Information security policy

Public summary of how AppByte Tecnología e Informática SpA protects the UWOD Service and Customer data. Complements the Privacy policy, the DPA and the SLA.

1. Principles

Confidentiality, integrity, availability and reasonable resilience, proportionate to risk and the state of the art. AppByte does not guarantee absolute security: the measures stated reflect the configuration in force and may evolve.

2. Technical measures

  • Transport: encryption in transit per the configuration in force at Cloudflare and the other providers listed in Sub-processors.
  • At rest: encryption at rest per the capabilities of the database (MongoDB Atlas) and file storage (Cloudinary) providers.
  • Multi-tenant segregation: logical isolation of data per Customer.
  • Separated environments: production, test and development, each with independent databases.
  • Access control: least privilege, strong authentication, multi-factor authentication when available, control of privileged accounts.
  • Logs and audit: record of relevant actions and retention per the Privacy policy.
  • Backups: regular backup routines and periodic verification.
  • Vulnerabilities: monitoring, patching and periodic dependency review.
  • Observability: error monitoring (Sentry) and internal metrics (Grafana, Uptime Kuma).

3. Organizational measures

  • Confidentiality agreements with authorized personnel.
  • Periodic team training on security and privacy good practices.
  • Role-based access control and timely revocation upon departures or role changes.
  • Documented incident response procedure.
  • Periodic review and update of this policy.

4. Incident management

In the event of a security incident that may affect Customer Data, AppByte will notify the Customer without undue delay and, where feasible, within 72 hours from internal confirmation, with the content and scope described in the DPA.

5. Shared responsibility

Security is a shared responsibility. The Customer must properly manage its Users and staff, keep credentials secure and revoke them on time, enable multi-factor authentication when available, protect its devices, and periodically review permissions and configurations, per the Terms of service and the Acceptable use policy.

6. Responsible vulnerability disclosure

We welcome responsible vulnerability disclosures at security@uwod.app. For the report to be received as responsible disclosure, we request:

  • do not publicly disclose the vulnerability before its reasonable resolution;
  • do not perform destructive attacks or denial of service, and do not access third-party data;
  • do not use the vulnerability for illegal or profit-driven purposes;
  • provide clear steps to reproduce the finding;
  • respect applicable laws and the Service's conditions.

AppByte will respond reasonably to received reports and will publicly acknowledge cooperation where the reporter authorizes it.

Version 1.0. Last updated: 2026-06-26.