Compliance Certifications

Onesurance complies with all relevant EU regulations and is aiming for ISO 27001 certification in Q1 2026. This page provides an overview of our compliance status, key controls, and certification planning.

Certifications Overview

ISO 27001:2022 - Information Security Management

Status: Certification planned for Q1 2026
Controls: 114 controls fully implemented
Scope: Full ISMS operational since 2024

✓ Risk assessments performed and documented
✓ Quarterly internal audits
✓ Active management reviews
→ External certification audit: Q1 2026

GDPR - Data protection

Status: ✓ Fully compliant since 2023
DPO: onesurance

Key measures:

  • Register of processing activities (ROPA)

  • Data Protection Impact Assessments (DPIAs)

  • Processing agreements with all subprocessors

  • Privacy by Design in product development

  • Data breach reporting procedure within 72 hours

  • Awareness training for all employees

Last DPIA: November 2024 | Next audit: July 2026

DORA - Digital Operational Resilience

Status: ✓ Compliant since January 2025
Scope: ICT risk management for the insurance sector

Compliance areas:

  • ICT risk management framework

  • Incident management & reporting

  • Annual resilience testing program

  • Third-party risk management

  • Sector threat intelligence sharing

Resilience tests: Scheduled annually | Next review: Q2 2026

EU AI Act

Status: Monitoring and preparation (deadline December 2026)
Classification: Limited/minimal risk systems

AI Systems:

  • Churn prediction (limited risk)

  • CLV calculation (minimal risk)

  • Next Best Product recommendations (limited risk)

  • Defend Agent conversational AI (limited risk)

Measures: Transparency, human oversight, bias monitoring, full documentation

Security & Audit Program

Audits & Testing

Type | Frequency | Status
Internal audits | Every six months | Q2 2025 completed
Penetration testing | Annually | Planned for 2025
Risk assessments | Annually | Planned for 2025
Vulnerability scans | Weekly | Continuously active

Remediation SLAs:

  • Critical: <48 hours

  • High: <72 hours

  • Medium: <1 month

  • Low: <3 months

Key Security Controls

Data Encryption:

  • AES-256 for data at rest

  • TLS 1.3 for data in transit

  • Full backup encryption

Access control:

  • Multi-Factor Authentication (MFA) required

  • Role-Based Access Control (RBAC)

  • Single Sign-On (SSO) via SAML 2.0

  • IP whitelisting available

Monitoring:

  • 24/7 security operations center (SOC)

  • Real-time alerts

  • Incident response <1 hour

  • Full audit logging

Location:

  • Data residency: EU (Azure West Europe)

  • Backup location: EU geo-redundant

  • No data transfer outside the EU

Training & Awareness

Staff program:

  • Onboarding security training (mandatory)

  • Annual compliance refresher training

  • Quarterly phishing simulations

  • Privacy training for all data handlers

Current figures:

  • Training completion rate: 100%

  • Phishing simulation success: <5% click rate

Due Diligence Support

Available Documentation

We can share the following documentation with customers and prospects:

Policies & Procedures:

  • Statement of Applicability (SoA)

  • Security & Privacy Policies

  • Incident Response Plan

  • Business Continuity Plan

Assessment Reports:

  • Risk assessment summary

  • Penetration test executive summaries

  • Internal audit reports (summary)

Contractual:

  • Data Processing Agreements (DPA)

  • Subprocessor list (including processing locations)

  • Right-to-audit clauses

Response time: Security questionnaires within 5 business days

More Information

Compliance inquiries:
→ Email: onesurance

Due diligence:
→ Detailed documentation available upon request
→ On-site audits possible for enterprise customers