Security & Regulatory Compliance
We prioritize the security and privacy of your data with industry best practices and full compliance with data protection laws in Colombia and Latin America.
Security First
HTTPS Encryption
All data transmitted between your browser and our servers is encrypted using TLS/SSL, ensuring your information remains private and secure.
Secure Authentication
Password hashing with bcrypt and secure session management protect your account from unauthorized access.
AES-256-GCM Encryption
Sensitive data (personal information, case notes) is encrypted with AES-256-GCM before storage. Even in case of unauthorized database access, the information remains unreadable.
File Encryption at Rest
All uploaded documents (PDF) are compressed with Gzip and encrypted with AES-256-GCM before storage. Files are transparently decrypted and decompressed on download, ensuring full protection at rest.
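What the compress-then-encrypt flow described above can look like in Node.js, as an added example that is not Custodio Legal's own code. The blob layout (nonce, tag, ciphertext), the function names, the file identifier bound as associated data, and the in-memory key are all assumptions made for illustration.

```javascript
// Added example: gzip-then-AES-256-GCM storage envelope (hypothetical names, not the platform's code).
const crypto = require('crypto');
const zlib = require('zlib');

const NONCE_LEN = 12; // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16;   // 128-bit authentication tag

// Assumed blob layout: nonce || tag || ciphertext.
// fileId is bound as additional authenticated data, so a blob moved under
// another record's identifier fails verification.
function sealFile(key, fileId, plaintext) {
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh per file; never reuse with the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(fileId, 'utf8'));
  const ct = Buffer.concat([cipher.update(zlib.gzipSync(plaintext)), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

function openFile(key, fileId, blob) {
  if (blob.length < NONCE_LEN + TAG_LEN) throw new Error('blob too short');
  const nonce = blob.subarray(0, NONCE_LEN);
  const tag = blob.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN);
  const ct = blob.subarray(NONCE_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(fileId, 'utf8'));
  decipher.setAuthTag(tag);
  // final() throws if tag, ciphertext or AAD was altered; decompress only after it succeeds.
  const compressed = Buffer.concat([decipher.update(ct), decipher.final()]);
  return zlib.gunzipSync(compressed);
}

// Returns true when openFile refuses the blob (authentication failure).
function rejects(key, fileId, blob) {
  try { openFile(key, fileId, blob); return false; } catch (e) { return true; }
}

// Constructed sample input standing in for an uploaded PDF.
const key = crypto.randomBytes(32); // assumption: a real key would come from a key-management service
const pdf = Buffer.from('%PDF-1.7\n' + 'constructed sample content\n'.repeat(50));
const blob = sealFile(key, 'case-001/doc.pdf', pdf);
const tampered = Buffer.from(blob);
tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit

console.log('round trip ok:', openFile(key, 'case-001/doc.pdf', blob).equals(pdf));
console.log('tamper rejected:', rejects(key, 'case-001/doc.pdf', tampered));
console.log('wrong id rejected:', rejects(key, 'case-002/doc.pdf', blob));
```

Because GCM authenticates as well as encrypts, a modified or relocated blob is rejected before any decompression runs, so the gzip decoder never sees unauthenticated input.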
Data Privacy
Your data belongs to you. We follow strict data handling practices and never share your information with third parties without your express authorization.
Role-Based Access Control
Granular permissions ensure that users only access the information they need. Administrators, lawyers, staff, and clients each have appropriate access levels.
Immutable Audit Logs
Every action on personal data is recorded with timestamp, responsible user, and change details. Records are immutable and comply with forensic traceability requirements.
Habeas Data Compliance
We fully comply with data protection regulations in every country where we operate: Law 1581 of 2012 (Colombia), LOPDP and Decree 904 (Ecuador). We implement all data processing principles: legality, purpose, freedom, accuracy, transparency, access, restricted circulation, security, and confidentiality.
ARCO Rights
We guarantee the rights of Access, Rectification, Cancellation, and Opposition for all data subjects. You can exercise these rights from your profile settings or by contacting our privacy team.
Data Retention Policy
We retain your data only for as long as necessary to fulfill processing purposes and legal obligations. After service termination, data is securely deleted in accordance with applicable regulations.
International Data Transfers
When we transfer data outside Colombia, we ensure equivalent levels of protection through standard contractual clauses and compliance with legislation from countries with adequate protection levels.
Security Incident Notification Protocol
In the event of a security breach affecting personal data that poses a real risk to the rights and freedoms of data subjects, Custodio Legal will notify:
(1) The Superintendence of Industry and Commerce (SIC) of Colombia and/or the Personal Data Protection Superintendency (SPDP) of Ecuador within a maximum of seventy-two (72) hours of becoming aware of the incident, pursuant to Art. 25 of Ecuador's LOPDP and SIC guidance.
(2) Affected data subjects without undue delay when the breach is likely to result in high risk to their rights.
The notification will include: the nature of the incident, categories of data affected, likely consequences, measures taken or proposed, and contact details of the Controller or DPO.
Data Protection Officer (DPO)
Custodio Legal has appointed a Data Protection Officer (DPO) responsible for ensuring compliance with applicable data protection legislation. This satisfies the requirements of Art. 43 of Ecuador's LOPDP and best practices recommended by Colombia's SIC. The DPO can be contacted directly at: (✉) [email protected] or through the platform 'Settings > Privacy & Data'. All data rights requests will be managed by the DPO within the legally applicable deadline.
Questions about security?
Our team is ready to discuss your specific security and regulatory compliance requirements.