Data Privacy Policy

1. Legal basis and scope of application

BPO LABS S.A.S, in order to ensure compliance with Statutory Law 1581 of 2012 on Data Protection (LEPD) and Decree 1377 of 2013, adopts this Internal Security Manual, which includes the necessary technical, human, and administrative measures to provide security to records in order to prevent their alteration, loss, consultation, unauthorized or fraudulent use or access, in accordance with the security principle stated in Article 4, letter g of the LEPD.

This manual belongs to: BPO LABS S.A.S.

The provisions of this document apply to the databases under the responsibility of BPO LABS S.A.S, as well as to the information systems, media, and equipment used in the processing of data, which must be protected in accordance with the current regulations, to the individuals involved in the processing, and to the premises where such databases are located.

2. Definition of concepts related to security
  • Authorized Access:Authorization granted to a user for the use of specific resources. In automated devices, it is the result of successful authentication, usually through the input of a username and password.
  • Authentication:The process of verifying the identity of a user.
  • Password:A secret code or phrase that grants access to devices, information, or previously inaccessible databases. It is used in user authentication to enable authorized access.
  • Access Control:Mechanism that allows access to devices, information, or databases through authentication.
  • Backup:A copy of database data stored on a medium that enables its recovery.
  • Identification:The process of recognizing the identity of users.
  • Incident:Any anomaly that affects or could affect the security of data, constituting a risk to the confidentiality, availability, or integrity of databases or the personal data they contain.
  • User Profile:A group of users who are granted access.
  • Protected Resource:Any component of the information system, such as databases, programs, media, or equipment, used for the storage and processing of personal data.
  • Security Officer:One or more individuals designated by the data controller to control and coordinate security measures.
  • Information System:A collection of databases, programs, media, and/or equipment used for the processing of personal data.
  • Media:Material on which information is recorded or from which data can be stored or retrieved, such as paper, video tape, CD, DVD, hard disk, etc.
  • User:An authorized subject who accesses data or resources, or a process that accesses data or resources without the identification of a subject.
3. Compliance and updating

The Internal Security Manual is an internal document of the company that is mandatory for all personnel of BPO LABS S.A.S. who have access to information systems containing personal data.

This manual must undergo continuous review and updating whenever there are changes in the information systems, the processing system, the organization, or the content of the database information that may affect the implemented security measures. Additionally, the manual must always be in compliance with the legal regulations regarding the security of personal data.

4. Security measures

The databases are only accessible by individuals designated by BPO LABS S.A.S, as referred to in section 6 of this document.

The security officers of BPO LABS S.A.S, mentioned in section 6 of this manual, are responsible for managing user access permissions, the procedure for assigning and distributing passwords to ensure confidentiality, integrity, and storage during their validity period, as well as the frequency at which passwords are changed.

The following are the security measures implemented by BPO LABS S.A.S:

4. 1. Common security measures
4. 1. 1. Management of documents and media

The documents and media containing the databases are determined in the inventory of documents and media. Authorized users who have access to these documents and media are responsible for ensuring that unauthorized individuals cannot access them. The authorized users are specified in section 6 on databases and information systems in this manual. The documents and media must classify the data according to the type of information they contain, be inventoried, and be accessible only to authorized personnel, unless their characteristics make it impossible to identify them, in which case a justified record will be made in the incoming and outgoing document register and in the Internal Security Manual. Documents and media containing sensitive personal data must be identified using comprehensible and meaningful labeling systems that allow authorized users to identify their content and make identification difficult for other individuals. The removal of documents and media containing personal data from the premises under the control of the data controller must be authorized by the data controller. This provision also applies to documents or media attached to and sent by email. The inventory of documents and media of BPO LABS S.A.S must be included as an annex to this manual.

4. 1. 2. Access control

The personnel of BPO LABS S.A.S should only access the data and resources necessary for the performance of their duties and for which they are authorized by the data controller in this manual. BPO LABS S.A.S is responsible for maintaining an updated list of users, user profiles, and authorized accesses for each of them. It also has mechanisms to prevent access to data with rights other than those authorized. In the case of computer media, this may involve the assignment of passwords, and in the case of documents, the delivery of keys or mechanisms to open storage devices where the documentation is archived. The modification of any data or information, as well as the granting, alteration, inclusion, or cancellation of authorized accesses and users listed in the updated list mentioned in the previous paragraph, is the exclusive responsibility of authorized personnel. Any external personnel authorized and legally authorized to access protected resources will be subject to the same conditions and security obligations as the internal personnel. The authorized users for accessing databases are specified in section 6 of this manual.

4. 1. 3. Processing outside the premises

The storage of personal data by the data controller or data processor on portable devices and their processing outside the premises requires prior authorization from BPO LABS S.A.Sand compliance with the corresponding security guarantees for the processing of this type of data.

4. 1. 4. Temporary databases, copies, and reproductions

Temporary databases or copies of documents created for temporary or auxiliary work must comply with the same level of security as the original databases or documents. Once they are no longer needed, these temporary databases or copies must be deleted or destroyed, preventing access or recovery of the information they contain. Only the personnel authorized in section 6 are allowed to make copies or reproduce the documents.

4. 1. 5. Security officer

BPO LABS S.A.S has appointed respective security officers responsible for coordinating and controlling the security measures contained in this manual. According to data protection regulations, the appointment of security officers does not exempt the data controller or data processor from liability.

4. 1. 6. Audits

Databases containing personal data processed by BPO LABS S.A.S, classified with a sensitive or private security level, must undergo an internal or external audit every year to verify compliance with the security measures contained in this manual.

Both the information systems and the data storage and processing facilities will be audited. BPO LABS S.A.S will carry out an extraordinary audit whenever substantial modifications are made to the information system that may affect compliance with the security measures, in order to verify their adaptation, suitability and the effectiveness of the same.

The audits will conclude with an audit report that will contain:

  • The opinion on the adequacy of the measures and controls to the regulations on data protection.
  • Identification of deficiencies found and suggestions for necessary corrective or complementary measures. 
  • Description of the data, facts, and observations on which the opinions and proposed recommendations are based. The corresponding security officer will study the report and communicate the findings to the data controller for the implementation of corrective measures. 

The audit reports will be attached to the Internal Security Manual and made available to the Supervisory Authority.

4. 2. Security measures for non-automated databases
4. 2. 1. File of documents

BPO LABS S.A.S establishes the criteria and procedures for filing documents containing personal data in accordance with the law. The filing criteria ensure the preservation, location, and consultation of documents, enabling the rights of access and claims by data subjects. These criteria and procedures are outlined in section 6 of this manual.

It is recommended that documents be filed considering criteria such as the degree of use by users with authorized access, the currency of their management and/or processing, and differentiation between historical databases and those for company administration or management. Document storage devices must have keys or other mechanisms that hinder their opening, except when the physical characteristics of the devices prevent it. In such cases, BPO LABS S.A.S will take necessary measures to prevent unauthorized access.

The devices are identified and described in section 6 of this manual. When documents containing personal data are under review or processing and, therefore, outside the storage devices, whether before or after filing, the person in charge must safeguard them and prevent unauthorized access.

Storage devices containing documents with classified sensitive security levels must be located in areas or premises with access protected by locked doors or similar mechanisms. These areas must remain closed when access to such documents is not required. If compliance with this requirement is not possible, BPO LABS S.A.S may adopt duly justified alternative measures, which will be included in this manual.

Descriptions of storage security measures are provided in section 6 of this document.

4. 2. 2. Document access

Access to documents must be carried out exclusively by authorized personnel as specified in section 6 of the manual, following the defined mechanisms and procedures. These procedures must record and retain access to documentation classified with sensitive security levels, whether by authorized users or unauthorized individuals, as reflected in the aforementioned section. The access procedure for documents containing classified sensitive data involves recording access to the documentation, the identity of the user accessing, the time of access, and the accessed documents. Access to documents with this type of data is carried out by authorized personnel; if accessed by unauthorized individuals, it must be supervised by an authorized user or the responsible security officer at BPO LABS S.A.S

4. 3. Security measures for automated databases
4. 3. 1. Identification and authentication

BPO LABS S.A.S must install an information security system that correctly identifies and authenticates users of information systems to ensure that only authorized personnel can access databases. It must also establish a mechanism that allows personalized and unambiguous identification of any user attempting to access the information system and verifies their authorization.

Identification must be performed through a unique system for each user accessing the information, considering the username, employee identification, department name, etc. The nomenclature used for assigning usernames to access the information system and the user authentication system are described in section 6 of this document.

When the authentication system is based on password entry, a procedure for assigning, distributing, and storing passwords must be implemented to ensure their integrity and confidentiality. It is recommended that passwords have a minimum of nine characters and contain uppercase letters, lowercase letters, numbers, and letters. The password policy of BPO LABS S.A.S.

5. Functions and responsibilities

All individuals involved in the storage, processing, retrieval, or any other activity related to personal data and information systems of BPOLABS S.A.S are required to act in accordance with the functions and responsibilities outlined in this section.

BPOLABS S.A.S must inform its service personnel of the security measures and standards relevant to their duties, as well as the consequences of non-compliance, through any means of communication that ensures receipt or dissemination (email, notice boards, etc.). Likewise, the company must provide its personnel with this manual to familiarize themselves with the company's security regulations and their obligations based on their respective roles.

BPOLABS S.A.S fulfills its duty of information by including confidentiality agreements and the obligation of secrecy, where applicable, signed by the users of identification systems mentioned in item 6 regarding databases and information systems. The company also provides an informative circular to the same individuals.

The functions and obligations of the personnel at BPOLABS S.A.S are generally defined based on the type of activity they perform within the company and specifically outlined in this manual. The list of users and profiles with access to protected resources is documented in item 6 regarding databases and information systems. In general, when a user handles documents or media containing personal data, they have the responsibility to safeguard them and ensure that unauthorized individuals cannot access them.

Failure to comply with the obligations and security measures established in this manual by the personnel of BPOLABS S.A.S is subject to sanctions in accordance with the applicable regulations governing the legal relationship between the user and the company.

The functions and responsibilities of users of personal databases under the responsibility of BPOLABS S.A.S are as follows:

  • Duty of secrecy:Applies to all individuals who, in the course of their profession or work, access personal databases, including both users and contracted service providers. In compliance with this duty, users within the company or organization cannot disclose or release data they handle or have knowledge of in the performance of their duties and must ensure the confidentiality and integrity of such data.
  • Control functions and delegated authorizations:The data controller may delegate data processing to third parties, who act as data processors, through a data transmission contract. When data transmission contracts are signed, they should be appended to this manual (Annex IV).
  • Obligations related to implemented security measures:
    • Access databases only with proper authorization and when necessary for the performance of their duties.
    • Do not disclose information to third parties or unauthorized users.
    • Observe security regulations and work to improve them.
    • Do not take actions that pose a risk to information security.
    • Do not remove information from the organization's premises without proper authorization.
  • Use of resources and work materials:Must be oriented towards the performance of assigned duties. The use of these resources and materials for personal or non-work-related purposes is not authorized. When the removal of peripheral or removable devices is necessary for justified work reasons, it should be communicated to the security officers who can authorize and, if applicable, register it.
  • Use of printers, scanners, and other copying devices:When using such devices, copies should be immediately collected, avoiding leaving them in the device trays.
  • Obligation to report incidents:Users have an obligation to report any incidents they become aware of to the security officers, who will handle and resolve them. Some examples of incidents include: the failure of the computer security system allowing unauthorized access to personal data, unauthorized attempt to remove a document or media, data loss or total or partial destruction of media, relocation of databases, knowledge of passwords by third parties, unauthorized modification of data, etc.
  • Duty of custody of used media:Authorized users are obliged to monitor and control access to the information contained in the media by unauthorized individuals. Media containing databases should be labeled to identify the type of information they contain and should be inventoried. When information is classified as sensitive security level, the labeling system should only be understandable to users authorized to access such information.
  • Responsibility for workstations and laptops:Each user is responsible for their own workstation; when absent from their workstation, they must lock the terminal (e.g., screen protector with a password) to prevent the viewing or access of the information it contains, and they must turn off the terminal at the end of the workday. Additionally, laptops must be under constant control to prevent loss or theft.
  • Limited use of the Internet and email:The sending of information electronically and the use of the Internet by personnel is limited to the performance of their activities within the company.
  • Safeguarding and protection of passwords:Passwords provided to users are personal and non-transferable, so their disclosure or communication to unauthorized individuals is prohibited. When a user logs in for the first time with the assigned password, it is necessary to change it. If it is necessary to restore the password, the user must notify the system administrator.
  • Backup copies and data recovery:Backup copies of all personal database information of the company must be performed.
  • Duty of archiving and management of documents and media:Documents and media must be properly archived with the security measures established in section 4 of this manual.
6. Data bases and information systems.

The databases stored and processed by BPOLABS S.A.S are listed in the following table (Table I), which indicates the security level and treatment system for each of them.

Table I. Data bases and Security level

Data Base
Security Level
Treatment System
Video Surveillance

The Following table (Table II) outlines the structure of the databases of BPOLABS S.A.S

Table II. Database Structure

Video Surveillance
Data Controller
BPO LABS S.A.S, NIT: 901426055-2, Address: Carrera 58 # 75-137, Barranquilla -Atlántico, Phone: 3022462684, e-mail:
Incharge of inquiries and complaints
BPO LABS SAS Phone: 3022462684, e-mail:
Types of data
Data Processing
Origin and source data
Collecte by the data controller
Group or category of data subjects
Employees and Exemployees
All individuals who enter the premises

BPOLABS S.A.S appoints security officers and develops specific security measures for each database. All of this is outlined in the following table (Table III).

The appointment of security officers does not exempt the data controller or data processor from their obligations.

Table III. Security officers and database security measures

Security Officers
Sensitive data: BPO LABS SAS
Private data: BPO LABS SAS
Physical Access control
Authorized users, Double key.
Authorized users, key
Records Management
Organizing documents in alphabetical folders (A to Z), storing them in cabinets, avoiding document transportation, and disposing of documents using a paper shredder.
Logical Access Control
User and password, entry log, password change once a year, access lock after three attempts
Backups and recovery procedures
Backups every 15 days; recovery procedure
System of identification and authentication
User and password, password: minimum length: eight characters, numbers and letters; password change at least once a year, three login attempts, encrypted storage.
Document Access Log
Authorized Users

BPOLABS S.A.S identifies in this manual the data processors and specifies the conditions of the processing. When there is a data transmission contract, the data processors are identified in the data transmission annex of this document. The data processors must comply with the functions and obligations related to the security measures outlined in this manual.

7. Procedure for incident notification, management, and response

BPO LABS S.A.S establishes an incident notification, management, and response procedure in order to ensure the confidentiality, availability, and integrity of the information contained in the databases under its responsibility. All users, procedure managers, and any person related to the storage, processing, or querying of the databases outlined in this document must be familiar with the procedure to follow in the event of an incident.

The procedure for incident notification, management, and response is as follows:

  • When a person becomes aware of an incident that affects or may affect the confidentiality, availability, or integrity of the protected information of the company, they must immediately report it to the security officers, providing a detailed description of the type of incident, identifying individuals who may be involved, specifying the date and time of occurrence, the person reporting the incident, the person notified, and the effects produced.
  • Once the incident has been reported, the person should request an acknowledgment of receipt from the corresponding security officer, which confirms the incident notification along with all the previously mentioned requirements.

BPO LABS S.A.S maintains an incident register that includes the type of incident, date and time of occurrence, person reporting it, person notified, effects of the incident, and corrective measures when applicable. This register is managed by the database security officer and should be included as an annex to this manual (Annex III). Additionally, procedures should be implemented for data recovery, specifying the responsible party for executing the process, the restored data, and, if applicable, any data that needed to be manually entered during the recovery process.

8. Measures for transportation, destruction, and reuse of documents and media.

When necessary, any document (original, copy, or reproduction) or media containing personal data should be destroyed or erased, implementing measures to prevent unauthorized access or recovery of the information contained in the document or media. Before initiating the destruction, an acknowledgment or record will be made in a book or agenda, describing the document to be destroyed, the date, time, and signatures of the two individuals witnessing the destruction.

When physically transferring documents or media, necessary measures should be taken to prevent unauthorized access, manipulation, theft, or loss of information. The transfer of media containing personal data should be done by encrypting the information or using any other mechanism that ensures it is not tampered with or accessed.

Data contained in portable devices should be encrypted when outside the premises under the control of BPO LABS S.A.S If encryption is not possible, the processing of personal data through such devices should be avoided. However, processing may be allowed when strictly necessary, taking into account the risks and including security measures in this manual.

9. Final provisions

This manual has been approved by BPO LABS S.A.S, as the data controller, on 01/01/2023. The company accepts its content, orders its execution and compliance, for all personnel of the company in general, and particularly for those mentioned in this document.