Security is a first-class engineering concern at S.R. IMPULSO DIGITAL S.A.S. This document summarizes the technical, organizational and operational controls we apply to protect the data of our clients and visitors. We continuously update these practices in line with industry standards.
1. Encryption in Transit
All data exchanged with our public website, APIs, dashboards and conversational endpoints is encrypted in transit using TLS 1.2 or higher (TLS 1.3 preferred). HSTS is enforced. Insecure ciphers and protocols (SSLv3, TLS 1.0/1.1) are disabled.
2. Encryption at Rest
Production data is encrypted at rest using AES-256 (or stronger equivalents) on managed cloud storage and databases. Keys are managed by our cloud providers' Key Management Services with periodic rotation.
3. Cloud Infrastructure
Impulso Digital operates on hyperscale cloud providers (e.g. AWS, Google Cloud, Cloudflare) selected for their compliance posture (SOC 2, ISO 27001). Workloads run in segmented virtual private networks, with infrastructure-as-code configurations under version control and peer review.
We follow the principle of least privilege for service-to-service communication, and isolate environments (development, staging, production) so that no production data ever flows downstream.
4. Authentication and Access Control
Access to privileged systems requires multi-factor authentication (MFA). Role-based access control (RBAC) ensures team members only access the data needed to perform their role. Joiner/mover/leaver procedures are enforced, and access reviews are conducted periodically.
5. Network Security
Public endpoints are protected by managed Web Application Firewalls (WAF), DDoS mitigation and rate limiting. Internal services are not exposed to the public internet. Bastion / just-in-time access is required for administrative operations.
6. Monitoring and Logging
Authentication events, configuration changes and abnormal activity are logged and monitored. Alerts trigger on suspicious behaviour. Logs are retained securely for forensic and compliance purposes.
7. Backups and Disaster Recovery
Production data is backed up automatically on a recurring schedule with encryption and integrity checks. Restore procedures are tested. Our target recovery point and recovery time objectives are defined in client engagements.
8. Vendor Risk Management
Every sub-processor that handles client or personal data is evaluated for security, privacy and operational maturity, and is bound by a written Data Processing Agreement (DPA).
9. Secure Development
Code is developed under version control with mandatory peer review. Dependencies are scanned for known vulnerabilities. Secrets are kept out of source code and managed via vault services. AI models and prompts are reviewed for prompt-injection and data-leakage risks.
10. Incident Response
We maintain a documented incident-response plan. In the event of a confirmed security incident affecting your data, we will notify you without undue delay and in any case within the timeframes required by applicable law. To report a suspected incident or vulnerability, contact security@impuldigital.pro.
11. Responsible Disclosure
We welcome reports from security researchers. Please contact us before publicly disclosing any vulnerability so we have a reasonable window to remediate. We commit to acknowledging valid reports and crediting researchers who follow responsible disclosure.
12. Contact
Security team: security@impuldigital.pro
S.R. IMPULSO DIGITAL S.A.S. · NIT 1121923719
Cll 35b # 15a-45 Este, Manzana A Casa 14, Prados de Siberia, Villavicencio, Meta, Colombia