Concrete evidence of 23people's commitment to information security, personal data protection, and environmental responsibility.
ISO/IEC 27001:2022
International standard
Valid until Mar 24, 2029
Active certification
Certified by QCC
Accredited body
ISO/IEC 27001:2022 is the most widely recognized international standard for information security management. Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it establishes the requirements for implementing, maintaining, and continuously improving an Information Security Management System (ISMS).
For 23people's clients, having an ISO 27001 certified partner means the company has been audited by an independent, accredited body, Quality Control Certification (QCC), and complies with over 90 security controls organized under the Annex A domains of the standard. This is not a self-declaration: it is an external, periodic verification that our processes, technology, and people operate under a robust security framework.
Being certified means 23people proactively manages information security risks across all services: from software development to technology consulting and platform operations. For our clients, this translates into verifiable trust, reduced supply chain risk, compliance with regulatory and contractual requirements, and the assurance that security is an institutional commitment, not an isolated initiative.
Identity management, multi-factor authentication, least privilege, and periodic access reviews.
Encryption at rest and in transit, cryptographic key management, and secure algorithm policies.
Certified data centers, physical access controls, environmental monitoring, and perimeter protection.
Change management, malware protection, backups, and recovery procedures.
Segmented networks, next-gen firewalls, VPNs, and continuous traffic monitoring.
Secure SDLC, code reviews, automated security testing, and vulnerability management.
Security due diligence, security SLA agreements, and continuous third-party monitoring.
Incident response plan, timely notification, and lessons learned for continuous improvement.
Definition of security policies, ISMS objectives, risk assessment, and selection of controls appropriate to the organizational context.
Deployment of selected security controls, staff training and awareness, and daily operation of the management system.
Regular internal audits, performance indicator monitoring, control effectiveness measurement, and compliance review.
Implementation of corrective and preventive actions, continuous ISMS improvement, and management review to ensure strategic alignment.
| Initiative | Status | Date |
|---|---|---|
| ISO/IEC 27001:2022 Certification | ✅ Completed | Mar 2026 |
| Surveillance Audit 1 | 🔄 In progress | Sep 2026 |
| Security Awareness Program | 🔄 In progress | Dec 2026 |
| ISO/IEC 27701 Certification (Privacy) | 📋 Upcoming | Jun 2027 |
| Annual External Pentesting | 📋 Upcoming | Dec 2026 |
You can download a digital copy of the certificate directly from this page, in the ISO 27001 Security section, where you'll find the available PDF. If you require an additional official or verified copy, you can email us at seguridad@23people.io and we will send it to you.
The certification covers 23people SpA's Information Security Management System (ISMS), including all software development, technology consulting, and platform operation services delivered to clients. The scope encompasses design, development, implementation, operation, and support processes, as well as associated technical talent management. The certificate details the exact scope and is available for download and external verification on this page.
ISO 27001 certification is valid for three years. During that period, annual surveillance audits are conducted to verify that the management system remains compliant with the standard's requirements. At the end of the three-year cycle, a complete recertification audit is performed. This ensures that 23people not only obtained certification but maintains and continuously improves its ISMS.
If you detect a security vulnerability or wish to report an incident, you can email us directly at seguridad@23people.io. Our security team reviews these reports with priority and maintains communication with the reporter throughout the investigation and remediation process. We commit to acknowledging receipt within a maximum of 48 business hours and keeping you informed about the resolution progress.
Security when working with external talent is an integral part of our ISMS and is covered by our Supplier Management process. We conduct security due diligence before onboarding any external collaborator, require NDAs and confidentiality agreements, verify backgrounds when applicable, and all personnel, internal and external, receive mandatory information security training. Additionally, access to our systems and our clients' systems is governed by the principle of least privilege and is periodically reviewed.
If you suspect a security breach involving 23people or any of its services, you must notify us immediately via seguridad@23people.io. In your message, include all information you can provide: incident description, approximate date and time, affected services or systems, and any available evidence. This will activate our Incident Management Procedure, which includes containment, investigation, notification to affected parties when applicable, and corrective actions. Do not investigate on your own — it is preferable to preserve evidence and let our specialized team conduct the forensic analysis.
For any inquiries related to information security or our ISO/IEC 27001:2022 certification, you can contact us through the following channels:
Security: seguridad@23people.io
General inquiries: trust@23people.io
We commit to responding within a maximum of 48 business hours.
Law No. 21.719 on Personal Data Protection, published on December 13, 2024, is Chile's new regulation that modernizes the privacy and personal data processing framework. This law is fully enforceable and subject to oversight starting December 2026, and is enforced by the new Personal Data Protection Agency, the technical body responsible for ensuring compliance and applying sanctions.
Non-compliance with Law 21.719 may result in fines of up to 20,000 UTM (approximately USD $2.5 million at 2026 value) or up to 4% of the company's annual revenue, whichever is greater. Additionally, the authority may order the temporary suspension of data processing operations and impose mandatory corrective measures.
| Initiative | Status | Date |
|---|---|---|
| Data Protection Officer designation | ✅ Completed | Jan 2026 |
| Personal data inventory | ✅ Completed | Feb 2026 |
| Updated Privacy Policy | ✅ Completed | Mar 2026 |
| ARCO rights procedures | 🔄 In progress | Jun 2026 |
| Data Protection Impact Assessment (DPIA) | 🔄 In progress | Sep 2026 |
| Data processing agreements | 📋 Upcoming | Oct 2026 |
| Full Law 21.719 compliance | 📋 Upcoming | Dec 2026 |
ARCO Legal is the SaaS platform developed by 23people that automates compliance with Law No. 21.719. It is designed for Chilean companies that need to comply with the new personal data protection regulation without legal or technical complexity.
23people has formally adopted the Science Based Targets initiative (SBTi), the global initiative that validates that a company's emission reduction targets are aligned with climate science and the Paris Agreement, limiting global warming to 1.5°C above pre-industrial levels.
Our science-based greenhouse gas (GHG) emission reduction targets, currently under SBTi validation, are:
As a 100% digital and remote company, our direct operational footprint is inherently low compared to traditional industries. However, we are aware of the impact of our cloud services and technology infrastructure, and we work with cloud providers that hold renewable energy and energy efficiency certifications. Our SBTi commitment is public, measurable, and audited.
| Initiative | Status | Date |
|---|---|---|
| SBTi commitment adoption | ✅ Completed | Jan 2025 |
| Environmental policy definition | ✅ Completed | Jun 2025 |
| Carbon footprint measurement (GHG Protocol) | 🔄 In progress | Dec 2026 |
| Emission reduction strategy | 📋 Upcoming | Jun 2027 |
| Carbon offsetting | 📋 Upcoming | Dec 2027 |
| Sustainability report | 📋 Upcoming | Mar 2027 |
Sustainability governance at 23people is structured to ensure that environmental commitment is cross-cutting across the entire organization, with clear responsibilities and periodic accountability.
Responsible for corporate environmental strategy, reports directly to executive leadership. Defines objectives, oversees footprint measurement, and represents 23people before SBTi and other sustainability forums.
One representative per team (engineering, design, operations, talent) who promotes sustainable practices day-to-day, leads local impact reduction initiatives, and reports to the Sustainability Leader.
Focused on energy efficiency of our technology infrastructure, cloud workload optimization, supplier selection with sustainability criteria, and technological Scope 3 measurement.
Monthly meetings of the sustainability committee, annual measurement of carbon footprint under GHG Protocol, and transparent reporting of progress to all stakeholders.
Science Based Targets (SBTi) are greenhouse gas emission reduction targets aligned with what the latest climate science deems necessary to limit global warming to 1.5°C. The SBTi initiative is a collaboration between CDP, the UN Global Compact, WRI, and WWF. Companies that adopt SBTi publicly commit to quantifiable, verifiable reduction targets with defined timelines, demonstrating a real, not merely declarative, climate commitment.
We use the GHG Protocol (Greenhouse Gas Protocol) methodology, the most widely used international standard for emissions accounting. This includes measurement of all three scopes: Scope 1 (direct emissions from owned sources), Scope 2 (indirect emissions from electricity consumption), and Scope 3 (value chain emissions, including cloud providers, business travel, and employee commuting). Measurement is conducted annually, and results will be published in our sustainability report.
Our goal is to achieve carbon neutrality (net-zero) by 2040, covering all three emissions scopes. This is a long-term goal requiring progressive transformations in our value chain, adoption of more efficient technologies, and offsetting of residual emissions. As intermediate milestones, we have set a 50% reduction in Scope 1+2 emissions by 2030 and a 30% reduction in Scope 3 by the same year.