadership is essential in our cybersecurity strategy, as it acts as an advocate for information security, ensuring the proper allocation of human and financial resources and strategic alignment with the organization’s objectives.
Depending on the severity of the incident, senior management can be involved in the incident management process. This ensures that our leadership is fully aware of the situation, enabling strategic decision-making in line with organizational objectives. This proactive and structured approach, backed up by the guidelines set out in an Information Security Incident Response Plan, ensures a quick and efficient response to events that could compromise information security, guaranteeing the continued protection of VTEX’s interests and those of its customers.
In situations where there is a real likelihood of a risk materializing, the Privacy & Security Committee is activated to conduct critical discussions. As further described below, this committee plays a crucial role in assessing the materiality of the incident in question. Once materiality has been determined, our Privacy and Security Committee communicates and involves the Audit Committee in the management of the incident and risk.
The Audit Committee is responsible for informing our Board of Directors directly and keeping it updated on the situation. This chain of responsibility ensures that, in cases of extreme relevance, senior management is immediately informed, allowing for agile decision-making in line with the company’s strategic interests.
This staggered approach, involving committees specialized in privacy, security, and auditing, guarantees a careful assessment of the materiality of critical incidents, providing effective management in situations with a high impact on the organization. For more details on the governance involved, see item “—Cybersecurity Governance” below.
Insurance
We currently maintain cybersecurity insurance for limited customers in the US and for the EU subsidiaries, as well as cybersecurity insurance coverage in Brazil, designed to indemnify payments made to third parties as a result of a claim, subject to the terms and conditions of the policy. This is not global coverage, and in the event we were to seek to obtain such wider insurance coverage, it may not be available on acceptable terms or may not be available in sufficient amounts to cover one or more large claims in connection with cybersecurity liabilities. Insurers could also deny coverage as to any future claim. The successful assertion of one or more large claims against us, or changes in any insurance policies we may enter into, including premium increases or the imposition of large deductible or coinsurance requirements, could have an adverse effect on our business, financial condition and results of operations.
(ii) Certifications
VTEX, as a SaaS (Software as a Service) platform, holds different certifications of its internal control environment for different objectives:
Service Organization Control type 1: This certification is focused on evaluating the internal control environment with a focus on financial statements;
Service Organization Control type 2: Certification focused on evaluating the internal controls and technology environment with a focus on verifying how internal controls support the availability, integrity of information processing, reliability, and privacy of stored and processed data;
PCI DSS: Specific security certification for payment methods via credit card. Its purpose is to protect card data against fraud and violations.
For all certifications described above from the perspective of the year ended 12/31/2024, no exceptions or failures in internal controls were identified.
(iii) Cybersecurity due diligence
Before any supplier is registered in our purchasing systems, they are subject to a cybersecurity due diligence process, which covers aspects of compliance, privacy, and Information Security. Any relevant finding in the supplier’s cybersecurity due diligence process that could increase our exposure or expose us to a relevant risk prevents that supplier from being registered in our systems.
Additionally, we have adopted an automated process that requires that any potential partner in our ecosystem be subject to a due diligence process before any Master Partner Agreement is signed. In this due diligence process, the potential partner is analyzed by the Compliance, Security, and Privacy teams with respect to their technical and organizational measures, governance, controls, and procedures concerning cybersecurity incidents. The findings of this due diligence process are recorded and communicated to the team in charge of negotiating the contracts.
(iv) Past incidents and further impacts
As of the date of this annual report, we have not identified any incidents or cyberattacks in 2024 that affected our customers or our infrastructure, impacting our operations. See “—Certain Risks Relating to Our Business and Industry—A cyberattack, security breach, or other unauthorized access or interruption to our information technology systems or those of our third-party service providers could delay or interrupt service to our customers and their customers, harm our reputation, or subject us to significant liability.”
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
The Privacy & Security Committee is currently composed of permanent members from the Legal, Compliance, Data Privacy, Security, and Growth teams, including C-Level; and extraordinary members from investor relations, PR, and Financial Reporting areas.
As of the date of this Annual Report, the members of the Privacy & Security Committee were the following:
• André Spolidoro Ferreira Gomes is our Chief Strategy Officer, a position he has held since November 2022. Mr. Spolidoro previously served VTEX as Chief Financial Officer, a position he held from January 2016 to November 2022. Mr. Spolidoro worked from 1998 to 2015 in asset management firms as Equity Portfolio Manager, where he consolidated his solid knowledge of finance, financial markets, equity analysis and business. Mr. Spolidoro holds a B.S. degree in Mechanical Engineering from UFRJ and a graduate degree in finance and capital markets from PUC RJ School of Business.
• Angela Bittencourt da Fonseca currently serves as VTEX Data Protection Officer. Ms. Bittencourt da Fonseca has more than five years of experience as internal and external counsel on privacy programs, incident response, and reporting to Data Protection Authorities around the globe. She holds first-line certifications CIPP/E, CIPM, and CDPO/BR, which cover the management of cybersecurity risks and vulnerabilities, privacy breaches, and reporting incidents to customers and Data Protection Authorities. She has served on the IAPP (International Association of Privacy Professionals) Research Advisory Board. Ms. Fonseca is a dual-qualified attorney in Brazil and New York State. She holds a Master of Laws from Columbia University and a Law degree from the State University of Rio de Janeiro.
• Juliana Lopes is the Head of Legal and Data Privacy at VTEX, a global leader in enterprise digital commerce, a role she has held for the past five years. With extensive experience in corporate law, she previously worked for several years in the maritime industry before transitioning to the technology sector. She holds a law degree from the Federal University of Rio de Janeiro (UFRJ) and an LLM from Fundação Getulio Vargas (FGV). Additionally, she has completed executive programs at Boston University and Harvard University, focusing on corporate matters.
• Joice Silva Mendes is currently the Security Manager at VTEX. Ms. Silva has more than 13 years of experience in the Technology area, almost 10 of which are dedicated to Information Security. She holds a bachelor’s degree in Information Technology and Networks from Universidade Federal de São Caetano do Sul and has several specializations in Security.
• Thiago Athayde currently serves as VTEX’s head of Audit and Compliance. He has more than 17 years in external and internal positions in governance areas, such as risk management, compliance, internal controls, and internal and external audit at large corporations, including PwC, Praxair (Linde Group), and Naspers group. In these roles, he had the opportunity to help several administrations with the implementation of corporate cybersecurity risk management and the evaluation of technology and cyber controls, in addition to supporting evaluations in audit committees of publicly traded companies. Mr. Athayde holds a Master of Business Administration and a B.A. in Business from the Federal University of Rio de Janeiro – Coppead and he is affiliated with RIMS, SCCE, and IIA.
• Eliane Lima Rodrigues currently serves as VTEX's Head of Cybersecurity. Ms. Rodrigues has more than 25 years of experience in technology, almost 15 of which are dedicated to information security. She holds a master's degree in administration, a specialization in project management, and a bachelor's degree in Computer Science and Networks from Universidade Federal de São Caetano do Sul. She has several specializations in cybersecurity, including DPO and Ethical Hacker.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true