Enterprise trust

Security & compliance.

We protect our clients' data and systems with the same standards we demand for our own. Real certifications, verifiable practices, measurable response.

Certifications

Certifications & standards

ISO 27001

Information Security

ISO 9001

Quality Management

SOC 2

Service Organization Controls

ENS

Spanish National Security Framework

Data practices

Data handling

How we protect the information our clients entrust to us.

Encryption

AES-256 at rest, TLS 1.3 in transit. All client data encrypted by default. No exceptions. Encryption keys are rotated automatically.

Data residency

EU data residency. Primary infrastructure in European regions (Cloudflare EU, Railway EU). No data leaves the EEA without explicit consent.

Access control

Role-based access control (RBAC). Multi-factor authentication required for all production systems. Principle of least privilege enforced organization-wide.

Regulatory compliance

GDPR & LOPDGDD

Full compliance with European and Spanish data protection regulations.

Lawful basis documented for all processing activities

Data subject rights handled within 30 days

DPO contact:

Registered with AEPD (Spanish Data Protection Agency)

LOPDGDD (Organic Law 3/2018) compliant

Privacy Impact Assessments for high-risk processing

Data Processing Agreements with all subprocessors

Cookie consent via explicit opt-in

Infrastructure

Infrastructure security

Secure cloud architecture with tier-1 providers.

Cloud providers

Multi-cloud (AWS, GCP, Cloudflare). SOC 2 Type II certified providers. Geographic redundancy.

Network security

WAF (Cloudflare), DDoS protection, traffic encryption, network segmentation. Zero-trust networking.

Monitoring

24/7 infrastructure monitoring. Automated alerting. Log retention 90+ days. Event correlation.

Vulnerability management

Regular penetration testing. Dependency scanning in CI/CD. Active responsible disclosure program.

Incident response

Structured protocol for detection, containment, communication and improvement.

1. Detection (< 1 hour)

Automated monitoring detects an anomaly. On-call engineer paged immediately.

2. Containment (< 4 hours)

Threat isolated. Affected systems quarantined. Initial impact assessment completed.

3. Notification (< 72 hours, GDPR)

Client notified. AEPD notified if personal data is involved. Detailed impact report shared.

4. Post-mortem (< 7 days)

Root cause analysis. Remediation plan implemented. Lessons learned documented and shared.

FAQ

Security FAQ

Answers to the most common enterprise security questionnaire questions.

Where is data stored?

EU data centers. Primary providers: Cloudflare (EU), Railway (EU). No data stored outside the EEA without explicit agreement.

What happens in case of a security breach?

GDPR-compliant notification within 72 hours. Full incident response protocol with detection (< 1h), containment (< 4h), notification (< 72h) and post-mortem (< 7 days).

Do you have a DPO?

Yes. Contact: . The DPO oversees all processing activities and ensures ongoing GDPR and LOPDGDD compliance.

Can I request data deletion?

Yes. Data subject rights exercised via . Guaranteed response within 30 days per regulation.

What subprocessors do you use?

Core list: Cloudflare (CDN/WAF), Railway (hosting), Brevo (transactional email), Google Calendar (booking). Full list available on request.

Need more details?

Our security team can schedule a dedicated briefing to answer your security questionnaire.