International Security Standard | 02/2026

Trust and Security Center
LegallyMail

Our infrastructure is hardened by rigorously following the NIST Cybersecurity Framework.
Radical transparency about how we protect your most critical data.

Status: 100% Secure
LegallyMail E2E encryption: Active
Compliance: 97.1%

Committed to Your Security

At LegallyMail, we align our security controls with the NIST Cybersecurity Framework (CSF), the international gold standard for cyber risk management. Our commitment is to protect the confidentiality, integrity and availability of your certified communications.

  • Controls implemented: 100
  • Total controls: 103
  • 0 security breaches
  • 100% of data encrypted E2E
  • <48h incident response

Why NIST CSF instead of ISO 27001?

Comparison of the two leading cybersecurity frameworks

| Feature                           | NIST CSF 2.0                                        | ISO 27001                                              |
|-----------------------------------|-----------------------------------------------------|--------------------------------------------------------|
| Responsible institution           | US Government                                       | ISO and IEC                                            |
| Approach                          | Risk management, outcome-oriented                   | Process compliance, audit-oriented                     |
| Flexibility                       | High adaptability, scalable framework               | Rigid structure, predefined controls                   |
| Last update                       | 02/2024, evolves with threats                       | 2022, revisions every 7 - 10 years                     |
| Public transparency               | 100% free and public, accessible to all             | Requires paid certification, costly audits             |
| Integration with other frameworks | Direct mapping, compatible with GDPR, PCI-DSS       | Limited, requires adaptation                           |
| Implementation evidence           | Transparent self-assessment, this page is the proof | Private audit, only the certificate is visible         |
| Implementation costs              | No license costs, internal resources only           | €15,000 - €50,000/year, certification + maintenance    |

Why did we choose NIST CSF?

The NIST Cybersecurity Framework was developed by the US National Institute of Standards and Technology and is the gold standard for cybersecurity risk management. Unlike ISO 27001, NIST CSF focuses on measurable outcomes and allows full transparency with our users, as you can see on this very page.

Our Security Posture

Breakdown by NIST Cybersecurity Framework function

🎯 Identify
92% Implemented

Develop the organizational understanding to manage cybersecurity risk.

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management

🛡️ Protect
97% Implemented

Implement safeguards to ensure delivery of critical services.

  • Access Control
  • Awareness and Training
  • Data Security
  • Information Protection
  • Maintenance
  • Protective Technology

🔍 Detect
100% Implemented

Develop activities to identify the occurrence of a cybersecurity event.

  • Anomalies and Events
  • Continuous Monitoring
  • Detection Processes

Respond
100% Implemented

Take action regarding detected cybersecurity incidents.

  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements

♻️ Recover
100% Implemented

Maintain resilience plans and restore impaired capabilities.

  • Recovery Planning
  • Improvements
  • Communications
Implemented Controls

Detailed transparency about our active security controls

Asset Management

ID.AM-1: Physical devices and systems within the organization are inventoried
Evidence: Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.

ID.AM-2: Software platforms and applications are inventoried
Evidence: Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.

ID.AM-3: Organizational communication and data flows are mapped
Evidence: Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.

ID.AM-4: External information systems are catalogued
Evidence: Third-party service documentation, integration records

ID.AM-5: Resources are prioritized based on their classification, criticality, and business value
Evidence: Data Classification Policy.md, Database Encryption Architecture.

Business Environment

ID.BE-1: The organization's role in the supply chain is identified and communicated
Evidence: Service provider documentation, TSA integration, Stripe payment processing

ID.BE-2: The organization's place in critical infrastructure is identified
Evidence: Service architecture documentation, critical service monitoring

ID.BE-3: Priorities for organizational mission, objectives, and activities are established
Evidence: NIST compliance framework, GDPR compliance, service SLAs

ID.BE-4: Dependencies and critical functions are established
Evidence: Service dependency mapping, critical function documentation

ID.BE-5: Resilience requirements to support delivery of critical services are established
Evidence: Service status dashboard, maintenance mode system, error handling framework

Governance

ID.GV-1: Organizational cybersecurity policy is established and communicated
Evidence: Cybersecurity Policy.md, NIST CSF Compliance Dashboard, GDPR Compliance Documentation, Security Policies Library, Cybersecurity Leadership Designation Records

ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned
Evidence: Internal security coordination, admin role structure

ID.GV-3: Legal and regulatory requirements are understood and managed

ID.GV-4: Governance and risk management processes address cybersecurity risks
Evidence: NIST compliance dashboard, risk assessment through compliance monitoring

Risk Assessment

ID.RA-1: Asset vulnerabilities are identified and documented
Evidence: Past audit with Claude Sonnet 4.5 in January 2026

ID.RA-2: Cyber threat intelligence is received from information sharing forums
Evidence: Composer security advisories, dependency monitoring

ID.RA-3: Threats, both internal and external, are identified and documented
Evidence: Risk Management Framework.md, Risk Register, Security Advisory Monitoring.

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
Evidence: Risk Management Framework.md, Risk Register, Security Advisory Monitoring.

ID.RA-6: Risk responses are identified and prioritized
Evidence: Security improvements, vulnerability patching process

Risk Management

ID.RM-1: Risk management processes are established, managed, and agreed to
Evidence: Risk Management Framework.md, Risk Register, Security Advisory Monitoring.

ID.RM-2: Organizational risk tolerance is determined and clearly expressed
Evidence: NIST CSF compliance, GDPR compliance, security headers implementation

ID.RM-3: The organization's determination of risk tolerance is informed by its role
Evidence: Risk Management Framework.md, Risk Register, Security Advisory Monitoring.

Access Control

PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited
Evidence: Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.

PR.AC-2: Physical access to assets is managed and protected
Evidence: Hetzner ISO 27001 certification, data center security documentation

PR.AC-3: Remote access is managed
Evidence: Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.

PR.AC-4: Access permissions and authorizations are managed
Evidence: Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.

PR.AC-5: Network integrity is protected (e.g., network segregation)
Evidence: Network Security Protocol.md, SSL Labs A+ Report, Cloud Firewall Configuration.

PR.AC-6: Identities are proofed and bound to credentials
Evidence: Email verification system, email_verified column in users table

PR.AC-7: Users, devices, and assets are authenticated

Awareness and Training

PR.AT-1: All users are informed and trained on cybersecurity awareness
Evidence: Privacy policy, terms of service, GDPR compliance documentation

PR.AT-2: Privileged users understand their roles and responsibilities
Evidence: Admin dashboard with security controls, role-based access documentation

PR.AT-3: Third-party stakeholders understand their roles and responsibilities
Evidence: Vendor agreements, partner documentation, API documentation

PR.AT-4: Senior executives understand their roles and responsibilities

PR.AT-5: Physical and cybersecurity personnel understand their roles
Evidence: Admin role documentation, Hetzner security procedures

Data Security

PR.DS-1: Data-at-rest is protected
Evidence: Provided by Google Cloud (external provider)

PR.DS-2: Data-in-transit is protected

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
Evidence: User data management, certified_emails retention, data export capabilities

PR.DS-4: Adequate capacity to ensure availability is maintained
Evidence: Hetzner infrastructure monitoring, service status tracking

PR.DS-5: Protections against data leaks are implemented
Evidence: 256-bit AES encryption and hashing of sensitive data

PR.DS-6: Integrity checking mechanisms verify software and information integrity

PR.DS-7: Development and testing environment(s) are separate from production
Evidence: Secure Development Policy.md, Git Commit History, Isolated Production Environment.

PR.DS-8: Integrity checking mechanisms verify hardware integrity
Evidence: Hetzner infrastructure security, ISO 27001 certification

Information Protection

PR.IP-1: A baseline configuration of systems is created and maintained
Evidence: Secure Development Policy.md, Git Commit History, Isolated Production Environment.

PR.IP-2: A System Development Life Cycle to manage systems is implemented
Evidence: Secure Development Policy.md, Git Commit History, Isolated Production Environment.

PR.IP-3: Configuration change control processes are in place
Evidence: Git repository, .env file management, version control practices

PR.IP-4: Backups of information are conducted, maintained, and tested
Evidence: Backup And Recovery Policy.md, Hetzner Backup Logs, Google Drive Forensic Archival Records.

PR.IP-5: Policy and regulations regarding the physical operating environment
Evidence: Hetzner data center certifications, environmental controls documentation

PR.IP-6: Data is destroyed according to policy
Evidence: Data Retention Disposal Policy.md, Hard Delete Database Functions, Backup Rotation Policy.

PR.IP-7: Protection processes are improved
Evidence: NIST compliance dashboard, regular security updates, dependency updates

PR.IP-8: Effectiveness of protection technologies is shared
Evidence: Internal security reviews, NIST compliance public page

PR.IP-9: Response and recovery plans are in place and managed

PR.IP-10: Response and recovery plans are tested
Evidence: Backup And Recovery Policy.md, Hetzner Backup Logs, Google Drive Forensic Archival Records.

PR.IP-11: Cybersecurity is included in human resources practices

PR.IP-12: A vulnerability management plan is developed and implemented
Evidence: Vulnerability Management Policy.md, Composer.lock Security Scan History.

Maintenance

PR.MA-1: Maintenance and repair of assets are performed and logged
Evidence: Maintenance Approval Process.md, Git Commit History With Detailed Logs, Hetzner Infrastructure Maintenance Logs, SSH Access Logs, Development Workflow Documentation

PR.MA-2: Remote maintenance of assets is approved, logged, and performed
Evidence: Server access logs, admin activity monitoring

Protective Technology

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed
Evidence: Logging Auditing Policy.md, MariaDB Binary Logs, Application Error Logs.

PR.PT-2: Removable media is protected and its use restricted
Evidence: File upload validation, allowed file type restrictions

PR.PT-3: The principle of least functionality is incorporated
Evidence: Secure Development Policy.md, Git Commit History, Isolated Production Environment.

PR.PT-5: Mechanisms are implemented to achieve resilience requirements
Evidence: ErrorController, maintenance mode, service_status monitoring, Hetzner backups

Anomalies and Events

DE.AE-1: A baseline of network operations and expected data flows is established
Evidence: Service status monitoring, normal operation baselines

DE.AE-2: Detected events are analyzed to understand attack targets and methods
Evidence: Error logs, admin notification system, support ticket analysis

DE.AE-3: Event data are collected and correlated from multiple sources
Evidence: Logging Auditing Policy.md, MariaDB Binary Logs, Application Error Logs.

DE.AE-4: Impact of events is determined
Evidence: Service status levels, impact assessment in monitoring

DE.AE-5: Incident alert thresholds are established
Evidence: PasswordResetLimiter.php, rate_limits table, API rate limiting

Continuous Monitoring

DE.CM-1: The network is monitored to detect potential cybersecurity events
Evidence: Hetzner infrastructure monitoring, rate_limits table, authentication logs, service status dashboard, admin alerts for suspicious activity

DE.CM-2: The physical environment is monitored to detect cybersecurity events
Evidence: Hetzner data center monitoring, environmental controls

DE.CM-3: Personnel activity is monitored to detect cybersecurity events
Evidence: Login logs, session tracking, admin activity logs, rate_limits enforcement, email usage patterns, anomaly detection for bulk sending

DE.CM-4: Malicious code is detected
Evidence: File upload validation, MIME type checking, input sanitization

DE.CM-5: Unauthorized mobile code is detected
Evidence: Code Integrity Detection.md, Restrictive CSP Implementation In Init.php, File Upload MIME Validation Logic.

DE.CM-6: External service provider activity is monitored
Evidence: Stripe webhook monitoring, email service status tracking

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software
Evidence: Session tracking, authentication logs, rate limiting system

DE.CM-8: Vulnerability scans are performed
Evidence: Vulnerability Management Policy.md, Composer.lock Security Scan History.

Detection Processes

DE.DP-1: Roles and responsibilities for detection are well defined
Evidence: Admin role system, automated monitoring, alert notifications

DE.DP-2: Detection activities comply with all applicable requirements
Evidence: GDPR compliance, privacy policy, data protection measures

DE.DP-3: Detection processes are tested
Evidence: Detection Testing Procedures.md, Security Testing Log (admin Records), Rate Limits Table History.

DE.DP-4: Event detection information is communicated
Evidence: Admin email notifications, user notification system, service status dashboard (/service-status), error notification emails, automated monitoring alerts

DE.DP-5: Detection processes are continuously improved
Evidence: NIST compliance dashboard, continuous improvement process

Response Planning

RS.RP-1: Response plan is executed during or after an incident
Evidence: Incident Response Disaster Recovery.md, Hetzner Backup Logs.

Communications

RS.CO-1: Personnel know their roles and order of operations
Evidence: Cybersecurity personnel identified (ID.AM-6), admin role documentation, incident response procedures, escalation contacts

RS.CO-2: Incidents are reported consistent with established criteria
Evidence: Support ticket system, admin alert mechanisms, service_status table, incident classification system, automated notification triggers

RS.CO-3: Information is shared consistent with response plans
Evidence: Service status page, notification system, user communication channels

RS.CO-4: Coordination with stakeholders occurs
Evidence: Support ticket system, admin dashboard, stakeholder communication

RS.CO-5: Voluntary information sharing occurs with external stakeholders
Evidence: Internal incident communication, public status page

Analysis

RS.AN-1: Notifications from detection systems are investigated
Evidence: Error logging system, admin monitoring dashboard, support ticket investigation

RS.AN-2: The impact of the incident is understood
Evidence: Service status levels (operational/degraded/outage), impact tracking

RS.AN-3: Forensics are performed
Evidence: Digital Forensics Protocol.md, Admin Activity Logs, Forensic Archival Records.

RS.AN-4: Incidents are categorized consistent with response plans
Evidence: Service status categories, support ticket types, incident classification

RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities
Evidence: Composer security advisories, dependency update workflow, security patch deployment, audit findings implementation, NIST compliance continuous improvement

Mitigation

RS.MI-1: Incidents are contained
Evidence: Maintenance mode, rate limiting system, authentication controls

RS.MI-2: Incidents are mitigated
Evidence: ErrorController, automatic error recovery, admin tools

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
Evidence: Security update history, dependency version upgrades, code fix commits, NIST compliance status tracking, risk acceptance documentation in compliance notes

Improvements

RS.IM-1: Response plans incorporate lessons learned
Evidence: Post Incident Review Protocol.md, Internal Security Testing Logs.

RS.IM-2: Response strategies are updated
Evidence: NIST compliance updates, continuous security enhancements

Recovery Planning

RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
Evidence: Incident Response Disaster Recovery.md, Hetzner Backup Logs.

Improvements

RC.IM-1: Recovery plans incorporate lessons learned
Evidence: Post Incident Review Protocol.md, Internal Security Testing Logs.

RC.IM-2: Recovery strategies are updated
Evidence: NIST compliance monitoring, recovery process updates

Communications

RC.CO-1: Public relations are managed
Evidence: Public status page at /status, user notification system

RC.CO-2: Reputation is repaired after an incident
Evidence: Service Status, Automated Incident Notification Templates.

RC.CO-3: Recovery activities are communicated to stakeholders
Evidence: Internal communication channels, user notification system, service_status table and dashboard, vendor contact procedures, stakeholder communication templates, public recovery announcements

Our Commitment to Security

Policies and direct contacts to guarantee your peace of mind

Responsible Disclosure

If you discover a security vulnerability, we ask that you report it to us responsibly:

Report a Vulnerability

Security Team

Do you have questions about our security, or need information for an audit?

  • DPO: Available for GDPR inquiries
  • NDA: We sign non-disclosure agreements
  • Audits: We share reports with enterprise customers

Contact the Team

Do you have questions about our security?

Our security and compliance team is available to answer your questions.

Contact Security