Security Measures

Data Processing Agreement Annex C — Doc2iXBRL (Ontos B.V.) — Version 1.0

Last updated: April 2026

This document describes the technical and organisational security measures implemented by Ontos B.V. (operating as Doc2iXBRL, the "Provider") to protect Personal Data and ensure the ongoing confidentiality, integrity, and availability of the Services. More detail is available on request and via the Provider's Trust Center. The Provider reserves the right to revise these measures from time to time, without notice, provided that no such revision shall materially reduce or weaken the protection provided for Personal Data that the Provider processes in the course of providing the Services.

1. How Doc2iXBRL Works

The Services comprise a cloud-based software-as-a-service platform, accessible via a web interface, for converting financial reporting documents to iXBRL and related machine-readable formats, with AI-assisted taxonomy tagging and validation. The platform is used by accounting firms, audit firms, corporate finance teams, and their clients to prepare and submit iXBRL reports.

2. Sub-processors

The Provider engages carefully vetted sub-processors for defined purposes. For the current list, see the DPA (Annex B) and the Trust Center.

3. Business Continuity Management

Automated daily database backups are performed via Supabase, with point-in-time recovery in accordance with Supabase's platform capabilities. Source code is backed up on at least a weekly basis. Backups are encrypted in transit and at rest. Documented recovery procedures are in place and reviewed periodically.

4. Supplier Relationship Management

The Provider selects sub-processors based on their technical and organisational measures, and binds them by written agreement to confidentiality and data-protection obligations materially equivalent to those in the Provider's Data Processing Agreement. The Provider periodically reviews its sub-processors' continued compliance.

5. Information Security Management

The Provider maintains documented information-security policies and procedures, and reviews them periodically. The underlying cloud infrastructure (Supabase on AWS) holds ISO/IEC 27001 certification and SOC 2 attestation at the infrastructure level; these cover the hosting and platform layers, not the Provider's application itself.

6. System Access Control

Provider personnel are granted access on a role-based, least-privilege basis; access is limited to what is necessary to fulfil their job responsibilities. Access rights are promptly revoked upon termination of employment or engagement.

7. Physical Access Control

Processing takes place in data centres operated by the Provider's infrastructure providers (Supabase on AWS, EU region). These data centres maintain industry-standard physical security controls, including 24/7 monitoring and controlled access by authorised personnel only.

8. Data Access Control

Users authenticate via the Provider's authentication layer (Supabase Auth); passwords are stored hashed and salted in accordance with industry best practice. Customer data is isolated at the database level via row-level security policies that are evaluated on every query against the identity of the authenticated user, so that each User can access only the data belonging to their own account and workspace.

9. Transmission Access Control

Data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 (or an algorithm of equivalent strength). In addition, source files uploaded by the Customer are encrypted at the application layer before being written to storage, such that the raw file is unreadable without application-level decryption keys, which are applied only when the file is processed for a specific conversion job.

10. Entry Control

Application and database activity relevant to security is logged, with log entries traceable to individual authenticated users. Logs are retained for a period appropriate to detect and investigate security incidents.

11. Availability Control

The Provider applies security patches in a timely manner, with expedited patching in response to disclosed critical vulnerabilities. Customer environments are logically separated through row-level security and workspace scoping; Customers cannot access data belonging to other Customers.
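As an added illustration of the isolation mechanism referred to in sections 8 and 11 (row-level security with workspace scoping on Supabase), the following is an example schema and policy set written for this annex; it is not the Provider's own schema or code. The table and column names (workspace_members, documents, workspace_id, user_id, owner_id) are assumptions for illustration; auth.uid() and the request.jwt.claims setting are the ones Supabase's Postgres/PostgREST stack provides.

```sql
-- Example only (not the Provider's schema): per-workspace isolation
-- with Postgres row-level security as used on Supabase.
-- Table and column names below are assumptions for illustration.

create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null references auth.users (id) on delete cascade,
  primary key (workspace_id, user_id)
);

create table documents (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  owner_id     uuid not null default auth.uid(),
  filename     text not null,
  created_at   timestamptz not null default now()
);

-- Without these statements the policies below are never consulted:
-- RLS must be enabled per table, and FORCE makes it apply to the
-- table owner as well (superusers and roles with BYPASSRLS, such as
-- Supabase's service_role, still bypass it).
alter table workspace_members enable row level security;
alter table workspace_members force row level security;
alter table documents enable row level security;
alter table documents force row level security;

-- auth.uid() is the "sub" claim of the calling request's JWT.
-- It is NULL for anonymous requests, so these policies deny them.
-- Wrapping it as (select auth.uid()) lets Postgres evaluate it once
-- per statement instead of once per row.
create policy "members see their own memberships"
  on workspace_members for select
  to authenticated
  using (user_id = (select auth.uid()));

create policy "workspace members read documents"
  on documents for select
  to authenticated
  using (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = documents.workspace_id
        and m.user_id = (select auth.uid())
    )
  );

create policy "workspace members insert into their own workspace"
  on documents for insert
  to authenticated
  with check (
    owner_id = (select auth.uid())
    and exists (
      select 1 from workspace_members m
      where m.workspace_id = documents.workspace_id
        and m.user_id = (select auth.uid())
    )
  );

-- Check from psql or the SQL editor: impersonate a user and confirm that
-- a query with no WHERE clause returns only rows from that user's
-- workspaces. The user id below is a placeholder.
begin;
  set local role authenticated;
  set local request.jwt.claims =
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
  select id, workspace_id, filename from documents;
rollback;
```

Two caveats a reviewer of such a setup would check: a table with no policy and RLS enabled denies everything, but a table where RLS was never enabled returns everything to any authenticated user, so the "enable"/"force" statements are the part to verify; and these policies cover only the documents table, so uploaded files held in Supabase Storage need their own policies on storage.objects, scoped to the same workspace membership, for the application-layer isolation to be complete.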

12. Separation Control

Development, staging, and production environments are logically separated. Customer data resides only in the production environment.

13. Risk Management

The Provider periodically reviews its security posture, including the effectiveness of the measures set out in this document, and updates its policies and procedures accordingly.

14. Operations Security

The Provider monitors software dependencies for known vulnerabilities using standard tooling and installs security updates in a timely manner. Provider personnel use enterprise-grade email and collaboration tools with standard anti-malware and anti-phishing protections.

15. Security Regarding Personnel

Provider personnel are bound by written confidentiality obligations and are informed of their obligations under the GDPR and the UAVG (the Dutch GDPR Implementation Act) and of the Provider's internal security policies.

16. Incident Response

The Provider maintains a documented procedure for detecting, containing, and notifying on security incidents. The procedure is aligned with Article 33 of the GDPR and the 72-hour notification obligation set out in the Provider's Data Processing Agreement.

17. Retention of Personal Data

During the term of the Data Processing Agreement, Personal Data processed by the Provider is subject to the retention instructions issued from time to time by the Customer. Upon termination or expiration of the Data Processing Agreement, Clause 11 of the Data Processing Agreement applies.

Ontos B.V.

E-mail: contact@doc2ixbrl.com