Effective July 13, 2026 · Version 1.1
Purpose and scope
This statement describes the security boundary of the OCO Ingenieria public website and the process for initiating a security report. It does not publish sensitive architecture, credentials, client controls, or exploit details.
A client system, research environment, authority integration, API, SDK, protocol, automation interface, evidence interface, or custom integration requires its own threat model, data classification, access model, incident process, recovery requirements, and written responsibility.
Current public-site architecture
The public site is generated as static files and delivered through Cloudflare Pages. A limited Cloudflare Function accepts contact-form POST requests and sends validated inquiries through Google's Gmail API. The site does not expose public accounts, a customer database, payment processing, an administrative console, or a regulated filing workflow.
This public architecture does not indicate that a client system, authority integration, or regulated operating service exists. Those systems require a separately authorized and documented implementation.
Public-site controls
The repository and delivered site implement controls proportionate to the current public information surface.
- A restrictive Content Security Policy limits scripts, styles, connections, forms, images, framing, and base URLs to the intended site boundary.
- Content-type, referrer, frame, and browser-permission headers reduce common browser attack paths.
- The contact endpoint accepts only expected methods and content types, validates required values, constrains field lengths, and does not expose provider credentials to the browser.
- The contact Function does not intentionally create a separate submission database; valid messages are transmitted to the configured OCO mailbox.
- Public-site delivery is separated from future client evidence, credentials, official systems, and regulated operating data.
Limits of the statement
This page is not a certification, penetration-test report, audit opinion, guarantee, service-level agreement, or representation of compliance with an unstated standard. The absence of a listed control does not confirm its absence, and the description of a control does not eliminate all risk.
Cloud, email, network, browser, DNS, software-supply-chain, and human factors can fail or be attacked. OCO reviews controls according to the information handled and the consequences of compromise.
Data and secret boundaries
The public website is not approved for passwords, API keys, tokens, private keys, identity documents, credit data, health data, biometric data, regulated evidence, confidential cases, production logs, or exploit material. The initial contact message must remain non-sensitive.
A controlled exchange begins only after OCO confirms the recipient, lawful purpose, system owner, scope, classification, minimum data, transfer mechanism, access, retention, and deletion. Secrets must remain in scoped provider or environment controls and must not be committed to a repository or copied into public records.
Security for regulated engagements
For a regulated engagement, controls are selected from the exact obligation and data flow. The design must identify the authoritative system, responsible actors, permitted interfaces, professional or official decision points, evidence requirements, failure consequences, and recovery objectives.
Depending on scope, the written design may require strong identity, least privilege, segregation of duties, environment separation, encryption, logging, integrity checks, change review, backup, tested recovery, vulnerability management, supplier controls, retention, deletion, incident exercises, and independent assurance. No control or certification is claimed until it is implemented and evidenced for that system.
Legal boundary for computer systems
Paraguayan criminal law addresses unauthorized access, interference, data alteration, sabotage, and related computer offenses. A good intention, public URL, or later report does not by itself create authorization or a legal defense.
This reporting process is not a safe-harbor promise, bug-bounty program, invitation to test, waiver of rights, or consent to acts otherwise prohibited by law or contract. Researchers must obtain written permission before active testing.
Initiating a security report
Use the public contact form only to request a secure security-reporting channel. Choose “Other,” identify the affected OCO public hostname or page, provide a non-sensitive summary of the suspected issue, state whether any data or account may be affected, and give a reliable reply address.
Do not place payloads, exploit code, credentials, personal information, private URLs, logs, screenshots containing secrets, or reproduction details in the initial form. OCO will provide a controlled channel if further material is necessary.
Report handling
OCO may acknowledge the report, verify ownership and scope, request clarification, classify impact, preserve evidence, coordinate with a provider or affected owner, implement a correction, monitor recovery, or close a report that is unsupported or outside OCO's control.
OCO does not promise a response time, remediation time, reward, public credit, or disclosure date through this public statement. Contractual response and notice commitments apply only when stated in the relevant agreement.
Evidence handling and disclosure
Security evidence is limited to the minimum needed to assess and respond. Access is restricted to people and providers with a response role, and retention follows the incident, legal, contractual, and evidence requirements.
A reporter must not retain, use, publish, transfer, or demand payment for personal data, credentials, confidential material, or third-party information. Public disclosure must be coordinated with the affected owner and must not expose users to additional harm. OCO may notify the relevant owner, provider, authority, or law-enforcement body when legally required or necessary to protect systems and people.
Personal-data incidents
A suspected personal-data incident is assessed separately from an ordinary software defect. OCO determines the information involved, persons affected, likely consequences, containment, recovery, evidence, responsible parties, and applicable notice duties.
Law No. 7593/2025 requires continuing security measures and, once effective, notice to the control authority and, where applicable, the data subject within no more than 72 hours after awareness of a qualifying incident. Before that date, OCO follows currently applicable constitutional, sector, contractual, consumer, civil, and criminal obligations.
Third-party incidents
If an issue concerns a regulator, client, association, cloud provider, email provider, domain registrar, certificate authority, or another third party, the reporter must use that organization's authorized process. OCO may route a non-sensitive notice but cannot accept ownership or authorize investigation for another party.
CERT-PY coordinates cybersecurity incident notifications in Paraguay and publishes official reporting information. A report to OCO does not replace a legally required report to CERT-PY, law enforcement, a sector regulator, a data-protection authority, or an affected organization.
Continuity and change
OCO may change public-site controls, hosting, email routing, or reporting procedures as the service and threat environment change. Material changes to the public security boundary will be reflected in this statement's effective date and version.
A change to this public statement does not alter a signed security schedule, incident plan, data-processing agreement, or service level. Those documents change only through their own written process.
Official legal sources
These links are provided for verification and lead to official Spanish-language sources. The official published text, competent authority, and binding decision control. The list identifies the principal sources relevant to this public notice; it is not a complete legal inventory for a particular engagement.
- Law No. 4439/2011 — Amendments to the Criminal CodeUnauthorized access, interference, data-related offenses, and related computer crime.
- Law No. 7593/2025 — Personal Data ProtectionComprehensive personal-data framework; effective 24 months after official publication.
- MITIC — Scope and transition for Law No. 7593/2025Official transition notice stating that the law is expected to take effect in late 2027.
- MITIC / CERT-PY — Cybersecurity incident coordinationOfficial national incident-response role and public information.