NIS2 controls

We track our information-security programme against the EU NIS2 Directive (Art. 21) and ISO 27001 control families. Below is a public summary; full evidence is available to regulators and prospective partners on request via security@arze.example.

1. Governance & risk management

  • Documented information-security policy reviewed annually.
  • Risk register with owners and review cadence — see /risk-register.
  • Annual Data Protection Impact Assessment — see /dpia.

2. Incident handling (24-hour notification target)

  • Documented incident response plan with detection, containment, eradication, recovery, lessons-learned phases.
  • Significant incidents reported to affected users within 24 hours and to the relevant supervisory authority within 72 hours.
  • All admin actions written to an immutable audit log.

3. Business continuity

  • Daily encrypted database backups with point-in-time recovery.
  • Offline-first client cache so the app keeps working during provider outages.
  • Outbox queue for writes when the user is offline.

4. Supply-chain security

  • Every sub-processor listed publicly at /subprocessors with transfer mechanism.
  • Data Processing Agreements with every processor.
  • Automated dependency vulnerability scanning with timely patching.

5. Cryptography

  • TLS 1.2+ in transit; AES-256 at rest for the managed database and storage.
  • Client-side AES-GCM encryption for any sensitive data cached on-device, with a PBKDF2-derived key bound to your session.
  • Idle auto-lock wipes decrypted material after extended inactivity.

6. Access control & authentication

  • Row-Level Security on every database table — least-privilege by default.
  • Roles separated into user, verified_lb, moderator, admin.
  • Role assignment is audited and reviewed quarterly.

7. Awareness & training

  • Mandatory privacy & safety training for every moderator and admin before access is granted.
  • Annual refresher and tabletop incident exercise.

8. Vulnerability disclosure

Found a security issue? Email security@arze.example. We aim to acknowledge within 72 hours and we credit responsible reporters.