What we have. What is coming.
We do not claim certificates we do not have. Below is an honest overview of our current compliance posture and the certifications we are working towards. Links to the full technical details are provided where relevant.
- GDPR: Active
General Data Protection Regulation (GDPR)
Hops processes staff data per GDPR. Processing register active (Article 30), encryption, access control, right to export and deletion guaranteed in the architecture. Data processing agreement available for all customers.
- EU Data Residency: Active
EU hosting — data localisation
All customer data resides exclusively in Microsoft Azure EU-West (Amsterdam, Netherlands). No data transfer to third countries outside the EU. No US CLOUD Act exposure — Azure operates under Standard Contractual Clauses (SCC) for EU/EEA.
- NEN 7510: In progress · formal audit planned 2026
NEN 7510 — Information security in healthcare
Phase 1 (audit preparation) completed: risk analysis, asset register, policy documentation, technical measures. Phase 2 (formal audit by external party) planned for 2026. Phase 3 (certification) follows a successful audit. See our compliance roadmap for the full timeline.
- ISO 27001: In progress — parallel to NEN 7510
ISO/IEC 27001 — Information security management
ISO 27001 and NEN 7510 share a large portion of controls. Our audit preparation runs in parallel for both standards. Certification is pursued after the NEN 7510 formal audit.
- SOC 2: Planned — after ISO 27001
SOC 2 Type II
SOC 2 Type II is relevant for customers with international or financial compliance requirements. We start SOC 2 audit preparation after completing ISO 27001 certification. No date set.