CASE — WE AUDITED OURSELVES FIRST
We practice what we sell
Octoberus runs physical-security platforms for energy and telecom clients. Before offering Law 21,719 compliance to others, we applied the same methodology to our own systems. Here is the summary — with no sensitive detail.
Four components, one methodology.
Services API
Backend governing users, access and media
Web console
The clients' operations interface
Mobile app
Door opening via Bluetooth, PIN and QR
Firmware
Physical door and gate devices
READ-ONLY REVIEW · NO ACCESS TO PRODUCTION DATA · NO TESTS AGAINST LIVE SYSTEMS
Categories of findings.
We classified each finding by its exposure under the law (minor, serious, very serious). Here are the categories, in aggregate — the technical detail lives in a restricted report, never in public.
Sensitive data
Facial recognition and biometrics with no defined lifecycle: the law's most demanding category.
Internal logs
Full personal data written in clear text into audit logs.
API surface
API origins without restriction.
Crash reports
Secrets and personal data sent to third-party services without scrubbing.
On-device storage
Credentials and sensitive data unencrypted in the app.
Retention
No deletion policy: everything was kept indefinitely.
Right away, the highest-impact items.
- 01 Redaction of personal data in audit logs (secrets removed, identifiers masked).
- 02 Configurable origin allowlist for the APIs.
- 03 Removal of secrets from the mobile app's crash reports.
- 04 Telemetry and signing credentials moved out of the code, managed by environment.
What required database changes, business decisions or infrastructure validation went into a prioritized roadmap — the same structure we deliver to our clients: fix what's safe now, plan the rest in order.
WHY IT MATTERS
Anyone can sell a report. We went through the full process — assessment, remediation and roadmap — on real systems running critical infrastructure. We know where it hurts because it hurt us first.