§ 01 · Security posture
ACCESS
- JWT in httpOnly cookies + refresh-token rotation
- TOTP-based 2FA available
- 7 roles with strict hierarchy
- Magic-links scoped per show
ISOLATION
- PostgreSQL Row-Level Security
- Multi-tenant at the database level
- No data crossover between production companies
- Independent workspaces
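As an added example of the isolation layer described above (illustrative code, not Producit's schema or policies; the table `shows`, the column `company_id`, the role `producit_app` and the connection setting `app.company_id` are assumed names), this is how a PostgreSQL Row-Level Security policy confines each production company to its own rows, including the guard for a connection that never bound a tenant:

```sql
-- Added example, not Producit's own schema. Assumed names: table "shows",
-- tenant column "company_id", application role "producit_app", and a
-- per-request connection setting "app.company_id" that the application
-- binds after authenticating the user.

CREATE TABLE shows (
    id          bigserial PRIMARY KEY,
    company_id  uuid NOT NULL,
    title       text NOT NULL
);

-- Enable RLS and FORCE it so the table owner is also subject to the policy.
ALTER TABLE shows ENABLE ROW LEVEL SECURITY;
ALTER TABLE shows FORCE ROW LEVEL SECURITY;

-- The application connects as a role without BYPASSRLS and with only the
-- table privileges it needs.
CREATE ROLE producit_app NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON shows TO producit_app;

-- One policy for reads (USING) and writes (WITH CHECK): a row is visible or
-- writable only when its company_id equals the tenant bound on the connection.
-- current_setting(..., true) returns NULL if the setting was never set, and ''
-- once a SET LOCAL has expired; NULLIF turns both into NULL, so an unbound
-- connection sees no rows instead of all rows.
CREATE POLICY tenant_isolation ON shows
    FOR ALL
    TO producit_app
    USING (
        company_id = NULLIF(current_setting('app.company_id', true), '')::uuid
    )
    WITH CHECK (
        company_id = NULLIF(current_setting('app.company_id', true), '')::uuid
    );

-- Per request, inside one transaction, the application binds the tenant.
-- SET LOCAL scopes the value to this transaction only, so a pooled connection
-- cannot leak it to the next request. The UUIDs below are constructed values.
BEGIN;
SET ROLE producit_app;
SET LOCAL app.company_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO shows (company_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'Own production');   -- allowed
SELECT id, title FROM shows;                                        -- own rows only
COMMIT;

-- A write for another tenant is rejected by WITH CHECK with
-- "new row violates row-level security policy", which aborts the transaction.
BEGIN;
SET ROLE producit_app;
SET LOCAL app.company_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO shows (company_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'Other tenant');     -- rejected
ROLLBACK;

-- Same connection, no tenant bound: the policy evaluates to NULL and the
-- query returns zero rows rather than every company's data.
SET ROLE producit_app;
SELECT count(*) FROM shows;                                         -- 0
RESET ROLE;
```

Two checks worth running against any RLS deployment: confirm the application role has neither `SUPERUSER` nor `BYPASSRLS`, and confirm `FORCE ROW LEVEL SECURITY` is set on every tenant-scoped table, since an owner-privileged connection otherwise skips the policy. Tables where RLS is not enabled get none of this protection from the database, which is why the per-table count in § 02 matters when reviewing the posture.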
ENCRYPTION
- TLS 1.3 in transit
- AES-256 at rest
- Segregated encryption keys (financial, TOTP)
- HMAC integrity checks on sensitive data
DEFENSE
- CSRF protection: httpOnly cookies with SameSite=Strict
- SSRF protection on webhooks
- Rate limiting on public endpoints
- Immutable audit log
These legal documents are translations for convenience. The Spanish version governs.
§ 02 · Infrastructure
What we use, no black box.
No marketing-speak. This is what runs Producit today.
| Component | Technology | Notes |
|---|---|---|
| Database | PostgreSQL 16 (with pgvector) | RLS enabled on ~86 of 142 tables |
| Cache | Redis 7 | Sessions, rate limiting |
| Storage | AWS S3 | Documents, attachments, riders |
| Hosting | [PENDING DECISION: AWS region] | |
| Transactional email | AWS SES | |
| Observability | Sentry · OpenTelemetry · PostHog | With PII redaction policies |
| Payments | PayCore | |
| AV scanning | Local heuristics | Cloud AV on roadmap |
§ 03 · Honest gaps
We won’t fake it.
There are things we haven’t completed yet. We declare them openly because we prefer honesty over misleading marketing.
[◉ IN DEVELOPMENT] Cloud AV scanning
Today we scan uploaded files with local heuristics. We will integrate cloud AV (likely ClamAV or similar) during [PENDING DECISION: estimated quarter].
[◉ EVALUATING] SOC 2 Type II
[PENDING DECISION: actual status. Options: "not started", "evaluating auditors", "in progress with auditor X", "Type I expected for Q[N] 2026"]. We don’t promise dates we can’t meet.
[◉ PENDING] External penetration test
No formal external pen test yet. We are planning it for [PENDING DECISION: quarter]. In the meantime, we perform regular internal code audits.
[◉ ON ROADMAP] Bug bounty program
No formal program yet. When we reach [PENDING DECISION: size milestone], we will open it on [HackerOne / Intigriti / our own platform].
§ 04 · Responsible disclosure
If you found something, we want to know.
We take any vulnerability report seriously. If you discovered something that compromises the security of the Service, write to us at security@producit.cl.
Our commitment:
- Acknowledgement of receipt within a maximum of 24 business hours.
- Initial triage within a maximum of 5 business days.
- Ongoing communication until resolution.
- Public recognition (if you want it) once the fix is published.
We ask:
- Do not exploit the vulnerability beyond what is necessary to demonstrate it.
- Do not access other users’ data.
- Do not publish the report until we have a fix deployed.
[LAWYER REVIEW: exact safe-harbor wording for good-faith security researchers.]
§ 05 · Enterprise readiness
Need a security questionnaire?
If your IT or procurement team needs to fill out a formal security questionnaire before approving Producit, contact us. We have prepared answers for the most common frameworks (CAIQ, SIG Lite, custom).
Request security questionnaire →
Contact
Vulnerabilities: security@producit.cl
Compliance / Audits: security@producit.cl
Initial response SLA: 24 business hours