Measures and protocols to guarantee the security of information and operations.
The Company operates in a digital e-commerce environment and artificial intelligence-based customer service, processing Users' personal data through its web Platform and WhatsApp communication channels. The objective of this Information Security Policy is to establish the framework for protecting the confidentiality, integrity, and availability of information and the Company's technological assets, as well as the personal data of Users processed through the Platform. This policy applies to all employees, contractors, suppliers, and systems that interact with the Company's technological infrastructure, including the web platform, communication systems (WhatsApp), databases (Redis), artificial intelligence services, and any other component of the information system.
The Company is committed to implementing, maintaining, and continuously improving an Information Security Management System (ISMS) in accordance with ISO/IEC 27001, in order to protect its information assets against internal and external threats, ensuring business continuity and minimizing security risks. Relevant interested parties for the ISMS have been identified, including Users, employees, technology service providers, and regulatory bodies.
Company senior management demonstrates its leadership and commitment to the ISMS through: (a) establishing the information security policy and security objectives; (b) integrating ISMS requirements into business processes; (c) ensuring that the resources necessary for the ISMS are available; (d) communicating the importance of effective information security management; (e) directing and supporting persons who contribute to ISMS effectiveness; and (f) promoting continuous improvement of the ISMS. Roles and responsibilities for information security have been defined, with senior management holding ultimate responsibility.
The Company establishes the following Information Security Policy, approved by senior management, communicated throughout the organization, and available to interested parties: The Company is committed to protecting the confidentiality, integrity, and availability of information and technological assets through the implementation of security controls based on risk assessment, complying with applicable legal and contractual requirements, and promoting continuous improvement of the ISMS. This policy provides the framework for establishing and reviewing security objectives and is periodically reviewed to ensure its suitability and adequacy to the Company's context.
The Company conducts periodic information security risk assessments to identify, analyze, and evaluate risks associated with the confidentiality, integrity, and availability of information. The risk assessment process considers: (a) identification of information assets and their owners; (b) identification of threats and vulnerabilities; (c) identification of existing controls; (d) determination of consequences and likelihood of risk materialization; and (e) determination of risk level. Based on the results of the assessment, a risk treatment plan is defined that selects appropriate controls from Annex A of ISO/IEC 27001 to mitigate identified risks to an acceptable level.
The Company provides the resources necessary for the establishment, implementation, maintenance, and continuous improvement of the ISMS, including competent human resources, adequate technological infrastructure, and financial resources. The Company determines the competence necessary for personnel affecting ISMS performance and provides periodic information security training and awareness. All employees, contractors, and temporary staff sign confidentiality agreements and receive initial and ongoing training on their security responsibilities.
The Company plans, implements, and controls the processes necessary to meet ISMS requirements and the controls of Annex A of ISO/IEC 27001, including: logical and physical access control (A.9), human resource security (A.7), operations security (A.12), communications security (A.13), system acquisition and development security (A.14), incident management (A.17), business continuity (A.18), and compliance (A.18). The details of each control domain are described in the following sections.
The Company performs monitoring, measurement, analysis, and evaluation of ISMS performance and effectiveness through: (a) monitoring security indicators, including detected incidents, response times, and percentage of training completed; (b) evaluation of compliance with applicable legal and regulatory requirements; (c) conducting internal ISMS audits at planned intervals; and (d) management review of the ISMS at planned intervals to ensure its suitability, adequacy, effectiveness, and alignment with the Company's strategic direction.
The Company identifies improvement opportunities and implements the necessary actions to achieve the intended results of its ISMS. When a nonconformity or security incident occurs, the Company: (a) reacts to the nonconformity to control and correct it; (b) evaluates the need for actions to eliminate root causes and prevent recurrence; (c) implements necessary corrective actions; and (d) reviews the effectiveness of such actions. The Company continually improves the suitability, adequacy, and effectiveness of the ISMS.
Access to the Company's information systems is restricted according to the principle of least privilege and need-to-know. The following measures are implemented: (a) identity management through unique identification for each user; (b) multi-factor authentication for critical access, including access to cloud infrastructure and databases; (c) periodic review of access rights; (d) timely revocation of access rights when no longer necessary; (e) robust password policies; (f) physical access control to facilities where equipment is hosted; and (g) logging and monitoring of authorized and unauthorized access attempts.
The Company ensures that all employees, contractors, and temporary staff involved in the provision of Services understand their information security responsibilities and are suitable for the roles for which they are considered. The following measures are implemented: (a) background verification before hiring, in accordance with applicable laws; (b) signing of confidentiality agreements; (c) periodic information security training and awareness; (d) disciplinary procedures for security policy violations; and (e) termination or role change procedures that ensure the return of assets and revocation of access rights.
The Company implements controls to ensure security in daily operations, including: (a) protection against malware through updated antivirus and antimalware solutions; (b) periodic backups of critical data, with tested restoration procedures; (c) logging and monitoring of security events through access logs, system activity records, and automated alerts; (d) change management in systems and applications through formal change control procedures; (e) segregation of development, testing, and production environments; and (f) protection against denial of service threats and brute force attacks through rate limiting mechanisms configured at 30 seconds per IP and per recipient.
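As an added example (not the Company's own code), the rate limit in control (f) can be modelled as a 30-second cooldown keyed separately by source IP and by recipient; the dictionary stands in for the Redis store named elsewhere in this policy, and the injectable clock is an assumption made so the behaviour can be checked deterministically.

```python
import math
import time
from typing import Callable, Dict, Optional

# The 30-second window per IP and per recipient stated in control (f).
WINDOW_SECONDS = 30


class CooldownLimiter:
    """Allows one action per key within a fixed window.

    The dict maps key -> expiry timestamp, the same shape as a Redis
    'SET key 1 NX EX 30' entry; it is an in-memory stand-in, not Upstash.
    """

    def __init__(self, window: int = WINDOW_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.window = window
        self.clock = clock  # injectable clock (assumption) for deterministic tests
        self._expiry: Dict[str, float] = {}

    def _blocked(self, key: str, now: float) -> bool:
        exp = self._expiry.get(key)
        return exp is not None and exp > now

    def retry_after(self, key: str) -> int:
        """Whole seconds until `key` may be used again (0 if usable now)."""
        now = self.clock()
        return max(0, math.ceil(self._expiry.get(key, now) - now))

    def check(self, ip: str, recipient: str) -> Optional[str]:
        """Return None if the send is allowed, else the key that blocked it.

        Both keys are checked before either is consumed, so a request
        rejected on the recipient limit does not burn the IP's window.
        """
        now = self.clock()
        keys = (f"ip:{ip}", f"rcpt:{recipient}")
        for key in keys:
            if self._blocked(key, now):
                return key
        for key in keys:
            self._expiry[key] = now + self.window
        return None


def simulate() -> list:
    """Constructed traffic: two IPs messaging the same recipient inside 30 s."""
    t = [1000.0]
    lim = CooldownLimiter(clock=lambda: t[0])
    out = [lim.check("203.0.113.5", "+15550001")]   # first send: allowed
    out.append(lim.check("203.0.113.5", "+15550002"))  # same IP too soon
    t[0] += 5
    out.append(lim.check("198.51.100.7", "+15550001"))  # same recipient too soon
    t[0] += 30
    out.append(lim.check("203.0.113.5", "+15550002"))  # window expired: allowed
    return out
```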
The Company secures data communications through: (a) encryption in transit using HTTPS/TLS protocol for all communications between the User's browser and the Platform's servers; (b) encryption at rest of stored sensitive data; (c) network segmentation to separate production, development, and testing environments; and (d) protection of communication channels with external providers (YCloud API, OpenAI API, Redis connections to Upstash) through API keys and mutual authentication.
The Company integrates security into the software development lifecycle, including: (a) security requirements analysis in the design phase; (b) code reviews and vulnerability analysis; (c) security testing before going into production; (d) change management through formal procedures; (e) security evaluation of third-party components used (libraries, frameworks, external services); and (f) maintenance of an updated software assets inventory.
The Company has established a security incident management procedure that includes: (a) early detection through continuous monitoring of logs and alerts; (b) classification and prioritization of incidents based on impact and urgency; (c) incident containment to limit damage; (d) eradication of root cause; (e) recovery of affected systems; (f) detailed incident logging, including actions taken and lessons learned; and (g) notification to affected parties, including Users and competent authorities, as required by applicable data protection legislation.
The Company maintains a Business Continuity Plan (BCP) that ensures the ability to continue operating and recovering critical services in the event of a serious incident or disaster. The BCP includes: (a) identification of critical services and target recovery times (RTO); (b) backup and redundancy strategies for critical infrastructure components; (c) disaster recovery procedures (DRP); and (d) periodic testing of the continuity plan.
The Company is committed to complying with all applicable laws, regulations, and contractual requirements in matters of information security, including personal data protection legislation, intellectual property, and digital security. Periodic legal compliance review is conducted, and a register of applicable legal requirements is maintained. This policy is reviewed at least annually or when significant changes occur in the organization, technology, or legal environment.