Compliance Certifications

• GDPR: Compliant
• DORA: Compliant
• ISO 27001: Q1 2026

Key security principles at Onesurance

• End-to-end encryption for all data in transit and at rest
• Multi-factor authentication required for all users
• 24/7 security monitoring with automated incident detection
• Data residency within the EU (Azure West Europe)
• ISO 27001 certification in preparation (target Q1 2026)

Certifications and Standards

Onesurance holds itself to the highest security and compliance standards in the financial sector. Below you will find an overview of our current certifications and roadmap.

TRUST CENTER - COMPLIANCE CERTIFICATIONS

Onesurance & Certifications
Last updated: December 2024

Our Approach to Compliance

At Onesurance, we believe that compliance is not just about obtaining certificates; it is about building robust security and privacy practices into the foundation of our operations. While we are working toward formal external certifications, we have already implemented comprehensive frameworks and controls that meet the requirements of ISO 27001, GDPR, and DORA.

Our compliance journey is transparent, measurable, and verifiable. This page describes our current compliance status, the controls we have implemented, and our certification plan.

Certification Roadmap

ISO 27001 Information Security
• Status: Implementation complete, certification planned for Q1 2026
• Scope: Full ISMS (Information Security Management System)
• Current status:
  • All 114 ISO 27001:2022 controls implemented
  • Risk assessments performed and documented
  • Policy framework fully operational
  • Internal audits conducted regularly
  • Quarterly management reviews
• Next steps:
  • Q4 2025: Internal audit and gap analysis
  • Q1 2026: External certification audit
  • Certification body: [To be confirmed]
  • Auditor: To be announced Q4 2025

SOC 2 Type II
• Status: Planned for 2026
• Scope: Security, availability, processing integrity
• Timeline: Certification planned for H2 2026
• Preparation: Controls are aligned with ISO 27001 implementation

Legal Compliance (Operational)

GDPR (General Data Protection Regulation)
• Status: ✅ Fully compliant since 2018
• Data Protection Officer: Appointed and active (onesurance)
• Key measures:
  • Register of processing activities (ROPA) maintained
  • Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Processing agreements with all subprocessors
  • Privacy by Design principles in product development
  • Procedures for data subjects' rights (access, rectification, erasure)
  • Data breach reporting procedure within 72 hours
  • Awareness training for all employees
• Last DPIA performed: [Date]
• Next privacy audit: [Date]

DORA (Digital Operational Resilience Act)
• Status: ✅ Compliant with applicable requirements for the insurance sector
• Implementation date: January 2025
• Key areas:
  1. ICT Risk Management: Comprehensive framework for identifying and managing ICT risks
  2. Incident Management: Reporting procedures and response plans
  3. Resilience Testing: Annual testing program for business continuity
  4. Third-Party Risk: Due diligence and monitoring of ICT service providers
  5. Information Sharing: Participation in sector-wide threat intelligence
• ICT incident register maintained
• Resilience tests: Planned annually
• Next DORA review: Q2 2025

EU AI Act
• Status: ✅ Monitoring and preparation for implementation (2026)
• Classification: Limited risk / minimal risk systems
• AI systems in use:
  • Churn prediction (limited risk)
  • Customer Lifetime Value calculation (minimal risk)
  • Next Best Product recommendations (limited risk)
  • Defend Agent (conversational AI, limited risk)
• Measures:
  • Transparency: Users are aware of AI usage
  • Human oversight: Human-in-the-loop for critical decisions
  • Documentation: AI systems fully documented
  • Bias monitoring: Regular evaluation of model outputs
• Compliance deadline: December 2026
• Preparation status: On schedule

Operational Compliance Controls

Information Security Management System (ISMS)
• ISO 27001:2022 framework fully implemented
• 114 controls operational and documented
• Risk assessment methodology: Based on ISO 27005
• Asset management: Complete inventory of information assets
• Access control: Role-Based Access Control (RBAC) on all systems
• Encryption: AES-256 for data at rest, TLS 1.3 for data in transit
• Network security: Firewalls, segmentation, intrusion detection
• Incident response: Dedicated team and 24/7 monitoring
• Business continuity: DR plan with RTO/RPO targets
• Supplier management: Due diligence and ongoing monitoring

Internal Audits & Assessments
• Frequency: Quarterly internal audits
• Scope: All ISMS controls and processes
• Last audit: [Date]
• Findings: [Number] findings, of which [number] resolved
• Next audit: [Date]
• Audit logs: Fully digital and searchable

Risk Assessments
• Frequency: Annually, and in the event of significant changes
• Methodology: ISO 27005-based risk analysis
• Last assessment: [Date]
• Identified risks: [Number]
• Accepted risks: [Number] (with management approval)
• Risk treatment plans: Actively monitored and updated
• Next assessment: [Date]

Security frameworks

In addition to our certification processes, we follow industry best practices:

NIST Cybersecurity Framework
• Implementation: All 5 functions (Identify, Protect, Detect, Respond, Recover)
• Maturity level: Tier 3 (Repeatable, Adaptable)
• Used for: Gap analyses and continuous improvement

CIS Controls
• Implementation: 18 Critical Security Controls
• Focus areas:
  • Asset management and inventory
  • Access control and account management
  • Continuous vulnerability management
  • Secure configuration
  • Logging and monitoring
  • Incident response capabilities

OWASP
• Application security: OWASP Top 10 mitigations implemented
• Secure coding: Training courses and code reviews
• Dependency management: Automated scanning for vulnerable libraries

Penetration Testing & Vulnerability Management

Penetration Testing
• Frequency: Annually by external party
• Scope: Full application and infrastructure
• Last test: [Date]
• Critical findings: All resolved before production release
• Next test: [Date planned]
• Test report: Available to enterprise customers under NDA

Vulnerability Scanning
• Frequency: Weekly automated scans
• Tools: [Vulnerability scanner names]
• Remediation SLA:
  • Critical: <48 hours
  • High: <72 hours
  • Medium: <1 month
  • Low: <3 months
• Patch management: Automated process for system updates

Security Code Reviews
• Static Application Security Testing (SAST): Automated in CI/CD
• Dynamic Application Security Testing (DAST): Monthly
• Software Composition Analysis (SCA): Continuous monitoring of dependencies
• Code review process: Peer reviews for all code changes

Training & Awareness

Security awareness
• Onboarding training: Mandatory for all new employees
• Annual refresher training: Compliance and security best practices
• Phishing simulations: Quarterly tests
• Security champions: Designated in each team
• Privacy training: Specifically for employees who process personal data

Certifications for Employees
• Encouraged: ISO 27001 Lead Implementer, CISSP, CISM
• Training budget: Available for security-related certifications

Evidence & Transparency

What We Can Share
We believe in transparency and are willing to share the following documentation with prospects and customers:
• Statement of Applicability (SoA) - ISO 27001 controls
• Risk assessment summary (non-sensitive parts)
• Policy documents (security, privacy, incident response)
• Penetration test summaries (executive summary)
• Data processing agreements (DPAs)
• Subprocessor list with locations
• Compliance roadmap and timelines

Customer Due Diligence
We support:
• Security questionnaires: Standardized process, response within 5 business days
• Vendor risk assessments: Full documentation available
• On-site audits: Available for enterprise customers
• Third-party assessments: Right-to-audit clauses in contracts
• Regular updates: Proactive communication on compliance status changes

Why This Is Important

Operational Compliance vs. Certificates

Formal certifications are valuable, but they are snapshots in time. Our focus is on continuous, operational compliance:
• Real-time monitoring: 24/7 security monitoring and alerting
• Continuous improvement: Weekly reviews and updates of controls
• Proactive risk management: Not reactive, but forward-looking
• Embedded in culture: Security is everyone's responsibility
• Auditable: All controls documented and traceable

A certificate confirms that you met the standard at a specific point in time. Operational compliance means that you meet (and often exceed) that standard every day.

For Insurance Sector Customers

For customers in the insurance industry, compliance is not optional; it is essential. Our approach offers you:
• Regulatory alignment: DORA, GDPR, and sector-specific requirements
• Audit support: We help you meet your own compliance obligations
• Risk reduction: Our controls reduce your third-party risk
• Transparency: Full visibility into our security posture
• Partnership: We grow alongside your compliance needs

Contact

For certification and compliance questions:
• Compliance Team: onesurance
• For audit requests: onesurance
• For DPAs and contracts: onesurance

Onesurance .V. | Breda, Netherlands | Chamber of Commerce: 87521997