Our Commitment
Security is at the core of everything we build. Anzen is a platform built for security teams - and we hold ourselves to the same standards we help our customers achieve. We operate under an ISO 27001-aligned information security management system and continuously improve our security posture.
Infrastructure Security
- EU-only, self-managed infrastructure - all systems run on infrastructure owned and operated by SCRTY B.V. in European data centres. No reliance on US-based hyperscalers.
- CIS-hardened systems - every server is hardened to CIS Benchmarks at provisioning, with automated compliance checks flagging any drift.
- Encryption in transit - all traffic is encrypted with TLS 1.2+ between clients and our services, and between internal components.
- Encryption at rest - infrastructure secrets and customer file uploads are encrypted at rest with AES-256. File uploads use envelope encryption: each workspace has a unique Data Encryption Key (DEK) that wraps files with AES-256-GCM, and the master Key Encryption Key (KEK) is held on isolated key-management infrastructure and never leaves it.
- Network segmentation - production systems are isolated from development and management networks with strict firewall rules.
- SIEM monitoring - all infrastructure and application logs are aggregated in a central SIEM for real-time threat detection, alerting, and incident response.
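The envelope scheme in the "Encryption at rest" item above, as an added example written for this page (not Anzen's or SCRTY's code): a stand-in KMS generates the KEK and only ever returns wrapped per-workspace DEKs, and uploads are sealed with AES-256-GCM under the unwrapped DEK. It assumes the workspace ID is used as GCM associated data, which the page does not state; with that binding, a wrapped DEK or file blob fails to open under any other workspace.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type KMS struct{ kek []byte } // stands in for the isolated key-management infrastructure: the KEK lives only here
func randKey() ([]byte, error) { k := make([]byte, 32); _, err := rand.Read(k); return k, err } // 256-bit key
func NewKMS() (*KMS, error)    { kek, err := randKey(); return &KMS{kek: kek}, err }
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// seal/open: AES-256-GCM, fresh 96-bit nonce prepended; AAD = workspace ID (this example's assumption), so blobs only open under their own tenant.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	if n := gcm.NonceSize(); len(blob) >= n { return gcm.Open(nil, blob[:n], blob[n:], aad) }
	return nil, errors.New("ciphertext too short")
}
// NewWorkspaceDEK makes a per-workspace DEK inside the KMS and returns only its wrapped form; Unwrap is the only way back, and the KEK never leaves.
func (k *KMS) NewWorkspaceDEK(ws string) ([]byte, error) {
	dek, err := randKey()
	if err != nil { return nil, err }
	return seal(k.kek, dek, []byte(ws))
}
func (k *KMS) Unwrap(ws string, wdek []byte) ([]byte, error) { return open(k.kek, wdek, []byte(ws)) }
// EncryptFile/DecryptFile unwrap the workspace DEK through the KMS, then apply it to the upload.
func EncryptFile(k *KMS, ws string, wdek, file []byte) ([]byte, error) {
	dek, err := k.Unwrap(ws, wdek)
	if err != nil { return nil, err }
	return seal(dek, file, []byte(ws))
}
func DecryptFile(k *KMS, ws string, wdek, blob []byte) ([]byte, error) {
	dek, err := k.Unwrap(ws, wdek)
	if err != nil { return nil, err }
	return open(dek, blob, []byte(ws))
}
```

The application stores only the wrapped DEK beside its workspace record; every encrypt or decrypt goes through Unwrap, so access to DEKs is mediated and auditable by the KMS.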
Application Security
- Tenant isolation - each customer workspace is fully isolated with its own data boundary. No data leakage between tenants is possible.
- Role-based access control - fine-grained RBAC with entity-scoped permissions and hierarchy inheritance.
- Full audit trail - every create, update, and delete operation is logged with before/after values, user identity, and timestamp.
- Input validation - all API inputs are validated using strict schemas. SQL injection, XSS, and other OWASP Top 10 risks are mitigated by design.
Vulnerability & Patch Management
Security does not stop at the initial build. We operate continuous vulnerability and patch management across the full stack - from the third-party libraries we depend on to the operating systems underneath.
- SAST in CI/CD - static application security testing runs on every build, so vulnerabilities are caught before code reaches production.
- SBOM-based dependency tracking - a software bill of materials is generated for every build and continuously matched against CVE feeds, so we are alerted the moment a new vulnerability affects a library we use.
- Automated dependency updates - non-breaking dependency upgrades are opened as pull requests automatically, each one reviewed and tested in CI before it is merged and rolled out.
- Severity-based CI gating - builds fail when a high-severity vulnerability is introduced, preventing vulnerable code from reaching production in the first place.
- OS patching cadence - operating system packages on all servers are patched on a regular cadence, with critical vulnerabilities addressed within 24 hours.
- CIS-hardened OS baseline - every server is provisioned against CIS Benchmarks for its OS, and automated compliance checks report any deviation from that baseline.
Access Control & Authentication
- SSO/OIDC support - customers can integrate with their identity provider (Keycloak, Okta, Azure AD, etc.) for single sign-on.
- Internal access - all SCRTY employees use SSO with mandatory multi-factor authentication (MFA) to access production systems.
- Principle of least privilege - access to production infrastructure is restricted to a minimal set of engineers and is logged and reviewed.
- No standing access - customer data is not accessed by SCRTY personnel unless explicitly requested for support, and all access is logged.
Standards & Frameworks
Our security programme is aligned with the following frameworks:
- ISO 27001 - information security management system alignment.
- CIS Benchmarks - infrastructure hardening baseline.
- OWASP Top 10 - application security risk mitigation.
- GDPR - data protection and privacy by design.
- NIS2 - network and information security compliance (EU Directive 2022/2555).
Responsible Disclosure
We value the work of security researchers and welcome responsible disclosure of vulnerabilities in Anzen or our infrastructure. If you have discovered a security issue, please report it to us so we can address it promptly.
How to report:
- Email your findings to security@scrty.nl.
- Include a clear description of the vulnerability and steps to reproduce.
- If possible, provide a proof of concept.
Our commitment:
- We will acknowledge your report within 2 business days.
- We will keep you informed of our progress and expected resolution timeline.
- We will not take legal action against researchers who act in good faith and follow this policy.
- We will credit you (if desired) when the issue is resolved.
We ask that you:
- Do not access, modify, or delete data belonging to other users or tenants.
- Do not perform denial-of-service attacks or degrade platform availability.
- Do not publicly disclose the vulnerability before we have had reasonable time to address it.
- Act in good faith and avoid privacy violations.
We do not currently operate a bug bounty programme. We appreciate every report and will acknowledge your contribution, but no monetary rewards are guaranteed at this time.
Contact
For security-related questions or to report a vulnerability, contact us at security@scrty.nl.