Security & Compliance

Enterprise-grade security architecture designed for logistics and supply chain operations handling sensitive cargo data.

Architecture Controls

Encryption

  • AES-256 at Rest: All data encrypted using AES-256-GCM with envelope encryption via AWS KMS
  • TLS 1.3 in Transit: All API endpoints and web interfaces require TLS 1.3 with perfect forward secrecy
  • Database Encryption: Transparent Data Encryption (TDE) for PostgreSQL and TimescaleDB instances
  • Key Rotation: Automatic key rotation every 90 days with cryptographic shredding on deletion

Access Control

  • SAML 2.0 SSO: Integration with Okta, Azure AD, OneLogin, and Ping Identity
  • RBAC: Role-based access control with customizable permission sets
  • MFA: Multi-factor authentication required for all administrative accounts
  • API Authentication: OAuth 2.0 with PKCE for API access, API keys for service accounts

Audit & Monitoring

Immutable Audit Logs

  • Cryptographic Hash Chaining: Each log entry includes the hash of the previous entry, creating a tamper-evident chain
  • Comprehensive Coverage: All authentication events, data access, configuration changes, and API calls logged
  • Retention: Audit logs retained for a minimum of 7 years in WORM (Write Once Read Many) storage
  • Export: SIEM integration via syslog, Splunk HEC, or Datadog API

Real-Time Monitoring

  • Anomaly Detection: Machine-learning-based detection of unusual access patterns
  • Intrusion Detection: Network-level IDS/IPS with signature and behavioral analysis
  • Vulnerability Scanning: Weekly automated scans of all internet-facing endpoints
  • Alerting: 24/7 security operations center monitoring with 15-minute alert response SLA

Data Residency

Ibero.pro operates dedicated infrastructure regions to meet data sovereignty requirements for regulated industries.

US-East Region

Northern Virginia (AWS us-east-1). Primary region for East Coast customers. SOC 2 Type II certified data center.

US-West Region

Oregon (AWS us-west-2). Disaster recovery and West Coast latency optimization. Identical security controls.

Sovereign tier customers may request dedicated single-region deployment with explicit data residency guarantees in their DPA.

Compliance Roadmap

SOC 2 Type II

In progress. Third-party audit initiated Q1 2024. Expected completion Q3 2024. Scope includes Security, Availability, and Confidentiality trust service criteria.

ISO 27001 Alignment

Information Security Management System (ISMS) implemented in alignment with ISO 27001:2022 requirements. Formal certification planned for 2025.

HIPAA BAA

Available for healthcare and pharmaceutical customers upon request. Includes enhanced access controls and audit logging per HIPAA Security Rule requirements.

Vulnerability Management

Testing Program

  • SAST: Static Application Security Testing integrated into CI/CD pipeline
  • DAST: Dynamic Application Security Testing weekly against staging environment
  • Dependency Scanning: Automated CVE detection for all third-party libraries
  • Container Scanning: Docker image vulnerability assessment before deployment

Penetration Testing

  • Annual Third-Party: External penetration test by CREST-certified firm
  • Quarterly Internal: Red team exercises targeting application and infrastructure
  • Bug Bounty: Private bug bounty program for vetted security researchers
  • Remediation SLA: Critical vulnerabilities patched within 72 hours

Blockchain Verification Disclaimer

Cryptographic anchoring to the Polygon blockchain provides proof of data integrity at the time of ingestion. The anchored Merkle root proves that specific data existed at a specific time and has not been altered since anchoring.

Blockchain records are immutable and publicly verifiable. However, blockchain anchoring does not guarantee the accuracy of source data at ingestion time. Customers maintain responsibility for ensuring IoT device integrity and data quality at the point of collection.
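As an added illustration of what the disclaimer above does and does not cover (example code, not Ibero.pro's implementation; the SHA-256 leaf/node scheme, the odd-level padding rule and the sample readings are all assumptions), the following builds the Merkle root that would be anchored, verifies a record against it, and shows that a record edited after anchoring fails verification while a reading that was wrong at the sensor verifies perfectly:

```python
import hashlib

# Constructed sample: three cold-chain telemetry readings exactly as ingested.
# The third comes from a miscalibrated sensor: wrong value, but faithfully anchored.
READINGS = [
    b'{"shipment":"SHP-001","sensor":"t1","temp_c":4.1,"ts":1700000000}',
    b'{"shipment":"SHP-001","sensor":"t1","temp_c":4.3,"ts":1700000060}',
    b'{"shipment":"SHP-001","sensor":"t1","temp_c":41.0,"ts":1700000120}',
]

def leaf_hash(record: bytes) -> bytes:
    # Domain separation so a leaf can never be confused with an interior node.
    return hashlib.sha256(b"\x00" + record).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _pad(level: list) -> list:
    # Odd number of nodes: duplicate the last hash (assumed padding rule).
    return level + [level[-1]] if len(level) % 2 else level

def _next_level(level: list) -> list:
    level = _pad(level)
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(records: list) -> bytes:
    """The value anchored on-chain; it commits to every record at ingestion time."""
    level = [leaf_hash(r) for r in records]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def inclusion_proof(records: list, index: int) -> list:
    """Sibling hashes from leaf to root; 'L'/'R' says which side the sibling is on."""
    level, proof = [leaf_hash(r) for r in records], []
    while len(level) > 1:
        level = _pad(level)
        sib = index ^ 1
        proof.append(("L" if sib < index else "R", level[sib]))
        level, index = _next_level(level), index // 2
    return proof

def verify_inclusion(record: bytes, proof: list, anchored_root: bytes) -> bool:
    """Recompute the root from one record plus its proof and compare to the anchor."""
    h = leaf_hash(record)
    for side, sib in proof:
        h = node_hash(sib, h) if side == "L" else node_hash(h, sib)
    return h == anchored_root

if __name__ == "__main__":
    root, proof = merkle_root(READINGS), inclusion_proof(READINGS, 2)
    print(verify_inclusion(READINGS[2], proof, root))                            # True: intact, though inaccurate
    print(verify_inclusion(READINGS[2].replace(b"41.0", b"4.0"), proof, root))  # False: edited after anchoring
```

The anchor proves the 41.0 C reading is what was ingested and has not changed since; it says nothing about whether the sensor was right, which is why device integrity remains the customer's responsibility.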

Questions about security?

Our security team can provide detailed documentation and answer technical questions about our controls and compliance posture.
