PUY

Security

How PUY protects its clients' financial data — infrastructure, access controls, encryption, monitoring, and regulatory compliance.

Last updated: April 23, 2025

PUY processes sensitive financial data from regulated entities. This document describes the technical and organizational controls we implement to protect the security, confidentiality, and availability of that data.
01

Security Overview

PUY Group SAS is a B2B financial reconciliation platform that processes sensitive financial data for pension funds, fiduciaries, and corporate banking clients in Colombia and Latin America. Security is not an afterthought — it is a fundamental requirement of our architecture and operations.

We are currently pursuing a SOC 2 Type I attestation, using Vanta for readiness and evidence collection, with the audit scheduled for June 2026. This page describes our current security practices and the controls implemented to protect our clients' data.

SOC 2 Type I: in progress · AWS us-east-1 · AES-256 at rest and TLS 1.3 in transit · Mandatory 2FA · 24/7 monitoring
02

Infrastructure & Hosting

All PUY production infrastructure is hosted on Amazon Web Services (AWS) in the us-east-1 region. PUY does not operate its own data centers. Under the AWS shared responsibility model, physical and environmental security of the underlying facilities is AWS's responsibility (AWS holds SOC 2 Type II, ISO 27001, and PCI DSS attestations), while the secure configuration of the services PUY runs on top of them remains PUY's responsibility.

AWS Cloud-Native

EC2, RDS, S3, Lambda, SES, CloudFront. No owned physical infrastructure.

Managed Databases

PostgreSQL on AWS RDS and MongoDB on Atlas — both with automated backups and high availability.

Data Residency

Data is processed in AWS us-east-1 (N. Virginia, United States). Because this is outside Colombia, the resulting international transfer is handled in line with Colombian data protection requirements.

Fully Remote

PUY operates 100% remotely. No physical offices with access to production data.

03

Data Encryption

All PUY client data is protected by encryption at rest and in transit:

  • In transit: TLS 1.3 on all connections between clients and the PUY platform. HTTP endpoints are automatically redirected to HTTPS. HSTS (HTTP Strict Transport Security) is enabled with a 1-year max-age.
  • At rest: AES-256 on all managed databases (AWS RDS, MongoDB Atlas) and S3 objects.
  • S3 files: Production buckets have public access blocked. All files are delivered via pre-signed URLs with a 15-minute TTL — no file is permanently accessible without authentication.
  • Credentials and secrets: API keys, passwords, and tokens are stored in encrypted environment variables and AWS Secrets Manager. Never stored in code repositories.
04

Access Control

PUY implements role-based access control (RBAC) with the principle of least privilege across all systems:

  • Two-factor authentication (2FA): Mandatory for all platform users without exception. TOTP (Google Authenticator or compatible) is used. Accounts are locked after 5 failed attempts.
  • User roles: Admin, Operator, Reviewer, and Auditor — each with permissions strictly scoped to the minimum necessary for their function.
  • Sessions: JWT access tokens expire after 30 minutes of inactivity. Refresh tokens have a 7-day TTL and are single-use.
  • AWS access: IAM policies follow the least-privilege principle. Developers use short-lived credentials (AWS IAM Identity Center). MFA mandatory on all human AWS accounts.
  • Access reviews: Annual review of all AWS, GitHub, and Microsoft 365 access via Vanta, with documented evidence.
  • Offboarding: Access to all systems is revoked within a maximum of 5 business days after an employee or contractor's termination.
05

Network Security

PUY's perimeter security is implemented through AWS network infrastructure:

  • VPC (Virtual Private Cloud): All production infrastructure operates within an AWS VPC, so internal components are not directly reachable from the public internet; only the intended entry points are exposed.
  • AWS WAF: Web application firewall rules deployed on the Application Load Balancer (ALB) to protect against common attack patterns (OWASP Top 10).
  • HTTP security headers: HSTS, Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff) and Referrer-Policy enforced on all API responses via Helmet.js.
  • Input validation: All API endpoints validate request bodies using Zod schemas in strict mode — unknown fields are rejected with a 400 error.
  • Error handling: Production error responses return generic messages. Stack traces are logged only to AWS CloudWatch, never exposed to the client.
06

Secure Development (SDLC)

PUY integrates security at every stage of the software development lifecycle:

  • Code review: All code changes are submitted as GitHub pull requests. At least one peer review approval is required before merging to the main branch.
  • Secure CI/CD: GitHub Actions automatically runs npm audit on every build. Builds with critical or high vulnerabilities fail and block deployment.
  • Snyk (in progress): Snyk integration for software composition analysis (SCA), static analysis (SAST), and container image scanning — in implementation.
  • Separated environments: Development and staging environments are logically separated from production. Real client data is not used in non-production environments.
  • Secrets in code: API keys and tokens are never stored in source code. Environment variables are managed via GitHub Actions secrets and AWS Secrets Manager.
  • Penetration testing: External penetration test planned with Workstreet for Q3 2026 (prior to SOC 2 Type I audit close).
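The audit gate described in the CI/CD item above as a GitHub Actions workflow, added here as an example and not taken from PUY's repositories. The workflow name, Node version, pinned action tags and the placeholder deploy job are assumptions; the security-relevant lines are the read-only token permission and the npm audit invocation, whose --audit-level=high flag makes npm exit non-zero for high and critical advisories so the step fails and the dependent deploy job never runs.

```yaml
# Added example, not PUY's workflow: fail the build on high/critical npm advisories.
# Workflow name, Node version, action tags and the deploy placeholder are assumptions.
name: ci
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read            # least privilege for the job's GITHUB_TOKEN
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci          # install exactly what the lockfile pins
      # --audit-level=high: exit non-zero for high and critical advisories,
      # which fails this step and blocks everything that depends on this job.
      - run: npm audit --audit-level=high
      - run: npm test
  deploy:
    needs: audit            # never reached if the audit step failed
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - run: echo "deployment steps go here"
```

Two optional hardenings worth considering on top of this: npm ci --ignore-scripts stops install-time scripts from third-party packages running in CI (build steps that rely on them then need to be run explicitly), and pinning actions to a commit SHA instead of a tag removes the tag-moving risk.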
07

Monitoring & Threat Detection

PUY maintains continuous monitoring of its infrastructure and security controls:

  • AWS GuardDuty: Managed threat detection service that continuously analyzes CloudTrail management events, VPC Flow Logs, and DNS query logs for threats and anomalous behavior. Active in us-east-1 with S3 protection enabled, which adds S3 data events as a source.
  • AWS CloudTrail: Complete logging of all AWS API activity. Logs are retained for forensic audit. CloudTrail is enabled across all regions.
  • AWS CloudWatch: Infrastructure monitoring, alerting, and centralized log management for all platform components.
  • Vanta: 24/7 automated compliance monitoring — 100+ checks on AWS configurations, IAM policies, S3 access, MFA enablement, and more. Alerts escalate to Microsoft Teams.
  • Dependency scanning: npm audit on every CI/CD build. Dependabot enabled on GitHub for automatic updates on known CVEs.
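Detection logic of the kind the monitoring stack above produces, as an added example that is not PUY's code: a handful of rules run over CloudTrail records to flag a console login without MFA, root credential use, trail tampering, a weakened S3 public access block, and an AdministratorAccess policy attachment. The events are constructed for this example, and the account ID (111122223333, the AWS documentation placeholder), ARNs, bucket name and IP addresses are placeholders; the rule set and its severities are this example's assumptions, not a description of PUY's GuardDuty or CloudWatch configuration.

```javascript
// Added example, not PUY's code: detection rules over CloudTrail records, the
// kind of logic behind GuardDuty findings or CloudWatch metric filters. The
// events below are constructed; account ID, ARNs, bucket and IPs are placeholders.
const RULES = [
  {
    id: 'console-login-without-mfa', severity: 'high',
    match: (e) => e.eventName === 'ConsoleLogin'
      && e.responseElements?.ConsoleLogin === 'Success'
      && e.additionalEventData?.MFAUsed !== 'Yes',
    describe: (e) => `console login without MFA by ${e.userIdentity?.arn} from ${e.sourceIPAddress}`,
  },
  {
    id: 'root-account-activity', severity: 'high',
    match: (e) => e.userIdentity?.type === 'Root',
    describe: (e) => `root credentials used for ${e.eventName}`,
  },
  {
    id: 'cloudtrail-tampering', severity: 'critical',
    match: (e) => e.eventSource === 'cloudtrail.amazonaws.com'
      && ['StopLogging', 'DeleteTrail', 'UpdateTrail', 'PutEventSelectors'].includes(e.eventName),
    describe: (e) => `${e.eventName} on trail ${e.requestParameters?.name} by ${e.userIdentity?.arn}`,
  },
  {
    id: 's3-public-access-block-weakened', severity: 'critical',
    match: (e) => e.eventName === 'PutBucketPublicAccessBlock'
      && Object.values(e.requestParameters?.PublicAccessBlockConfiguration ?? {}).some((v) => v === false),
    describe: (e) => `public access block weakened on bucket ${e.requestParameters?.bucketName}`,
  },
  {
    id: 'administrator-access-granted', severity: 'high',
    match: (e) => ['AttachUserPolicy', 'AttachRolePolicy', 'AttachGroupPolicy'].includes(e.eventName)
      && e.requestParameters?.policyArn === 'arn:aws:iam::aws:policy/AdministratorAccess',
    describe: (e) => `AdministratorAccess attached via ${e.eventName} by ${e.userIdentity?.arn}`,
  },
];

// CloudTrail delivers JSON documents of the form { "Records": [ ... ] }.
function parseCloudTrailFile(text) {
  const doc = JSON.parse(text);
  return Array.isArray(doc.Records) ? doc.Records : [];
}

// Run every rule over every record; one finding per (record, rule) match.
function detect(events) {
  const findings = [];
  for (const e of events) {
    for (const rule of RULES) {
      if (rule.match(e)) {
        findings.push({ rule: rule.id, severity: rule.severity, time: e.eventTime, detail: rule.describe(e) });
      }
    }
  }
  return findings;
}

// Constructed sample: two benign events followed by five that should alert.
const SAMPLE_FILE = JSON.stringify({ Records: [
  { eventTime: '2026-05-04T13:00:00Z', eventSource: 'ec2.amazonaws.com', eventName: 'DescribeInstances',
    userIdentity: { type: 'AssumedRole', arn: 'arn:aws:sts::111122223333:assumed-role/Developer/ana' },
    sourceIPAddress: '203.0.113.10' },
  { eventTime: '2026-05-04T13:01:00Z', eventSource: 'signin.amazonaws.com', eventName: 'ConsoleLogin',
    userIdentity: { type: 'IAMUser', arn: 'arn:aws:iam::111122223333:user/ana' },
    additionalEventData: { MFAUsed: 'Yes' }, responseElements: { ConsoleLogin: 'Success' }, sourceIPAddress: '203.0.113.10' },
  { eventTime: '2026-05-04T13:05:00Z', eventSource: 'signin.amazonaws.com', eventName: 'ConsoleLogin',
    userIdentity: { type: 'IAMUser', arn: 'arn:aws:iam::111122223333:user/legacy-admin' },
    additionalEventData: { MFAUsed: 'No' }, responseElements: { ConsoleLogin: 'Success' }, sourceIPAddress: '198.51.100.7' },
  { eventTime: '2026-05-04T13:06:00Z', eventSource: 's3.amazonaws.com', eventName: 'ListBuckets',
    userIdentity: { type: 'Root', arn: 'arn:aws:iam::111122223333:root' }, sourceIPAddress: '198.51.100.7' },
  { eventTime: '2026-05-04T13:07:00Z', eventSource: 'cloudtrail.amazonaws.com', eventName: 'StopLogging',
    userIdentity: { type: 'IAMUser', arn: 'arn:aws:iam::111122223333:user/legacy-admin' },
    requestParameters: { name: 'arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail' }, sourceIPAddress: '198.51.100.7' },
  { eventTime: '2026-05-04T13:08:00Z', eventSource: 's3.amazonaws.com', eventName: 'PutBucketPublicAccessBlock',
    userIdentity: { type: 'IAMUser', arn: 'arn:aws:iam::111122223333:user/legacy-admin' },
    requestParameters: { bucketName: 'example-statements-bucket', PublicAccessBlockConfiguration: {
      BlockPublicAcls: false, IgnorePublicAcls: true, BlockPublicPolicy: true, RestrictPublicBuckets: true } },
    sourceIPAddress: '198.51.100.7' },
  { eventTime: '2026-05-04T13:09:00Z', eventSource: 'iam.amazonaws.com', eventName: 'AttachUserPolicy',
    userIdentity: { type: 'IAMUser', arn: 'arn:aws:iam::111122223333:user/legacy-admin' },
    requestParameters: { userName: 'legacy-admin', policyArn: 'arn:aws:iam::aws:policy/AdministratorAccess' },
    sourceIPAddress: '198.51.100.7' },
] });
```

Running detect(parseCloudTrailFile(SAMPLE_FILE)) yields five findings in event order and none for the two benign records. The trail-tampering and public-access-block rules are the ones to wire to a paging alert: each of them silences or undoes a control that every other detection on this page depends on.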
08

Incident Response

PUY maintains a documented Incident Response Plan and conducts periodic testing exercises:

  • Documented plan: The Incident Response Plan covers detection, containment, eradication, recovery, and post-incident review for the most likely incident types at PUY.
  • Tabletop exercises: PUY conducts incident response tabletop exercises at least annually. In 2026, two exercises have been completed: a ransomware attack scenario (May) and a data sabotage scenario (June).
  • Incident notification: Security incidents affecting client data are notified to affected clients within 72 hours of impact confirmation, in accordance with contractual obligations and Colombia's Law 1581 of 2012.
  • Incident commander: The CEO (Alejandro Álvarez) has authority to formally activate the plan. The Lead Developer (Nicolás Gutiérrez) leads the technical response.
  • Internal security testing: The engineering team conducts quarterly application security tests, documenting findings and remediations.
09

Backups & Recovery

PUY implements automatic backups of all production data:

  • PostgreSQL (AWS RDS): Automated backups enabled with 30-day retention. Point-in-time recovery (PITR) available for any moment within the retention window.
  • MongoDB Atlas: Continuous automated backups with 30-day retention. Additional snapshots configured in MongoDB Atlas.
  • S3 storage: S3 objects are protected via object versioning on critical buckets.
  • Target RPO/RTO: Recovery point objective (RPO) of less than 24 hours. Recovery time objective (RTO) of less than 12 hours for full critical service restoration.
  • Backup location: All backups are stored in AWS us-east-1 with access restricted to key engineering personnel via IAM policies.
10

Vendor Management

PUY reviews the security posture of its critical vendors at least annually:

Vendor                 | Service                     | Certifications
Amazon Web Services    | Cloud infrastructure        | SOC 2 Type II, ISO 27001, PCI DSS
MongoDB Atlas          | Managed database            | SOC 2 Type II, ISO 27001
GitHub                 | Version control / CI/CD     | SOC 2 Type II
Microsoft 365 / Entra  | Identity and productivity   | SOC 2 Type II, ISO 27001
Vanta                  | Compliance automation       | SOC 2 Type II

PUY enters into data processing agreements (DPAs) with its vendors where applicable, and reviews their SOC 2 reports annually to confirm continuity of security controls.

11

Compliance & Certifications

SOC 2 Type I — In progress

Attestation report expected June 2026; Vanta is used for readiness and evidence collection. Scope covers the Security and Confidentiality Trust Services Criteria.

Colombia Law 1581 of 2012

Compliance with Colombian personal data protection law. Privacy policy published.

GDPR Principles

We operate under GDPR principles for European clients: data minimization, a lawful basis for processing, and data subject rights.

SFC — Colombia

Services oriented to entities regulated by the Superintendencia Financiera de Colombia (AFP, fiduciaries, brokers).

PUY conducts annual risk reviews, maintains an up-to-date risk register, and uses Vanta for continuous compliance monitoring across all applicable SOC 2 controls.

12

Employee Security

Employee security is a priority at PUY from day one of employment:

  • Background checks: Conducted for all employees as part of the hiring process.
  • Confidentiality agreements: All employees and contractors sign an Information Security Agreement covering confidentiality, acceptable use, and data protection before their first day.
  • Security training: Mandatory annual security awareness training for all employees, including phishing, social engineering, secure coding, and data privacy. Completed February 2026.
  • Managed devices: Work devices managed via Microsoft Intune, with removable media control policies and mandatory disk encryption.
  • Offboarding: Termination checklist including access revocation to all systems within a maximum of 5 business days.
13

Security Contact

To report a security vulnerability, request a copy of our SOC 2 report, or ask questions about our security practices, contact us:

Security Team — PUY Group SAS

Nicolás Gutiérrez Arias, Lead Developer

soporte@puygroup.com · puygroup.com

Responsible disclosure: If you discover a security vulnerability in the PUY platform, please contact us directly at soporte@puygroup.com before public disclosure. We commit to responding within 48 hours.