Security

    How we protect your data and our platform

    Our Commitment

    Security is at the core of everything we build. Anzen is a platform built for security teams - and we hold ourselves to the same standards we help our customers achieve. We operate under an ISO 27001-aligned information security management system and continuously improve our security posture.

    Infrastructure Security

    • EU-only, self-managed infrastructure - all systems run on infrastructure owned and operated by SCRTY B.V. in European data centres. No reliance on US-based hyperscalers.
    • CIS-hardened systems - every server is hardened to CIS Benchmarks at provisioning, with automated compliance checks flagging any drift.
    • Encryption in transit - all traffic is encrypted with TLS 1.2+ between clients and our services, and between internal components.
    • Encryption at rest - infrastructure secrets and customer file uploads are encrypted at rest with AES-256. File uploads use envelope encryption: each workspace has a unique Data Encryption Key (DEK) that wraps files with AES-256-GCM, and the master Key Encryption Key (KEK) is held on isolated key-management infrastructure and never leaves it.
    • Network segmentation - production systems are isolated from development and management networks with strict firewall rules.
    • SIEM monitoring - all infrastructure and application logs are aggregated in a central SIEM for real-time threat detection, alerting, and incident response.
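The envelope-encryption scheme described under "Encryption at rest" above, written out as an added Go example. This is not Anzen's or SCRTY's code: it assumes the KEK operations run in-process (in the deployment described they would run on the isolated key-management host and the KEK would never leave it), it binds the workspace ID to the wrapped DEK and the object name to the file as GCM additional authenticated data (a design choice of this example, not something the page states), and the workspace IDs, object name and upload contents are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Sealed is an AES-256-GCM ciphertext plus the random nonce used to produce it;
// the same shape stores a wrapped DEK and an encrypted file.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d", len(key)) }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts under key with a fresh random nonce. aad is authenticated but not
// encrypted, so the result only opens in the context it was produced for.
func seal(key, plaintext, aad []byte) (Sealed, error) {
	g, err := newGCM(key)
	if err != nil { return Sealed{}, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return Sealed{}, err }
	return Sealed{nonce, g.Seal(nil, nonce, plaintext, aad)}, nil
}

// open fails on any modification of the ciphertext, the nonce or the aad.
func open(key []byte, s Sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil { return nil, err }
	return g.Open(nil, s.Nonce, s.Ciphertext, aad)
}

// NewKey returns a random 256-bit key, used here for both the KEK and each workspace DEK.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// WrapDEK and UnwrapDEK are the only operations that see the KEK. In the design above they
// run on the isolated key-management host; here (assumption) they run in-process. The
// workspace ID is bound as AAD so a wrapped DEK cannot be presented under another workspace.
func WrapDEK(kek, dek []byte, workspaceID string) (Sealed, error) {
	return seal(kek, dek, []byte("dek:"+workspaceID))
}

func UnwrapDEK(kek []byte, w Sealed, workspaceID string) ([]byte, error) {
	return open(kek, w, []byte("dek:"+workspaceID))
}

// EncryptFile and DecryptFile use the unwrapped DEK; the object name is bound as AAD.
func EncryptFile(dek, plaintext []byte, objectName string) (Sealed, error) {
	return seal(dek, plaintext, []byte("file:"+objectName))
}

func DecryptFile(dek []byte, f Sealed, objectName string) ([]byte, error) {
	return open(dek, f, []byte("file:"+objectName))
}

// RoundTrip runs the hierarchy on constructed data and reports: plaintext recovered via
// unwrap+decrypt, cross-workspace unwrap rejected, and modified ciphertext rejected.
func RoundTrip() (recovered, crossTenantRejected, tamperRejected bool, err error) {
	kek, err := NewKey()
	if err != nil { return }
	dek, err := NewKey()
	if err != nil { return }
	plaintext := []byte("constructed sample upload")
	wrapped, err := WrapDEK(kek, dek, "ws-alpha")
	if err != nil { return }
	file, err := EncryptFile(dek, plaintext, "reports/q1.pdf")
	if err != nil { return }
	unwrapped, err := UnwrapDEK(kek, wrapped, "ws-alpha")
	if err != nil { return }
	got, err := DecryptFile(unwrapped, file, "reports/q1.pdf")
	if err != nil { return }
	recovered = bytes.Equal(got, plaintext)
	_, e := UnwrapDEK(kek, wrapped, "ws-beta") // same wrapped blob, wrong workspace
	crossTenantRejected = e != nil
	tampered := Sealed{file.Nonce, append([]byte(nil), file.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01 // flip one bit of the stored ciphertext
	_, e = DecryptFile(dek, tampered, "reports/q1.pdf")
	tamperRejected = e != nil
	return
}

func main() {
	r, c, t, err := RoundTrip()
	if err != nil { panic(err) }
	fmt.Println("recovered:", r, "cross-tenant rejected:", c, "tamper rejected:", t)
}
```

The point of the two-level hierarchy is that a DEK can be rotated or destroyed per workspace without touching the KEK, and the KEK is only ever asked to wrap and unwrap 32-byte keys, never file contents. Binding the workspace ID into the wrap means a stored DEK blob copied between workspaces fails authentication instead of quietly decrypting.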

    Application Security

    • Tenant isolation - each customer workspace is fully isolated with its own data boundary. No data leakage between tenants is possible.
    • Role-based access control - fine-grained RBAC with entity-scoped permissions and hierarchy inheritance.
    • Full audit trail - every create, update, and delete operation is logged with before/after values, user identity, and timestamp.
    • Input validation - all API inputs are validated using strict schemas. SQL injection, XSS, and other OWASP Top 10 risks are mitigated by design.

    Vulnerability & Patch Management

    Security does not stop at the initial build. We operate continuous vulnerability and patch management across the full stack - from the third-party libraries we depend on to the operating systems underneath.

    • SAST in CI/CD - static application security testing runs on every build, so vulnerabilities are caught before code reaches production.
    • SBOM-based dependency tracking - a software bill of materials is generated for every build and continuously matched against CVE feeds, so we are alerted the moment a new vulnerability affects a library we use.
    • Automated dependency updates - non-breaking dependency upgrades are opened as pull requests automatically, each one reviewed and tested in CI before it is merged and rolled out.
    • Severity-based CI gating - builds fail when a high-severity vulnerability is introduced, preventing vulnerable code from reaching production in the first place.
    • OS patching cadence - operating system packages on all servers are patched on a regular cadence, with critical vulnerabilities addressed within 24 hours.
    • CIS-hardened OS baseline - every server is provisioned against CIS Benchmarks for its OS, and automated compliance checks report any deviation from that baseline.
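How the SBOM matching and severity-based gating in the bullets above can fit together, as an added Go example. This is not SCRTY's pipeline code and the page names no specific tooling; the SBOM document, the advisory feed with its placeholder IDs, the package names and the version-range syntax are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Component is one SBOM entry (a subset of the CycloneDX component shape).
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

type SBOM struct{ Components []Component `json:"components"` }

// Advisory is one vulnerability-feed record: affected package, version range, severity.
type Advisory struct {
	ID       string
	Package  string
	Affected string // space-separated constraints, e.g. ">=2.0.0 <2.4.0"
	Severity string // low | medium | high | critical
}

var severityRank = map[string]int{"low": 1, "medium": 2, "high": 3, "critical": 4}

// compareVersions orders dotted numeric versions: -1 if a < b, 0 if equal, 1 if a > b.
// Missing trailing parts count as 0, so "1.9" equals "1.9.0"; comparison is numeric, not lexical.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for len(as) < len(bs) { as = append(as, "0") }
	for len(bs) < len(as) { bs = append(bs, "0") }
	for i := range as {
		x, _ := strconv.Atoi(as[i])
		y, _ := strconv.Atoi(bs[i])
		if x != y {
			if x < y { return -1 }
			return 1
		}
	}
	return 0
}

// inRange reports whether version satisfies every constraint in the range string.
func inRange(version, constraints string) bool {
	for _, c := range strings.Fields(constraints) {
		cmp := compareVersions(version, strings.TrimLeft(c, "<>="))
		var ok bool
		switch {
		case strings.HasPrefix(c, ">="): ok = cmp >= 0
		case strings.HasPrefix(c, "<="): ok = cmp <= 0
		case strings.HasPrefix(c, ">"): ok = cmp > 0
		case strings.HasPrefix(c, "<"): ok = cmp < 0
		default: ok = cmp == 0 // a bare version means exact match
		}
		if !ok { return false }
	}
	return true
}

// Match is one shipped component hit by one advisory.
type Match struct{ Component Component; Advisory Advisory }

// MatchSBOM returns every (component, advisory) pair where the shipped version is affected.
func MatchSBOM(sbom SBOM, feed []Advisory) []Match {
	var out []Match
	for _, c := range sbom.Components {
		for _, a := range feed {
			if a.Package == c.Name && inRange(c.Version, a.Affected) {
				out = append(out, Match{c, a})
			}
		}
	}
	return out
}

// Gate returns false (fail the build) if any match is at or above the threshold severity.
func Gate(matches []Match, threshold string) bool {
	for _, m := range matches {
		if severityRank[m.Advisory.Severity] >= severityRank[threshold] { return false }
	}
	return true
}

// Constructed sample inputs: fictitious packages and placeholder advisory IDs, not real records.
const sampleSBOM = `{"components":[{"name":"example-http-client","version":"2.3.1"},{"name":"example-yaml","version":"1.9.0"},{"name":"example-logger","version":"4.0.2"}]}`
var sampleFeed = []Advisory{
	{ID: "ADV-PLACEHOLDER-0001", Package: "example-http-client", Affected: ">=2.0.0 <2.4.0", Severity: "high"},
	{ID: "ADV-PLACEHOLDER-0002", Package: "example-yaml", Affected: "<1.9.0", Severity: "critical"}, // fixed in 1.9.0: no hit
	{ID: "ADV-PLACEHOLDER-0003", Package: "example-logger", Affected: ">=4.0.0 <4.1.0", Severity: "low"},
}

// ScanSample parses the SBOM, matches it against the feed and applies a "high" gate.
func ScanSample() ([]Match, bool, error) {
	var sbom SBOM
	if err := json.Unmarshal([]byte(sampleSBOM), &sbom); err != nil { return nil, false, err }
	m := MatchSBOM(sbom, sampleFeed)
	return m, Gate(m, "high"), nil
}

func main() {
	matches, pass, _ := ScanSample()
	fmt.Println(len(matches), "affected components; build passes gate:", pass)
}
```

On the constructed input the scan finds two affected components (one high, one low) and the build fails the gate because of the high finding; the critical advisory does not fire because the shipped version is already the fixed one. Matching on an exact version range rather than on package name alone is what keeps a feed update from failing builds that already carry the fix.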

    Access Control & Authentication

    • SSO/OIDC support - customers can integrate with their identity provider (Keycloak, Okta, Azure AD, etc.) for single sign-on.
    • Internal access - all SCRTY employees use SSO with mandatory multi-factor authentication (MFA) to access production systems.
    • Principle of least privilege - access to production infrastructure is restricted to a minimal set of engineers and is logged and reviewed.
    • No standing access - customer data is not accessed by SCRTY personnel unless explicitly requested for support, and all access is logged.

    Standards & Frameworks

    Our security programme is aligned with the following frameworks:

    • ISO 27001 - information security management system alignment.
    • CIS Benchmarks - infrastructure hardening baseline.
    • OWASP Top 10 - application security risk mitigation.
    • GDPR - data protection and privacy by design.
    • NIS2 - network and information security compliance (EU Directive 2022/2555).

    Account Suspension and Termination

    Beyond the routine cancellation flow covered in our Terms of Service, SCRTY B.V. reserves the right to act decisively when a workspace is implicated in illegal activity or behaviour that threatens the integrity of the platform or its other customers. This section sets out what those actions can look like; the full legal language lives in the Terms of Service and Privacy Policy.

    Grounds for action:

    • Violations of law - use of the platform that breaches applicable EU or Dutch law, sanctions regimes, or the laws of any jurisdiction in which the workspace operates.
    • Suspicious activity - patterns that suggest fraud, abuse, credential stuffing, unauthorised data access, or attempts to misuse the platform against other customers or third parties.
    • Material breach of the Terms of Service - including non-payment, misrepresentation during sign-up, or repeated violations of acceptable-use restrictions.

    Actions we may take:

    • Verification hold - we may place a workspace on hold while we verify the account, its operator, or the activity in question. During the hold, the workspace is inaccessible to its users; data is retained but read-only on our side.
    • 30-day retention on hold - workspaces under hold are retained for a maximum of 30 days. If the matter is resolved within that window, the workspace is restored. If the hold is not lifted within 30 days - including when the operator does not respond to our verification requests - the workspace and all its data are permanently deleted.
    • Immediate deletion - in serious cases (illegal content, active abuse of the platform against third parties, explicit instructions from a competent authority) we may delete a workspace and its data without a hold period. Where the law permits, we will notify the operator after the fact.
    • Cooperation with authorities - we will comply with valid legal orders from EU competent authorities and may preserve data beyond the 30-day window where required to do so.

    These powers do not affect the ordinary cancellation path. Customers who cancel their subscription voluntarily follow the timeline set out in the Terms of Service and the Privacy Policy, which includes an export window before deletion.

    Responsible Disclosure

    We value the work of security researchers and welcome responsible disclosure of vulnerabilities in Anzen or our infrastructure. If you have discovered a security issue, please report it to us so we can address it promptly.

    How to report:

    • Email your findings to security@scrty.nl.
    • Include a clear description of the vulnerability and steps to reproduce.
    • If possible, provide a proof of concept.

    Our commitment:

    • We will acknowledge your report within 2 business days.
    • We will keep you informed of our progress and expected resolution timeline.
    • We will not take legal action against researchers who act in good faith and follow this policy.
    • We will credit you (if desired) when the issue is resolved.

    We ask that you:

    • Do not access, modify, or delete data belonging to other users or tenants.
    • Do not perform denial-of-service attacks or degrade platform availability.
    • Do not publicly disclose the vulnerability before we have had reasonable time to address it.
    • Act in good faith and avoid privacy violations.

    We do not currently operate a bug bounty programme. We appreciate every report and will acknowledge your contribution, but no monetary rewards are guaranteed at this time.

    Contact

    For security-related questions or to report a vulnerability, contact us at security@scrty.nl.