Information Security

Measures and procedures to protect the confidentiality, integrity, and availability of information at Atogu.

Atogu Security Details

At Atogu we are dedicated to collecting, processing and selling data sourced from company databases. We are fully aware of the importance of applying high-level security measures to protect the information we manage. Although our team is small, we work with standards comparable to those of much larger organizations.

This document describes our security practices and policies. If you would like to know in detail what data we collect, how we use it and how it is processed, please refer to our Privacy Policy.

General Practices

Access to our servers, source code and third-party tools is protected by two-factor authentication.
We use strong, randomly generated passwords that are never reused.
Staff and collaborators are granted the minimum level of access necessary to perform their work, which rarely includes direct access to production systems or full datasets.
We use automated vulnerability detection tools to identify potential risks in our dependencies and apply security patches as quickly as possible.
We do not copy production data to external devices (such as personal laptops).

Access Control and Organizational Security

Personnel All employees and contractors sign a non-disclosure agreement (NDA) before accessing sensitive information.

Penetration testing We conduct annual security audits and penetration tests through specialized third parties. Reports conclude whether our measures meet industry best practices. Full copies of the results can be requested in writing.

Authentication and Access Management

Each customer has personal, non-transferable credentials to access our systems.
Passwords are stored encrypted using robust algorithms (bcrypt or equivalent).
Any interaction with our APIs and admin panels requires an authentication token, which automatically expires after prolonged periods of inactivity.

Encryption and Secure Data Transmission

All data exchanges with our systems are performed over encrypted connections using TLS 1.2 or higher.
Data stored in internal repositories or databases is encrypted at rest using AES-256.
Encryption keys are randomly generated, never reused, and managed according to industry standards.

Data Retention and Deletion

Access and activity logs are kept for a maximum of 30 days, unless a longer period is required by law.
Customers may request deletion of their data in accordance with the GDPR and other applicable regulations.
We do not store data on personal devices or unauthorized media.

Software Development Practices

Every code change is reviewed by at least one other team member before deployment.
Code is tested in staging environments following a quality control protocol before being promoted to production.
Periodic vulnerability assessments are performed for both internal software and external platforms we use.

Hosting and Regulatory Compliance

Our servers are hosted with providers that comply with international certifications such as ISO 27001, SOC 1, SOC 2 and PCI DSS Level 1.
Primary data storage takes place in the European Union, ensuring GDPR compliance.

Frequently Asked Questions

Do you commercialize personal data? We do not sell personal data of natural persons without a legal basis. Our activity focuses on company data and professional contacts within the scope permitted by applicable regulations.

How can I report a vulnerability? You can email us at f.diazlaclaustra@datary.io, which will be handled with priority.

Do you perform staff background checks? Yes. All employees and contractors undergo prior checks and sign confidentiality agreements.

What insurance coverage do you have? We maintain cyber liability, professional liability and commercial/general liability policies covering potential incidents arising from our activity.

📌 Note: This document is updated periodically to reflect changes in our practices and legal requirements.