Secure systems · Continuously verified

Your financial data is safe

The financial data from your projects is the most sensitive thing you entrust to us. Here we explain exactly how we protect it — without unnecessary jargon, with full transparency.

Systems protected
Encryption: AES-256
In transit: TLS 1.3
Uptime (90d): 99.96%
Last backup: 3h ago
Data encrypted at rest
2FA authentication available
Verified daily backups
Logical separation per company
Complete audit logs
🔒 0 data breaches: in Costrol's entire history
🔐 TLS 1.3: transit encryption
🛡️ AES-256: encryption at rest
🔑 bcrypt: password hashing
☁️ AWS SOC 2: certified infrastructure
💳 PCI-DSS: payments (via Transbank)
⚖️ Ley 19.628: Chilean legal framework
Pillars

Security at every layer

It's not just one lock. It's multiple protection layers working together so your project data is never exposed.

🔐 End-to-end encryption
All data is encrypted with AES-256 at rest and TLS 1.3 in transit. Even we can't read your bank statements without authentication.
🏗️ Secure multi-tenant architecture
Each company's data is logically isolated. It is impossible for a user to access data from another account.
👤 Minimum access control
Principle of least privilege: every Costrol team member only has access to the systems their role strictly requires.
💾 Verified backups
Full backups every 6 hours and incremental backups every hour. Each backup is automatically verified for integrity before being confirmed.
👁️ Continuous 24/7 monitoring
Anomaly detection systems, automatic alerts for suspicious behavior, and audit logs retained for 12 months.
🔄 Disaster recovery
Automatic failover to a backup zone on hardware failure. RTO under 15 minutes for all plans.
Encryption

Your statements travel and rest always encrypted

From the moment you upload a file to the moment you see it on screen, data passes through multiple encryption layers.

📡 TLS 1.3 in transit
All communication between your browser and our servers uses TLS 1.3, the current version of the protocol. Strict HSTS is enforced on all domains.
Cipher suite: TLS_AES_256_GCM_SHA384
🗄️ AES-256 at rest
Every file and database row is stored encrypted with AES-256-GCM. Encryption keys are protected in an independent HSM.
Algorithm: AES-256-GCM
🔑 bcrypt for passwords
Passwords are never stored in plain text. We use bcrypt with cost factor 12, which makes brute-force attacks infeasible even with modern hardware.
bcrypt (cost: 12)
🔄 Key rotation
Cryptographic keys are rotated automatically every 90 days. Session tokens have a maximum lifetime of 24 hours.
Key rotation: 90 days
📁 Bank statement you upload
BCI - 15/03/2025 - Proveedor Fierros SA - $4.200.000 CLP
🔒 What gets stored (encrypted)
aes256gcm$d8f3a2b1c9e4f7a0b2c5d8e1f4a7b0c3d6e9f2a5b8c1d4e7f0a3b6c9d2e5f8a1b4c7d0e3f6a9b2c5d8e1f4a7b0c3d6e9f2a5b8$iv:7f3a9c2e$tag:b4d8f2a6
🌐 What travels over the network (TLS)
TLSv1.3 Record Layer: Application Data Protocol: [encrypted bytes: 0x17 0x03 0x03 0x01 0xbe ...]
AES-256-GCM · TLS 1.3 · HSTS · HSM keys
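The stored record shown above has the shape `aes256gcm$<ciphertext>$iv:<nonce>$tag:<tag>`. As an added example (not Costrol's code), here is a serializer and parser for that shape using AES-256-GCM, with the row identifier bound in as associated data so a ciphertext copied into another row fails authentication there. It assumes the `cryptography` package; the key and statement are constructed values. Note that the sample on this page abbreviates the nonce and tag to 4 bytes each for display; real GCM uses a 12-byte nonce and a 16-byte tag, which is what this parser enforces.

```python
"""Serialize/parse an encrypted cell in the 'aes256gcm$<ct>$iv:<iv>$tag:<tag>'
shape shown on this page. Added example, not Costrol's code. Assumes the
`cryptography` package; the key and sample statement below are constructed."""
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the size GCM is specified for
TAG_LEN = 16    # 128-bit authentication tag


def encrypt_field(key: bytes, plaintext: str, aad: bytes) -> str:
    """Encrypt one cell. `aad` (e.g. b"statements:42") is authenticated but not
    encrypted; binding the row id this way means a ciphertext moved to another
    row no longer decrypts."""
    if len(key) != 32:
        raise ValueError("AES-256-GCM needs a 32-byte key")
    nonce = os.urandom(NONCE_LEN)  # fresh per encryption; never reuse under one key
    sealed = AESGCM(key).encrypt(nonce, plaintext.encode("utf-8"), aad)
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]  # the library appends the tag
    return f"aes256gcm${ct.hex()}$iv:{nonce.hex()}$tag:{tag.hex()}"


def parse_record(record: str) -> tuple[bytes, bytes, bytes]:
    """Split a stored record into (ciphertext, nonce, tag), validating its shape."""
    parts = record.split("$")
    if (len(parts) != 4 or parts[0] != "aes256gcm"
            or not parts[2].startswith("iv:") or not parts[3].startswith("tag:")):
        raise ValueError("unrecognised record format")
    ct = bytes.fromhex(parts[1])
    nonce = bytes.fromhex(parts[2][len("iv:"):])
    tag = bytes.fromhex(parts[3][len("tag:"):])
    if len(nonce) != NONCE_LEN or len(tag) != TAG_LEN:
        raise ValueError("bad nonce or tag length")
    return ct, nonce, tag


def decrypt_field(key: bytes, record: str, aad: bytes) -> str:
    """Decrypt a record; raises InvalidTag if ciphertext, tag or aad were altered."""
    ct, nonce, tag = parse_record(record)
    return AESGCM(key).decrypt(nonce, ct + tag, aad).decode("utf-8")


def record_is_intact(key: bytes, record: str, aad: bytes) -> bool:
    """True if the record authenticates under this key and associated data."""
    try:
        decrypt_field(key, record, aad)
        return True
    except (InvalidTag, ValueError):
        return False


# Constructed demo values (a fixed key like this is for illustration only).
DEMO_KEY = bytes(range(32))
DEMO_STATEMENT = "BCI - 15/03/2025 - Proveedor Fierros SA - $4.200.000 CLP"

if __name__ == "__main__":
    rec = encrypt_field(DEMO_KEY, DEMO_STATEMENT, b"statements:42")
    print(rec)
    print(decrypt_field(DEMO_KEY, rec, b"statements:42"))
```

In a real deployment the data key would come from the HSM-backed key hierarchy mentioned above rather than from a constant, and the `aad` would be the primary key of the row the ciphertext belongs to.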
Infrastructure

Architecture designed to never go down

High availability, geographic redundancy and automatic failover in under 60 seconds.

☁️ AWS Cloud
Infrastructure in AWS us-east-1 with automatic failover to us-east-2.
AWS holds ISO 27001 and SOC 2 Type II certifications and meets GDPR-equivalent standards.
Network isolation with a private VPC. Database servers have no public IP.
Automatic load balancing with detection of unhealthy instances in <30 seconds.
💾 Backups & Recovery
Full backup every 6 hours, incremental every hour.
Backup retention: 90 days, with restore points at 1-hour granularity.
Backups stored in an encrypted S3 bucket in a separate region.
Automatic integrity verification after each backup, with an alert on failure.
🗄️ Database
PostgreSQL in a primary-replica configuration with synchronous replication.
Automatic failover to the replica in less than 60 seconds on primary failure.
Replication lag monitored in real time, with an alert if it exceeds 100 ms.
Database access only from internal private IPs, never exposed to the internet.
🌍 CDN & Delivery
Global CDN with a node in Santiago for minimum latency in Chile (assets served in <10 ms).
Automatic DDoS protection with mitigation at the network and application layers.
Rate limiting per IP and per API key to prevent abuse and scraping.
Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options) strictly configured.
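The four headers named in the CDN card are easy to declare and easy to misconfigure. As an added example (not Costrol's code), this audit function checks a response's headers against a strict reading of that baseline: HSTS with a max-age of at least one year and includeSubDomains, a CSP whose script sources allow neither `'unsafe-inline'` nor a wildcard, X-Frame-Options set to DENY or SAMEORIGIN, and X-Content-Type-Options set to nosniff. The two header sets at the bottom are constructed samples, one compliant and one weak.

```python
"""Audit an HTTP response's security headers against the baseline this page
names (HSTS, CSP, X-Frame-Options, X-Content-Type-Options). Added example,
not Costrol's code; the header sets below are constructed samples."""

ONE_YEAR = 31536000  # seconds; the usual floor for HSTS max-age


def _csp_directives(value: str) -> dict[str, list[str]]:
    """Parse "default-src a b; script-src c" into {"default-src": [a, b], ...}."""
    out: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        parts = [p.strip().lower() for p in hsts.split(";")]
        max_age = 0
        for p in parts:
            if p.startswith("max-age=") and p[len("max-age="):].isdigit():
                max_age = int(p[len("max-age="):])
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in parts:
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        d = _csp_directives(csp)
        # script-src falls back to default-src when absent, as browsers do
        script = d.get("script-src", d.get("default-src", []))
        if not script:
            findings.append("CSP sets neither script-src nor default-src")
        elif "'unsafe-inline'" in script or "*" in script:
            findings.append("CSP allows inline or wildcard scripts")

    xfo = h.get("x-frame-options")
    if xfo is None or xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options is {xfo!r}, expected DENY or SAMEORIGIN")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    return findings


# Constructed sample header sets.
STRICT_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    print("strict:", audit_headers(STRICT_HEADERS))
    for finding in audit_headers(WEAK_HEADERS):
        print("weak:", finding)
```

Running this against live responses (for example, the headers returned by a request to your own domain) turns the "strictly configured" claim into something a deploy pipeline can assert on before each release.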
Simplified security architecture
Your browser (TLS 1.3) → CDN / WAF (DDoS protection + rate limiting) → Load balancer (SSL termination) → App servers (private VPC) → DB primary (AES-256 + replica) → S3 backup (separate region)
Access control

Who can see what and when

Minimum access, always justified, always logged.

01 · Principle of least privilege
Every Costrol team member only has access to the systems their role strictly requires. A frontend engineer cannot access the production database.
02 · Internal multi-factor authentication
All production system access requires mandatory MFA. SSH keys are rotated every 90 days.
03 · Complete audit logs
Every access to sensitive data is recorded in immutable audit logs retained for 12 months.
04 · Tenant isolation
Your company's data is logically separated from any other account via Row-Level Security (RLS) in PostgreSQL.
05 · 2FA for users
All users can enable two-factor authentication (TOTP). For Enterprise accounts, 2FA is mandatory.
06 · Confidentiality agreements
All staff and contractors with any level of system access sign confidentiality agreements before receiving credentials.
💡 Costrol never accesses your financial data without your knowledge. If we ever need to review data to resolve a support issue, we notify you first and it will be recorded in your account's audit log.

Incident response

When something fails, here's what we do

Having a clear and tested plan is the difference between a minor incident and a crisis. This is ours.

🚨 0 – 15 minutes · Detection and classification
Our monitoring system automatically detects anomalies. An on-call engineer assesses severity (P1–P4) within the first 15 minutes.
🔍 15 – 60 minutes · Containment and analysis
The response team is activated. First action: contain the impact (isolate, redirect traffic). In parallel, the root cause is investigated.
📢 Within 2 hours · Initial communication
If the incident affects users, we publish an update at costrol.cl/estado and notify affected users by email. No hiding anything.
🔧 Resolution · Fix and restoration
The fix is deployed, we verify the system is operational, and we monitor closely for the following 24 hours.
📋 Within 72 hours · Public post-mortem
For P1/P2 incidents, we publish a post-mortem with root cause, timeline, and preventive actions. Transparency is part of our culture.
Guaranteed response times
P1 (Service down): Alert in <5 min · Response in <15 min
P2 (Major degradation): Alert in <15 min · Response in <1 hour
P3 (Minor degradation): Alert in <1 hour · Response in <4 hours
P4 (No user impact): Response in <24 business hours
🔔
Data breach notification
If we detect a personal data breach, we notify affected users within 72 hours maximum.
The notification email will include: what data was affected, exposure period, and immediate measures taken.
We will maintain an open communication channel until the incident is fully resolved.
Responsible disclosure
Found a vulnerability? Tell us
If you discover a security vulnerability in Costrol, please report it to us responsibly before public disclosure. We commit to responding within 5 business days.
Report: seguridad@costrol.cl
🤝 We promise not to take legal action against good-faith researchers who follow these guidelines. If the report is valid and significant, we acknowledge it publicly on our status page.

✅ In scope
Authentication: login bypass, brute force, session fixation
Authorization: access to another tenant's data, privilege escalation
Data: exfiltration, SQL injection, XSS with data impact
API: unauthenticated endpoints, rate limit bypass
Infrastructure: exposed ports, insecure configurations
✗ Out of scope
Denial of service attacks (DoS/DDoS)
Social engineering of Costrol employees
Vulnerabilities in third-party systems (AWS, Transbank)
Spam or clickjacking reports without real impact
FAQ

Frequently asked questions about security

Technically possible for authorized personnel with production access, but it always requires multi-factor authentication and is recorded in audit logs. We do not access your data without a justified and logged operational reason.
If a confirmed breach affecting personal data occurs, we'll notify you by email within 72 hours detailing which data was affected. Financial data is encrypted with AES-256, so even if someone accesses the storage, they only get unreadable data.
Go to Settings → Security → Two-factor authentication. Scan the QR code with your authenticator app (Google Authenticator, Authy or any TOTP app), enter the generated code and confirm.
We run monthly internal vulnerability scans and hire external penetration testers at least once a year.
Yes. At any time you can export all your data from Settings → Export data in CSV and JSON format. After cancelling you have an additional 90 days to export before permanent deletion.
No. Card data is processed directly by Transbank (PCI-DSS Level 1 certified) and never passes through Costrol's servers.
Primary servers are on AWS us-east-1 (Virginia, USA) with failover to us-east-2 (Ohio). Backups are stored in a separate additional region.

Do you have specific security questions?

Our technical team answers security questions in detail. No generic responses.
