Built for Regulatory Compliance
Attensus is designed from the ground up to support the compliance obligations of regulated industries operating under EU and international frameworks — from NIS2 and DORA to ISO 28000 and SOC 2.
Regulatory framework alignment
How Attensus maps to the compliance obligations your organization faces.
NIS2 Directive
EU Network and Information Security
Design-Aligned
The NIS2 Directive (Directive (EU) 2022/2555) expands the scope of the original NIS Directive, requiring operators of essential services and important entities to implement robust supply chain security measures, establish incident response processes, and maintain documentation sufficient for competent authority review.
How Attensus supports NIS2 compliance:
- Structured supplier risk assessments with documented rationale, supporting Article 21 security measures
- Incident logging with response timeline, action owner, and resolution evidence for Article 23 incident reporting
- Multi-tier dependency mapping to identify and document supply chain attack surface
- Exportable evidence packages formatted for regulatory submissions and authority reviews
- Audit trail of all risk management decisions — timestamped and immutable
DORA
Digital Operational Resilience Act
Design-Aligned
DORA (Regulation (EU) 2022/2554), applicable from January 2025, mandates that financial entities maintain a comprehensive ICT third-party risk register, conduct concentration risk assessments, perform scenario-based resilience testing, and document contractual arrangements with ICT third-party service providers.
How Attensus supports DORA compliance:
- ICT third-party risk register with structured fields for each supplier relationship — directly maps to DORA Article 28 requirements
- Concentration risk analysis automatically flags single-source dependencies and geographic clustering — core DORA Chapter V obligations
- Operational continuity planning tools: document backup suppliers, capacity percentages, and activation triggers
- Scenario-based impact assessments: simulate supplier failure to quantify downstream exposure
- Contractual arrangement tracking: record SLAs, notice periods, exit strategies per supplier
ISO 28000:2022
Supply Chain Security Management Systems
Design-Aligned
ISO 28000:2022 specifies requirements for a security management system specific to the supply chain. It follows the ISO High Level Structure, aligning with ISO 9001 and ISO 14001, and requires organizations to establish, implement, maintain, and continually improve a supply chain security management system.
How Attensus supports ISO 28000 implementation:
- Multi-tier dependency mapping provides the foundational network context required for ISO 28000 threat and risk assessments
- Structured risk identification and evaluation workflow per supplier and node — supports Clause 6 risk assessment requirements
- Documented incident management with corrective action tracking — supports Clause 10 improvement obligations
- Coverage matrix demonstrates the organization's current security posture across the supply chain
- Export capability supports internal audit evidence requirements and management review documentation
ISO 31000:2018
Risk Management
Design-Aligned
ISO 31000:2018 provides principles, a framework, and a process for managing risk. It is applicable to any organization regardless of type, size, activity, or sector, and defines a continuous risk management cycle: establish context, identify, analyze, evaluate, treat, monitor, and review.
How Attensus operationalizes ISO 31000:
- Risk identification: automatic detection of single-source dependencies, geographic concentrations, and supplier health signals
- Risk analysis: downstream impact assessment shows consequence of each identified risk materializing
- Risk evaluation: coverage matrix provides structured risk prioritization across the portfolio
- Risk treatment: action tracking with owner assignment, due dates, and progress monitoring
- Monitoring and review: continuous supplier risk signals and trend reporting over time
SOC 2 Type II Roadmap
In Progress — Target Q4 2026
We are committed to achieving SOC 2 Type II certification. Below is our transparent roadmap. We are not claiming certification — we are showing our path to it.
Controls documentation
Complete
All security controls across the five Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) have been identified, documented, and assigned control owners.
Controls implementation
Complete
Technical controls are implemented: access management, encryption at rest and in transit, audit logging, incident response procedures, change management, and vulnerability management.
Internal audit and gap assessment
In Progress
Internal review of controls effectiveness against SOC 2 criteria. Identifying and remediating any gaps prior to third-party assessment.
Readiness assessment by third-party firm
Planned — Q2 2026
Engagement of a qualified CPA firm for a pre-audit readiness review. Results will inform any final remediation before the formal audit period begins.
SOC 2 Type II audit period
Planned — Q3 2026
Six-month observation period during which the auditor reviews evidence of controls operating effectively. The observation window covers all five Trust Services Criteria.
SOC 2 Type II report issued
Target — Q4 2026
Upon successful completion of the audit, the SOC 2 Type II report will be issued by our third-party CPA firm and made available to customers under NDA upon request.
GDPR Compliance
Active
Attensus processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679. Our commitments to data subjects and controllers are described below.
Data residency
When deployed on an EU Supabase project, all customer data remains within EU data center regions. We do not transfer personal data outside the EU/EEA without appropriate safeguards in place. Enterprise customers can request confirmation of their data region in writing.
Data processing agreements
We execute Data Processing Agreements (DPAs) with all enterprise customers. Our DPA covers the obligations of Attensus as a data processor under GDPR Article 28, including processing purpose, data categories, sub-processor lists, and security obligations.
Right to erasure
A right-to-erasure endpoint exists in our API. Customers can submit deletion requests for their organization's data, which are processed within 30 days. Anonymized aggregate analytics data may be retained per our retention policy.
Retention and deletion
Customer data is retained for the duration of the subscription plus a 30-day grace period. Backups are purged within 90 days of account deletion. Enterprise customers can negotiate custom retention periods.
Sub-processor disclosure
We maintain a current list of sub-processors, including Vercel (hosting/CDN), Supabase (database and auth), and Resend (transactional email). Customers are notified of material sub-processor changes with 30 days' notice.
Breach notification
In the event of a personal data breach, we will notify affected customers within 72 hours of becoming aware of the breach as required by GDPR Article 33, including the nature of the breach, likely consequences, and measures taken.
Data residency
Where your data lives — and how to ensure it stays in your preferred region.
Attensus is built on Supabase, which offers project deployment in multiple regions including EU-West (Ireland) and EU-Central (Frankfurt). When your organization is provisioned on an EU Supabase project, all database content — supplier records, risk assessments, incident logs, user data — is stored exclusively in that EU region.
The Attensus application layer is deployed on Vercel, which uses a global CDN for static assets. Dynamic API routes are deployed in the region closest to your Supabase database for performance. Enterprise customers requiring strict data residency can request regional API routing configuration as part of their onboarding.
Penetration testing
Independent validation of our security controls.
Attensus commissions annual penetration tests conducted by an independent third-party security firm. These tests cover the application layer (web application penetration test), the API surface, and authentication and authorization controls.
Executive summaries of penetration test results are available to enterprise customers under NDA upon request. Identified findings are tracked to remediation, and re-testing is conducted to verify fixes.
The current penetration test report covers the 2025 assessment. The 2026 test is scheduled for Q2 2026. Contact security@attensus.com to request a copy of the executive summary.
Export controls
Attensus technology and data handling in the context of export control regulations.
Attensus is a supply chain risk management SaaS platform. The software itself is classified as EAR99 under US Export Administration Regulations and is not subject to export licensing requirements for most destinations. We do not process or store controlled technical data (ITAR/EAR controlled) as part of our standard service.
Enterprise customers operating in defense, aerospace, or other export-controlled industries should review their own obligations regarding controlled technical data before uploading supplier information to any cloud platform. We recommend customers in these sectors contact security@attensus.com to discuss deployment options, including private deployment configurations.
Attensus does not knowingly provide services to entities on OFAC Specially Designated Nationals lists, the BIS Entity List, or equivalent EU restrictive measures lists. New enterprise accounts include a sanctions screening step.
Need a compliance package for your procurement team?
Our security whitepaper, DPA template, and compliance mapping document are available to enterprise teams on request. Talk to our team to get started.
The security whitepaper is provided as a PDF on request via security@attensus.com.