Skip to content
OCOIngenieria Paraguay
CompanyMethodInfrastructureStudiesCooperationInnovation Let's talk
HomeSecurity

Security

Security

01 Purpose and scope02 Current public-site architecture03 Public-site controls04 Limits of the statement05 Data and secret boundaries06 Security for regulated engagements07 Authorization required08 Legal boundary for computer systems09 Initiating a security report10 Report handling11 Evidence handling and disclosure12 Personal-data incidents13 Third-party incidents14 Continuity and change15 Sources

Effective July 13, 2026 · Version 1.1

Purpose and scope

This statement describes the security boundary of the OCO Ingenieria public website and the process for initiating a security report. It does not publish sensitive architecture, credentials, client controls, or exploit details.

A client system, research environment, authority integration, API, SDK, protocol, automation interface, evidence interface, or custom integration requires its own threat model, data classification, access model, incident process, recovery requirements, and written responsibility.

Current public-site architecture

The public site is generated as static files and delivered through Cloudflare Pages. A limited Cloudflare Function accepts contact-form POST requests and sends validated inquiries through Google's Gmail API. The site does not expose public accounts, a customer database, payment processing, an administrative console, or a regulated filing workflow.

This public architecture does not indicate that a client system, authority integration, or regulated operating service exists. Those systems require a separately authorized and documented implementation.

Public-site controls

The repository and delivered site implement controls proportionate to the current public information surface.

  • A restrictive Content Security Policy limits scripts, styles, connections, forms, images, framing, and base URLs to the intended site boundary.
  • Content-type, referrer, frame, and browser-permission headers reduce common browser attack paths.
  • The contact endpoint accepts only expected methods and content types, validates required values, constrains field lengths, and does not expose provider credentials to the browser.
  • The contact Function does not intentionally create a separate submission database; valid messages are transmitted to the configured OCO mailbox.
  • Public-site delivery is separated from future client evidence, credentials, official systems, and regulated operating data.

Limits of the statement

This page is not a certification, penetration-test report, audit opinion, guarantee, service-level agreement, or representation of compliance with an unstated standard. The absence of a listed control does not confirm its absence, and the description of a control does not eliminate all risk.

Cloud, email, network, browser, DNS, software-supply-chain, and human factors can fail or be attacked. OCO reviews controls according to the information handled and the consequences of compromise.

Data and secret boundaries

The public website is not approved for passwords, API keys, tokens, private keys, identity documents, credit data, health data, biometric data, regulated evidence, confidential cases, production logs, or exploit material. The initial contact message must remain non-sensitive.

A controlled exchange begins only after OCO confirms the recipient, lawful purpose, system owner, scope, classification, minimum data, transfer mechanism, access, retention, and deletion. Secrets must remain in scoped provider or environment controls and must not be committed to a repository or copied into public records.

Security for regulated engagements

For a regulated engagement, controls are selected from the exact obligation and data flow. The design must identify the authoritative system, responsible actors, permitted interfaces, professional or official decision points, evidence requirements, failure consequences, and recovery objectives.

Depending on scope, the written design may require strong identity, least privilege, segregation of duties, environment separation, encryption, logging, integrity checks, change review, backup, tested recovery, vulnerability management, supplier controls, retention, deletion, incident exercises, and independent assurance. No control or certification is claimed until it is implemented and evidenced for that system.

Authorization required

Public access does not authorize vulnerability scanning, automated enumeration, authentication testing, credential use, access-control bypass, source or data extraction, persistence, malware, social engineering, denial of service, destructive testing, or access to a third-party system.

Testing requires prior written authorization from the owner of every affected system. Authorization must identify the assets, dates, methods, rate limits, data-handling rules, stop conditions, reporting path, and responsible contacts. OCO cannot authorize testing of Cloudflare, Google, a regulator, client, association, provider, or other third party.

Legal boundary for computer systems

Paraguayan criminal law addresses unauthorized access, interference, data alteration, sabotage, and related computer offenses. A good intention, public URL, or later report does not by itself create authorization or a legal defense.

This reporting process is not a safe-harbor promise, bug-bounty program, invitation to test, waiver of rights, or consent to acts otherwise prohibited by law or contract. Researchers must obtain written permission before active testing.

Initiating a security report

Use the public contact form only to request a secure security-reporting channel. Choose “Other,” identify the affected OCO public hostname or page, provide a non-sensitive summary of the suspected issue, state whether any data or account may be affected, and give a reliable reply address.

Do not place payloads, exploit code, credentials, personal information, private URLs, logs, screenshots containing secrets, or reproduction details in the initial form. OCO will provide a controlled channel if further material is necessary.

Report handling

OCO may acknowledge the report, verify ownership and scope, request clarification, classify impact, preserve evidence, coordinate with a provider or affected owner, implement a correction, monitor recovery, or close a report that is unsupported or outside OCO's control.

OCO does not promise a response time, remediation time, reward, public credit, or disclosure date through this public statement. Contractual response and notice commitments apply only when stated in the relevant agreement.

Evidence handling and disclosure

Security evidence is limited to the minimum needed to assess and respond. Access is restricted to people and providers with a response role, and retention follows the incident, legal, contractual, and evidence requirements.

A reporter must not retain, use, publish, transfer, or demand payment for personal data, credentials, confidential material, or third-party information. Public disclosure must be coordinated with the affected owner and must not expose users to additional harm. OCO may notify the relevant owner, provider, authority, or law-enforcement body when legally required or necessary to protect systems and people.

Personal-data incidents

A suspected personal-data incident is assessed separately from an ordinary software defect. OCO determines the information involved, persons affected, likely consequences, containment, recovery, evidence, responsible parties, and applicable notice duties.

Law No. 7593/2025 requires continuing security measures and, once effective, notice to the control authority and, where applicable, the data subject within no more than 72 hours after awareness of a qualifying incident. Before that date, OCO follows currently applicable constitutional, sector, contractual, consumer, civil, and criminal obligations.

Third-party incidents

If an issue concerns a regulator, client, association, cloud provider, email provider, domain registrar, certificate authority, or another third party, the reporter must use that organization's authorized process. OCO may route a non-sensitive notice but cannot accept ownership or authorize investigation for another party.

CERT-PY coordinates cybersecurity incident notifications in Paraguay and publishes official reporting information. A report to OCO does not replace a legally required report to CERT-PY, law enforcement, a sector regulator, a data-protection authority, or an affected organization.

Continuity and change

OCO may change public-site controls, hosting, email routing, or reporting procedures as the service and threat environment change. Material changes to the public security boundary will be reflected in this statement's effective date and version.

A change to this public statement does not alter a signed security schedule, incident plan, data-processing agreement, or service level. Those documents change only through their own written process.

Official legal sources

These links are provided for verification and lead to official Spanish-language sources. The official published text, competent authority, and binding decision control. The list identifies the principal sources relevant to this public notice; it is not a complete legal inventory for a particular engagement.

  1. Law No. 4439/2011 — Amendments to the Criminal CodeUnauthorized access, interference, data-related offenses, and related computer crime.
  2. Law No. 7593/2025 — Personal Data ProtectionComprehensive personal-data framework; effective 24 months after official publication.
  3. MITIC — Scope and transition for Law No. 7593/2025Official transition notice stating that the law is expected to take effect in late 2027.
  4. MITIC / CERT-PY — Cybersecurity incident coordinationOfficial national incident-response role and public information.
OCO © 2026 OCO Ingenieria EAS Unipersonal. All rights reserved.
GovernanceLegalTermsPrivacySecurityLet's talk

OCO validations are not official approvals. The competent authority or legally authorized professional remains the authoritative source.

Analytics preferences

Choose whether OCO may measure website use.

Google Analytics is loaded only after consent. OCO uses aggregated measurements to improve the public website and does not enable advertising, Google Signals, or cross-site profiling. Read the privacy notice.