Trust Center
Compliance
ISO 27001:2022
International standard for information security management systems.
Digital Operational Resilience Act (EU)
EU regulation focusing on ensuring the digital operational resilience of the financial sector.
General Data Protection Regulation (EU)
EU law concerning data privacy and protection for individuals within the EU and the EEA.
Artificial Intelligence Act (EU)
European Union regulation concerning artificial intelligence (AI).
California Consumer Privacy Act (US)
Data privacy law enacted in California.
SOC 2 Type II (Attestation in progress, Est. Q2 2026)
SOC 2 is a compliance framework used to evaluate an organization’s information security practices.
Data collected
Resources
Subprocessors
Aginion Private Cloud & AI
Public Cloud Services
Public AI Services
Website aginion.com
Controls
Access Management
Network & Infrastructure Security
Operational Resilience
Organizational Governance
AI Governance
Frequently Asked Questions
Where can I find information about Aginion's uptime and downtimes?
We publish information about outages on a dedicated Status Page.
Where are Aginion's servers located?
Aginion’s servers are located exclusively in the country of Luxembourg (EU), at multiple Tier IV datacenter facilities.
Does Aginion store any customer data outside the EU?
For our Private Cloud products, we do not use any subprocessors, inside or outside of the EU. All data is stored in datacenters in Luxembourg.
For other services, data is stored depending on the specific service agreement between Aginion and the customer.
Does Aginion provide DORA contract amendments?
Aginion provides DORA-compliant contract amendments for ICT services classified as non-critical/not important, as well as critical/important.
Please contact compliance@aginion.com for details.
Does Aginion use customer data to train AI models?
Only if this is specifically agreed with the customer and only for training the customer’s private AI model on their own data.
What is the Recovery Point Objective and Recovery Time Objective for backup of customer data?
Both RPO and RTO, together with other parameters, are subject to individual backup agreements between Aginion and each customer.
Does Aginion conduct penetration tests?
Aginion engages trusted penetration testing consulting firms at least annually.
All areas of the Aginion products and Private Cloud infrastructure are in scope for these assessments, and source code is fully available to the testers to maximize effectiveness and coverage.
How does Aginion handle secrets?
Encryption keys are stored in Hardware Security Modules (HSMs), which prevents direct access by any individuals, including employees of Aginion. The keys stored in HSMs are used for encryption and decryption via the APIs of the Virtualization Platform used by Aginion.
Application secrets are encrypted and stored securely in a software secret manager (HashiCorp Vault), and access to these values is strictly limited.
Can I obtain copies of Aginion's internal policies?
Aginion’s policies and standards are internal confidential information that we share with our customers only on individual request. Our policies and procedures are attested to periodically by multiple independent third-party auditors as part of our SOC 2 and ISO 27001 audits. For details on specific processes and policies in place, please contact compliance@aginion.com.
Has Aginion experienced any material data breach or cyber security incident in the past 5 years?
There have been no reportable incidents requiring customer notification. If that ever changes, we will notify affected customers without undue delay per contract and law.
Certificates and Reports
ISO/IEC 27001:2022 Certificate
The scope of the ISO/IEC 27001:2022 certification covers all elements of the IT infrastructure and ICT customer services of the entities Aginion SA and Aginion Luxembourg.
ISO/IEC 27001:2022 Statement of Applicability
The Statement of Applicability lists all controls applicable under Aginion’s ISO/IEC 27001:2022 Information Security Management System (ISMS), indicating their implementation status and justification for inclusion or exclusion.
Penetration Testing Report
The report summarizes the methodology, scope, and results of recent internal and external penetration tests performed on Aginion’s infrastructure and services.
SOC 2 Type 2 Report
The latest SOC 2 Type 2 Report will be published here once it becomes available (Q2 2026).
Contract Addendums
Data Processing Addendum
The DPA defines Aginion’s commitments and responsibilities as a data processor under GDPR, outlining data handling, security, and confidentiality measures for customer and end-user information.
DORA Contract Amendments
These amendments address contractual provisions required under the EU Digital Operational Resilience Act (DORA), ensuring that customer agreements reflect Aginion’s obligations regarding ICT risk management, reporting, and resilience.
Policies
Disaster Recovery and Business Continuity Policy
This policy describes Aginion’s approach to maintaining critical operations during disruptive events, including recovery objectives, backup strategies, testing schedules, and roles and responsibilities.
Incident Response Policy
The policy defines how Aginion detects, reports, and responds to security incidents, covering roles, escalation procedures, and post-incident review requirements to ensure timely and effective remediation.
DORA Compliance Policy
This policy outlines Aginion’s framework for compliance with the EU Digital Operational Resilience Act (DORA), detailing governance, risk management, testing, and reporting measures applicable to ICT services.
GDPR Compliance Policy
The policy explains Aginion’s data protection principles and operational controls for compliance with the General Data Protection Regulation (GDPR), including lawful processing, data subject rights, and retention practices.
CCPA Compliance Policy
This policy sets out Aginion’s approach to meeting obligations under the California Consumer Privacy Act (CCPA), describing data categories collected, rights of California residents, and procedures for data requests.
AI Act Compliance Policy
The policy details Aginion’s governance approach to Artificial Intelligence under the EU AI Act, including system classification, risk management, documentation, and transparency requirements for AI-based services.
Our security program is built on a layered approach and based on ISO 27001, DORA and the EU AI Act, combining technical safeguards, organizational governance and operational processes.
Access Management Controls
Role-Based Access Control
Access to systems and data is granted based on job role and verified business need.
Controlled Access Requests
All access requests require documented approval from management before provisioning.
Multi-Factor Authentication (MFA)
Remote access to production systems requires MFA for authorized personnel.
Unique Credentials
All accounts use unique usernames and strong authentication mechanisms, such as hardware tokens or SSH keys.
Production Network Access Restrictions
Privileged access to production networks is limited to authorized users only.
Secure Authentication for Data Access
Production datastore access requires secure, unique authentication methods.
Firewall Access Control
Firewall administration is restricted to authorized personnel with a business need.
Data Center Physical Access
Physical access is granted, changed, or revoked based on documented authorization and is reviewed quarterly.
Data Protection & Privacy Controls
Data Backups
Regular backups of production data are stored in separate, secure locations.
Real-Time Data Replication
Data is replicated to a secondary data center with automated failure alerts.
Encryption at Rest
Sensitive customer data is encrypted in storage.
Encrypted Remote Access
All remote connections use approved encryption protocols.
Segregation of Production Data
Confidential or sensitive customer data is not used in non-production environments.
Secure Asset Disposal
Electronic media containing confidential data is securely erased or destroyed, with certificates issued.
Third-Party Confidentiality
Vendors, contractors, and employees are bound by confidentiality agreements.
Network & Infrastructure Security Controls
Segregated Virtual Environments
Each customer’s virtual environment is isolated from other tenants and unauthorized users.
Network Segmentation
The network is segmented to restrict access to sensitive data and limit lateral movement.
Infrastructure Monitoring
Continuous monitoring tools track system health, performance, and security thresholds.
Vulnerability Scanning
Network- and host-based vulnerability scans are conducted daily, with critical issues tracked to remediation.
Patch Management
Systems are regularly patched as part of scheduled maintenance and in response to identified vulnerabilities, ensuring they remain hardened against emerging threats.
Configuration Management
Standardized processes ensure consistent, secure deployment of system configurations.
Capacity Management
System capacity is regularly reviewed and adjusted to meet operational demands.
Operational Resilience Controls
Business Continuity & Disaster Recovery
Documented BC/DR plans are tested quarterly and designed for multi-site failover.
Multi-Availability Zone Deployment
Production environments are hosted across multiple locations for redundancy.
Incident Response Program
Documented policies and procedures guide detection, response, and communication; tested twice annually.
Resilience Testing Program
Annual ICT resilience testing covers network, systems, and critical services, proportionate to operational complexity.
Scenario-Based Testing
Severe but plausible disruption scenarios are tested to validate recovery capabilities.
Third-Party Testing Coordination
Where feasible, resilience testing is coordinated with critical third-party providers.
Defined Recovery Objectives
BC/DR plans specify maximum tolerable downtime (MTD) and recovery time objectives (RTO) for all critical services.
Cross-Border Continuity Planning
Plans account for multi-jurisdictional regulatory requirements where applicable.
Secure Development Lifecycle (SDLC)
A formal methodology governs system development, changes, and maintenance.
Monitoring, Detection and Response Controls
Log Management
Centralized log management is used to capture, retain, and analyze system events that could impact security, with alerts generated for potential threats.
Incident Management
Security and privacy incidents are logged, tracked, and resolved in line with documented incident response procedures, with notifications provided to relevant parties as required.
Incident Classification
Security and privacy incidents are logged, tracked, and resolved in line with documented incident response procedures, with notifications provided to relevant parties as required.
Regulatory Reporting Readiness
Processes ensure major ICT incidents can be reported to regulators within mandated timelines.
Root Cause Analysis
Major incidents undergo formal analysis with tracked remediation actions.
Threat Intelligence Integration
Cyber threat intelligence is actively collected and applied to enhance defenses.
Industry Information Sharing
Aginion participates in trusted industry sharing initiatives to exchange threat and vulnerability data.
Retention of Incident & Test Records
Detailed records of incidents, testing, and remediation are maintained for regulatory review.
Audit Trails
Detailed records of incidents, testing, and remediation are maintained for regulatory review.
Organizational Governance Controls
Security Policies
Information security policies are documented, communicated, and reviewed at least twice annually.
Defined Roles & Responsibilities
Security responsibilities are assigned in job descriptions and policy documents.
Vendor Management
A formal program maintains a vetted inventory of critical vendors, with quarterly reviews and security requirements.
ICT Risk Identification & Assessment
A documented framework identifies, assesses, and monitors ICT risks on an ongoing basis, updated after significant changes.
ICT Risk Appetite & Tolerance
Risk tolerance levels are defined by senior management and reviewed annually.
Management Risk Oversight
The Board and senior leadership review ICT risk reports, incident trends, and test results regularly.
Critical Third-Party Identification
The Board and senior leadership review ICT risk reports, incident trends, and test results regularly.
Exit & Substitution Strategies
Plans are in place for replacing critical providers without service disruption.
Contractual DORA Clauses
Provider contracts include clauses covering security, performance, audit rights, and regulatory cooperation.
Security Awareness Training
Employees complete security training within 14 days of hire and on a continuous basis thereafter.
Cloud Officer (CSSF 25/882)
A Cloud Officer is formally appointed to oversee compliance with CSSF Circular 25/882 and DORA requirements for ICT third-party services.
Background Checks
All new employees undergo background screening prior to hire.
Whistleblower Policy
An anonymous reporting channel supports the safe disclosure of security or compliance concerns.
Service Descriptions
Clear product and service details are available to both internal and external stakeholders.
Support Channels
An external-facing system allows users to report issues, incidents, or concerns to appropriate personnel.
AI Governance & Risk Management
AI System Inventory & Classification
We maintain an up-to-date register of all AI systems, including their risk classification under the EU AI Act.
AI Lifecycle Risk Management
AI systems are subject to continuous risk assessment and mitigation across their full lifecycle, from development to retirement.
AI Quality Management System
A formal quality management system ensures AI systems are developed, tested, and deployed according to documented processes and standards.
AI System Documentation
High-risk and general-purpose AI systems include clear documentation on intended use, limitations, human oversight measures, and data sources.
Data Quality & Bias Mitigation
Training, validation, and testing datasets are reviewed for accuracy, completeness, and bias, with measures in place to address discriminatory outcomes.
Human-in-the-Loop Oversight
High-risk AI systems are designed with mechanisms to allow effective human intervention and control.
System Accuracy & Resilience
AI systems undergo ongoing performance, robustness, and cybersecurity testing to ensure safe and reliable operation.
High-Risk AI Conformity Assessment
Before deployment, high-risk AI systems undergo conformity assessment, are CE marked, and are registered in the EU AI database as required.
Post-Market Monitoring
AI system performance is continuously monitored after deployment, with corrective actions taken where necessary.
Incident Reporting
Serious AI incidents or malfunctions are reported promptly to competent authorities, in line with regulatory requirements.
Code of Practice Participation
For general-purpose AI models, we follow voluntary EU Codes of Practice to enhance transparency, safety-by-design, and responsible data sourcing.
Access & Authentication
How does Aginion manage remote access to data?
We use hardened, encrypted channels (VPN/Zero-Trust), MFA, device posture checks, and least-privilege jump access. Remote support follows GDPR-compliant workflows (customer consent/notification, purpose limitation, session scoping, and, where appropriate, audit logs or recordings).
Does Aginion store any customer data outside the EU?
For our Private Cloud products, we do not use any subprocessors, inside or outside of the EU. All data is stored in datacenters in Luxembourg.
For other services, data is stored depending on the specific service agreement between Aginion and the customer.
Who will have access to the stored data and which access management policies ensure safe access?
Only cleared personnel with a business need. Access is role-based (RBAC), approved via joiner-mover-leaver (JML) workflow, reviewed regularly, and logged. Admin actions require MFA and, for sensitive operations, dual control.
Does Aginion require multi-factor authentication on all enterprise applications and production systems?
Yes. MFA is enforced across enterprise apps, admin interfaces, remote access, and production systems. We prefer phishing-resistant methods wherever feasible.
What is Aginion’s password policy?
Strong unique passphrases, minimum length and complexity, no reuse, password manager use, MFA required. Rotations are risk-based (e.g., on compromise or role change) rather than calendar-based.
How does Aginion manage personnel access to systems?
Through a documented JML process: role-appropriate provisioning on join, privilege adjustments on role change, prompt deprovisioning on exit, and periodic access reviews.
Describe the controls surrounding the logging of access to confidential and/or personally identifiable information.
Access and admin actions are centrally logged with timestamps, user/context, and outcome. Logs are integrity-protected, time-synchronized, retained per policy, and monitored; privileged and PII-access events receive heightened scrutiny and periodic review.
How does Aginion handle secrets?
Encryption keys are stored in Hardware Security Modules (HSMs), which prevents direct access by any individuals, including employees of Aginion. The keys stored in HSMs are used for encryption and decryption via the APIs of the Virtualization Platform used by Aginion.
Application secrets are encrypted and stored securely in a software secret manager (Hashicorp Vault), and access to these values is strictly limited.
Legal, Privacy & Compliance
Where are Aginion's servers located?
Aginion’s servers are located exclusively in the country of Luxembourg (EU), at multiple Tier IV datacenter facilities.
Does Aginion have a process or policy around lawful access requests?
Yes. We require a valid, binding request, review it with counsel, limit scope to the minimum necessary, and — unless legally restricted — notify affected customers before disclosure.
Does Aginion provide DORA contract amendments?
Aginion provides DORA-compliant contract amendments for ICT services classified as non-critical/not important, as well as critical/important.
Please contact compliance@aginion.com for details.
Does Aginion abide by GDPR and CCPA?
Yes. We operate under GDPR as baseline, map controls to CCPA requirements, execute DPAs/Standard Contractual Clauses where needed, and do not “sell” personal data.
Does Aginion have a Privacy Policy?
Yes. Our Privacy Notice explains what we collect, why, legal bases, rights, retention, and contact points for DSRs.
Will any third parties have access to my data?
Only approved sub-processors necessary to deliver the service (EU/EEA preferred). Each is under a DPA, security due-diligence, and least-privilege access.
Is Aginion a regulated entity?
Aginion itself is not a financial or critical-infrastructure regulated entity. We align our controls to support regulated customers (e.g., DORA, CSSF 22/806) and ISO 27001.
Does Aginion use customer data to train AI models?
Only if this is specifically agreed with the customer and only for training the customer’s private AI model on their own data.
Business Continuity, Backup & Recovery
Where can I find information about Aginion's uptime and downtimes?
We publish information about outages on a dedicated Status Page.
What were the results of Aginion’s most recent Business Continuity Plan test, and did the results impact obligations?
We conduct regular BCP/DR exercises. Our most recent 2025 DR exercise validated failover of virtual workloads to our Disaster Recovery environment; target RTO/RPO were met and there was no impact to customer commitments. Summary reports are available on request.
How does Aginion securely back up all production data?
Encrypted backups and snapshot replication with tiered retention and integrity checks. Backups are isolated from primary credentials and undergo periodic restore tests.
How is data recovered in case of loss?
We follow runbooks: verify incident, choose point-in-time snapshot, restore in production or recover in disaster recovery environment, validate integrity, and execute post-recovery reviews before cut-back.
What is the Recovery Point Objective and Recovery Time Objective for backup of customer data?
Both RPO and RTO, together with other parameters, are subject to individual backup agreements between Aginion and each customer.
Incident Management & Communications
How does Aginion inform customers about security issues?
Through our designated security channels (email advisories and, where applicable, portal/SLA contact). We provide timelines, scope, mitigations, and required customer actions.
How are incidents reported?
Customers can report via the security contact listed in the contract/SLA (email/portal/hotline). We acknowledge, triage, contain, eradicate, recover, and keep you updated per our IR plan.
What is Aginion doing to prevent breaches?
Layered security: least-privilege access, MFA, secure configuration, endpoint protection, patch and vulnerability management, change control, logging/SIEM, threat intelligence, security training, and regular testing (BCP/DR and, as applicable, pen tests).
Does Aginion have an Incident Response Plan?
Yes. We maintain an ISO 27001- and DORA-aligned IR policy and playbooks (detection → triage → containment → eradication → recovery → lessons learned), with defined roles and communication flows.
Is there a point of contact available to customers/clients 24/7/365 to report security incidents?
Managed customers have an on-call contact as defined in their SLA; 24×7 availability is provided where contracted.
Does Aginion maintain an incident report log?
Yes. All incidents are recorded with timeline, impact, actions, and outcomes; we review trends for continual improvement.
Change, Vulnerability & Patch Management
Are all changes approved and documented? Describe Aginion’s change management process.
Yes. We follow an ITIL-style process:
- Standard changes: pre-approved, low-risk catalog.
- Normal changes: risk assessed, documented, and approved (CAB where needed).
- Emergency changes: expedited to restore service, with mandatory post-implementation review.
How often does Aginion scan its environment for vulnerabilities?
Automated continuous monitoring for internet-facing assets; authenticated internal scans at least daily and after material changes; findings are tracked to remediation.
How frequently does patching take place?
Risk-based SLAs: critical patches targeted within hours (often <8), high within 24 hours, others in scheduled maintenance windows; out-of-band patching for actively exploited issues.
Does Aginion conduct penetration tests?
Aginion engages trusted penetration testing consulting firms at least annually. Our current preferred penetration testing partner is Desert Sentinel, one of the leading experts in Private Cloud security.
All areas of the Aginion products and Private Cloud infrastructure are in scope for these assessments, and source code is fully available to the testers to maximize effectiveness and coverage.
Yes. We provide full support for both Microsoft 365 and Google Workspace — including setup, migration, user management, licensing, and security.
People, Training & Contracts
Does Aginion provide information security awareness training?
Yes. Mandatory onboarding and recurring training cover safe data handling, password/MFA hygiene, phishing, secure remote work, GDPR basics, and incident reporting.
Do Aginion’s contracts with employees and freelancers obligate them to adhere to Aginion’s policies, including information security policies?
Yes. Employment and contractor agreements require compliance with our security and confidentiality policies.
Are all workers with access to confidential information bound by a confidentiality agreement?
Yes. NDAs/confidentiality obligations apply to employees, contractors, and consultants.
Organization & Governance
Has Aginion designated a Cloud Officer in accordance with CSSF 25/882?
Yes. Aginion has appointed a Cloud Officer responsible for compliance with CSSF 25/882 and DORA, overseeing cloud governance, third-party due diligence, and the register of ICT services. Currently the position of Cloud Officer is held by Benjamin Reiter.
Has a qualified individual been designated as a Chief Information Security Officer (CISO) to oversee cybersecurity?
Yes. Aginion assigns a designated security lead (CISO function/Information Security Manager) accountable for our ISMS, risk management, and cybersecurity program. Currently the position of CISO is held by Vuk Kadija.
Is the ownership structure of Aginion private or public?
Aginion is privately held and controlled by its founder.
How long has the company been in business?
Details regarding our history are outlined here.
