01 Security commitment
Information security is a cornerstone of the Funneld service. We follow a layered approach, aligned with internationally recognised best practices (ISO/IEC 27001, NIST CSF, CIS Controls), to protect the confidentiality, integrity and availability of the data we process on behalf of our customers.
02 Encryption in transit and at rest
- In transit: all communications between the client, the platform and internal services use TLS 1.2 or higher, preferring TLS 1.3 and modern cipher suites (AEAD).
- At rest: data stored in databases and backup systems is encrypted with AES-256.
- Key management: cryptographic keys are held in a managed KMS, with periodic rotation and separation of duties.
- Application secrets: credentials, tokens and API keys are stored in encrypted secret managers — never in source code or repositories.
03 Identity and access control
- Least privilege: each person accesses only the resources strictly required for their role.
- Multi-factor authentication (MFA) is mandatory for access to internal systems, admin dashboards and cloud providers.
- Role-based access control (RBAC) and periodic permission reviews.
- Strong password policy with verification against breached-password lists.
- Inactive session expiry and automatic lockout after failed attempts.
04 Isolation, redundancy and backups
- Environment isolation: production, staging and development environments are segregated at the network and credential level.
- Redundancy and high availability: multi-zone architecture with load balancing and automatic failover.
- Encrypted backups taken daily, with tiered retention (short, medium and long-term) and regular restore verification.
- Business continuity plan with RPO and RTO objectives defined by criticality.
05 Logging, audit and monitoring
- Centralised, immutable logs of access, configuration changes and administrative actions.
- Continuous monitoring of service availability and anomaly detection.
- Per-lead traceability: origin, criteria and delivery documented in the Customer panel.
- Internal audits performed periodically and independent reviews when deemed appropriate.
06 Vendor and sub-processor management
All providers that process data on Funneld's behalf undergo an evaluation that includes:
- Analysis of declared technical and organisational measures.
- Available certifications (ISO 27001, SOC 2, etc.) and references.
- Contractual clauses in accordance with art. 28 GDPR.
- International transfer mechanisms where applicable.
We maintain an up-to-date internal list of sub-processors, available upon reasoned request for enterprise customers.
07 Incident response
We have a formal incident-response procedure with assigned roles, defined scenarios and pre-established communication channels:
- Detection: automatic alerts and internal or external reports.
- Initial containment and mitigation to limit impact.
- Forensic investigation and root-cause analysis.
- Communication: notification to the Spanish Data Protection Agency within a maximum of 72 hours when applicable, and to affected customers and/or users depending on the level of risk.
- Closure and lessons learned: internal documentation and system improvements.
08 Secure development and continuous improvement
- Code reviews are mandatory before deploying changes.
- Automated static analysis and dependency scanning in the CI pipeline.
- Periodic security testing (pentesting, vulnerability scanning).
- Internal training on security and data protection for the whole team.
- Patch management for operating systems, dependencies and critical tooling.
09 Responsible disclosure of vulnerabilities
If you have identified a security vulnerability in any part of the service, we ask that you communicate it responsibly to security@funneld.net. We investigate every report within a reasonable timeframe and acknowledge contributions publicly where appropriate.
Please do not perform tests that compromise the availability of the service or the privacy of other users.
Questions about this document?
For any question about this document, the processing of your data or your rights, contact our team. We reply within 24 working hours.