Information security

1. Introduction

At Mister Pato, including the development and operation of the Patometer platform, we are committed to protecting the confidentiality, integrity, and availability of the information processed within our systems.

This policy outlines the technical and organizational measures implemented to ensure the security of data, particularly in the context of integrations with third-party services and platforms.

2. Scope

This policy applies to:

Systems developed and maintained by Mister Pato
Web applications, APIs, and integrations (including TikTok Shop, Holded, and other third-party services)
Cloud infrastructure used to deploy services
Data processed on behalf of clients

3. Access Control

Access to systems and data is restricted following the principle of least privilege:

Access is limited to authorized personnel only
Individual credentials are required
Secure password management practices are enforced
Multi-factor authentication (MFA) is used where applicable
Access is revoked when no longer necessary

4. Credential and Secret Management

API keys, tokens, and credentials are stored securely
Sensitive credentials are never exposed in source code or public environments
Environment variables or secure configuration systems are used
Credentials are rotated when necessary

5. Encryption and Communications

All communications are secured using HTTPS (TLS)
Transmission of sensitive data in plain text is avoided
Data in transit is protected using secure protocols
Industry best practices for SSL/TLS configuration are applied

6. Infrastructure and Hosting

Services are hosted on trusted cloud providers:

Scaleway
DigitalOcean

These providers offer:

Secure data centers
Network protection
Resource isolation
Physical and logical security controls

Additionally:

Security updates are applied regularly
Firewalls and restrictive network configurations are implemented
Systems are monitored for availability and security

7. Application Security

Applications are developed following secure coding best practices:

Input validation is enforced
Protection against common vulnerabilities (OWASP Top 10)
Secure session management
Authentication and authorization controls
Use of established frameworks (such as Django)

8. Backup and Recovery

Regular backups of data are performed
Backups are stored securely
Recovery procedures are in place
Restoration processes are periodically tested

9. Monitoring and Detection

Relevant system events are logged
Access and anomalous activity are monitored
Preventive measures are applied to detect unauthorized access
Logs are reviewed in case of incidents

10. Security Incident Management

In the event of a security incident:

The incident is analyzed to determine scope and origin
Containment and mitigation measures are applied
Affected systems are restored if necessary
Affected clients are notified when appropriate
Legal obligations (including GDPR) are fulfilled

11. Data Protection and Privacy

Only necessary data is accessed and processed
Measures are in place to prevent unauthorized access
Clients may request deletion of their data
Applicable data protection regulations are respected

For more information, please refer to our Privacy Policy

12. Third-Party Integrations

When integrating with external platforms:

Secure authentication mechanisms are used (OAuth, API keys)
Data is processed solely for functional service purposes
Data is not shared with unauthorized third parties
Platform-specific policies and requirements are respected

13. Data Retention

Data is retained only for as long as necessary
Data is deleted when no longer required or upon client request
Measures are in place to prevent unnecessary retention

14. Review and Continuous Improvement

This policy is periodically reviewed to:

Adapt to emerging threats
Improve existing controls
Ensure compliance with platform and regulatory requirements

15. Contact

For any questions related to information security:

soy@misterpato.es