Security

How we protect your data and our platform

Our Commitment

Security is at the core of everything we build. Anzen is a platform built for security teams — and we hold ourselves to the same standards we help our customers achieve. We operate under an ISO 27001-aligned information security management system and continuously improve our security posture.

Infrastructure Security

• EU-only, self-managed infrastructure — all systems run on infrastructure owned and operated by SCRTY B.V. in European data centres. No reliance on US-based hyperscalers.
• CIS-hardened systems — all servers are hardened according to CIS Benchmarks with automated compliance checks.
• Encryption in transit — all traffic is encrypted with TLS 1.2+ between clients and our services, and between internal components.
• Encryption at rest — all data at rest is encrypted using AES-256.
• Network segmentation — production systems are isolated from development and management networks with strict firewall rules.
• Automated patching — operating systems and dependencies are patched on a regular cadence, with critical vulnerabilities addressed within 24 hours.
• SIEM monitoring — all infrastructure and application logs are aggregated in a central SIEM for real-time threat detection, alerting, and incident response.

Application Security

• Tenant isolation — each customer workspace is fully isolated with its own data boundary. No data leakage between tenants is possible.
• Role-based access control — fine-grained RBAC with entity-scoped permissions and hierarchy inheritance.
• Full audit trail — every create, update, and delete operation is logged with before/after values, user identity, and timestamp.
• SAST in CI/CD — static application security testing is integrated into our build pipeline to catch vulnerabilities before code reaches production.
• Input validation — all API inputs are validated using strict schemas. SQL injection, XSS, and other OWASP Top 10 risks are mitigated by design.
• Dependency scanning — automated vulnerability scanning of all third-party dependencies.

Access Control & Authentication

• SSO/OIDC support — customers can integrate with their identity provider (Keycloak, Okta, Azure AD, etc.) for single sign-on.
• Internal access — all SCRTY employees use SSO with mandatory multi-factor authentication (MFA) to access production systems.
• Principle of least privilege — access to production infrastructure is restricted to a minimal set of engineers and is logged and reviewed.
• No standing access — customer data is not accessed by SCRTY personnel unless explicitly requested for support, and all access is logged.

Standards & Frameworks

Our security programme is aligned with the following frameworks:

• ISO 27001 — information security management system alignment.
• CIS Benchmarks — infrastructure hardening baseline.
• OWASP Top 10 — application security risk mitigation.
• GDPR — data protection and privacy by design.
• NIS2 — network and information security compliance (EU Directive 2022/2555).

Responsible Disclosure

We value the work of security researchers and welcome responsible disclosure of vulnerabilities in Anzen or our infrastructure. If you have discovered a security issue, please report it to us so we can address it promptly.

How to report:

• Email your findings to security@scrty.nl.
• Include a clear description of the vulnerability and steps to reproduce.
• If possible, provide a proof of concept.

Our commitment:

• We will acknowledge your report within 2 business days.
• We will keep you informed of our progress and expected resolution timeline.
• We will not take legal action against researchers who act in good faith and follow this policy.
• We will credit you (if desired) when the issue is resolved.

We ask that you:

• Do not access, modify, or delete data belonging to other users or tenants.
• Do not perform denial-of-service attacks or degrade platform availability.
• Do not publicly disclose the vulnerability before we have had reasonable time to address it.
• Act in good faith and avoid privacy violations.

Contact

For security-related questions or to report a vulnerability, contact us at security@scrty.nl.