Security & Compliance

Law 21.719: How HaddaCloud protects your data with AES-256 encryption

Chile's new data protection law demands technical security measures. The HaddaCloud CRM already implements encryption at rest with AES-256 across its analytical and operational databases, protecting every collection, sales, and service campaign.

José Luis Vargas · CEO, Movatec · Updated 23 June 2026 · 7 min read

In this guide

  1. What does Law 21.719 require?
  2. AES-256-CTR encryption on ClickHouse
  3. AES-256-XTS encryption on MongoDB
  4. ISO 27001:2022 — the management framework
  5. Impact on collections and sales campaigns
  6. Frequently asked questions

What does Law 21.719 require?

Law 21.719, Chile's new Personal Data Protection Framework, comes into force on December 1, 2026. Its Article 14 ter explicitly establishes the data controller's duty of security:

"The controller must adopt the necessary technical and organizational measures to ensure the security of personal data..." — Art. 14 ter, Law 21.719

This includes, among other obligations:

  • Encryption at rest: stored data must be protected by cryptographic mechanisms that prevent reading in case of unauthorized physical access.
  • Access controls: who can read, modify, or delete personal data.
  • Breach notification: mandatory reporting of security incidents to authorities and data subjects.
  • Impact assessments: prior analysis for high-risk processing activities.

For a collections and contact center operation handling millions of interactions per month, encryption at rest is the technical foundation for the entire security system. Without storage-level encryption, physical server access —no matter how strong the perimeter controls— would expose all personal data of debtors, patients, or customers.

Key fact: The law does not mandate a specific algorithm, but requires measures to be "proportional to risk." AES-256 is the international reference standard (NIST FIPS 197, ISO/IEC 18033-3) and the most widely adopted option for its balance of security and performance.

AES-256-CTR encryption on ClickHouse

HaddaCloud's analytical engine, ClickHouse, stores critical data for collections campaigns: phone enrichment, contactability history, management rankings, recordings, and CDRs. These amount to hundreds of gigabytes of personal data that feed predictive scoring algorithms and recovery reports.

Encryption is implemented at the native disk level of the engine (Encrypted Disk). All data files —.bin, .mrk3, .idx— are stored encrypted on the server's filesystem. The algorithm used is AES-256-CTR (Advanced Encryption Standard in Counter mode), managed by a 256-bit symmetric key controlled exclusively by the database process.
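As an added illustration (not HaddaCloud's configuration or code), the following Python check reads a ClickHouse storage configuration and reports encrypted disks that would not actually run AES-256-CTR. ClickHouse falls back to AES_128_CTR when `<algorithm>` is omitted and expects a 32-byte key for AES_256_CTR. The disk names, paths, key, and environment variable name in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: disk names, paths and the key are hypothetical.
SAMPLE_CONFIG = """
<clickhouse><storage_configuration><disks>
  <local_data><type>local</type><path>/var/lib/clickhouse/plain/</path></local_data>
  <enc_default>
    <type>encrypted</type><disk>local_data</disk><path>enc_a/</path>
    <key>0123456789abcdef</key>
  </enc_default>
  <enc_256>
    <type>encrypted</type><disk>local_data</disk><path>enc_b/</path>
    <algorithm>AES_256_CTR</algorithm>
    <key_hex from_env="CH_DISK_KEY_HEX"/>
  </enc_256>
</disks></storage_configuration></clickhouse>
"""

# Key sizes in bytes that ClickHouse expects for each encrypted-disk algorithm.
KEY_BYTES = {"AES_128_CTR": 16, "AES_192_CTR": 24, "AES_256_CTR": 32}


def audit_encrypted_disks(config_xml):
    """Return {disk_name: [findings]} for every disk of type 'encrypted'."""
    root = ET.fromstring(config_xml)
    report = {}
    for disk in root.findall("./storage_configuration/disks/*"):
        if (disk.findtext("type") or "").strip() != "encrypted":
            continue
        findings = []
        algo = (disk.findtext("algorithm") or "").strip()
        if not algo:
            algo = "AES_128_CTR"  # the server's default when <algorithm> is omitted
            findings.append("no <algorithm>: defaults to AES_128_CTR, not AES-256")
        elif algo != "AES_256_CTR":
            findings.append(f"algorithm is {algo}, not AES_256_CTR")
        for tag in ("key", "key_hex"):
            for el in disk.findall(tag):
                if el.get("from_env"):
                    continue  # value injected at server start; not checkable here
                raw = (el.text or "").strip()
                size = len(raw) // 2 if tag == "key_hex" else len(raw.encode())
                if size != KEY_BYTES.get(algo):
                    findings.append(f"<{tag}> is {size} bytes, wrong for {algo}")
        report[disk.tag] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_encrypted_disks(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else findings)
```

An empty findings list for a disk means its declared algorithm is AES_256_CTR and any inline key has the matching length.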

Covered databases include contact enrichment, portfolio management data, and voice analytics records — over 500 GB of personal data including phone numbers, management histories, and contactability records.

What this means for a collections campaign: Every time the scoring system assigns a priority to a phone number, every time an agent queries a debtor's history, and every time a recovery report consolidates thousands of interactions, the data is stored encrypted. Even with physical disk access, the data remains unreadable without the encryption key.

Learn more about our platform architecture.

AES-256-XTS encryption on MongoDB

HaddaCloud's operational CRM —where collections, sales, and service campaigns run in real time— operates on MongoDB in a ReplicaSet configuration. This is where transactional data lives: debtor phone numbers, case management, collections decision trees, voice assistant sessions, and chatbot flows.

For MongoDB, encryption is implemented at the OS block level using LUKS2 (Linux Unified Key Setup v2) with AES-256-XTS. This mechanism operates below the database engine: the entire partition where MongoDB stores its WiredTiger files is encrypted with dm-crypt, and decryption happens transparently as the OS reads blocks.

The encryption key is stored in a protected file with restrictive permissions (root only), referenced in the system's mount configuration for automatic boot without manual intervention. The encryption applies to all nodes in the ReplicaSet, leaving no blind spot in replication.
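As an added illustration (not HaddaCloud's tooling), the following Python check covers the two properties described above: that the volume header really is LUKS2 with AES-256-XTS, and that the key file is owner-only. It assumes the text comes from `cryptsetup luksDump`; the sample dump is constructed and abridged, and the key file path is whatever the mount configuration references.

```python
import os
import re
import stat

# Constructed, abridged sample in the layout `cryptsetup luksDump` prints for LUKS2.
SAMPLE_LUKSDUMP = """\
LUKS header information
Version:        2
Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
"""


def audit_luks_dump(dump_text):
    """Return findings for a volume that is not LUKS2 with AES-256-XTS."""
    findings = []
    version = re.search(r"^Version:\s*(\d+)", dump_text, re.M)
    if not version or version.group(1) != "2":
        findings.append("header is not LUKS2")
    cipher = re.search(r"^\s*cipher:\s*(\S+)", dump_text, re.M)
    if not cipher or not cipher.group(1).startswith("aes-xts"):
        findings.append("data segment cipher is not aes-xts")
    key = re.search(r"^\s*Key:\s*(\d+) bits", dump_text, re.M)
    bits = int(key.group(1)) if key else 0
    # XTS splits the volume key into two AES keys, so AES-256-XTS needs 512 bits;
    # a 256-bit volume key with aes-xts-plain64 is AES-128-XTS.
    if bits != 512:
        findings.append(f"volume key is {bits} bits; AES-256-XTS needs 512")
    return findings


def audit_keyfile(path, owner_uid=0):
    """Return findings if the key file is not owned by owner_uid and owner-only."""
    st = os.stat(path)
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {owner_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    return findings
```

Running both checks on every ReplicaSet member confirms that no node was left on a weaker cipher or with a readable key file.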

Key difference: While ClickHouse uses engine-level encryption (the database knows its own files), MongoDB uses block-level encryption (the OS encrypts the entire volume). Both are equivalent in security but operate at different layers. Combining them covers 100% of personal data at rest.

This directly impacts sales management and collections campaigns: every time a human agent or an AI voice agent queries or records an interaction, the data is encrypted at rest, and the traceability of every action is protected.

ISO 27001:2022 — the management framework

Encryption at rest is a technical measure. But an effective security policy also requires an organizational framework: policies, procedures, audits, and continuous improvement. That's exactly what ISO 27001:2022 certification provides.

HaddaCloud by Movatec holds ISO 27001:2022 certification on its information security management system. This means:

  • A documented risk assessment and treatment process exists.
  • Technical measures like encryption are based on formal risk-based decisions, not ad-hoc choices.
  • Regular internal and external audits are conducted.
  • A continuous improvement plan ensures measures evolve as threats change.

The combination of ISO 27001 + AES-256 encryption allows HaddaCloud to offer its collections, sales, and service clients a platform that meets the highest security standards, in both the technical and organizational layers. See our security policy and management system.

Impact on collections and sales campaigns

Beyond regulatory compliance, encryption at rest has concrete effects on daily operations:

| Dimension | Without encryption at rest | With AES-256 (HaddaCloud) |
| --- | --- | --- |
| Client confidence | Depends on verbal promises | Auditable, documented technical measures |
| Breach risk | Physical access = data exposed | Data unreadable without encryption key |
| Law 21.719 compliance | Not demonstrable | Formal declaration under Art. 14 ter |
| Auditability | No technical evidence | Implementation docs + ISO 27001 |
| Operational performance | — | No query impact (transparent decryption) |

For a collections operation handling sensitive data from thousands of debtors, encryption at rest is not just a legal obligation — it is a competitive advantage. Institutional clients —banks, retail, clinics, universities— increasingly demand concrete technical measures, not just contractual clauses. Learn more on collections portfolio management and analytics reports.

Frequently asked questions

What does Law 21.719 require regarding data security?
Article 14 ter establishes the duty to adopt technical and organizational measures to ensure personal data security, including encryption at rest, access controls, and breach notification. Effective from December 1, 2026.

What encryption algorithms does HaddaCloud use?
AES-256-CTR on ClickHouse (native disk encryption of the analytical engine) and AES-256-XTS over LUKS2 on MongoDB (block-level OS encryption). Both comply with NIST FIPS 197 and ISO/IEC 18033-3 standards.

Does encryption affect campaign performance?
No. Encryption at rest is transparent to the database engine. Analytical queries on ClickHouse and transactional operations on MongoDB maintain the same performance, because decryption happens at the disk/block level before data reaches the engine.

Is HaddaCloud ISO 27001 certified?
Yes. HaddaCloud by Movatec holds ISO 27001:2022 certification on its information security management system, complementing technical encryption measures with an organizational framework for continuous improvement.
