Security Policy

Introduction

At Vigimati, security is not just a feature—it's the foundation of everything we build. As a cloud security posture management (CSPM) platform, we understand the critical importance of protecting your data and infrastructure. This Security Policy outlines the comprehensive measures we implement to ensure the confidentiality, integrity, and availability of your information.

Our Security Commitment

We treat your data with absolute confidentiality and maintain strict security protocols in accordance with:

• General Data Protection Regulation (EU) 2016/679 (GDPR)
• Spanish Organic Law 3/2018 on Protection of Personal Data (LOPDGDD)
• ISO 27001 security standards and best practices
• Cloud Security Alliance (CSA) guidelines
• NIST Cybersecurity Framework

Data Protection Measures

1. Encryption

• Data in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 with strong cipher suites.
• Data at Rest: All sensitive data stored in our databases is encrypted using AES-256 encryption.
• Key Management: Encryption keys are securely managed using AWS Key Management Service (KMS) with automatic key rotation.

2. Access Control

• Principle of Least Privilege: Users and systems are granted only the minimum access rights necessary to perform their functions.
• Multi-Factor Authentication (MFA): We enforce MFA for all administrative access and highly recommend it for all user accounts.
• Role-Based Access Control (RBAC): Granular permission systems ensure that users can only access resources relevant to their role.

3. Infrastructure Security

• Cloud Infrastructure: Our services are hosted on AWS, which maintains SOC 1/2/3, ISO 27001, and PCI DSS Level 1 certifications.
• Network Segmentation: Production environments are isolated from development and testing environments using VPCs and security groups.
• Firewall Protection: Web Application Firewall (WAF) protects against common web exploits and attacks.
• DDoS Protection: Distributed Denial of Service (DDoS) protection mechanisms.

Application Security

Secure Development Lifecycle

• Code Reviews: All code changes undergo peer review before deployment.
• Static Analysis: Automated tools analyze code for common vulnerabilities.
• Dependency Management: Regular scanning and updates of third-party libraries.
• Secure Coding Standards: Development team follows OWASP Top 10 guidelines.

Monitoring and Incident Response

Continuous Monitoring

• 24/7 security monitoring of all systems and infrastructure
• Automated alerting for suspicious activities or anomalies
• Comprehensive logging of all system activities for audit and forensic purposes
• Regular security audits and vulnerability assessments

Incident Response Plan

We maintain a comprehensive incident response plan that includes:

• Detection: Rapid identification of security incidents through automated monitoring
• Containment: Immediate isolation of affected systems to prevent further damage
• Investigation: Thorough analysis to determine the scope and impact of the incident
• Remediation: Swift action to resolve vulnerabilities and restore normal operations
• Notification: Timely communication with affected parties in compliance with GDPR requirements (within 72 hours of discovery)

Data Backup and Disaster Recovery

• Regular Backups: Automated daily backups of all critical data with geo-redundant storage.
• Backup Encryption: All backups are encrypted using the same standards as production data.
• Recovery Testing: Regular testing of backup restoration procedures.
• Recovery Time Objective (RTO): Target restoration time of less than 4 hours for critical systems.
• Recovery Point Objective (RPO): Maximum data loss tolerance of 1 hour.

Compliance and Certifications

Vigimati is committed to maintaining compliance with relevant security standards and regulations:

• GDPR Compliant: Full compliance with EU data protection requirements
• LOPDGDD Compliant: Adherence to Spanish data protection legislation
• SOC 2 Type II: Working towards SOC 2 certification (in progress)
• ISO 27001: Alignment with international information security management standards

Reporting Security Issues

If you discover a security vulnerability or have security concerns, please report them immediately:

• Security Email: security@vigimati.com
• Email: yves@vigimati.com

We appreciate responsible disclosure and will respond to all security reports promptly. We commit to:

• Acknowledging receipt of your report within 24 hours
• Providing an initial assessment within 72 hours
• Keeping you informed of our progress
• Recognizing your contribution (with your permission)

Contact Information

For questions about our security practices or this Security Policy:

• Owner: Yves Jiménez-Carrete Gallego
• Address: C/ Velázquez 46, Escalera C 3 Izquierda, Madrid 28001, Spain
• Tax ID: 51101999R
• Email: yves@vigimati.com
• Security Email: security@vigimati.com
• Contact Page: Contact Form