Security

    How we protect your data and our platform

    Our Commitment

    Security is at the core of everything we build. Anzen is a platform built for security teams - and we hold ourselves to the same standards we help our customers achieve. We operate under an ISO 27001-aligned information security management system and continuously improve our security posture.

    Infrastructure Security

    • EU-only, self-managed infrastructure - all systems run on infrastructure owned and operated by SCRTY B.V. in European data centres. No reliance on US-based hyperscalers.
    • CIS-hardened systems - all servers are hardened according to CIS Benchmarks with automated compliance checks.
    • Encryption in transit - all traffic is encrypted with TLS 1.2+ between clients and our services, and between internal components.
    • Encryption at rest - all data at rest is encrypted using AES-256.
    • Network segmentation - production systems are isolated from development and management networks with strict firewall rules.
    • Automated patching - operating systems and dependencies are patched on a regular cadence, with critical vulnerabilities addressed within 24 hours.
    • SIEM monitoring - all infrastructure and application logs are aggregated in a central SIEM for real-time threat detection, alerting, and incident response.

    Application Security

    • Tenant isolation - each customer workspace is fully isolated within its own data boundary, designed to prevent any access to another tenant's data.
    • Role-based access control - fine-grained RBAC in which permissions are scoped to individual entities and inherited down the entity hierarchy.
    • Full audit trail - every create, update, and delete operation is logged with before/after values, user identity, and timestamp.
    • SAST in CI/CD - static application security testing is integrated into our build pipeline to catch vulnerabilities before code reaches production.
    • Input validation - all API inputs are validated against strict schemas, mitigating SQL injection, XSS, and other OWASP Top 10 risks by design.
    • Dependency scanning - automated vulnerability scanning of all third-party dependencies.

    Access Control & Authentication

    • SSO/OIDC support - customers can integrate their own identity provider (Keycloak, Okta, Azure AD (now Microsoft Entra ID), etc.) for single sign-on via OpenID Connect.
    • Internal access - all SCRTY employees use SSO with mandatory multi-factor authentication (MFA) to access production systems.
    • Principle of least privilege - access to production infrastructure is restricted to a minimal set of engineers and is logged and reviewed.
    • No standing access - customer data is not accessed by SCRTY personnel unless explicitly requested for support, and all access is logged.

    Standards & Frameworks

    Our security programme is aligned with the following frameworks:

    • ISO 27001 - information security management system alignment.
    • CIS Benchmarks - infrastructure hardening baseline.
    • OWASP Top 10 - application security risk mitigation.
    • GDPR - data protection and privacy by design.
    • NIS2 - network and information security compliance (Directive (EU) 2022/2555).

    Responsible Disclosure

    We value the work of security researchers and welcome responsible disclosure of vulnerabilities in Anzen or our infrastructure. If you have discovered a security issue, please report it to us so we can address it promptly.

    How to report:

    • Email your findings to security@scrty.nl.
    • Include a clear description of the vulnerability and steps to reproduce.
    • If possible, provide a proof of concept.

    Our commitment:

    • We will acknowledge your report within 2 business days.
    • We will keep you informed of our progress and expected resolution timeline.
    • We will not take legal action against researchers who act in good faith and follow this policy.
    • We will credit you (if desired) when the issue is resolved.

    We ask that you:

    • Do not access, modify, or delete data belonging to other users or tenants.
    • Do not perform denial-of-service attacks or degrade platform availability.
    • Do not publicly disclose the vulnerability before we have had reasonable time to address it.
    • Act in good faith and avoid privacy violations.

    We do not currently operate a bug bounty programme. We appreciate every report and will acknowledge your contribution, but no monetary rewards are guaranteed at this time.

    Contact

    For security-related questions or to report a vulnerability, contact us at security@scrty.nl.