Skip to content
Octo Inc. — Data Protection Unit
Octoberus DATA

CASE — WE AUDITED OURSELVES FIRST

We practice what we sell

Octoberus runs physical-security platforms for energy and telecom clients. Before offering Law 21,719 compliance to others, we applied the same methodology to our own systems. Here is the summary — with no sensitive detail.

The scope

Four components, one methodology.

Services API

Backend governing users, access and media

Web console

The clients' operations interface

Mobile app

Door opening via Bluetooth, PIN and QR

Firmware

Physical door and gate devices

READ-ONLY REVIEW · NO ACCESS TO PRODUCTION DATA · NO TESTS AGAINST LIVE SYSTEMS

What we found

Categories of findings.

We classified each finding by its exposure under the law (minor, serious, very serious). Here are the categories, in aggregate — the technical detail lives in a restricted report, never in public.

01

Sensitive data

Facial recognition and biometrics with no defined lifecycle: the law's most demanding category.

02

Internal logs

Full personal data written in clear text into audit logs.

03

API surface

API origins without restriction.

04

Crash reports

Secrets and personal data sent to third-party services without scrubbing.

05

On-device storage

Credentials and sensitive data unencrypted in the app.

06

Retention

No deletion policy: everything was kept indefinitely.

What we fixed

Right away, the highest-impact items.

  • 01 Redaction of personal data in audit logs (secrets removed, identifiers masked).
  • 02 Configurable origin allowlist for the APIs.
  • 03 Removal of secrets from the mobile app's crash reports.
  • 04 Telemetry and signing credentials moved out of the code, managed by environment.

What required database changes, business decisions or infrastructure validation went into a prioritized roadmap — the same structure we deliver to our clients: fix what's safe now, plan the rest in order.

WHY IT MATTERS

Anyone can sell a report. We went through the full process — assessment, remediation and roadmap — on real systems running critical infrastructure. We know where it hurts because it hurt us first.