Security

Security & Regulatory Compliance

We prioritize the security and privacy of your data with industry best practices and full compliance with data protection laws in Colombia and Latin America.

Security First

HTTPS Encryption

All data transmitted between your browser and our servers is encrypted using TLS/SSL, ensuring your information remains private and secure.

Secure Authentication

Password hashing with bcrypt and secure session management protect your account from unauthorized access.

AES-256-GCM Encryption

Sensitive data (personal information, case notes) is encrypted with AES-256-GCM before storage. Even in case of unauthorized database access, the information remains unreadable.

File Encryption at Rest

All uploaded documents (PDF) are compressed with Gzip and encrypted with AES-256-GCM before storage. Files are transparently decrypted and decompressed on download, ensuring full protection at rest.

Data Privacy

Your data belongs to you. We follow strict data handling practices and never share your information with third parties without your express authorization.

Role-Based Access Control

Granular permissions ensure that users only access the information they need. Administrators, lawyers, staff, and clients each have appropriate access levels.

Immutable Audit Logs

Every action on personal data is recorded with timestamp, responsible user, and change details. Records are immutable and comply with forensic traceability requirements.

Habeas Data

Habeas Data Compliance

We fully comply with data protection regulations in every country where we operate: Law 1581 of 2012 (Colombia), LOPDP and Decree 904 (Ecuador). We implement all data processing principles: legality, purpose, freedom, accuracy, transparency, access, restricted circulation, security, and confidentiality.

ARCO Rights

We guarantee the rights of Access, Rectification, Cancellation, and Opposition for all data subjects. You can exercise these rights from your profile settings or by contacting our privacy team.

Data Retention Policy

We retain your data only for as long as necessary to fulfill processing purposes and legal obligations. After service termination, data is securely deleted in accordance with applicable regulations.

International Data Transfers

When we transfer data outside Colombia, we ensure equivalent levels of protection through standard contractual clauses and compliance with legislation from countries with adequate protection levels.

Security Incident Notification Protocol

In the event of a security breach affecting personal data that poses a real risk to the rights and freedoms of data subjects, Custodio Legal will notify:

(1) The Superintendence of Industry and Commerce (SIC) of Colombia and/or the Personal Data Protection Superintendency (SPDP) of Ecuador within a maximum of seventy-two (72) hours of becoming aware of the incident, pursuant to Art. 25 of Ecuador's LOPDP and SIC guidance.

(2) Affected data subjects without undue delay when the breach is likely to result in high risk to their rights.

The notification will include: the nature of the incident, categories of data affected, likely consequences, measures taken or proposed, and contact details of the Controller or DPO.

Data Protection Officer (DPO)

Custodio Legal has appointed a Data Protection Officer (DPO) responsible for ensuring compliance with applicable data protection legislation. This satisfies the requirements of Art. 43 of Ecuador's LOPDP and best practices recommended by Colombia's SIC. The DPO can be contacted directly at [email protected] or through the platform under 'Settings > Privacy & Data'. All data rights requests will be managed by the DPO within the legally applicable deadline.

Questions about security?

Our team is ready to discuss your specific security and regulatory compliance requirements.