Security

Information Security at OSSO

At OSSO, information security is a core component of our operations, not an afterthought. We maintain a robust security posture to protect our infrastructure and customer data, and we believe in being transparent about our practices. This page outlines our formal certifications and our implementation of key industry standards.

🏛️ A Foundation for Customer Security

Our services, including managed Kubernetes, are built on a mature security baseline refined over many years. This provides our customers with a robust foundation of technical controls, significantly accelerating their own journey towards compliance and a higher security posture. By building on our groundwork, customers can achieve security outcomes in months that would typically take years to develop from scratch.

📜 Formal Certifications

All services offered by OSSO are within the scope of our certifications, which are audited annually by third parties.

ISO/IEC 27001:2022 (Information Security Management)

We have been continuously certified for ISO 27001 since 2017. This certification confirms we operate a comprehensive Information Security Management System (ISMS) to systematically manage and protect our information assets. Our ISMS is subject to regular internal and external audits to ensure its ongoing effectiveness.

NEN 7510-1:2017 + A1:2020 (Information Security in Healthcare)

NEN 7510 builds upon the ISO 27001 framework by adding a set of specific, mandatory controls for organizations within the Dutch healthcare supply chain. Our certification, held continuously since 2017, confirms our compliance with these additional requirements for the secure processing of personal health information.

Downloads & Verification

We believe in transparency. You can download our current certificates and Statements of Applicability, and verify the certificates' status directly with our certification body, DNV.

⚖️ Implemented Standards, Directives & Regulations

Beyond formal certifications, we adhere to other critical security frameworks.

PCI-DSS (Payment Card Industry Data Security Standard)

We have implemented the necessary controls and processes required by PCI-DSS across our multi-tenant infrastructure. This initiative was driven by a customer’s formal certification process and has significantly raised our overall security baseline. While we are not formally certified for PCI-DSS ourselves, our environment is built to meet its demanding security requirements.

NIS2 (Network and Information Systems Directive)

NIS2 is a European directive aimed at enhancing cybersecurity across critical sectors. As it is not a certifiable standard, we demonstrate compliance through our actions. Our internal processes and security measures are aligned with NIS2 requirements, providing a compliant foundation for customers who are legally obligated to conform to this directive.

GDPR (General Data Protection Regulation)

We are fully compliant with the GDPR. As a data processor, we provide strong assurances for data sovereignty and privacy:

  • All customer data is stored exclusively within data centers in the Netherlands.
  • We do not use any subcontractors for the processing of customer data.

Data Protection Officer (Functionaris Gegevensbescherming)

If you need to report a data leak or have questions about the data we store, please contact our DPO, Walter Doekes, at <fg[at]osso.nl> or +31 (0)50 210 4525.

🌍 Jurisdiction and Data Residency

OSSO is a privately owned Dutch company without foreign ownership or external participation. All of our infrastructure resides in data centers within the Netherlands, ensuring that customer data is processed and stored exclusively under Dutch jurisdiction.

🔒 Reporting Security Issues

As mentioned in /.well-known/security.txt, we take security issues seriously — no matter which channel you use to contact us. For highly confidential information, feel free to use our PGP key provided at https://download.osso.pub/security@osso.nl.pgp.txt when sending mail to <security[at]osso.nl>.