Security & resilience
Certbond operates on EU-resident infrastructure with industry-standard security controls. We work to a NIS2-equivalent baseline because our partner-company customers require it of their suppliers. ISO 27001 certification is on our roadmap. This page describes how to reach our security team and the high-level frameworks we operate under. Detailed control mapping, incident-response procedure, and TPRM-questionnaire response are provided to authenticated members and to Controllers under NDA.
Reporting a security issue
- Vulnerability disclosure: [email protected]. We acknowledge within 24 hours, triage promptly, and follow a coordinated-disclosure approach.
- Active incident affecting your data: [email protected].
- Data Protection Officer: [email protected].
Frameworks we operate to
Certbond aligns its security and compliance practices with the recognised frameworks relevant to its operations:
- GDPR (EU 2016/679) — full scope. See Privacy policy and DPA.
- NIS2-baseline — we operate to NIS2 Annex II equivalent measures. Detailed mapping provided to enterprise Controllers under NDA.
- ISO/IEC 27001 — on roadmap.
- EAA (EU 2019/882) — in scope. See Compliance · Accessibility statement.
High-level security posture
We apply industry-standard technical and organisational measures appropriate to the risk, including encryption, access control, audit logging, EU-resident primary infrastructure, regular backups, and a 72-hour personal-data-breach notification commitment per GDPR Art. 33. Detailed measures are provided to enterprise Controllers under NDA.
Security organisation
A Data Protection Officer, a Chief Information Security Officer and an Incident Response lead are appointed and reachable at the addresses above.
Due-diligence and TPRM
Partner-company security teams completing a TPRM (Third Party Risk Management) checklist for Certbond should email [email protected] with subject "TPRM — [your company]". On signature of a mutual NDA, we provide: filled SIG-Lite or SIG-Core questionnaire, CAIQ, our TOM annex, named sub-processor register, attestations on file, and the detailed NIS2 baseline mapping. Typical turnaround: 5 business days.