Enterprise-grade security and privacy
Multi-layer protection for your business and customer data. Military-grade encryption, Mexican legal compliance and built-in fault tolerance from day one.
Encryption & Protection
Every sensitive piece of data is encrypted, masked and verified before being stored or processed.
AES-256-GCM Encryption
- AES-256-GCM for all credential columns at rest
- Meta and Facturapi tokens encrypted
- Per-tenant data isolation on every query
PII / PCI Masking
- Credit cards (Luhn validation) → ****-****-****-1234
- CURP (national ID) → [CURP PROTECTED]
- RFC (tax ID) → [RFC PROTECTED]
- CLABE (bank account) → [CLABE PROTECTED]
- 14 prompt injection patterns removed
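An added sketch of the masking step listed above; it is not this product's code. The regular expressions, the uppercase-only matching, the CLABE check-digit step and all function names are assumptions for illustration, and only the Luhn gate and the output formats come from the list.

```python
import re

# Patterns and the CLABE check-digit step are assumptions made for this example.
CURP_RE = re.compile(r"(?<![A-Z0-9])[A-Z]{4}\d{6}[HM][A-Z]{5}[A-Z0-9]\d(?![A-Z0-9])")
RFC_RE = re.compile(r"(?<![A-Z0-9])[A-ZÑ&]{3,4}\d{6}[A-Z0-9]{3}(?![A-Z0-9])")
CLABE_RE = re.compile(r"(?<!\d)\d{18}(?!\d)")
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")  # 13-19 digits


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def clabe_ok(digits: str) -> bool:
    """CLABE check digit: weights 3, 7, 1 repeated over the first 17 digits."""
    s = sum(int(c) * (3, 7, 1)[i % 3] % 10 for i, c in enumerate(digits[:17]))
    return (10 - s % 10) % 10 == int(digits[17])


def _card(m: re.Match) -> str:
    digits = re.sub(r"\D", "", m.group())
    # Luhn-invalid digit runs (order numbers, timestamps) are left untouched.
    return f"****-****-****-{digits[-4:]}" if luhn_ok(digits) else m.group()


def mask_pii(text: str) -> str:
    """Mask identifiers before the text is stored or processed."""
    text = CURP_RE.sub("[CURP PROTECTED]", text)  # before RFC: same prefix shape
    text = RFC_RE.sub("[RFC PROTECTED]", text)
    text = CLABE_RE.sub(  # before cards: an 18-digit run also fits the card pattern
        lambda m: "[CLABE PROTECTED]" if clabe_ok(m.group()) else m.group(), text)
    return CARD_RE.sub(_card, text)


# Constructed sample message: test values only, no real identifiers.
SAMPLE = ("Card 4111-1111-1111-1111, order 1234567890123456, "
          "CLABE 032180000118359719, CURP GOMC850101HDFRRL09, RFC GOMC850101AB1.")

if __name__ == "__main__":
    print(mask_pii(SAMPLE))
```

The 16-digit order number survives because it fails the Luhn check, which is what keeps checksum-gated masking from destroying non-card identifiers.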
Webhook Verification
- Meta: HMAC-SHA256 with timing-safe comparison
Access Control
Robust authentication, rate limits and automatic failure recovery.
JWT Authentication
- Tokens with 24-hour expiration
- Per-tenant data isolation (every query filtered by tenantId)
- Role-based control: owner vs. agent
Rate Limits
- 100 requests per minute (global limit)
- 5 login attempts per 15 minutes per IP
- Automatic brute-force attack protection
4 Circuit Breakers
Automatic opening on sustained failures, gradual recovery with backoff and health check every 5 minutes.
ARCO / LFPDPPP Compliance
Full compliance with Mexico's Federal Law on Protection of Personal Data Held by Private Parties. All 4 ARCO rights natively integrated.
Access
Give me all my data — automatic export as a signed URL.
Rectification
Correct my data — field-by-field correction.
Cancellation
Delete my data — anonymization of personal information.
Opposition
Stop processing my data — processing halt.
Additional Compliance
- REPEP (national advertising exclusion registry) synced weekly
- Spanish opt-in / opt-out keyword tracking
- Legal campaign hours: 9 AM – 9 PM Mexico City
- 20-business-day SLA for ARCO requests
