Information Security Statement
Temoche Consulting maintains an internal information-security program aligned to ISO/IEC 27001:2022 and applicable Peruvian regulation (Ley 29733 and its Regulation; Information Security Directive, Directorial Resolution 019-2013-JUS/DGPDP). The statement below describes our public commitments and channels.
Scope
This statement applies to Temoche Consulting's own infrastructure (website, internal collaboration tooling, working repositories) and to the engagement lifecycle when Temoche Consulting acts as data processor on behalf of a client.
Public commitments
- Periodic internal risk assessments and management review.
- Access control under least-privilege and need-to-know principles.
- Incident management protocol with internal escalation and client notification within contractual SLAs.
- Encryption in transit (TLS 1.2+) and at rest for sensitive data assets.
- Secure repository management with audit trails for all working artifacts.
- Continuity protocols including backup, escrow and designated backup consultant per engagement.
This website: security posture
The public website is statically hosted on an edge platform with security hardening: HTTPS-only, modern security headers (including a strict Content Security Policy), origin isolation, and disabling of browser capabilities we do not use. The specific configuration is kept private and reviewed periodically.
Responsible disclosure
We accept reports of security vulnerabilities affecting our public infrastructure. Please report findings privately to legal@temocheconsulting.com with the subject line "Security · Responsible Disclosure" and a brief description of the issue.
Please do not exploit findings beyond what is strictly necessary to demonstrate the vulnerability. We do not currently operate a bug-bounty program; recognition is offered upon request and never includes monetary reward unless a formal program is announced.
Machine-readable channel
A machine-readable security contact file is published per
RFC 9116
at /.well-known/security.txt.
Out of scope
- Social engineering of Temoche Consulting personnel or clients.
- Physical security testing of any office or facility.
- Denial-of-service or volumetric tests.
- Testing against client engagement infrastructure (out of our authority).
For clients under active engagement
Detailed security architecture, incident-response playbook, audit trails and insurance certificates are shared under NDA during the proposal phase. The Information Security Policy applicable to a specific engagement is referenced in the Statement of Work.