1. Objective
Establish the technical and administrative guidelines implemented by Incrementa to protect the confidentiality, integrity, and availability of information belonging to our users and their clients.
2. Scope
This policy applies to all services, systems, servers, developers, and personnel with access to IncrementaCRM data and resources.
3. Infrastructure and Availability
- Incrementa services operate on bare‑metal servers from IBM Cloud, managed by bluWorks Co.
- Standard security practices for operating system updates and exposed services are applied.
4. Backup and Recovery
- Automatic backups are performed daily at 01:00 AM.
- Backups are stored in two locations:
- The same server hosting the database.
- A remote server with geographic redundancy (server.entronico.com).
- Backups are currently compressed but not encrypted. Encryption at rest is planned as a future improvement.
5. Information Encryption
- All traffic between users and the platform is encrypted over HTTPS using a valid SSL certificate for incrementacrm.com and all subdomains.
- To protect sensitive tax information (such as digital certificates and SAT passwords), IncrementaCRM uses symmetric encryption based on AES‑256 in CTR mode—one of the most robust and reliable standards currently available.
- Encrypted data is stored in a non‑readable format (secure encoding), preventing exposure in plain text.
- The system also validates the correspondence between certificates and private keys to ensure uploaded tax documents are legitimate, functional, and protected.
- Original user‑uploaded files are never stored unencrypted at any point within the system.
6. Change Control and Logging
- A configuration change history is kept for each company (configuration logs).
- Access logs are maintained for each user and active session. Retention periods have not yet been defined.
- Each user may have up to two active sessions simultaneously; additional sessions are automatically revoked.
7. Incident Management
- No formal documented security incident response procedure exists at this time.
- Implementing a protocol that defines steps for:
- Unauthorized access
- Data leaks
- Unauthorized information alteration
- User notification in case of incident
is considered a priority.
8. Responsibilities
- The Incrementa technical team is responsible for applying security controls and maintaining the infrastructure.
- Users are responsible for keeping their credentials confidential.
9. Planned Improvements
- Implement multi‑factor authentication (MFA) for administrative access.
- Encrypt the entire database at rest, or at least sensitive columns.
- Formal security incident management procedures.
- More robust logging and automated access auditing.
10. Review and Updates
This policy will be reviewed and updated at least every 12 months or after any significant incident.
