Compliance · NEN 7510 · ISO 27001
Our path to certification.
We publish this roadmap because our customers — and their IT departments — deserve transparency. The phases below reflect where we actually are, not where we wish to be. No fabricated dates, no marketing speak.
Last updated: June 2026
- Phase 1 · Completed: Audit preparation
  - Internal risk analysis conducted per NEN 7510 methodology
  - Asset register created for all processing systems
  - Processing register per GDPR Article 30 active
  - Security policy documented
  - Incident response procedure established
  - Supplier management and data processing agreements in place
  - Technical measures: AES-256, row-level security (RLS), HTTPS, Key Vault, point-in-time restore (PITR) back-ups
- Phase 2 · Planned · 2026: Formal audit preparation
  - Statement of Applicability (SoA) drafting
  - Gap analysis by external party
  - Risk management plan formalisation
  - Internal audit execution
  - Management review
  - Audit-ready documentation structure
- Phase 3 · Planned · after Phase 2: Certification
  - Stage 1 audit by accredited certification body
  - Stage 2 audit (main audit)
  - Resolve nonconformities
  - NEN 7510 / ISO 27001 certificate
  - Annual surveillance audits
Current posture
What is already in place.
- Hosting: Microsoft Azure · EU-West (Amsterdam) · GDPR-compliant
- Encryption: AES-256 at rest · TLS 1.2+ in transit · Azure Key Vault
- Data residency: All customer data in the Netherlands / EU — no Atlantic crossing
- Back-up: Automatic every hour + 14-day PITR · annual restore drill
- Access control: Microsoft Entra External ID · RBAC · MFA required for admins
- GDPR: Data processing agreement available · right to export + deletion guaranteed
- Staff data: Row-level security (RLS) per tenant · NOBYPASSRLS active · no cross-tenant access