Security

Trust posture

Certifications, regulatory stance, data residency, controls, AI use, retention, and contacts.

/trust

Pre-answered security questionnaire

CAIQ-style answers covering the ~50 most common procurement questions. Linkable into security portals.

/trust/security-questionnaire

Service status

Operational state per component, current incidents, and an RSS feed at /status/feed.xml for compliance-tool subscription.

/status

Vulnerability Disclosure Policy

Reporting channel, response SLAs, severity matrix, in/out of scope, and safe-harbor terms.

/security/disclosure

security.txt (RFC 9116)

Machine-readable contact and expiry. Procurement scanners and security researchers walk this path automatically.

/.well-known/security.txt

Data Processing Agreement

Article 28 GDPR terms, Annex A sub-processors, Annex B technical and organizational measures. Signed counterpart available on request.

/dpa

DPIA summary

Article 35 process and per-activity assessment outcomes, plus the voluntary light-touch DPIA for AI inference.

/dpia

Record of Processing Activities (summary)

Article 30 register — ten controller activities + two processor activities with lawful basis, retention, transfer safeguards.

/ropa

Incident Response Plan (summary)

Severity tiers, 72-hour GDPR Article 33 customer notification, IMY filing path, post-mortem cadence.

/irp

Sub-processors

Category-based list with 30-day change notice. RSS feed of changes at /subprocessors/feed.xml.

/subprocessors