At Belorum, information security is a fundamental pillar of our operations. As a digital transformation consultancy, we understand that our clients entrust us with sensitive information about their processes, infrastructure, and business strategy.
This document describes the practices and controls we implement to protect the information of our clients, collaborators, and website visitors.
2. Infrastructure Security
Our technology infrastructure is designed with security as a priority:
Hosted on Amazon Web Services (AWS) with encryption in transit (TLS 1.2+) and at rest (AES-256)
Content delivery via CloudFront with security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
Storage access restricted via Origin Access Control (OAC), with no direct public access
Infrastructure managed as code (Terraform) with encrypted and versioned remote state
Serverless functions granted only the IAM permissions they need (least privilege)
3. Client Data Protection
During the delivery of consulting services, we apply the following controls to protect client information:
Access to client information restricted exclusively to the team assigned to the project
Use of encrypted communication channels for exchanging sensitive information
Secure storage of meeting recordings and project documentation with controlled access
Deletion or return of client information upon termination of the contractual relationship, as agreed
Non-disclosure agreements (NDAs) when the nature of the project requires it
4. Website Security
Our website implements the following security measures:
Mandatory HTTPS connection with valid SSL/TLS certificate and automatic redirect from HTTP
Spam and bot protection on forms via Cloudflare Turnstile
Server-side data validation and sanitization before processing
HTTP security headers configured to prevent common attacks (clickjacking, MIME sniffing, XSS)
Explicit user consent before loading third-party analytics or marketing scripts
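The infrastructure controls in section 2 (CloudFront security headers, Origin Access Control with no public bucket access, AES-256 at rest, TLS 1.2+) and the mandatory HTTPS redirect in section 4 can all be expressed in Terraform. The following is an added illustration, not Belorum's own Terraform code, showing one way those controls fit together with the AWS provider. The bucket name, the `var.certificate_arn` variable and the `site` resource labels are assumed for the example.

```hcl
# Added example (not Belorum's code): a static site on S3 served only through
# CloudFront, with the security headers, OAC and TLS settings the policy lists.
# Assumes an ACM certificate in us-east-1 is passed in as var.certificate_arn.

variable "certificate_arn" {
  type = string
}

resource "aws_s3_bucket" "site" {
  bucket = "example-site-bucket" # assumed name
}

# Encryption at rest (AES-256) for every object in the bucket.
resource "aws_s3_bucket_server_side_encryption_configuration" "site" {
  bucket = aws_s3_bucket.site.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Block every form of public access; CloudFront is the only reader.
resource "aws_s3_bucket_public_access_block" "site" {
  bucket                  = aws_s3_bucket.site.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Origin Access Control: CloudFront signs its requests to S3 with SigV4.
resource "aws_cloudfront_origin_access_control" "site" {
  name                              = "site-oac"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

# Bucket policy that only admits the CloudFront service principal, and only
# on behalf of this specific distribution (the SourceArn condition).
resource "aws_s3_bucket_policy" "site" {
  bucket = aws_s3_bucket.site.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AllowCloudFrontReadOnly"
      Effect    = "Allow"
      Principal = { Service = "cloudfront.amazonaws.com" }
      Action    = "s3:GetObject"
      Resource  = "${aws_s3_bucket.site.arn}/*"
      Condition = {
        StringEquals = { "AWS:SourceArn" = aws_cloudfront_distribution.site.arn }
      }
    }]
  })
}

# The four response headers named in section 2, set on every response.
resource "aws_cloudfront_response_headers_policy" "site" {
  name = "site-security-headers"
  security_headers_config {
    strict_transport_security {
      access_control_max_age_sec = 31536000
      include_subdomains         = true
      preload                    = true
      override                   = true
    }
    frame_options {
      frame_option = "DENY"
      override     = true
    }
    content_type_options {
      override = true
    }
    referrer_policy {
      referrer_policy = "strict-origin-when-cross-origin"
      override        = true
    }
  }
}

data "aws_cloudfront_cache_policy" "optimized" {
  name = "Managed-CachingOptimized"
}

resource "aws_cloudfront_distribution" "site" {
  enabled             = true
  default_root_object = "index.html"

  origin {
    domain_name              = aws_s3_bucket.site.bucket_regional_domain_name
    origin_id                = "s3-site"
    origin_access_control_id = aws_cloudfront_origin_access_control.site.id
  }

  default_cache_behavior {
    target_origin_id           = "s3-site"
    viewer_protocol_policy     = "redirect-to-https" # section 4: HTTP -> HTTPS
    allowed_methods            = ["GET", "HEAD"]
    cached_methods             = ["GET", "HEAD"]
    cache_policy_id            = data.aws_cloudfront_cache_policy.optimized.id
    response_headers_policy_id = aws_cloudfront_response_headers_policy.site.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = var.certificate_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021" # TLS 1.2+ in transit
  }
}
```

Two points worth checking after applying a configuration like this: fetching an object directly from the bucket URL should fail (no public access), and the response headers policy should appear on every response, not only on cache hits, which is why it is attached to the cache behavior rather than set in the origin.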
5. Access Management
We control access to our systems and client information through:
Principle of least privilege: each collaborator has access only to the resources necessary for their role
Multi-factor authentication (MFA) on infrastructure accounts and critical services
Periodic review of permissions and active access
Immediate revocation of access when a collaborator's participation in a project ends
6. Secure Development
In software development projects we execute for our clients, we apply secure development practices:
Code review as part of the development process
Secrets and credentials management outside of source code
Use of updated dependencies and monitoring of known vulnerabilities
Input validation and data sanitization across all interfaces
Security testing as part of the development cycle when the project scope requires it
7. Incident Response
In the event of a security incident affecting our clients' information:
We will notify the affected client within 72 hours of detecting the incident
We will provide a report detailing the nature of the incident, the scope of impact, and the corrective measures implemented
We will collaborate with the client in the investigation and remediation of the incident
We will document lessons learned to prevent similar incidents in the future
8. Continuous Improvement
We review and update our security practices periodically to adapt to new threats and technologies. This includes:
Periodic assessment of security risks and controls
Updating security tools and dependencies
Ongoing team training in security practices
9. Vulnerability Reporting
If you identify a security vulnerability in our website or services, we ask that you report it responsibly to [email protected]. We commit to investigating and responding to all reports in a timely manner.
We ask that you do not publicly disclose the vulnerability until we have had the opportunity to evaluate it and apply the necessary fixes.
10. Contact
If you have questions about our security practices, you can contact us through: