
Security

Last updated: December 26, 2025

1. Our Security Commitment

At Campora Cloud, operated by Campora Tech, S.L. (Torredembarra, Spain), security is not an afterthought—it's foundational to everything we build. We implement enterprise-grade security measures to protect your data, maintain system integrity, and ensure business continuity.

2. Infrastructure Security

2.1 Cloud Infrastructure

  • Provider: Amazon Web Services (AWS) - EU regions only
  • Certifications: ISO 27001, SOC 2 Type II, PCI DSS Level 1
  • Data Centers: Tier III+ facilities with redundant power, cooling, and network connectivity
  • Geographic Redundancy: Multi-region deployment for disaster recovery

2.2 Network Security

  • Firewalls: Web Application Firewall (WAF) to block malicious traffic
  • DDoS Protection: AWS Shield Standard and Advanced protection
  • Network Segmentation: Isolated VPCs with strict security group rules
  • Intrusion Detection: Real-time monitoring and automated threat response

3. Data Security

3.1 Encryption

  • In Transit: TLS 1.3 for all data transmissions (minimum TLS 1.2)
  • At Rest: AES-256 encryption for all stored data
  • Database Encryption: Full database encryption with key rotation
  • Backup Encryption: All backups encrypted with separate keys

3.2 Data Isolation

  • Multi-Tenancy: Complete logical data isolation between customers
  • Database Separation: Schema-level isolation with row-level security
  • Access Controls: Strict authorization checks prevent cross-tenant data access

3.3 Backup and Recovery

  • Automated Backups: Daily automated backups with 30-day retention
  • Point-in-Time Recovery: Restore to any point within 7 days
  • Geographic Redundancy: Backups replicated to multiple regions
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 1 hour

4. Application Security

4.1 Secure Development

  • Security by Design: Security requirements integrated from project inception
  • Code Reviews: Mandatory peer reviews for all code changes
  • Static Analysis: Automated security scanning in CI/CD pipeline
  • Dependency Scanning: Continuous monitoring for vulnerable dependencies

4.2 Vulnerability Management

  • Regular Scans: Weekly automated vulnerability assessments
  • Penetration Testing: Annual third-party security audits
  • Bug Bounty Program: Responsible disclosure program for security researchers
  • Patch Management: Critical vulnerabilities patched within 24-48 hours

4.3 Security Testing

  • OWASP Top 10 vulnerability testing
  • SQL injection and XSS prevention
  • CSRF protection on all state-changing operations
  • Input validation and sanitization
  • Secure session management

5. Access Control and Authentication

5.1 User Authentication

  • Strong Passwords: Minimum 12 characters with complexity requirements
  • Multi-Factor Authentication (MFA): Available for all accounts, required for admins
  • Session Management: Automatic timeout after 30 minutes of inactivity
  • OAuth 2.0: Secure third-party integration authentication

5.2 Role-Based Access Control (RBAC)

  • Principle of Least Privilege: Users have minimum necessary permissions
  • Granular Permissions: Fine-grained control over feature access
  • Audit Trails: Comprehensive logging of all access and changes
  • Regular Reviews: Quarterly access rights audits

5.3 Employee Access

  • Background Checks: All employees undergo security screening
  • Confidentiality Agreements: NDAs signed by all staff
  • Limited Access: Production data access strictly controlled
  • Monitoring: All employee access logged and monitored

6. Monitoring and Incident Response

6.1 Security Monitoring

  • 24/7 Monitoring: Continuous security monitoring and alerting
  • Log Management: Centralized logging with 1-year retention
  • Anomaly Detection: AI-powered detection of suspicious behavior
  • Real-Time Alerts: Immediate notification of security events

6.2 Incident Response

  • Incident Response Plan: Documented procedures for security incidents
  • Response Team: Dedicated security incident response team
  • Notification: Customer notification within 72 hours for data breaches
  • Post-Incident Review: Root cause analysis and remediation

7. Compliance and Certifications

7.1 Current Compliance

  • GDPR: Full compliance with EU data protection regulations
  • ePrivacy Directive: Compliance with EU electronic communications rules
  • PCI DSS: Payment card data security standards
  • Verifactu: Spanish tax compliance for invoicing

7.2 In Progress

  • ISO 27001: Information Security Management System certification
  • SOC 2 Type II: Third-party security audit

8. Business Continuity

8.1 High Availability

  • Uptime SLA: 99.9% availability guarantee
  • Load Balancing: Distributed traffic across multiple servers
  • Auto-Scaling: Automatic capacity adjustment for traffic spikes
  • Health Checks: Continuous monitoring and automatic failover

8.2 Disaster Recovery

  • Multi-Region Deployment: Active-passive setup across EU regions
  • Regular Testing: Quarterly disaster recovery drills
  • Business Continuity Plan: Documented procedures for major incidents

9. Third-Party Security

9.1 Vendor Management

  • Security Assessments: Due diligence for all vendors
  • Contracts: Security requirements in vendor agreements
  • Regular Reviews: Ongoing evaluation of vendor security posture

9.2 Integration Security

  • API Security: OAuth 2.0 and API key authentication
  • Rate Limiting: Protection against API abuse
  • Input Validation: Strict validation of all external data

10. Physical Security

Our infrastructure is hosted in AWS data centers with:

  • 24/7 security personnel
  • Biometric access controls
  • Video surveillance
  • Mantrap entry systems
  • Regular security audits

11. Security Training and Awareness

  • Onboarding Training: Security fundamentals for all new employees
  • Annual Training: Mandatory annual security awareness training
  • Phishing Tests: Regular simulated phishing campaigns
  • Security Champions: Designated security advocates in each team

12. Customer Security Responsibilities

While we provide robust security, customers are responsible for:

  • Using strong, unique passwords
  • Enabling multi-factor authentication
  • Protecting account credentials
  • Reporting suspicious activity
  • Configuring appropriate user permissions
  • Keeping integration credentials secure

13. Reporting Security Issues

If you discover a security vulnerability:

  • Email: admin@campora.cloud
  • Response Time: We acknowledge reports within 24 hours
  • Responsible Disclosure: We request 90 days to address issues before public disclosure
  • Recognition: Security researchers acknowledged on our security page

14. Security Transparency

We maintain transparency through:

  • Status Page: Real-time service status at status.campora.cloud
  • Incident Reports: Post-mortem reports for major incidents
  • Security Updates: Regular communication about security improvements
  • Audit Reports: Available upon request for enterprise customers

15. Questions and Contact

For security-related questions or concerns:

  • Company: Campora Tech, S.L.
  • Location: Torredembarra, Spain
  • Security Team: admin@campora.cloud
  • General Support: admin@campora.cloud