Procurement Policy


Review History

| Version | Date of Review | History |
|---|---|---|
| 1 | 06/03/2013 | Document creation |
| 2 | 06/26/2015 | Including the Items Scope (II), Additional Documents (III), Concepts and Acronyms (IV), Responsibilities (V), Management of Consequences (VII) and General Provisions (VIII). Adjusting the Purpose (I) regarding the concept of sustainability. Including the quote from the Policy PLT_001 Anti-Corruption in Items 5 and 8. Including the provisions on the Supplier’s Code of Ethical Conduct in Item 8. Updating Items 2, 7, 9, 10, 11 and 12. |
| 3 | 08/01/2017 | Including Sub-item 8.15 of VI. Guidelines; Updating Items II. Scope and Subitems 2, 8, 8.1, 8.5, 8.6, 8.11, 8.12, 8.13, 9 and 11 of VI. Guidelines. |
| 4 | 10/29/2019 | Updating Items II. Scope, III. Guidelines, Sub-items 2 and 8.15, V. Responsibilities, VI. Additional Documents, VII. Concepts and Acronyms and VIII. General Provisions. Including Item III. Guidelines Subitem 13. |
| 5 | 11/25/2021 | Changes to items: II. Scope, IV. Approval Authority, V. Consequence Management, VI. Responsibilities, VII. Supplementary Documentation and update of sub-items 1, 5, 8, 11 and 13 of III. Guidelines. |
| 6 | 10/25/2023 | Update of items: II. Scope, III. Guideline sub-items: 1, 3, 5, 6, 7, 8, 8.1 to 8.10, 11, 12, 12.1, 13, 13.1, V. Consequence Management, VI. Responsibilities, VII. Supplementary Documentation, VIII. Concepts and Acronyms and IX. General Provisions. |

I. Purpose

Ensure that during the process of purchasing goods and services and managing the supply chain, an ethical and transparent relationship is built, seeking competitiveness, quality, speed and sustainability. This relationship must ensure the perpetuity and legality of the operations, in addition to stimulating social and environmental responsibility and innovation in a continuous and evolving manner.

II. Scope

All members of the Board of Directors and the Executive Board (“Directors”), members of the Advisory Committees and the Fiscal Council and Employees, including outsourced workers, interns and young apprentices (“Employees”) of the companies Cielo S.A. – Instituição de Pagamento (“Cielo”), Servinet Serviços Ltda. (“Servinet”), Stelo S.A. (“Stelo”) and Aliança Pagamentos e Participações Ltda. (“Aliança”), hereinafter jointly referred to as the “Company”.

All of Cielo’s Subsidiaries must define their directions based on the guidelines set forth in this Policy, considering the specific needs and the legal and regulatory aspects to which they are subject.

With respect to the Affiliated Companies, the Company’s representatives who act in managing them must make every effort to ensure that their directions are defined based on the guidelines set forth in this Policy, considering the specific needs and the legal and regulatory aspects to which they are subject.

III. Guidelines

  1. Purchases and contracts involving amounts of more than five thousand reais (BRL 5,000.00) are carried out centrally by the Efficiency and Purchasing Superintendency, in order to ensure a consistent relationship between the company and its suppliers.
  2. Potential suppliers must undergo the registration and financial, fiscal/tax, labor, and social and environmental evaluation processes, among others, according to internal procedures, in addition to being technically qualified by means of an evaluation by the areas requesting the acquisition.
  3. The registration of companies in public registers will be taken into account in the Vendor Onboarding process.
  4. The segregation of duties and traceability in the various operational and decision-making steps of the procurement process guarantee its transparency.
  5. The rights and duties of both the company and its suppliers with regard to purchases and contracts are formalized through instruments based on current legislation and guided by the company’s Code of Ethics and Anti-Corruption Policy.
  6. Suppliers selected to bid for the supply of products and services specified and defined by the technical area are submitted to a transparent selection process, in which all participants must have equal conditions.
  7. The Company requires: (a) free and fair competition among its suppliers and (b) the adoption of strictly ethical practices in its business relations with its suppliers.
  8. The precepts established in the Code of Ethics apply to contracts, which must be observed by suppliers or potential suppliers:
    • Comply with and monitor their value chains in order to prevent and combat: forced or compulsory labor, child labor, pedophilia, intimidation or harassment due to gender, gender identity, disability, origin, religion, race, ethnicity, sexual orientation, marital status, age, health or social condition or any other forms of prejudice in economic, political or organizational spheres that contradict the Company’s principles;
    • Have policies or programs for social inclusion, Code of Ethics, corporate responsibility, environmental policy for managing or minimizing environmental impacts related to its business, and actions that promote the appreciation of diversity, equity, and training for the employment of people with disabilities and young apprentices, as well as free association;
    • Have policies or a code of ethics that determine guidelines and procedures to prevent and combat corruption, money laundering, and the financing of terrorism;
    • Comply with all current legislation and regulations and adopt measures to prevent the use of their business in practices related to corruption, money laundering, the financing of terrorism, tax evasion or any other illicit acts, as well as monitor their value chains;
    • Submit documents and information to the Central Bank of Brazil regarding the object of the agreement with the Company, within the agreed deadlines, if requested;
    • Follow the rules described in the Company’s Code of Ethics regarding the acceptance and offer of hospitality, such as freebies, gifts and tickets to events;
    • Manage their supply chain, identify critical suppliers from a sustainability standpoint, and set goals to improve the economic, social, and environmental indicators of this group of suppliers;
    • Manage the economic, social, labor, tax, and environmental risks in their supply chain, aiming at business continuity;
    • Encourage, internally and within their supply chain, the hiring of small and medium local suppliers for economic development;
    • Comply with, and recommend to their suppliers, the punctual and correct payment of their obligations with their Employees, practices that aim to guarantee salaries that meet the minimum standards of the category in the region and are sufficient to meet the basic needs and guarantee health and safety conditions provided by law to their Employees and outsourced workers, as well as the punctual and correct payment of their tax, labor, and social security obligations.
  9. The Company aims to deepen its relationship with current suppliers and create new opportunities by diversifying sources of supply, provided that the competitiveness of the contracted products and services is guaranteed, without restrictions by size or location, and that they comply with the established needs and technical specifications and are suitable for supply from a financial point of view.

10. The supplier’s practices regarding economic, environmental and social aspects will be observed and monitored, as well as issues related to human rights, climate change, diversity and inclusion, and compliance with applicable legislation will be required.

11. The supplier base is monitored from the point of view of compliance with the relevant principles contained in the Code of Ethics, and suppliers classified as Tier 1 have a recurring assessment in the Vendor Performance program. In addition, critical suppliers have specific analysis criteria, dealt with under the Vendor Risk program, in accordance with internal regulations.

12. The Ethics Channel is the channel made available by the Company to its Employees, suppliers, service providers, partners or other interested parties to report or provide information on any deviations practiced by its Employees, Managers and other Stakeholders with regard to the guidelines set out in the Code of Ethics, in the Company’s normative instruments, in the legislation in force, including the Anti-Corruption Law, as well as acts of private corruption.

12.1. When reporting, the person can choose whether or not to identify themselves. The reports made can be followed up on the Ethics Channel website, ensuring visibility to the progress of the entire process.

13. During the process of contracting a demand, if it is identified that the services provided involve the processing and storage of Company data in the supplier’s infrastructure and/or in cloud infrastructure, involve the processing and storage of card data (PCI-DSS scope) and sensitive data, or may affect the continuity of the Company’s operations, the demand will be automatically directed by the Purchasing tool for specific analysis by the following responsible areas: Information Security Department, Business Continuity Management and Crisis Management. Once the scope has been confirmed, the demand becomes relevant to the Company and, as a result, the supplier to be contracted will be a Relevant Supplier, which must follow all the procedures set out in BCB Resolution 85/21.

Regulatory Legal Management will be informed that there is an ongoing demand and that it will need, within the deadlines established by the resolution and after the Agreement or addendum has been signed, to inform the BCB of the existence of a new supplier classified as relevant to the Company. The validity, amendments and/or termination of the contracts of the relevant suppliers will be monitored by the Purchasing area. Any contractual changes to Relevant Suppliers must be informed to the Regulatory Legal Department in a timely manner, which in turn will evaluate the need for communication to the Central Bank of Brazil (“BCB”).

13.1. It is incumbent upon the Legal, Regulatory and Government Relations Superintendency to assess adherence to the rules and requirements of BCB Resolution 85/21. The Efficiency and Purchasing Superintendence and the Legal, Regulatory and Government Relations Superintendence are responsible for ensuring compliance with the governance required by the Company’s rules and by the BCB.

IV. Approval Authority

Purchases and contracting are made in compliance with the provisions of the Bylaws, Internal Regulations of the Board of Directors, Internal Regulations of the Executive Board, Purchasing Standard, and Approval Authority Standard, as applicable.

V. Consequence Management

Employees, suppliers or other Stakeholders who observe any deviations from the guidelines of this Policy may report the fact to the Ethics Channel through the channels below, with the option of anonymity:

Internally, non-compliance with the guidelines of this Policy gives rise to the application of accountability measures to the agents that fail to comply with it, according to the respective severity of the non-compliance and as per internal regulations, and is applicable to all persons described in the item “Scope” of this Policy, including the leadership and members of the Executive Board.

VI. Responsibilities

  • Administrators, Managers and Employees:
    • Observe and ensure compliance with this Policy, as well as with the provisions of the Code of Ethics and, when necessary, contact the Efficiency and Purchasing Superintendence for advice on situations involving conflicts with this Policy or when situations described in it occur.
    • Report to the Ethics Channel any deviations from the guidelines of the Code of Ethics, the Company’s normative instruments, current legislation, including the Anti-Corruption Law, as well as acts of private corruption involving the Company’s Employees or Officers, if they become aware of them.
    • Properly answer questions related to the Company’s Information and Cyber Security Policy and Privacy and Data Protection Policy when opening the request in the purchasing tool.
  • Efficiency and Purchasing Superintendency:
    • Comply with and monitor compliance with the guidelines established in this Policy, review it, keep it up to date in order to ensure that any changes are incorporated into it, and clarify doubts regarding its content and application.
    • Send the prior assessment and registration data of suppliers to the Legal and Government Relations Executive Vice-President in a timely manner, in the event that the Company identifies the contracting of relevant processing, data storage and cloud computing services.
    • Perform the Know Your Supplier process at the time of prospecting, selection, hiring and monitoring with quality and suitability criteria, according to internal standards and procedures.
    • Notify the Executive Vice-Presidency of Risks, Compliance, Prevention and Security of any evidence of corruption by vendors and service providers, when identified.
    • Keep the registration updated, approve the vendors, as established in the internal processes, and request formal acceptance acknowledgement from relevant vendors for the guidelines established in the Code of Ethics, Anti-Corruption Policy and other applicable Normative Instruments.
  • Executive Vice Presidency of Legal and Government Relations:
    • Advise the Company on the applicability, interpretation and updating of laws or regulations related to the topics of this Policy.
    • Draw up agreements with suppliers that include anti-corruption clauses.
    • Once the Efficiency and Purchasing Superintendency has been activated, the Legal, Regulatory and Government Relations Superintendence must notify the BCB of the contracting of relevant processing, data storage and cloud computing services, observing the deadlines and information requested, under the terms of the regulations in force.
  • Information Security Management (Executive Vice-President for Risks, Compliance, Prevention and Security):
    • Evaluate new demands for contracts and potential suppliers from the point of view of information and cyber security, in accordance with good market practices and the Supplier Cyber Risk Assessment standard.
  • Business Continuity and Crisis Management Department (Risk, Compliance, Prevention, and Security Board):
    • Evaluate the new demands for hiring and potential suppliers from the point of view of business continuity, according to good market practices and internal regulations. The Business Continuity area must also draw up and keep up to date the procedure for assessing cyber risks in the Life Cycle of Critical Suppliers, including the criteria for deciding whether to outsource services.

VII. Supplementary Documentation

VIII. Concepts and Acronyms

  • LGPD: The General Personal Data Protection Law, Law No. 13,709/2018, is the Brazilian law that governs personal data processing activities and also amends articles 7 and 16 of the Brazilian Civil Rights Framework for the Internet.
  • PCI-DSS (Payment Card Industry – Data Security Standard): Payment Card Industry Data Security Standard, developed to encourage and enhance card data security and facilitate the widespread adoption of consistent data security measures worldwide.
  • Affiliates: Affiliates are companies in which the investor has significant influence, under the terms of article 243, paragraph 1 of the Corporations Law.
  • Subsidiaries: Companies in which the Company, directly or indirectly, holds partner or shareholder rights that assure it, on a permanent basis, preponderance in the corporate decisions and the power to elect the majority of the managers, under the terms of article 243, paragraph 2 of the Brazilian Corporation Law.
  • Stakeholders: All relevant target audiences with interests pertinent to the Company, as well as individuals or entities that assume some type of direct or indirect risk with respect to the Company. They include, among others: investors, employees, society, customers, suppliers, partners and creditors, governments, regulatory agencies, competitors, press, associations and class entities, users of electronic means of payment, and non-governmental organizations.

IX. General Provisions

Cielo’s Board of Directors is responsible for altering this Policy whenever necessary.

This Policy takes effect on the date of its approval by the Board of Directors and revokes any documents to the contrary.