Compliance Frameworks

Overview of all compliance frameworks that Onesurance monitors and adheres to. From GDPR and DORA to ISO 27001 and the EU AI Act — we ensure our services meet the most stringent requirements.

Compliance overview

  • 6 frameworks — Actively monitored and audited
  • GDPR + DORA compliant — Full compliance since inception
  • ISO 27001 in progress — ISMS operational, certification Q2 2026

Compliance Dashboard

  • AVG / GDPR — Compliant. Full compliance since inception. All 7 principles upheld.
  • ISO 27001 — Q2 2026. ISMS operational. Certification audit scheduled Q2 2026.
  • DORA — Compliant. All 5 pillars implemented. Insurance sector requirements met.
  • EU AI Act — Monitoring. Limited Risk classification. Active monitoring of requirements.
  • NIST CSF — Monitoring. Core controls implemented. Continuous improvement.
  • CIS Controls — Monitoring. Top 10 critical controls active. Periodic evaluation.


General Data Protection Regulation

Onesurance has been fully GDPR compliant since inception. All 7 data processing principles are upheld, supported by technical and organisational measures.

GDPR Principles

  • Lawfulness, fairness and transparency — Processing based on valid legal grounds with clear communication to data subjects.
  • Data subject rights — Fully implemented procedures for access, rectification, erasure, restriction, portability and objection.
  • Consent management — Granular consent with the ability to withdraw. Full audit trail.
  • Privacy by Design & Default — Data protection embedded in all systems and processes from the design stage.
  • Security of processing — Appropriate technical and organisational measures to protect personal data.
  • Data breach notification — Procedure for notifying the supervisory authority within 48 hours and informing data subjects where required.
  • Record of processing activities — Fully maintained register in accordance with Article 30 GDPR.
  • Data Protection Officer — Appointed DPO who oversees compliance and advises on data protection matters.

Evidence & Documentation

  • Privacy statement
  • Data Processing Agreements (DPA)
  • Record of processing activities
  • Data Protection Impact Assessment (DPIA)

ISO 27001 — Information Security Management System

Our ISMS is fully operational and structured in accordance with ISO 27001:2022. The certification audit is scheduled for Q2 2026. All Annex A controls have been implemented and are periodically audited.

Annex A Controls

  • Organisational controls — Information security policy, risk management, compliance management, asset management and supplier relationships.
  • People controls — Screening, security awareness, training, disciplinary processes and post-employment responsibilities.
  • Physical controls — Physical security via Azure data centres (SOC 2 certified), clean desk policy and device management.
  • Technological controls — Encryption, network segmentation, access control, vulnerability management, logging and monitoring.

Internal Audits

We conduct internal audits semi-annually or upon significant changes across all ISMS processes. Findings are tracked to closure and reported to the management team.


Digital Operational Resilience Act

As a service provider for the insurance sector, Onesurance is fully compliant with DORA requirements. All five pillars have been implemented and are continuously monitored.

The 5 Pillars of DORA

  • ICT Risk Management — Systematic identification, assessment and mitigation of ICT risks with a documented risk framework.
  • Incident Management — Standardised process for detection, classification, escalation and reporting of ICT-related incidents.
  • Digital Operational Resilience Testing — Regular penetration tests, vulnerability assessments and scenario-based testing to validate operational resilience.
  • Third-Party Risk Management — Due diligence, contractual safeguards and continuous monitoring of all ICT service providers.
  • Information Sharing — Participation in relevant information-sharing networks for cyber threats and vulnerabilities.

EU AI Act

Onesurance classifies its AI applications as Limited Risk under the EU AI Act. We actively monitor regulatory developments and have taken proactive measures.

Measures

  • Risk assessment — Classification of all AI systems by risk level in accordance with the EU AI Act taxonomy.
  • Transparency — Users are clearly informed when they are interacting with AI systems.
  • Human oversight — All AI decisions are subject to human review and override.
  • Data governance — Quality controls on training data, bias monitoring and data minimisation.
  • Technical documentation — Comprehensive documentation of AI models, training processes, performance metrics and limitations.

NIST Cybersecurity Framework

Onesurance uses the NIST Cybersecurity Framework as the guiding framework for its security approach. The five core functions are integrated into our operational processes.

Identify

Asset management, risk assessment, governance and business environment mapped to understand cybersecurity risks.

Protect

Access control, security awareness, data protection and maintenance to safeguard critical services.

Detect

Continuous monitoring, anomaly detection and security event analysis to identify threats in a timely manner.

Respond

Response planning, communication, analysis, mitigation and improvements during security incidents.

Recover

Recovery planning, improvements and communication to restore operations promptly after security incidents.


CIS Controls

Onesurance implements the CIS Critical Security Controls as a supplementary framework for practical security measures. The top 10 controls are active.

Top 10 Controls

  • 1. Inventory of enterprise assets — Active management of all hardware and software assets on the network.
  • 2. Inventory of software assets — Only authorised software runs on enterprise systems.
  • 3. Data protection — Classification, encryption and protection of sensitive data.
  • 4. Secure configuration — Standardised hardening of servers, endpoints and network devices.
  • 5. Account management — Lifecycle management of accounts with least privilege and regular reviews.
  • 6. Access control — Role-based access with MFA and continuous authentication monitoring.
  • 7. Vulnerability management — Continuous vulnerability scanning and timely patching of systems.
  • 8. Audit log management — Central collection, protection and analysis of audit logs.
  • 9. Email and web browser protection — Filtering of malicious content and restriction of unauthorised plugins.
  • 10. Malware defence — Endpoint protection, anti-malware and behavioural analysis on all systems.

Questions about Compliance?

Our Data Protection Officer is happy to assist with questions about compliance, certifications or regulatory matters.

General Support: support@onesurance.ai
DPO Email: dpo@onesurance.ai (DPO — Menno Kooistra)
Phone: +31 6 13 27 01 44 (Onesurance Support)