Trust center
Maps to ISO 27001 and 27701
- Information Security Management System (ISMS) with scope, policy and risk register
- Privacy Information Management System (PIMS) as an extension (ISO 27701)
- Least-privilege and need-to-know access policy
- Onboarding and offboarding procedure with access review
- Background checks (VOG in NL) documented per role with access to customer data
- Confidentiality agreements for all employees and contractors
- Security awareness training, annual and at hire
- AI literacy training (mandatory under AI Act art. 4, aligned with ISO 42001)
- Incident response procedure with roles, escalation paths and drills
- Detached conversation flows: a user message keeps processing on the server even if the user's tab disconnects, and the resulting state is restored when they return — no silent data loss on browser refresh
- Server-side configuration freeze: production cannot be tricked into pointing the orchestrator at the wrong tool, document or assistant endpoint — the production values come from environment variables, not the request body
- Per-user JWT for internal document retrieval, regenerated on every call so a leaked token has a minute-scale lifetime
- Vendor management with DPA, security review and annual reassessment
- Risk assessment process, annual and on material change
- Data Protection Officer appointed (mandatory for PIMS)
- Internal audit programme
- Management review, at least annually
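The two application-level items above (the server-side configuration freeze and the per-user, short-lived retrieval JWT) illustrated in code; this is an added example, not the trust center's or the product's own code. The environment variable names, the function names and the HS256 standard-library JWT are assumptions chosen so it runs offline.

```python
import base64, hashlib, hmac, json, os, time

# Assumed names: endpoint and signing secret are read from the environment at startup
# (configuration freeze); the defaults are constructed values for a local run only.
DOC_SERVICE_URL = os.environ.get("DOC_SERVICE_URL", "https://docs.internal.example/retrieve")
SIGNING_KEY = os.environ.get("DOC_JWT_SECRET", "constructed-local-secret").encode()
TOKEN_TTL_SECONDS = 60  # minute-scale lifetime: a leaked token stops working within a minute

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_retrieval_token(user_id: str, now=None) -> str:
    """Mint a fresh HS256 JWT bound to one user and to the document service audience."""
    iat = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "aud": DOC_SERVICE_URL, "iat": iat, "exp": iat + TOKEN_TTL_SECONDS}
    signing_input = f"{header}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_retrieval_token(token: str, now=None):
    """Return the claims if signature, algorithm, audience and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None  # tampered or forged token
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # only the algorithm we issue is accepted
    claims = json.loads(_b64url_decode(claims_b64))
    current = int(time.time()) if now is None else now
    if claims.get("aud") != DOC_SERVICE_URL or current >= claims.get("exp", 0):
        return None  # wrong audience or expired
    return claims

def build_retrieval_request(user_id: str, request_body: dict, now=None) -> dict:
    """Per call: mint a new token and take the endpoint from frozen config, never from the body."""
    token = mint_retrieval_token(user_id, now)
    return {"url": DOC_SERVICE_URL,  # request_body cannot redirect the call
            "headers": {"Authorization": f"Bearer {token}"},
            "query": request_body.get("query", "")}
```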