
Information Security Policy

CheckOP - SaaS Field Operations Management Platform

Last update: February 10, 2026


1. Introduction

This Information Security Policy describes the measures, controls and practices that Progresus S.A.S. (hereinafter "Progresus", "we" or "us") implements to protect the information of customers and users of CheckOP (hereinafter "the Service").

Security is a top priority for Progresus. We have invested in resources and controls designed to protect our customers' data and provide a reliable and secure service.


2. Security Objectives

CheckOP's security program is based on the following objectives:

2.1 Customer Trust and Protection

To offer superior products and services while protecting the privacy and confidentiality of our customers' information.

2.2 Availability and Service Continuity

To ensure uninterrupted availability of the Service and data to all authorized users by proactively reducing risks that threaten service continuity.

2.3 Information Integrity

To ensure that customer information is never corrupted or inappropriately altered, maintaining data accuracy and completeness.

2.4 Standards Compliance

To implement processes and controls aligned with international standards and industry best practices for cloud security.


3. Security Framework

3.1 Reference Standards

CheckOP has developed its security framework based on SaaS industry best practices, including:

  • OWASP (Open Web Application Security Project) recommendations.
  • Cloud security standards
  • ISO 27001 principles as a reference
  • Data protection best practices

3.2 Infrastructure Certifications

Our cloud infrastructure providers (Amazon Web Services and Google Cloud Platform) have the following certifications:

  • SOC 2 Type II
  • ISO 27001
  • Additional compliance and security certifications

These certifications guarantee high standards of physical, environmental and infrastructure security in the data centers where CheckOP operates.


4. Data Center Security

4.1 Infrastructure Providers

CheckOP uses top-tier cloud infrastructure providers:

  • Amazon Web Services (AWS): Instances located in the United States (us-east-1 region).
  • Google Cloud Platform (GCP): Instances located in the United States.

Progresus does not host its product systems at its own corporate offices.

4.2 Physical Security

Our vendors' data centers implement:

  • Restricted physical access through multiple layers of security.
  • 24/7 surveillance and monitoring systems
  • Biometric and card access control
  • Physical and electronic intrusion protection

4.3 Infrastructure and Redundancy

  • Minimum N+1 redundancy in power, networking, and HVAC services
  • Uninterruptible Power Supply (UPS) systems
  • Backup generators
  • Redundant cooling systems
  • Multiple and redundant network connectivity

5. Network Security

5.1 Perimeter Protection

CheckOP's infrastructure implements:

  • Firewalls: Network-level access control lists using Virtual Private Cloud (VPC) security groups.
  • Segmentation: Separation of networks using VPCs to isolate environments.
  • Secure Routing: Enterprise-level traffic control
  • Default Deny: All unauthorized traffic is automatically denied.

5.2 Network Access Control

  • Fine-grained control of traffic from public networks
  • Control of traffic between internal instances
  • Complete logging of network traffic for monitoring purposes
  • Protection at port and IP address level

5.3 DDoS Protection

CheckOP incorporates security measures against Distributed Denial of Service (DDoS) attacks, designed to ensure continuous availability of the Service.


6. Data Protection

6.1 Encryption in Transit

All communications with CheckOP are protected by:

  • TLS (Transport Layer Security) versions 1.0, 1.1, 1.2 or 1.3.
  • Encryption keys of 2048 bits or higher
  • Regularly updated SSL/TLS certificates

Encryption in transit applies to:

  • Authenticated user sessions
  • API calls
  • Login and authentication
  • Data transfer between system components

6.2 Encryption at Rest

Stored data is protected by:

  • AES-256 encryption for physical and virtualized hard disks
  • Long-term storage encryption (AWS S3)
  • Field or database level encryption for particularly sensitive information
  • Secure key management via KMS (Key Management System)

6.3 Key Management

  • Encryption keys stored in hardened key management systems
  • Periodic key rotation according to type and level of confidentiality
  • TLS certificates are renewed regularly
  • Restricted key access according to the principle of least privilege.

7. Access Control

7.1 User Authentication

For Clients and End Users:

  • Unique credentials (identifier and password) for each user.
  • Password complexity requirements
  • Prohibition of sharing access credentials
  • Multi-factor authentication option when available.

For Progresus Employees:

  • Industry-standard corporate password policy
  • Change passwords at least every 90 days
  • Minimum length of 8 characters with complexity requirements
  • Multi-factor authentication for access to critical systems
  • Unique SSH keys for server level authentication

7.2 Role Based Access Control (RBAC)

  • Progresus employees gain access based on their job function
  • Access strictly limited to job requirements
  • Automated daily access review
  • Semi-annual manual recertification of authorizations

7.3 Access to Customer Data

  • Limited group of employees with authorized access to production data
  • Access limited to technical support and troubleshooting functions
  • Time-limited access requests
  • Logging of all access to customer data

8. Application Security

8.1 Web Threat Protection

CheckOP implements automatic content protection through the following:

  • OWASP Top 10 recommendations
  • Detection and blocking of malicious traffic
  • Protection against SQL injection, XSS and other common vulnerabilities
  • Data input validation

8.2 Secure Development

The CheckOP development process includes:

  • Code review by specialized teams
  • Quality checks at each stage of development
  • Approval control by designated repository owners
  • Continuous integration with automated testing
  • Automatic rollback on error detection

8.3 Vulnerability Management

  • Continuous vulnerability scanning against internal networks, applications and infrastructure
  • Daily network-based and application level vulnerability scanning
  • Static code analysis to detect security flaws
  • Periodic penetration testing at application and network layers
  • Continuous update of attack signatures

9. Monitoring and Logging

9.1 Activity Logs

CheckOP maintains logs of:

  • User and administrator activity
  • System accesses
  • Data and configuration modifications
  • Security events
  • Network traffic

9.2 Security Monitoring

  • Continuous monitoring of security events
  • Automated alerts for anomalies
  • Log review by security personnel
  • Event correlation for threat detection

9.3 Traceability

CheckOP's History module allows customers to view, filter and download logs of all actions performed in the system, providing full traceability of activities.


10. Personnel Security

10.1 Background Checks

All Progresus employees undergo third-party background checks prior to receiving an offer of formal employment, where permitted by local laws. The check includes:

  • Verification of previous employment
  • Education verification
  • Criminal background check

10.2 Confidentiality Agreements

All employees must comply with:

  • Confidentiality agreements
  • Acceptable use policy
  • Information Protection Commitments

10.3 Security Training

Progresus maintains a written Information Security Policy and trains its employees on:

  • Data processing requirements
  • Privacy considerations
  • Responding to security breaches
  • Good security practices

11. Incident Management

11.1 Response Process

CheckOP provides business-day coverage for responding to security and privacy events. The process includes:

  1. Detection: Identification of the incident through automated alerts, vendors, customer requests, or other means.
  2. Classification: Determining the type and severity of the incident
  3. Containment: Isolation of the problem to avoid further impact.
  4. Investigation: Analysis of the origin and scope of the incident
  5. Resolution: Implementation of solutions and restoration of service
  6. Communication: Notification to affected customers as appropriate
  7. Review: Post analysis to prevent recurrence

11.2 Incident Communication

  • The security manager reviews all security-related incidents.
  • Contact with affected customers via email or telephone
  • Periodic updates during incident resolution
  • Post-incident reports when appropriate

11.3 Breach Notification

In the event of a security breach affecting customer data, Progresus will:

  • Notify affected customers as required by applicable law.
  • Provide information about the nature of the incident
  • Describe measures taken to mitigate the impact
  • Provide guidance on actions that customers can take

12. Business Continuity

12.1 Continuity Plans

Progresus has business continuity and disaster recovery plans focused on:

  • Avoiding disruptions through redundancy
  • Rapid recovery strategies
  • Isolation and transparent problem resolution

12.2 Infrastructure Redundancy

  • Distribution of instances across multiple availability zones
  • Web, application and database components with minimum N+1 redundancy
  • Real-time data replication

12.3 Backup Strategy

  • Daily database backups
  • Minimum seven-day retention of recoverable copies
  • Distributed on-premises storage (AWS S3)
  • Real-time replication for immediate protection
  • Copy protection with database security and access controls

12.4 System Recovery

  • Continuous validation of recovery processes
  • Continuous implementation allowing daily practice of procedures
  • Reversion capability in case of detected errors
  • Recovery time objective defined in the SLA

13. API Security

13.1 API Authentication

Access to the CheckOP API is controlled by:

  • API key authorization for prototypes and custom integrations.
  • OAuth 2.0 for production authentication and authorization
  • Mandatory OAuth for official integrations
  • Defined scopes for request authorization

13.2 Detailed Permissions

Customers can assign granular permissions for their accounts and restrict access to features and data as needed.


14. Customer Responsibilities

14.1 Credential Security

The customer is responsible for:

  • Maintaining the confidentiality of their login credentials.
  • Not sharing credentials between users
  • Immediately notifying any suspected unauthorized use
  • Using strong and unique passwords

14.2 Device Security

For mobile application users:

  • Keep devices secure and up to date
  • Use authorized devices according to account settings
  • Protect devices with password or biometrics
  • Report lost or stolen devices

14.3 Appropriate Use

The customer must:

  • Not upload unauthorized sensitive information
  • Comply with acceptable use policies
  • Report detected security vulnerabilities or incidents
  • Maintain updated security settings for their account

15. Security Contact

To report security incidents, vulnerabilities or security-related inquiries:

Progresus S.A.S.

  • E-mail: soporte@checkop.co
  • Support Portal: https://support.checkop.co

Notifications of possible vulnerabilities will be treated with priority and confidentiality.


16. Updates to this Policy

This Information Security Policy may be updated periodically to reflect improvements in our security practices or changes in the threat environment.

Important updates will be communicated to customers through appropriate channels.


This Information Security Policy reflects CheckOP's current practices. Protective measures are constantly being improved, and the information contained in this document is not intended to create additional contractual obligations beyond those set forth in the Terms and Conditions of Service.