The educational phase of data-protection law is over. Does your compliance know it?
Kavuka LGPD turns privacy into an operable program: a living ROPA, data subjects served on time with verified identity, a rehearsed incident plan and monitored processors — the evidence Brazil’s data authority, now a regulator with active enforcement, has come to require.
- Living ROPA: continuously updated
- On time: data subjects served with verified identity
- Rehearsed: incident response plan
- Monitored: processors handling your data
A privacy program built by people who operate data at scale every day: Kavuka is both a data processor and a verification provider, with the governance that role demands and a full evidence trail for the regulator.
Your company complied with data-protection law. In what year? And what has changed since — in your operation and at the regulator?
The incident with no plan, and the clock ticking
The data authority became a regulator with active incident enforcement. With no rehearsed response plan, notification is late, evidence is missing and the company becomes a headline.
The ROPA that aged out
The processing inventory goes stale the month after the project; data-subject requests arrive through every channel — even Instagram — with no flow, deadline or verified identity.
The 2% fine — and the R$ 7 million average cost
A fine of up to 2% of revenue (capped at R$ 50 million per violation) plus daily fines, and the enterprise client’s privacy questionnaire stalling the B2B contract.
Cost
Beyond the sanction ceiling (2% of revenue, up to R$ 50 million per violation, plus daily fines), the average cost of a data breach in Brazil reached R$ 7.19 million, rising to R$ 11.43 million in healthcare and R$ 8.92 million in finance. The absence of a DPO has already been treated as a standalone violation, and the high court has established presumed moral damages for improper sharing, with strict liability for the database controller.
From the compliance project to a living program, in one pipeline.
- 01 Map: a living ROPA, the inventory of processing operations with data, purposes, documented legal bases, sharing and retention, continuously updated rather than a PDF that ages out.
- 02 Respond: data-subject rights in a single channel, covering access, correction, deletion and portability with deadlines, identity verified by Kavuka’s engines and a full trail of every request.
- 03 React: a rehearsed incident response plan, covering detection, assessment of the risk to the data subject, notification to the authority within the regulatory deadline and evidence ready to go.
- 04 Govern: processors assessed and monitored through the KYS pipeline, data processing agreements (DPAs), policies, training, a DPIA for high-risk processing and the trail that proves the program to the regulator.
The program that proves your compliance
Each front of data-protection law becomes an operable module, wired to the in-house verification engines and the third-party pipeline — with evidence recorded at every step.
- Mapping (ROPA): a living processing inventory
- Data-subject rights: a flow with deadlines and verified identity
- Incident response: assessment, authority notification, evidence
- Legal bases by purpose: documented and auditable
- Third parties and processors: assessment and monitoring via KYS
- DPA and contracts: a standard data processing agreement
- DPIA / high risk: a data protection impact assessment
- Governance and evidence: policies, training and an audit trail
Who runs privacy with Kavuka LGPD
Telecom, Healthcare & Finance
Sectors prioritized in the authority’s enforcement, handling sensitive data at high volume, where a breach costs the most.
Companies under enterprise demand
Corporate clients require a DPA and evidence before signing. A ready privacy dossier becomes a commercial enabler, not a roadblock.
E-commerce & Marketplaces
A high volume of data subjects, sharing with partners and a queue of requests: they require a DPIA, reinforced governance and on-time service.
Decisions on third-party data
Credit, risk and HR functions that make decisions based on third-party data must govern that use, the natural link to the rest of the Kavuka platform.
The protection of those who operate data at scale
Kavuka LGPD is born from practice. Kavuka lives on both sides of the law: as a data processor at scale, with the governance that role demands, and as a provider of verification solutions. It is the privacy program of those who actually operate data, not the consultancy of those who have never processed a single data subject’s record.
- Legal bases documented by purpose in the ROPA, with continuous review at every new operation or supplier.
- Data-subject service with identity verification, closing the leak through a fake data subject (a requester impersonating the data subject to obtain their records), an underestimated risk.
- Standard Data Processing Agreement for enterprise clients and for the processors handling data on your behalf.
- A full evidence trail of the program: every decision, request and incident response with rationale, source and date.
- Certified security with encryption in transit and at rest; public or legally permitted sources.
We left the PDF phase behind. The ROPA is alive now: when the operation changes, the record changes — and the evidence is ready for the regulator.
We had an incident. For the first time it was not panic: assessment, notification on time and evidence. The rehearsed plan made the difference.
The enterprise client’s privacy questionnaire was our sales bottleneck. Now we answer with a ready dossier — it became a formality.
Which year was your compliance built for?
In 15 minutes, run a diagnostic of your program against the data authority’s new enforcement landscape.
- For businesses only. No purchase commitment.
- Data used solely for commercial contact.
- Enterprise leads answered within 1 business day.
What operable LGPD is and why a one-off compliance project is no longer enough
LGPD (Brazil’s General Data Protection Law, Law 13,709/2018) sets out how organizations may collect, use, share and store personal data, requiring a legal basis for each purpose, transparency toward the data subject, information security and accountability. For years, many companies treated compliance as a one-off project: they hired a consultancy, produced policies, an inventory and a report — and filed the PDF away. The trouble is that operations change every month: new suppliers come in, new purposes arise, systems are swapped. The compliance project ages out, and what remains is the appearance of compliance, not the program that sustains it.
The regulatory landscape changed phase, and with it the product. The data authority became a regulator with broad powers of enforcement, rulemaking and sanction. Its guidance posture gave way to enforcement: the 2026–2027 Priority Topics Map makes clear that security incidents will be subject to stricter enforcement and sanction, and daily fines for non-compliance are already foreseen. Sanctions range from a warning and a fine of up to 2% of revenue (capped at R$ 50 million per violation) to publicizing the violation, blocking and erasing data, and even suspending the processing activity. The courts are advancing in parallel: the high court has established that improper disclosure of personal data gives rise to presumed moral damages, with strict liability for the database controller.
Operable privacy is the answer to this landscape: turning the law into a living program. That means a continuously maintained ROPA — the inventory of processing operations with data, purposes, legal bases, sharing and retention. It means a data-subject service flow with deadlines, verified identity and a trail, instead of improvised requests arriving through every channel. It means a rehearsed incident response plan — detection, risk assessment to the data subject, notification to the authority on time and evidence — because the incident is the moment of truth. And it means governing third parties: every processor handling data on your behalf is your responsibility, assessed, contracted by DPA and monitored.
What sets Kavuka LGPD apart is that it was born from those who operate data at scale every day. Kavuka lives on both sides of the law: as a data processor, with the governance that role demands, and as a provider of verification solutions. That is why the privacy program verifies data subjects’ identities with the in-house engines and assesses processors through the KYS pipeline, the link between privacy and third-party management that point tools lack. The result: enforcement stops being a fear, the enterprise client’s questionnaire becomes a formality and privacy becomes what it should be, a competitive advantage and a commercial enabler. LGPD has left the educational phase; leave the PDF phase behind.
We already completed our compliance project. Why do we need this?
Because a one-off project ages out: operations change, suppliers come in, new purposes arise — and the data authority changed phase, with active enforcement and sanctions. A living program keeps the ROPA, flows and evidence continuously up to date.
What changed at the data authority?
It became a regulator, with broad powers of enforcement, rulemaking and sanction — and signaled that security incidents will be subject to active enforcement. The guidance era is over; daily fines for non-compliance are already foreseen.
What sanctions are possible?
A warning, a fine of up to 2% of revenue (capped at R$ 50 million per violation), daily fines, publicizing the violation, blocking and erasing data, even suspending the processing activity. And the courts run in parallel — the high court has established presumed moral damages for improper sharing.
How does data-subject service work?
A single channel with identity verification (preventing the leak via a fake data subject — an underestimated risk), a flow with deadlines, legally standardized responses and a full trail of every request.
What about the suppliers who process data for us?
They are your processors — and your responsibility. The pipeline assesses, contracts (DPA) and monitors each one, with the KYS engine behind it: the link between privacy and third-party management that point tools lack.
Does Kavuka LGPD replace the DPO?
No — it equips the DPO. The data protection officer keeps the role; the platform provides the living ROPA, the data-subject flows, the incident plan and the evidence trail so they govern the program instead of rebuilding it at every audit. For those without a DPO, the pipeline is the foundation of the service.
How does LGPD connect to the rest of the Kavuka platform?
Through data. Data-subject identity verification uses the in-house engines; processor assessment runs on the KYS pipeline; and obligations appear on the GRC map. Those who decide on third-party data (credit, risk, HR) govern that use in the same place.
Let's talk
Your next high-impact decision starts with the right data.
Talk to a GUÉP specialist and find where applied intelligence creates the most value in your operation.