Information Security Policy
How Zynvio protects the information you entrust to it: principles and controls aligned with ISO/IEC 27001 and ISO/IEC 27701, and the technical and organisational measures required by Article 32 of the GDPR.
Version 1.1 — Last updated: July 11, 2026 · PIXELARIS S.L.
Encryption in transit and at rest
Communications protected with TLS/SSL and stored data encrypted with AES-256. Passwords stored using salted hash functions.
Granular access control
Least-privilege principle, role-based access control and granular permissions across the entire platform.
Multi-company isolation
Multi-tenant architecture with logical separation of each company's data.
Audit and traceability
Audit log with traceability of operations: who did what, and when.
Backups
Periodic backups aimed at the availability and recovery of information.
EU hosting
Infrastructure hosted in the European Union, with suppliers selected under adequate guarantees.
Regulatory and reference framework
Zynvio applies the principles and controls of these standards and regulations as its working framework. This policy does not constitute a claim of certification under ISO/IEC 27001 or ISO/IEC 27701.
Full text of the policy
1. Purpose and scope
This Information Security Policy describes the principles and measures by which Zynvio, a platform operated by PIXELARIS S.L., protects the information it processes, including information belonging to its customers and users. This policy applies to:
- The Zynvio platform (app.zynvio.com) and the corporate website.
- All personnel with access to systems or information.
- The development, operation and support processes of the service.
2. Security objectives
The security management system aims to guarantee four properties of information:
- Confidentiality: information is only accessed by those authorised to do so.
- Integrity: information is accurate and complete, and any modification is detectable.
- Availability: information and the service are accessible when needed, backed by backups that support recovery.
- Traceability: operations are logged, so it can be verified who did what and when.
3. Reference framework
Our information security management system is based on the principles and controls of the ISO/IEC 27001 standard, and the management of personal information is aligned with the guidelines of ISO/IEC 27701 (privacy information management extension). We also apply the technical and organisational measures required by Article 32 of Regulation (EU) 2016/679 (GDPR) and by the Spanish LOPDGDD.
This policy is a statement of security principles and practices; it does not constitute a claim of certification under these standards.
4. Governance and management commitment
The management of PIXELARIS S.L. is committed to information security and is responsible for:
- Approving this policy and reviewing it periodically.
- Assigning security responsibilities.
- Providing the resources needed for compliance.
- Promoting continuous improvement of the management system.
5. Risk management
We periodically assess the risks affecting the confidentiality, integrity and availability of information, as well as the effectiveness of the security measures in place. Measures are adjusted when risks, technology or the service context change.
6. Access control
Access to information is managed according to the following principles:
- Least-privilege principle for data access.
- Role-based access control and granular permissions.
- Logical data isolation between companies (multi-tenant architecture).
- Cryptographically generated session tokens.
7. Encryption and data protection
We apply encryption to protect information in all its states:
- Encryption of data in transit using TLS/SSL.
- Encryption of data at rest using AES-256.
- Password storage using salted hash functions.
- Encrypted protection of electronic certificates and sensitive credentials.
8. Security in development and operations
The development and operation of the platform incorporate security measures by design:
- SQL injection prevention through parameterised queries.
- Validation and sanitisation of uploaded files.
- Protection against automated attacks.
- Audit logging with operation traceability.
9. Integrity of billing records (VERI*FACTU)
As an invoicing system operating in VERI*FACTU mode, Zynvio guarantees the integrity, preservation, traceability and inalterability of billing records:
- Each record carries a SHA-256 fingerprint chained to the previous record's, forming a verifiable chain.
- Records are submitted continuously to the Spanish tax agency (AEAT).
- Each invoice includes a verifiable QR code.
- No record can be modified or deleted without the system detecting it; corrections are made through new records that preserve the originals.
10. Backups and continuity
We perform periodic backups aimed at ensuring the availability and recovery of information in the event of incidents.
11. Incident management and breach notification
We have security incident management procedures in place. When an incident constitutes a personal data breach, we act in accordance with Articles 33 and 34 of the GDPR and with our Privacy Policy:
- As data controller: notification to the Spanish supervisory authority (AEPD) within a maximum of 72 hours when there is a risk to the rights and freedoms of data subjects and, if the risk is high, direct communication to those affected.
- As data processor: notification to the customer (controller) without undue delay, providing the information needed for them to meet their own notification obligations.
12. Privacy by design
In line with ISO/IEC 27701, the management of personal information is integrated into the security system according to the principles of privacy by design and by default:
- Distinct data controller and data processor roles, as described in the Privacy Policy.
- Data processing agreement (DPA) with platform customers.
- Management of sub-processors with equivalent guarantees.
- Data minimisation and purpose limitation.
13. Personnel
All personnel are bound by confidentiality obligations, access information under the least-privilege principle and apply this policy in the performance of their duties.
14. Suppliers and hosting
Suppliers involved in providing the service are selected subject to adequate security and data protection guarantees. Zynvio's infrastructure is hosted in the European Union.
15. Review and continuous improvement
This policy is reviewed periodically and updated when risks, technology or applicable legal requirements change. The version published on this page is the one in force.
16. Contact and vulnerability reporting
If you detect a vulnerability or a security issue related to Zynvio, or have any questions about this policy, write to us at: