EU Cloud Code of Conduct — Self-Attestation
What this document is. PortalPilot's structured self-assessment of how the PortalPilot SaaS service, operated by NordScope, maps to the publicly published EU Cloud Code of Conduct framework (five Code sections plus the Annex A Controls Catalogue; EDPB-approved May 2021 via Belgian Data Protection Authority decision n° 05/2021; the official framework text is the reference). The narrative below is anchored in published artefacts at portalpilot.io (Privacy Policy, Data Processing Addendum, Security page, Terms of Service) and in the operational practices that produce them.
What this document is not. A monitoring-body-validated declaration. PortalPilot has not submitted to SCOPE Europe (the Code's appointed Monitoring Body), is not listed on the public EU Cloud CoC register, and is not "declared" or "adherent" in the formal sense those terms carry under the Code's monitoring procedures. NordScope's roadmap to a Declaration of Adherence is documented as Phase 2 of this compliance programme, contingent on enterprise-customer demand and an annual cost-vs-benefit reassessment; the substantive content of this self-attestation is the same evidence base on which a Phase 2 submission would draw.
§3 Scope
What this self-attestation declares. The PortalPilot SaaS service operated by NordScope, a Finnish sole trader (toiminimi) registered with PRH (Patentti- ja rekisterihallitus, the Finnish Patent and Registration Office); Y-tunnus 3148476-5, registered office Finland; owner-operator Peter Sterkenburg. Single-service scope, aligned with the ISMS scope statement. This self-attestation does not cover NordScope as a whole, auxiliary marketing infrastructure, or NordScope's other product surfaces.
Service description. PortalPilot is a B2B SaaS that connects to a customer's HubSpot CRM portal via OAuth, performs read-mostly diagnostics on portal metadata and aggregate statistics, and surfaces recommendations to improve CRM data quality and operational health. The service runs on a single self-hosted Hetzner Cloud server in Finland (EU); all customer-personal-data processing occurs within the EU data plane. The service is delivered as Software-as-a-Service (SaaS), the relevant Cloud Service category in the Code's terminology (cite the Code's Terminology and Scope sections).
Roles. NordScope, operating the PortalPilot service, is a Processor; PortalPilot's Customers are Controllers of the personal data they entrust to the service via their HubSpot portals. NordScope is the Data Controller for the personal data that account holders provide directly to the PortalPilot service (account email addresses, payment transaction records). See Privacy Policy §1 (data controller) and DPA §1 (definitions) and §2 (roles). As a sole trader, NordScope's owner-operator is personally accountable for the obligations under this attestation; there is no corporate veil to defer to.
Personal data categories. The categories of Customer Personal Data processed within the scope of this self-attestation are enumerated in DPA Annex I:
- Account-holder and team-member email addresses and names
- Authentication data (OAuth tokens, encrypted at rest with AES-256-GCM; session identifiers)
- HubSpot portal metadata (property definitions, not individual records)
- Aggregated analysis scores, health metrics, and recommendations
- Payment transaction records (processed by Mollie; card details are not stored by NordScope)
- Audit log entries (user actions, timestamps, IP addresses)
The categories of data subjects are: Customer users (account holders), Team members (collaborators), and — incidentally — HubSpot portal contacts whose metadata (counts, property definitions, not individual records) is processed during analysis (cite DPA Annex I, Categories of data subjects).
Sub-processor chain. PortalPilot is the sole contracting entity towards Customers (see the Code's Scope section). Sub-processors used to deliver the service are listed in DPA §4.1, with a clause guaranteeing Customers 30 days' advance notice of changes and a 14-day objection window.
This self-attestation is service-scoped to PortalPilot SaaS; the framework's Scope section establishes the perimeter of the assessment.
§4 Internal Governance
This section addresses the CSP's organisational requirements under the framework's Internal Governance section: roles, responsibilities, training, change management, and internal compliance posture.
NordScope as the CSP entity. NordScope is a Finnish sole trader (toiminimi), Y-tunnus 3148476-5, registered with PRH. Owner-operator: Peter Sterkenburg. Because NordScope is a sole trader rather than a corporation, there is no board of directors, no separate management layer, and no corporate veil. The owner-operator is the entity, both legally and operationally. This is a deliberate choice for a small B2B SaaS — it minimises governance overhead and concentrates accountability — but it also imposes unlimited personal liability on the owner, a fact disclosed transparently to procurement reviewers.
Roles & responsibilities. PortalPilot is founder-operated; no third-party contractors or external personnel have access to production systems or customer data (cite Security page). Operationally, the founder fulfils all roles defined in the ISMS scope: information-security owner, data-protection point of contact (per Code §5.9), incident response lead, and change-approval authority. Where occasional support contractors are engaged (e.g., one-off design/copy contracts), they operate exclusively on non-production assets. Access to production follows the principle of least privilege (cite Security page, DPA §6 "Access control").
Training & awareness. Security awareness is maintained by the owner-operator through ongoing self-directed training, monitoring of EU regulatory developments (GDPR, NIS2, AI Act), and review of supplier security advisories (Hetzner, Mistral, Mollie, Lettermint, HubSpot). Confidentiality obligations apply to any personnel with data access (cite DPA Annex II "Personnel").
Change management. All non-trivial code and configuration changes flow through a structured workflow with documented requirements, design review, test-case authoring, and an implementation plan before any code lands. Every push runs through a quality gate covering type-checking, full test-suite execution, build verification, design-system linting, an audit pass, code review, and an AI-assisted second-opinion review. Database migrations and schema changes pass through a tiered safety review with explicit checklists for destructive operations. This change-management discipline is the operational equivalent of an ISMS change-control procedure (cross-mapped in the planned ISO 27001 alignment pack).
Internal compliance posture. This self-attestation is itself one element of NordScope's structured compliance posture. It is reviewed at least annually by the owner-operator (next review trigger documented in §7 Monitoring & Compliance). The wider posture comprises: (1) an ISO 27001:2022 Annex A control alignment pack (planned) covering the 93 Annex A controls; (2) a public Trust Center surface (planned) exposing this attestation and related artefacts; (3) a SIG-Lite procurement Q&A pre-fill (planned); (4) an automated cross-artefact compliance-consistency check preventing drift across compliance documents. The shipped portions of the posture are operative today; the planned elements will follow.
Business continuity for a sole-trader structure (transparency). A sole trader has no co-directors and no automatic succession in the corporate sense. Procurement reviewers should be aware of the resulting concentration risk, the mitigations currently in place, and the one acknowledged gap: (a) automated database backups every 6 hours, GPG-encrypted with AES-256, synced to off-server storage at a separate provider; (b) infrastructure-account credentials (Hetzner, Coolify, domain registrar, Supabase, Mollie, Lettermint, Mistral) recoverable via the registered business contact and PRH records; (c) no documented runbook for emergency takeover by a successor or transition partner exists yet; this is a known gap on the Phase-2 roadmap, and the annual review tracks its status. NordScope discloses the concentration risk rather than papering over it with a plan that does not exist.
§5 Data Protection
This section maps the substantive data-protection rights and obligations of NordScope as Processor under the framework Code §5, with cross-references to the existing Privacy Notice (Privacy Policy), Data Processing Addendum (DPA), and Terms (Terms of Service). It is the section procurement reviewers spend the most time in; the content here is therefore narrative rather than aspirational and is anchored in artefacts already shipped to portalpilot.io.
Lawful processing (GDPR Art. 6). PortalPilot processes Customer Personal Data on the following lawful bases (cite Privacy Policy §3 "Legal basis for processing"): Contract — Art. 6(1)(b) — for the analysis services delivered under the Cloud Services Agreement; Consent — Art. 6(1)(a) — for email marketing and optional analytics; Legitimate interest — Art. 6(1)(f) — for service improvement, security monitoring, and fraud prevention; Legal obligation — Art. 6(1)(c) — for tax and financial record-keeping. Processing is restricted to documented Customer instructions per GDPR Art. 28(3)(a), reflected in DPA §2 (Roles and responsibilities).
Data-subject rights (GDPR Art. 15–22). PortalPilot supports the full set of data-subject rights enumerated in GDPR Art. 15–22: access, rectification, erasure, restriction, portability, objection (cite Privacy Policy §7 "Your rights (GDPR)"). For Customer-initiated requests where NordScope acts as Processor, the DPA assistance SLA is 5 business days (cite DPA §6 "Data subject rights"). For requests where NordScope is the Controller (account-holder data), the request flow is published in the Privacy Notice with a contact at privacy@portalpilot.io. A self-service deletion path exists in the dashboard (account closure, portal disconnection).
Sub-processor management. PortalPilot's authorised sub-processors are listed in DPA §4.1: Hetzner Online GmbH (Germany; data processing in their Finland data centre), Mollie B.V. (payment processing, Netherlands), Mistral AI (AI-powered suggestions, France), Lettermint B.V. (transactional email delivery, Netherlands). All four are EU-headquartered legal entities; all data-plane processing occurs within the EEA. NordScope notifies Customers of any intended changes to sub-processors at least 30 days in advance (cite DPA §4.2), and Customers may object in writing within 14 days. If the objection cannot be accommodated, the Customer may terminate the service. HubSpot is not a sub-processor: PortalPilot accesses the Customer's own HubSpot portal via OAuth as the Customer's authorised integration on the Customer's instruction (cite DPA §4.3). PortalPilot does not determine the purposes or means of processing for the Customer's HubSpot data; the access is strictly governed by the OAuth scope chosen by the Customer at install time and by the documented instructions in the Cloud Services Agreement / DPA, in line with GDPR Art. 28(3)(a).
Personal data breach notification (GDPR Art. 33). In the event of a Personal Data breach affecting Customer data, NordScope notifies the Customer without undue delay and in any case within 72 hours of becoming aware (cite DPA §7, Security page "Incident response" section, Terms of Service §7 "Data processing agreement"). The notification includes the nature of the breach, affected data categories, likely consequences, and remedial measures. Internal procedures are documented in DPA Annex II "Incident management".
Data retention and deletion (GDPR Art. 5(1)(e), Art. 28(3)(g)). Default retention for Customer Personal Data is "Duration of service + 30 days" (cite DPA §9, Privacy Policy §5 "Data retention"). Backup copies age out on schedule within 90 days. Upon termination, all Personal Data is deleted within 30 days; Customers may request a certificate of deletion. Self-service deletion is available via the dashboard (account closure, portal disconnection) or by email to privacy@portalpilot.io.
Cross-border transfers (GDPR Art. 44–46). PortalPilot operates an EU-only data plane: Hetzner data centre in Finland for hosting and storage (sub-processor entity Hetzner Online GmbH, Germany), Mistral AI (Paris) for LLM inference, Mollie (Amsterdam) for payments, Lettermint (Zwolle) for email. No US infrastructure is in the data plane. Where the Customer's HubSpot portal is configured to use HubSpot's EU data hosting, API traffic between PortalPilot and the portal also stays within the EEA. For Customers whose HubSpot portal is US-hosted, the Customer's own portal API access is covered by the EU-US Data Privacy Framework as documented in Privacy Policy §11; PortalPilot does not perform additional transfers beyond the Customer-instructed API access, and does not independently verify the Customer's portal enrollment in the DPF — this remains the Customer's responsibility as Controller.
Supervisory authority (GDPR Art. 77). Customers and data subjects may lodge complaints with their local data protection authority. NordScope's lead supervisory authority is the Office of the Data Protection Ombudsman (Finland — tietosuoja.fi) (cite Privacy Policy, Security page).
HubSpot privacy-deletion propagation. PortalPilot honours HubSpot's contact.privacyDeletion webhook — when a Customer's HubSpot contact is privacy-deleted in the source portal, downstream PortalPilot data referencing that contact is purged. This implements the GDPR-aligned deletion propagation that procurement reviewers expect for any HubSpot integration.
Governing law. The Cloud Services Agreement is governed by Finnish law (cite Terms of Service). Disputes are resolved in Finnish courts, without prejudice to mandatory consumer-protection provisions in the data subject's country of residence.
§6 Security
This section maps to GDPR Art. 32 technical and organisational measures (TOMs) and to Code §6 (Security Requirements). The 13 security objectives in Code §6.2 align directly with ISO 27001:2022 Annex A control domains; cross-mapping for procurement reviewers will land in the ISO 27001 alignment pack (planned) (this attestation is one of its inputs). Detailed per-control narrative belongs in the Controls Catalogue self-attestation below.
Encryption. OAuth tokens used to access Customer HubSpot portals are encrypted at rest with AES-256-GCM, using PBKDF2 key derivation with 100,000 iterations and a random 16-byte salt per encryption operation. A legacy static-salt encryption path was fully retired in March 2026 with zero remaining tokens at retirement. Data in transit uses TLS 1.2 or higher. Database storage uses filesystem-level encryption. Database backups are GPG-encrypted (AES-256) before being synced off-server.
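A worked illustration of the token-encryption scheme described above, added here as an example; it is not PortalPilot's code, and the envelope layout (the "v2" and "v1" labels, dot-separated base64 fields, the 0x5a legacy salt) is assumed for the example. What it shows that the paragraph does not: the per-record salt and nonce are generated inside the encrypt call, the version label is bound into the GCM tag as associated data, decryption rejects tampering and wrong keys instead of returning garbage, and a migration can locate records still on a static-salt format by inspecting the envelope rather than trial-decrypting.

```typescript
// Added example, not PortalPilot's code. A versioned at-rest envelope for OAuth tokens:
// AES-256-GCM under a key derived by PBKDF2-HMAC-SHA256 (100,000 iterations) from a master
// secret and a fresh 16-byte salt per encryption, plus a detector for an assumed legacy
// static-salt format so such rows can be found and re-encrypted.
import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes } from "node:crypto";

const PBKDF2_ITERATIONS = 100000;
const SALT_BYTES = 16;
const IV_BYTES = 12;   // 96-bit nonce, the recommended size for GCM
const TAG_BYTES = 16;  // 128-bit authentication tag
const CURRENT_VERSION = "v2";  // assumed label; the page names no envelope format
// Assumed legacy scheme: the same salt for every row, so one offline PBKDF2 pass attacks
// every token at once instead of one at a time. The "v1" label is also an assumption.
export const LEGACY_STATIC_SALT = Buffer.alloc(SALT_BYTES, 0x5a);

function deriveKey(masterSecret: string, salt: Buffer): Buffer {
  return pbkdf2Sync(masterSecret, salt, PBKDF2_ITERATIONS, 32, "sha256");
}

export function encryptToken(plaintext: string, masterSecret: string): string {
  const salt = randomBytes(SALT_BYTES);  // fresh per call: equal plaintexts never share a key
  const iv = randomBytes(IV_BYTES);      // fresh per call: an IV is never reused under one key
  const cipher = createCipheriv("aes-256-gcm", deriveKey(masterSecret, salt), iv);
  cipher.setAAD(Buffer.from(CURRENT_VERSION));  // version label is authenticated, not just stored
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const body = Buffer.concat([ciphertext, cipher.getAuthTag()]);
  return [CURRENT_VERSION, salt.toString("base64"), iv.toString("base64"), body.toString("base64")].join(".");
}

export function decryptToken(envelope: string, masterSecret: string): string {
  const parts = envelope.split(".");
  if (parts.length !== 4) throw new Error("malformed envelope");
  const [version, saltB64, ivB64, bodyB64] = parts;
  if (version !== CURRENT_VERSION) throw new Error(`unsupported envelope version: ${version}`);
  const salt = Buffer.from(saltB64, "base64");
  const iv = Buffer.from(ivB64, "base64");
  const body = Buffer.from(bodyB64, "base64");
  if (salt.length !== SALT_BYTES || iv.length !== IV_BYTES || body.length < TAG_BYTES) {
    throw new Error("malformed envelope");
  }
  const ciphertext = body.subarray(0, body.length - TAG_BYTES);
  const tag = body.subarray(body.length - TAG_BYTES);
  const decipher = createDecipheriv("aes-256-gcm", deriveKey(masterSecret, salt), iv);
  decipher.setAAD(Buffer.from(version));
  decipher.setAuthTag(tag);
  // final() throws on tag mismatch, so a tampered body or a wrong key yields an error, never garbage.
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
}

// Retirement check for the assumed legacy format: "v1" rows carrying the shared salt.
export function isLegacyStaticSalt(envelope: string): boolean {
  const parts = envelope.split(".");
  if (parts.length !== 4 || parts[0] !== "v1") return false;
  return Buffer.from(parts[1], "base64").equals(LEGACY_STATIC_SALT);
}
```

One caveat on the design as stated: PBKDF2's iteration count defends a low-entropy secret. If the master secret is a random 256-bit value, HKDF with the per-record salt provides the same key separation at a fraction of the CPU cost per token, and 100,000 iterations on every token read becomes latency rather than security.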
Access control. All edge functions enforce JWT-based authentication. 35 edge functions additionally verify portal ownership through a shared authorisation check in the edge-function authentication middleware, ensuring an authenticated user can only access portals they own or have been granted team access to. Multi-factor authentication is available to account holders today as an optional TOTP (authenticator-app) second factor; a session that has completed the second factor carries the AAL2 assurance level, but AAL2 enforcement on privileged endpoints, although implemented and ready for rollout, is not yet wired into any privileged endpoint at the time of this attestation. The phased rollout (privileged-write endpoints first) is on the security roadmap. Until AAL2 enforcement lands, privileged operations are mitigated by: (a) JWT auth on every request, (b) portal-ownership verification, (c) token-bucket rate limiting across 7 operation classes, (d) 90-day audit logging on all writes, and (e) idempotency-key reuse detection. These controls limit the blast radius of a stolen session; they do not prevent its use the way a second factor would. Role-based access control within the application layer is documented on the Security page ("Authentication and access control").
Network security. A Hetzner Cloud-level firewall restricts ingress to ports 80/443 (frontend), 22 (SSH key-only authentication, IP-allowlisted from administrative networks), and the Coolify admin plane on a non-standard port. Docker network isolation separates Supabase services from the frontend Nginx container. DDoS protection is provided at the Hetzner network edge. A CORS allowlist plus strict CSP and HSTS headers are enforced at the edge-function tier.
Application security. Write operations to HubSpot portals are protected by an idempotency manager that prevents duplicate effects under client retries. Rate limiting is implemented as a token-bucket per (user, portal, operation type) tuple, sized for the expected workload across 7 operation classes (write, batch-write, analysis, read, etc.). All HubSpot writes are audit-logged to a 90-day-retention audit table. AI inputs are passed through a narrow multi-word prompt-injection blocklist plus a 2000-character truncation before submission to Mistral.
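The rate-limiting and idempotency controls described above, as an added example rather than PortalPilot's implementation. Four of the seven operation classes are modelled and the bucket sizes are assumptions; the clock is injected so the refill behaviour can be exercised deterministically. The idempotency store separates a harmless replay (same key, same payload) from a conflicting reuse (same key, different payload), which is the case worth raising as a security event.

```typescript
// Added example, not PortalPilot's code. A token bucket keyed by (user, portal, operation class)
// with an injected clock, and an idempotency store that distinguishes replay from conflicting reuse.
import { createHash } from "node:crypto";

export type OpClass = "read" | "analysis" | "write" | "batch-write";

// Assumed capacities: the page gives the class names, not the numbers.
const BUCKET_POLICY: Record<OpClass, { capacity: number; refillPerSec: number }> = {
  read: { capacity: 100, refillPerSec: 10 },
  analysis: { capacity: 10, refillPerSec: 0.5 },
  write: { capacity: 20, refillPerSec: 1 },
  "batch-write": { capacity: 5, refillPerSec: 0.1 },
};

interface Bucket { tokens: number; updatedAt: number; }

export class RateLimiter {
  private buckets = new Map<string, Bucket>();
  constructor(private now: () => number = () => Date.now()) {}

  // One bucket per tuple: a burst against portal A never drains the same user's budget on
  // portal B, and cheap reads never starve writes.
  tryAcquire(userId: string, portalId: string, op: OpClass): boolean {
    const policy = BUCKET_POLICY[op];
    const key = `${userId}|${portalId}|${op}`;
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b) { b = { tokens: policy.capacity, updatedAt: t }; this.buckets.set(key, b); }
    const elapsedSec = Math.max(0, (t - b.updatedAt) / 1000);  // clamp against clock skew
    b.tokens = Math.min(policy.capacity, b.tokens + elapsedSec * policy.refillPerSec);
    b.updatedAt = t;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

export type IdempotencyVerdict = "new" | "replay" | "conflict";

export class IdempotencyStore {
  private seen = new Map<string, string>();

  // Keys are scoped to (user, portal) so two tenants choosing the same key never collide.
  // "replay" is safe to answer from cache; "conflict" means the same key was reused with a
  // different payload, which should be refused and logged.
  check(userId: string, portalId: string, idempotencyKey: string, payload: string): IdempotencyVerdict {
    const scope = `${userId}|${portalId}|${idempotencyKey}`;
    const digest = createHash("sha256").update(payload).digest("hex");
    const prior = this.seen.get(scope);
    if (prior === undefined) { this.seen.set(scope, digest); return "new"; }
    return prior === digest ? "replay" : "conflict";
  }
}
```

In production both maps would live in the database rather than in process memory, since edge functions are short-lived; the keying and the verdict logic are what carry over.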
Logging & monitoring. Audit logs are retained for 90 days (cite Security page). Personal data appearing in logs is masked at write time. Authentication events, API rate-limit triggers, and idempotency-key reuse attempts are logged for security event monitoring. A public status page surfacing availability and incident timelines is planned at status.portalpilot.io.
Incident response. PortalPilot's incident response procedure is documented in DPA Annex II "Incident management". For Personal Data breaches, controllers are notified within 72 hours per GDPR Art. 33 (cross-reference §5 Data Protection above). Internal incident phases mirror the framework Code §5.13: detection → assessment → notification → containment → remediation → lessons-learned.
CI security pipelines. A continuous-integration quality workflow validates the codebase on every push: TypeScript type-check, full test suite, ESLint, design-system lint, edge-function safety assertions (no blocklisted Deno APIs), Docker-script allowlist enforcement, migration-RLS verification (every migration with CREATE TABLE must enable RLS), and the cross-artefact compliance-consistency check shipped with this workstream. A dedicated CI security workflow (additional dependency-scanning, secrets scanning, and SAST checks) is planned.
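An added example of the migration-RLS check named above (not PortalPilot's CI code), run over a constructed migration. Comments are stripped before matching so that a commented-out ALTER cannot satisfy the rule, identifiers are normalised to schema.name with quoted names keeping their case, and the result lists the tables created, the tables with RLS enabled, and the difference.

```typescript
// Added example, not PortalPilot's CI workflow. Lint a SQL migration so every CREATE TABLE is
// matched by ALTER TABLE ... ENABLE ROW LEVEL SECURITY in the same file.
const IDENT = '(?:"[^"]+"|[A-Za-z_][A-Za-z0-9_]*)(?:\\.(?:"[^"]+"|[A-Za-z_][A-Za-z0-9_]*))?';
const CREATE_TABLE_RE = new RegExp(
  "\\bcreate\\s+(?:unlogged\\s+)?table\\s+(?:if\\s+not\\s+exists\\s+)?(" + IDENT + ")", "gi");
const ENABLE_RLS_RE = new RegExp(
  "\\balter\\s+table\\s+(?:only\\s+)?(?:if\\s+exists\\s+)?(" + IDENT + ")\\s+enable\\s+row\\s+level\\s+security\\b", "gi");

// Remove /* ... */ and -- comments so a commented-out ALTER never counts as enabling RLS.
function stripSqlComments(sql: string): string {
  return sql.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/--[^\n]*/g, " ");
}

// "Public"."Foo" -> Public.Foo (quoted names keep case); foo -> public.foo (default schema).
// Quoted identifiers that themselves contain a dot are not handled by this lint.
function normaliseIdent(raw: string): string {
  const parts = raw.split(".").map(p => (p.charAt(0) === '"' ? p.slice(1, -1) : p.toLowerCase()));
  if (parts.length === 1) parts.unshift("public");
  return parts.join(".");
}

function captureAll(re: RegExp, text: string): string[] {
  const out: string[] = [];
  re.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) out.push(normaliseIdent(m[1]));
  return out;
}

export interface RlsLintResult { created: string[]; rlsEnabled: string[]; missing: string[]; }

export function lintMigrationRls(sql: string): RlsLintResult {
  const text = stripSqlComments(sql);
  const created = captureAll(CREATE_TABLE_RE, text);
  const rlsEnabled = captureAll(ENABLE_RLS_RE, text);
  const missing = created.filter(t => rlsEnabled.indexOf(t) === -1);
  return { created, rlsEnabled, missing };
}

// Constructed sample migration (not a PortalPilot file): the second table lacks RLS, and the
// ALTER that would have enabled it sits in a comment.
export const SAMPLE_MIGRATION = `
create table public.portal_tokens (
  id uuid primary key,
  user_id uuid not null references auth.users(id),
  ciphertext text not null
);
alter table public.portal_tokens enable row level security;

CREATE TABLE IF NOT EXISTS audit_log (id bigserial primary key, actor uuid, action text);
-- TODO: ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;

/* idempotency keys, one row per (user, portal, key) */
create table "IdempotencyKeys" ("key" text primary key, seen_at timestamptz not null);
alter table only "IdempotencyKeys" enable row level security;
`;

// CI would call this per migration file and fail the job when the list is non-empty.
export function sampleMissing(): string[] {
  return lintMigrationRls(SAMPLE_MIGRATION).missing;
}
```

Enabling RLS is necessary but not sufficient: a table with RLS on and no policies denies everything to non-owner roles, while a permissive `using (true)` policy re-opens it, so a fuller gate would also inspect the policies created alongside the table.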
Business continuity. Automated database backups are taken at 6-hour intervals, GPG-encrypted with AES-256, and synced to off-server storage at a separate provider. Restore procedures are documented and tested.
Personnel. PortalPilot is founder-operated; no third-party contractors or external personnel have access to production systems or customer data (cite Security page). All personnel with data access are bound by confidentiality obligations and follow security-awareness practices (cite DPA Annex II "Personnel"). Access follows the principle of least privilege; database access is restricted to scoped service roles.
AI-coding-tool risk management. The development environment uses AI-assisted coding tools with extensive integrations into development services. Recognising the resulting supply-chain and prompt-injection risk surface, NordScope operates a documented multi-layer defence: (1) tightened tool-execution permissions, with no blanket pre-approvals for shell commands such as outbound network access, SSH sessions, or recursive deletes; (2) command-execution policy hooks that block sensitive operations including credential-file reads, destructive version-control operations, and unauthorised network egress; (3) canary files in restricted directories that detect prompt-injection-driven credential exfiltration attempts; (4) application-layer Row-Level Security, authentication, and CORS at the database and edge-function tiers. This layered approach treats the AI-coding toolchain as part of the supply-chain attack surface rather than a trusted development primitive.
§7 Monitoring & Compliance
This section addresses how compliance with the framework is monitored, kept current, and made resistant to drift. Code §7 in the framework PDF describes the external monitoring-body procedures; in the Phase-1 self-attestation context, the equivalent obligations fall on NordScope as the owner-operator. The mechanisms below are operative today.
Internal compliance review cadence. This self-attestation is reviewed at least annually by the owner-operator. The trigger is the earlier of (a) the anniversary of the most recent founder sign-off (see "Founder sign-off" section below), or (b) any material change in PortalPilot's processing scope, sub-processor list, or technical architecture. The dated revision history of this document is the auditable record of when each section was last touched.
Cross-artefact consistency enforcement. An automated check enforces that six canonical fact phrases — sub-processor advance-notice SLA, sub-processor objection window, breach-notification SLA, personal-data retention, backup retention, and supervisory authority — appear verbatim across Privacy Policy, DPA, Security page, Terms of Service, and this attestation. Any drift between an artefact and the canonical phrase blocks release. This is the structural defence against the most common compliance-document failure mode: silent paraphrase across artefacts that gradually accumulates contradictions.
Status integrity. Phase-2 vocabulary that would inaccurately elevate this document from "self-attestation" to "declaration" — terms such as adherent to, EU Cloud CoC declared, declared at Level 1, listed on the public register, submitted to SCOPE Europe, or EU Cloud CoC adherence in process — is automatically blocked from appearing in the body except where it is being explicitly negated (as in the Status & Disclaimer at the top of this document). This is the structural defence against well-meaning copy edits accidentally promoting the document beyond its actual posture.
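The two release gates described in the previous two paragraphs, as an added example rather than NordScope's own check. The six canonical phrases are assumed wordings (the page names the facts, not the exact strings); the promotional term list is the one given above. A term counts as negated when a negation word appears within 40 characters before it in the same clause, so "is not adherent to" passes and "is adherent to" fails.

```typescript
// Added example, not PortalPilot's own tooling. Two release gates over constructed artefacts:
// canonical phrases must appear verbatim in every artefact, and status-promoting vocabulary is
// reported unless a negation precedes it in the same clause.
interface Artefact { name: string; text: string; }

// Assumed canonical wordings; the page names the six facts but not their exact phrases.
export const CANONICAL_PHRASES: { [key: string]: string } = {
  subprocessorNotice: "at least 30 days in advance",
  subprocessorObjection: "object in writing within 14 days",
  breachNotification: "within 72 hours of becoming aware",
  personalDataRetention: "Duration of service + 30 days",
  backupRetention: "within 90 days",
  supervisoryAuthority: "Office of the Data Protection Ombudsman",
};

export const PROMOTION_TERMS: string[] = [
  "adherent to", "EU Cloud CoC declared", "declared at Level 1",
  "listed on the public register", "submitted to SCOPE Europe", "EU Cloud CoC adherence in process",
];

// A negation word within the preceding 40 characters of the same clause (no '.' or ';' between).
const NEGATED_CONTEXT = /\b(not|no|never|neither|nor|without)\b[^.;]{0,40}$/i;

// Gate 1: every artefact carries every canonical phrase verbatim; paraphrase is drift.
export function findPhraseDrift(artefacts: Artefact[]): string[] {
  const findings: string[] = [];
  for (const a of artefacts) {
    for (const key of Object.keys(CANONICAL_PHRASES)) {
      const phrase = CANONICAL_PHRASES[key];
      if (a.text.indexOf(phrase) === -1) findings.push(`${a.name}: missing canonical phrase ${key} ("${phrase}")`);
    }
  }
  return findings;
}

// Gate 2: promotional terms may appear only where they are being negated.
export function findStatusPromotion(text: string): string[] {
  const findings: string[] = [];
  const lower = text.toLowerCase();
  for (const term of PROMOTION_TERMS) {
    const needle = term.toLowerCase();
    let idx = lower.indexOf(needle);
    while (idx !== -1) {
      const before = text.slice(Math.max(0, idx - 60), idx);
      if (!NEGATED_CONTEXT.test(before)) findings.push(`"${term}" at offset ${idx} is not negated`);
      idx = lower.indexOf(needle, idx + needle.length);
    }
  }
  return findings;
}

// Constructed sample artefacts (not the live pages). The security page paraphrases retention as
// "plus 30 days", which is exactly the silent drift the gate exists to catch.
export const SAMPLE_ARTEFACTS: Artefact[] = [
  { name: "dpa", text: "Changes are notified at least 30 days in advance; Customers may object in writing within 14 days. Breaches are notified within 72 hours of becoming aware. Personal data is retained for Duration of service + 30 days; backups age out within 90 days. Supervisory authority: Office of the Data Protection Ombudsman." },
  { name: "security-page", text: "Sub-processor changes: at least 30 days in advance, object in writing within 14 days. Breach notice within 72 hours of becoming aware. Retention: Duration of service plus 30 days; backups purged within 90 days. Complaints: Office of the Data Protection Ombudsman." },
];

export const SAMPLE_STATUS_TEXT =
  "PortalPilot is not adherent to the Code and has not submitted to SCOPE Europe. PortalPilot is listed on the public register.";
```

The negation heuristic is deliberately narrow: a 40-character window in the same clause catches the disclaimer forms actually used in this document and rejects a negation in an earlier sentence, which is the case where a copy edit most easily promotes the text by accident.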
Continuous evidence updates. Several sections of this attestation reference initiatives marked "(planned)" because they are on the compliance roadmap but not yet shipped. As each one ships, the corresponding marker is removed and the reference updated to point at the live artefact.
Phase 2 path (Declaration of Adherence). Phase 1 is intentionally a self-attestation against the publicly published framework. Moving to a Declaration of Adherence requires submission to SCOPE Europe, the Code's appointed Monitoring Body, together with an annual fee and a Q&A round with the monitoring body. NordScope has scheduled this step for Phase 2 of the compliance programme. The triggers that would activate Phase 2 include: a procurement requirement explicitly demanding the formal monitoring-body declaration rather than self-attestation; sustained enterprise-customer demand crossing the threshold at which the annual cost is justified; the monitoring body publishing an updated framework version that materially changes scope; or a strategic decision to upgrade NordScope's trust posture in advance of these. NordScope reviews Phase 2 readiness annually as part of the compliance review cadence stated above.
Controls Catalogue self-attestation
Control IDs reference the EU Cloud Code of Conduct Annex A — Controls Catalogue v2.11 (December 2020), EDPB-approved May 2021. Headings below are PortalPilot's paraphrase of each control's intent, not verbatim Annex A text — the binding original is obtainable via the Request the EU Cloud Code of Conduct form at https://eucoc.cloud. The substantive narrative against the framework lives in §5 Data Protection and §6 Security above; per-control entries here cross-reference and provide the granular index procurement reviewers expect for Annex A traceability.
Annex A only contains a Controls Catalogue for Code Sections 5 (Data Protection) and 6 (Security). Code Sections 3 (Scope), 4 (Internal Governance), and 7 (Monitoring & Compliance) are textual requirements in the Code body and are discharged by the corresponding narrative sections of this attestation; no per-control table is presented for those sections because none exists in the framework.
§5 Controls
Control 5.1.A — Cloud Services Agreement is in place between CSP and Customer, incorporating GDPR data-protection obligations
Implemented via the PortalPilot Data Processing Addendum (DPA), which is incorporated by reference into the Terms of Service and forms part of the Cloud Services Agreement between NordScope (Processor) and each Customer (Controller). The DPA enumerates the GDPR Art. 28 obligations as the contractual minimum.
Control 5.1.B — Cloud Services Agreement provides substantially similar data-protection obligations between CSP and any subprocessors
Discharged by the flow-down clause in DPA §4.2: NordScope contracts with each named sub-processor (Hetzner, Mollie, Mistral AI, Lettermint) under terms providing data-protection obligations no less protective than those owed to Customers. The named subprocessor list is published in DPA §4.1 with the framework-aligned advance-notice and objection mechanism.
Control 5.1.C — Responsibilities of CSP and Customer for security measures are defined, documented, and assigned
Reflected in DPA §2 (Roles and responsibilities) and Annex II (Technical and Organisational Measures), and the role separation in Security page "Access controls". The shared-responsibility split between Processor (PortalPilot) and Controller (Customer) is explicit: PortalPilot operates the platform-level controls; the Customer governs HubSpot portal configuration, user provisioning, and the lawful basis for the personal data they entrust.
Control 5.1.D — Documented procedures ensure CSP personnel are aware of Code adherence and can respond to inquiries, complaints, and disputes
See DPA Annex II "Personnel" (confidentiality, awareness) and the customer-facing inquiry channels published in Privacy Policy §17 (privacy@portalpilot.io for data-protection contact, supervisory-authority lodging path). NordScope is founder-operated; the owner-operator is the single accountable point for adherence inquiries, complaints, and disputes.
Control 5.1.E — CSP transparently communicates Code adherence to Customers
Implemented via the public surfacing of this self-attestation document at /compliance/eu-cloud-coc-self-attestation (publishing pipeline planned) and a "Standards & frameworks" entry on the Security page. The Customer-facing point of contact for Code-related questions is the data-protection address in Privacy Policy §17.
Control 5.1.F — Cloud Services Agreement specifies the terms under which CSP processes Customer Personal Data on behalf of Customer
Discharged by DPA §2 (Roles and responsibilities), §3 (Scope of processing), and Annex I (Processing details — categories, purpose, lawful basis, duration). Processing terms cover security, confidentiality, processing integrity, availability, and data protection per GDPR Art. 28(2)–(4).
Control 5.1.G — Cloud Services Agreement specifies the terms under which CSP can engage subprocessors
See DPA §4.2: subprocessors are engaged only under written Customer authorisation (general authorisation granted at acceptance of the DPA, with the right to object to specific changes). The clause cross-references Code §5.3 controls.
Control 5.1.H — Cloud Services Agreement defines the processing activities of CSP and any subprocessors
Reflected in DPA §4.1 (sub-processor list with processing purpose for each: Hetzner — hosting/storage, Mollie — payment processing, Mistral AI — AI suggestion generation, Lettermint — transactional email) and Annex I (categories of data and data subjects per processing activity).
Control 5.2.A — CSP assists Customer with GDPR Art. 28 obligations, taking nature of processing and information available to CSP into account
See DPA §6 (Data subject rights), which commits NordScope to assisting Customers in responding to data-subject requests with a 5-business-day SLA. The "nature of processing" qualifier is honoured by scoping assistance to PortalPilot-side data only — for personal data inside the Customer's HubSpot portal, the Customer's own HubSpot tooling is the primary access path and PortalPilot directs the Customer there.
Control 5.2.B — Documented procedures enable Customer to access information needed to comply with GDPR obligations
Discharged by the combination of DPA §6 (Customer assistance with data-subject rights), Privacy Policy §7 (Controller-side transparency for end-data-subjects), and the in-product self-service paths (account export, portal disconnection, audit-log review). The Records of Processing data necessary for Customer Art. 30 compliance is provided on request via privacy@portalpilot.io.
Control 5.2.C — CSP communicates mechanisms to the Customer for accessing the information referred to in 5.2.B
Reflected in Privacy Policy §17 (data-protection contact published at privacy@portalpilot.io), DPA §16 (Contact) and §6 (Data subject rights — assistance channel), and the Customer-facing public Trust Center surface (planned) that aggregates these mechanisms in one place.
Control 5.2.D — CSP processes Customer Personal Data only according to Customer's documented Instructions
See DPA §2 (Roles and responsibilities): NordScope acts strictly as Processor on behalf of the Customer-Controller, with the scope of Instructions defined by the Cloud Services Agreement (the Terms of Service plus the DPA itself). Any processing outside documented Instructions — e.g., for NordScope's own purposes — is contractually prohibited. The single exception, processing required by Union or Member State law (GDPR Art. 28(3)(a)), is handled per the same clause.
Control 5.2.E — CSP establishes operational mechanisms for data retention policies and schedules
Implemented via the retention table in Privacy Policy §5 and DPA §9, which together define a default Customer Personal Data retention of "Duration of service + 30 days" with backup tail-off within 90 days. Operational enforcement uses scheduled deletion routines and the HubSpot privacy-deletion webhook for downstream propagation.
Control 5.2.F — CSP trains personnel on retention policies and schedules, with oversight and monitoring
Discharged by DPA Annex II "Personnel" (confidentiality, awareness, training obligations) combined with the founder-operated structure: NordScope has a single owner-operator who acts as both retention-policy author and operator, removing the cascade of training-and-monitoring overhead a multi-person organisation would face. Where occasional support contractors are engaged, they operate exclusively on non-production assets per Security page.
Control 5.2.G — CSP communicates standard retention policies and schedules to Customers
Reflected in the Privacy Policy retention table (public, customer-readable) and DPA §9 (DPA-incorporated retention commitment). Both surfaces are kept consistent via an automated cross-artefact consistency check that enforces the canonical "personal-data retention" phrase verbatim across artefacts.
Control 5.3.A — CSP obtains written authorisation of the Customer prior to engaging subprocessors
Discharged by the general written authorisation Customers grant when accepting the DPA (DPA §4.2 — "Customer hereby grants NordScope general authorisation to engage the sub-processors listed in §4.1"). New sub-processors are added only after the advance-notification + objection mechanism completes; no silent additions.
Control 5.3.B — CSP follows agreed procedures and provides alternatives if Customer rejects a subprocessor
See DPA §4.2: where a Customer objects in writing within 14 days of an advance notification, NordScope's options are (a) propose an alternative sub-processor of equivalent capability, or (b) where no alternative is feasible, allow the Customer to exercise termination rights with pro-rata refund. The objection-and-resolution path is documented as part of the DPA, not delegated to ad-hoc negotiation.
Control 5.3.C — Documented procedures ensure only sub-processors providing sufficient GDPR-compliance guarantees are engaged
Implemented via NordScope's sub-processor selection criteria, codified in DPA §4.1 (entity, EEA jurisdiction, processing purpose) and the EU-only data-plane policy stated in §5 Data Protection above. All four current sub-processors (Hetzner — Germany, Mollie — Netherlands, Mistral AI — France, Lettermint — Netherlands) are EU-headquartered with their own GDPR Art. 28-aligned DPAs publicly published.
Control 5.3.D — Documented procedures flow down equivalent data-protection obligations through the full subprocessing chain
Reflected in the DPA's flow-down clause at DPA §4.2 and addressed individually for each sub-processor's downstream contracts (e.g., Hetzner's own data-protection terms with their network and physical-infrastructure subcontractors are publicly published and reviewed at sub-processor onboarding). NordScope does not itself engage downstream sub-sub-processors directly; the chain depth is bounded.
Control 5.3.E — General information about existing sub-processors and jurisdictions is made available before the Customer enters the Agreement
Implemented via the public sub-processor list in DPA §4.1 (no NDA required), enumerating each sub-processor entity name, jurisdiction, and processing purpose. The list is accessible from the public Privacy and DPA pages before sign-up; no Customer enters the Cloud Services Agreement without the opportunity to review.
Control 5.3.F — Mechanism notifies Customer of subprocessor additions or replacements under general authorisation
Implemented per DPA §4.2: NordScope notifies Customers of any intended changes to sub-processors at least 30 days in advance via the Customer's account email plus the in-product notification surface. The 30-day window plus 14-day objection period is enforced as a canonical phrase across Privacy Policy, DPA, Security page, Terms of Service, and this attestation.
Control 5.3.G — Mechanism notifies Customer of jurisdictional changes affecting sub-processors
Discharged by the same advance-notification mechanism in DPA §4.2. Where a sub-processor changes its applicable jurisdiction (e.g., a sub-processor moves a hosted region or restructures legal entity), NordScope treats this as a sub-processor change and triggers the same 30-day advance notice + 14-day objection flow. The current EU-only data-plane scope means cross-border-transfer-relevant jurisdictional changes would trigger Code §5.4 review in addition to §5.3.F notification.
Control 5.4.A — CSP uses Chapter V GDPR mechanisms to ensure security of data transfers
Discharged by the EU-only data plane: hosting (Hetzner — Germany, Finland data centre), payment processing (Mollie — Netherlands), AI inference (Mistral — France), and transactional email (Lettermint — Netherlands) are all EEA-internal and therefore not subject to Chapter V transfer mechanisms. The narrative is published in §5 Data Protection of this attestation and Privacy Policy §11. Where a Customer's HubSpot portal is US-hosted, the Customer's own portal access (not a NordScope-instructed transfer) is governed by the Customer's HubSpot DPA, which references the EU-US Data Privacy Framework.
Control 5.4.B — CSP transfers to third countries outside the EEA only if agreed in the Cloud Service Agreement
Reflected in DPA §10.1 (EU-based infrastructure — the EEA-only data plane is contractually committed) and Privacy Policy §11. NordScope does not initiate transfers of Customer Personal Data to non-EEA third countries on its own initiative; the only outbound flow involving non-EEA infrastructure is Customer-instructed HubSpot API access where the Customer has chosen US-hosted HubSpot, and that is the Customer's controllership decision.
Control 5.4.C — Transfers outside the EEA on behalf of Customer meet GDPR Chapter V requirements
See above (5.4.A): there are no NordScope-initiated transfers outside the EEA. Where Customer-instructed HubSpot API access traverses to US-hosted HubSpot infrastructure, the Customer remains the Controller of that transfer instruction and the Customer's DPF/SCC arrangements with HubSpot govern. NordScope does not warrant the Customer's DPF posture — that remains the Customer's Controller obligation per GDPR Art. 28(3)(a) and the corresponding clauses in DPA §2 (Roles) and §10.2 (HubSpot API access).
Control 5.4.D — CSP continues to assess and monitor adequacy-decision status of destination countries
Operationally addressed by the founder-operator's ongoing monitoring of EU regulatory updates (per the Training & awareness paragraph of §4 Internal Governance). Because PortalPilot's data plane is EU-only, this monitoring focuses on the Customer-side HubSpot transfer scenario, specifically the EU-US Data Privacy Framework status, so that Customers can be advised proactively if the framework is invalidated. The European Commission's adequacy-decision page is the canonical reference.
Control 5.4.E — Documented safeguards under Chapter V; no transfer without appropriate safeguards
Documented in Privacy Policy §11 and reinforced by the operational EU-only-data-plane invariant. The "no transfer without safeguards" rule is enforced by infrastructure choice (sub-processor allow-list at DPA §4.1 — all EEA), not by per-request review. New sub-processor candidates undergo Chapter V review before engagement; the EU-only scope means no Standard Contractual Clauses are currently active in NordScope's Processor-side processing chain.
Control 5.4.F — Non-EU CSPs in scope of GDPR Art. 3.2 designate an Art. 27 representative
Not applicable: NordScope (Finnish sole trader, Y-tunnus 3148476-5) is established in Finland — a Member State of the European Union. The Article 27 representative requirement applies only to controllers and processors not established in the Union. NordScope's establishment in Finland is the registered business address per PRH (Patentti- ja rekisterihallitus) and is published in Privacy Policy §1 and DPA §1.
Control 5.5.A — CSP provides Customer with executive summary of independent third-party audits and Code/GDPR compliance certifications, where available
Currently, the available executive summary is this self-attestation document itself, plus the public surfaces it cross-references (Privacy Policy, DPA, Security page). NordScope holds no formal third-party audit certification at Phase 1; the ISO 27001:2022 Annex A control alignment pack (planned) will provide the next layer of structured evidence. Independent monitoring-body verification is a Phase 2 deferral (D2 — submission to the Code's Monitoring Body).
Control 5.5.B — CSP provides Customer with certificates, attestations, or reports from accredited third-party audits relating to security or personal-data protection
No accredited third-party audit reports exist yet for PortalPilot at Phase 1. NordScope's compliance roadmap to populate this evidence includes ISO 27001 alignment work, a Cyber Essentials Plus assessment, and the Phase 2 path to a SCOPE Europe-verified declaration of adherence. Where Customers require audit evidence today, NordScope provides the substantive narrative in this attestation under NDA on request.
Control 5.5.C — CSP's procedures regarding Customer-requested audits are defined, documented, and transparently communicated
Discharged by DPA §8 (Audit rights), which sets out the Customer's right to audit (30 days' notice, business hours, max once per 12 months unless a breach has occurred), the requested-evidence channel via privacy@portalpilot.io, and reasonable scoping for a small-scale CSP. The procedure defines scope, frequency, advance notice, and confidentiality preservation.
Control 5.5.D — Customer means to request additional evidence of Code/GDPR compliance not provided by other means
Implemented via privacy@portalpilot.io (published in Privacy Policy §17 and DPA §16) as the canonical channel for additional evidence requests, complementing the audit-rights path at DPA §8. NordScope responds within commercially reasonable time, providing source artefacts (configuration, code references, log evidence) where the request scope permits without compromising security or confidentiality of other Customers.
Control 5.5.E — Customer audit costs (where Customer bears them) must not be prohibitive or excessive
Reflected in DPA §8 (Audit rights): where a Customer requires audit support beyond standard cooperation (e.g., dedicated personnel time, specialised testing environments), reasonable cost recovery may apply but is bounded by NordScope's documented hourly time-and-materials rate. NordScope's posture is that audit cooperation is a baseline obligation; cost recovery only applies to the incremental burden of bespoke audit programmes.
Control 5.5.F — Either Customer Audit Provisions in the Cloud Service Agreement, or documented procedures to draft them on need
Implemented via DPA §8 (standing Customer Audit Provisions in the DPA itself) plus the bespoke-audit-procedure path in §4 Internal Governance of this attestation. Where a Customer's audit programme requires terms beyond the standing provisions, NordScope drafts them per Customer with the discipline that every claim must be verifiable against the live artefact at the moment of audit.
Control 5.6.A — CSP complies with this section of the Code in case of disputes with Customers
Reflected in Terms of Service (governing law: Finland; dispute resolution: amicable channel first, then Helsinki District Court) and Privacy Policy §17 (supervisory authority: Office of the Data Protection Ombudsman, Finland). NordScope's small scale concentrates dispute response in the owner-operator; there is no escalation chain that can dilute accountability. Disputes touching Code adherence specifically are escalated to the Code's complaints procedure as a secondary path.
Control 5.7.A — Documented procedures assist Customer in fulfilling data-subject access requests
Discharged by DPA §6 (Data subject rights — assistance scope and 5-business-day SLA), Privacy Policy §7 (Your rights — GDPR Art. 15–22 enumeration), and the in-product self-service tooling that lets Customers retrieve their account data, audit logs, and retention metadata directly. Where the request reaches data inside a Customer's HubSpot portal (Customer-Controlled), PortalPilot directs the requester to the Customer's HubSpot tooling — that is the right path under the Processor / Controller split.
Control 5.7.B — Procedures or measures support Customer to fully address data-subject rights requests in a timely manner
Implemented via the same DPA assistance commitment in DPA §6 (Data subject rights), with the 5-business-day response SLA. NordScope's stance on "timely" matches the GDPR Art. 12(3) one-month requirement Customer-side: NordScope responds to assistance requests fast enough that the Customer's own one-month clock is not jeopardised.
Control 5.7.C — Communication channels are made available to Customer for data-protection questions and requests
privacy@portalpilot.io is the canonical address (Privacy Policy §17, DPA §16 Contact, with data-protection-specific intake at §6 Data subject rights). Additional channels: in-product feedback widget, public Trust Center surface (planned), and the documented incident-response path described in §6 Security above.
Control 5.7.D — Documented procedures assist Customer with Data Protection Impact Assessment
PortalPilot publishes the inputs a Customer needs for their DPIA at Privacy Policy (data categories, lawful basis, retention), DPA Annex I (data subjects, processing operations) and Annex II (Technical and Organisational Measures), and Security page. The PII inventory and data-flow document (planned) will further consolidate this material into a single DPIA-ready artefact. Customers requesting DPIA assistance receive the public packet plus targeted clarifications via privacy@portalpilot.io.
Control 5.7.E — Procedures safeguard that DPIA-assistance information does not itself create security risk
Reflected in NordScope's posture of providing public-by-default DPIA inputs (which carry no incremental security risk) and gating sensitive details (e.g., specific infrastructure topology, operational secrets) behind NDAs scoped to the requesting Customer. Where a Customer's DPIA needs information that cannot be safely disclosed, NordScope explains the constraint rather than masking the gap.
Control 5.7.F — CSP communicates information about data formats, processes, technical requirements, and timeframes for data retrieval
Documented in DPA §12 (Termination — JSON export available within 30 days of termination on request) and the in-product account-export feature. Retrieval procedures and timeframes are published in advance so Customers can plan exits without commercial pressure; the export format is documented as machine-readable and versioned.
Control 5.8.A — CSP maintains up-to-date and accurate Records of Processing per GDPR Art. 30.2
Maintained internally by NordScope and made available on request via privacy@portalpilot.io. The records cover Customer name, processing categories, sub-processor list, transfer documentation, retention schedule, and TOMs — the GDPR Art. 30.2 minimum set. The dated revision history of DPA, Privacy Policy, and this self-attestation provides the auditable timestamp record.
Control 5.8.B — Procedures enable Customer to provide CSP with information needed for CSP's RoPA
Implemented via the in-product account configuration (Customer entity name, billing/legal contact, controller-side details captured at sign-up) plus the assisted-update path via privacy@portalpilot.io (DPA §16 Contact). Where a Customer's controllership details change (name, address, supervisory authority), the change is reflected in NordScope's RoPA at the next quarterly review or immediately on Customer request.
Control 5.9.A — CSP designates Data Protection Point of Contact per GDPR Chapter IV §4
The Data Protection Point of Contact is the owner-operator of NordScope (Peter Sterkenburg), reachable at privacy@portalpilot.io. Because NordScope is a Finnish sole trader processing personal data of moderate scale and not on a "large scale" or as a "core activity" within the meaning of GDPR Art. 37(1), a formal Data Protection Officer is not required by law; the Data Protection Point of Contact role discharges the Code's contact obligation.
Control 5.9.B — Contact data of Data Protection Point of Contact is communicated and available to Customer
Published in Privacy Policy §17 and DPA §16 (Contact). The address is privacy@portalpilot.io and the postal contact is the registered NordScope business address per PRH (Patentti- ja rekisterihallitus). Both channels are accessible to Customers and supervisory authorities and (on request) to data subjects.
Control 5.10.A — Documented procedures address data subjects' requests
Implemented at Privacy Policy §7 (rights-by-Article enumeration), §17 (intake channel), with the operational backstop of GDPR's one-month response window. For requests where NordScope is the Controller (account-holder data), the request flows directly through privacy@portalpilot.io. For Processor-role requests forwarded by Customers, the path is the DPA assistance procedure at DPA §6 (Data subject rights).
Control 5.10.B — Documented procedures assist Customer for data-subject requests, taking nature of processing into account
The "nature of the processing" qualifier is significant for PortalPilot: the data subjects whose personal data passes through PortalPilot are predominantly the Customer's own end-data-subjects (HubSpot contacts), where PortalPilot processes only metadata aggregates and does not retain individual contact records. Accordingly, the assistance procedures at DPA §6 (Data subject rights) emphasise referral-to-Customer-HubSpot-tooling as the dominant path, with NordScope-side data extraction reserved for the small subset of cases where a HubSpot contact is referenced in a PortalPilot audit log entry.
Control 5.11.A — Policies and procedures enable Customer to respond to supervisory-authority requests
Reflected in DPA §6 (assistance scope, which covers supervisory-authority engagement as part of GDPR Art. 28 assistance) and the documented audit-evidence channel at DPA §8 (Audit rights). Where a Customer's supervisory authority requests information about the Customer's processing (which may involve PortalPilot processing), NordScope provides Customer with the substantive evidence pack within commercially reasonable time and at no incremental fee.
Control 5.11.B — Documented procedures respond to supervisory-authority requests in due time and appropriate quality
NordScope responds to supervisory-authority requests addressed directly to it via privacy@portalpilot.io and documents each engagement in the internal compliance log. The "due time" standard matches the supervisory authority's own deadline; the "appropriate quality" standard matches the level of detail necessary to enable the authority's decision (typically: scope of processing, sub-processors, technical and organisational measures, breach record if any).
Control 5.11.C — Documented procedures notify Customer when supervisory authority requests Customer Personal Data, if permitted by law
Implemented via the assistance scope at DPA §6: where NordScope receives a supervisory-authority request relating specifically to a named Customer's Personal Data, NordScope notifies the Customer promptly unless prohibited by law (e.g., under a confidentiality order). The notification path is the Customer's account-on-file email plus the legal/billing contact captured at onboarding.
Control 5.12.A — Personnel and contractors are subject to confidentiality obligations prior to data-processing engagement
Reflected in DPA Annex II "Personnel". NordScope is founder-operated; the owner-operator's confidentiality obligation is implicit in the legal-entity structure (sole trader + GDPR Art. 28(3)(b) commitment built into the DPA itself). Where occasional contractors are engaged for non-production work, written NDAs precede any data access.
Control 5.12.B — Organisational policies and procedures ensure personnel awareness of confidentiality obligations
Discharged by the founder-operated structure plus DPA Annex II "Personnel" (awareness, training). The single-operator scope of NordScope means there is no cascade of awareness to maintain across teams; the operator is the policy author and the policy follower.
Control 5.12.C — Policies ensure Personal Data is processed only per Customer Instructions
Reflected in DPA §2 (Roles and responsibilities — Processor strictly per Instructions) and the compliance-discipline rule that any out-of-scope processing requires explicit written Customer authorisation. Operationally, this is enforced by the founder-operator's discipline (no incentive structures pulling against the Instruction-only rule, no engineering team that might make a "useful but unauthorised" data-use shortcut).
Control 5.12.D — Confidentiality obligations continue after end of employment or contractor agreement
Reflected in DPA Annex II "Personnel" (post-termination confidentiality survival) and the contractor NDA template, which explicitly states that confidentiality obligations survive termination. The personal liability of a sole trader makes the post-termination obligation operationally tighter than in a corporate structure: the owner-operator personally guarantees performance, with no corporate veil to retreat behind.
Control 5.12.E — Personnel receive adequate training in organisational policies and procedures
The training programme is the owner-operator's own ongoing self-directed practice: regular review of GDPR/EDPB guidance, subscription to the Finnish Data Protection Ombudsman's bulletins, and review of supplier security advisories (Hetzner, Mistral, Mollie, Lettermint, HubSpot). Reflected in the Training & awareness paragraph of §4 Internal Governance above.
Control 5.12.F — Training and awareness are subject to timely reviews
Discharged by the annual review cadence stated in §7 Monitoring & Compliance above. Material regulatory changes (e.g., a new EDPB guidance, a new Finnish DPA decision touching cloud processors) trigger an out-of-cycle review immediately.
Control 5.12.G — Documented procedures communicate TOMs for Special Categories of Personal Data
PortalPilot is not designed to process Special Categories of Personal Data per GDPR Art. 9. The expected processing scope (HubSpot contact metadata, account-holder email, payment transaction records, audit logs) does not include health, racial/ethnic origin, religious belief, or biometric data. The Cloud Services Agreement at Terms of Service §3 (Acceptable use) and the data-categories scope at DPA §3 (Scope of processing) bar Customers from instructing NordScope to process Special Categories without prior written authorisation; where a Customer's HubSpot portal contains Special Categories incidentally, PortalPilot's metadata-only processing avoids touching the underlying records.
Control 5.13.A — Procedures ensure data-breach reporting to Customer through appropriate channels without undue delay
Implemented per DPA §7, Security page "Incident response" section, and Terms of Service (DPA reference). Notification is via the Customer's account-on-file email plus the legal/billing contact captured at onboarding; backup channels include in-product banners for service-affecting events. The 72-hour breach-notification SLA is enforced as a canonical phrase across artefacts by the cross-artefact consistency check.
Control 5.13.B — CSP specifies breach-notification obligations and TOMs to detect/mitigate/report breaches in the Cloud Service Agreement
Discharged by DPA §7 (notification obligation, content, timing), DPA Annex II "Incident management" (detection and mitigation TOMs), and §6 Security of this attestation (Logging & incident response paragraph). The combination is contractually binding via the DPA's incorporation into the Terms of Service.
Control 5.14.A — CSP provides Customer the capability to retrieve Customer Personal Data promptly and without hindrance
Implemented via the in-product account-export feature plus on-request export via privacy@portalpilot.io. Promptness is bounded by NordScope's documented commitment in DPA §12 (Termination — JSON copy provided on request within 30 days of termination); "without hindrance" means no commercial barrier (no additional fee for the export itself), no technical lock-in (open formats per Control 5.14.C), and no contractual blocker.
Control 5.14.B — CSP provides retrieval capability at end of Cloud Services provision
Reflected in DPA §12 (Termination — JSON export within 30 days of termination on request): Customers may export their data within the wind-down window (default Duration of service + 30 days) before scheduled deletion. The export channel is the same in-product feature plus the on-request path, with no incremental fee for export at end-of-service.
Control 5.14.C — Personal Data is provided in a machine-readable, commonly used, structured format
Documented in DPA §12 (Termination): JSON is the standing export format, with field-level documentation provided alongside on request. The format choice is "commonly used" in the GDPR Art. 20 sense and avoids vendor-specific encodings.
Control 5.14.D — On request, CSP describes the format and mechanisms to provide Customer Personal Data
Discharged by the format documentation accompanying any export plus on-request schema clarification via privacy@portalpilot.io. The export schema is versioned and stable; format deprecations would be communicated 30 days in advance via the same advance-notice channel used for sub-processor changes.
Control 5.14.E — CSP deletes all copies of Customer Personal Data within the timescale in the Cloud Services Agreement
Implemented per the retention table in Privacy Policy §5 and DPA §9: Default Customer Personal Data deletion is "Duration of service + 30 days" with backup tail-off within 90 days. The HubSpot privacy-deletion webhook propagates Customer-side contact deletions on the same schedule. Legal-retention exceptions (financial records per Finnish bookkeeping law) are scoped narrowly and documented in the Privacy Policy retention table.
Control 5.14.F — Storage media securely overwritten or sanitised before re-use or disposal
Implemented at the sub-processor level: Hetzner's NIST-aligned media sanitisation policies govern physical-media disposal in the Finland data centre, and the Coolify-orchestrated container layer plus the encrypted-at-rest volume scheme (see the Encryption paragraph of §6 Security) mean that even pre-sanitisation media residue is protected by AES-256-GCM. NordScope does not directly handle physical storage media; the obligation flows down through the Hetzner sub-processor contract.
§6 Controls
Control 6.1.A — Information security measures appropriate to sensitivity of Customer Personal Data, with dedicated data-protection assessment perspective
Reflected in DPA Annex II (Technical and Organisational Measures) and §6 Security of this attestation: the chosen TOMs (encryption at rest, encryption in transit, access controls with portal-ownership verification, audit logging) are scoped to the data sensitivity expected — primarily Customer business contact metadata and authentication tokens, both warranting strong protection.
Control 6.1.B — Risks generally associated with Customer Personal Data are considered when assessing TOM appropriateness
Discharged by the data-categorisation work in DPA Annex I and an internal threat model that explicitly identifies prompt injection, credential exfiltration, and supply-chain compromise as the classes of risk most relevant to a self-hosted EU SaaS processing OAuth tokens.
Control 6.1.C — CSP establishes, maintains, and continually improves an ISMS per ISO 27001 or equivalent
The planned ISO 27001:2022 Annex A control alignment pack will be the structured statement of NordScope's ISMS scope and controls. Until that pack ships, the operative ISMS-equivalent is the combination of §4 Internal Governance, §6 Security, and §7 Monitoring & Compliance of this attestation, plus the codified compliance-discipline rules carried in NordScope's internal documentation. NordScope's small scale concentrates ISMS authority in a single owner-operator; "continual improvement" runs as the annual review cadence stated in §7.
Control 6.1.D — Process determines boundaries and applicability of ISMS
Discharged by §3 Scope of this attestation: single-service scope (PortalPilot SaaS) with the boundary explicitly drawn at the PortalPilot processing perimeter and excluding NordScope's marketing infrastructure and other product surfaces. Where specific Controls fall outside the ISMS scope, the rationale is documented inline in this attestation.
Control 6.2.A — Implement controls equivalent to ISO 27001 A.5 (Information security policies)
The information-security policy is materialised across §6 Security of this attestation, the public Security page, and the planned ISO 27001 alignment pack. Policy authority is the owner-operator; review cadence is annual per §7 Monitoring & Compliance.
Control 6.2.B — Implement controls equivalent to ISO 27001 A.6 (Organisation of information security)
Reflected in §4 Internal Governance of this attestation: roles are consolidated in the owner-operator, with documented separation between non-production support contractors and production data access. The change-management procedure runs through a structured workflow with mandatory quality gates before any production push.
Control 6.2.C — Implement controls equivalent to ISO 27001 A.7 (Human resources security)
Discharged by DPA Annex II "Personnel" (confidentiality obligations, awareness training, post-termination obligations) and the founder-operated structure that obviates the cascade of HR controls a multi-person organisation needs. Where contractors are engaged, they sign written NDAs scoped to the work and operate exclusively on non-production assets per Security page.
Control 6.2.D — Implement controls equivalent to ISO 27001 A.8 (Asset management)
Implemented via the documented infrastructure inventory (Hetzner Cloud server with documented configuration), the codified service catalogue in repository documentation, and audit logging on asset-touching events. The PII inventory and data-flow document (planned) will be the structured statement of personal-data assets, classification, and ownership.
Control 6.2.E — Implement controls equivalent to ISO 27001 A.11.2 (Equipment)
Discharged at the sub-processor level: Hetzner is the equipment custodian for production hosting in their Finland data centre, with their own ISO 27001 certification covering equipment security, secure disposal, and equipment maintenance. NordScope's developer endpoints are governed by the founder-operator's documented endpoint-security practices (full-disk encryption, OS security updates, no shared credentials).
Control 6.2.F — Implement controls equivalent to ISO 27001 A.9 (Access control)
Implemented via the edge-function authentication tier (JWT authentication, portal-ownership verification, AAL2-enforcement helper ready for rollout), Supabase Row-Level Security policies on every table touching personal data, and the principle of least privilege applied to administrative access. AAL2 enforcement on privileged endpoints is the next planned layer; a token-rotation visibility surface is also planned to complement the credential lifecycle.
Control 6.2.G — Implement controls equivalent to ISO 27001 A.10 (Cryptography)
Implemented via AES-256-GCM token encryption with a random per-operation salt, TLS 1.3 enforced on all transport, and a documented encryption-key rotation procedure with backwards-compatible re-encryption.
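As an added example (not PortalPilot's or NordScope's own code), the scheme this Control describes in outline: each token is sealed with AES-256-GCM under a subkey derived from a master key and a random per-operation salt, the envelope records which key sealed it, and a rotation sweep opens envelopes under whichever ring key sealed them and re-seals them under the active key. The key ids, the envelope layout, the HKDF info label and the demo keys are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// KeyRing holds every master key that has ever sealed a token, keyed by key
// id, plus the id new envelopes are sealed under. Hypothetical structure.
type KeyRing struct {
	Active string
	Keys   map[string][]byte
}

func NewKeyRing(kid string, master []byte) *KeyRing {
	return &KeyRing{Active: kid, Keys: map[string][]byte{kid: master}}
}

// Rotate registers a new master key and makes it active. Older keys stay in
// the ring so envelopes sealed under them still open until re-encrypted.
func (r *KeyRing) Rotate(kid string, master []byte) {
	r.Keys[kid] = master
	r.Active = kid
}

// deriveSubkey derives a fresh AES-256 key from the master key and a random
// per-operation salt (HKDF-SHA256 extract + one expand block, done by hand).
func deriveSubkey(master, salt []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(master)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte("token-encryption")) // info label (assumed)
	expand.Write([]byte{0x01})
	return expand.Sum(nil) // 32 bytes
}

var enc = base64.RawURLEncoding

// Encrypt seals a token under the active key. Envelope layout (assumed):
// kid.salt.nonce.ciphertext, each field base64url. The kid is bound as GCM
// associated data, so an envelope cannot be relabelled with another kid.
func (r *KeyRing) Encrypt(token []byte) (string, error) {
	master, ok := r.Keys[r.Active]
	if !ok {
		return "", fmt.Errorf("unknown key id %q", r.Active)
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	gcm, err := newGCM(master, salt)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, token, []byte(r.Active))
	return strings.Join([]string{r.Active, enc.EncodeToString(salt),
		enc.EncodeToString(nonce), enc.EncodeToString(ct)}, "."), nil
}

// Decrypt opens an envelope with whichever ring key sealed it and returns
// that key's id, so callers can tell whether it predates the active key.
func (r *KeyRing) Decrypt(envelope string) ([]byte, string, error) {
	parts := strings.Split(envelope, ".")
	if len(parts) != 4 {
		return nil, "", errors.New("malformed envelope")
	}
	kid := parts[0]
	master, ok := r.Keys[kid]
	if !ok {
		return nil, "", fmt.Errorf("unknown key id %q", kid)
	}
	var raw [3][]byte
	for i, p := range parts[1:] {
		b, err := enc.DecodeString(p)
		if err != nil {
			return nil, "", errors.New("malformed envelope")
		}
		raw[i] = b
	}
	gcm, err := newGCM(master, raw[0])
	if err != nil || len(raw[1]) != gcm.NonceSize() {
		return nil, "", errors.New("malformed envelope")
	}
	token, err := gcm.Open(nil, raw[1], raw[2], []byte(kid))
	if err != nil {
		return nil, "", errors.New("authentication failed") // tampered or wrong key
	}
	return token, kid, nil
}

// ReEncrypt is the backwards-compatible rotation step: an envelope sealed under
// an older key is re-sealed under the active key; a current one is left as is.
func (r *KeyRing) ReEncrypt(envelope string) (string, bool, error) {
	token, kid, err := r.Decrypt(envelope)
	if err != nil {
		return "", false, err
	}
	if kid == r.Active {
		return envelope, false, nil
	}
	out, err := r.Encrypt(token)
	return out, err == nil, err
}

func newGCM(master, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveSubkey(master, salt))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

Once every stored envelope reports the active key id, the retired key can be dropped from the ring; any envelope still naming it would then fail with "unknown key id", which is the signal to check the sweep rather than to keep the old key around indefinitely.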
Control 6.2.H — Cryptography appropriate for transmission of Customer Personal Data over public networks
Reflected in the edge-function security headers (HSTS, CSP, CORS) and the Hetzner-managed network layer with TLS 1.3 termination. Inbound traffic to the API Gateway and edge functions is TLS-only; HSTS is enforced with a one-year max-age and includeSubDomains; HTTP-only fallback is disabled.
Control 6.2.I — Strong and trusted encryption techniques, considering state of the art
Documented in the §6 Security "Encryption" paragraph above. AES-256-GCM (chosen for authenticated encryption) is currently state-of-the-art for symmetric encryption; the annual review cadence in §7 Monitoring & Compliance includes evaluation of cryptographic primitives against current EDPB and BSI guidance.
Control 6.2.J — Implement controls equivalent to ISO 27001 A.11 (Physical and environmental security)
Discharged at the sub-processor level: Hetzner's Finland data centre is ISO 27001-certified and applies physical access controls, environmental monitoring, fire suppression, and equipment-disposal procedures appropriate for a Tier-3 data centre. NordScope does not maintain any physical infrastructure of its own that processes Customer Personal Data; the production environment is wholly cloud-hosted.
Control 6.2.K — Implement controls equivalent to ISO 27001 A.12 (Operations security)
Implemented across token-bucket rate limiting, a write-idempotency layer that prevents duplicate operations under retry, HubSpot-write audit logging, and a planned dedicated CI security workflow. Logging covers authentication events, authorisation decisions, and write operations to HubSpot; logs are retained per the policy in §6 Security and reviewed at the annual cadence.
Control 6.2.L — Implement controls equivalent to ISO 27001 A.13 (Communications security)
Discharged by edge-function security headers (CSP, HSTS, CORS allowlist), TLS 1.3 throughout the data plane, and network segmentation at the Hetzner level (production hosts isolated from non-production). A planned public status page and uptime probe will provide external visibility into availability — itself a communications-security indicator.
Control 6.2.M — Implement controls equivalent to ISO 27001 A.14 (System acquisition, development, and maintenance)
Implemented via a codified change-management workflow with mandatory quality gates (verification, audit, code review, second-opinion review) and a tiered safety review for database migrations and schema changes. Migrations and schema changes pass through explicit destructive-operation checklists; code review is mandatory for all production changes.
Control 6.2.N — Implement controls equivalent to ISO 27001 A.15 (Supplier relationships)
Reflected in DPA §4 (sub-processor list, advance-notification mechanism, flow-down obligations) and in the supplier security advisory subscription mentioned in the Training & awareness paragraph of §4 Internal Governance. Each named sub-processor's security posture is reviewed at sub-processor onboarding and at the annual review cadence in §7 Monitoring & Compliance.
Control 6.2.O — Implement controls equivalent to ISO 27001 A.16 (Information security incident management)
Implemented per DPA Annex II "Incident management" (detection, response, communication, recordkeeping, post-incident review) and Security page "Incident response" section. The breach-notification SLA is enforced as a canonical phrase across artefacts by the cross-artefact consistency check; the incident-response runbook is the operational backstop.
Control 6.2.P — Documented procedures determine whether a security breach resulted in a Data Breach
Reflected in DPA Annex II "Incident management" (breach assessment and classification step) plus §6 Security of this attestation (Logging & incident response paragraph). The classification decision (security incident vs. notifiable Data Breach per GDPR Art. 4(12)) is the owner-operator's accountability, with EDPB guidance and the Finnish Data Protection Ombudsman's recent decisions as the authoritative reference.
Control 6.2.Q — Implement controls equivalent to ISO 27001 A.17 (Information security in business continuity)
Discharged by automated database backups every 6 hours, GPG-encrypted with AES-256 and synced to off-server storage at a separate provider, plus documented recovery procedures and the sole-trader-business-continuity disclosure in §4 Internal Governance (concentration risk acknowledged transparently rather than papered over). The "Backup copies within 90 days" retention is enforced as a canonical phrase by the cross-artefact consistency check.
Control 6.3.A — CSP provides transparent information in accordance with the demonstration keys of Code §6.3
This document is the discharge of Control 6.3.A. The combination of structured narrative in §3 Scope through §7 Monitoring & Compliance, the per-control entries in this Controls Catalogue section, and the cross-references to the Privacy Policy, DPA, Security page, and Terms of Service constitutes the transparent information procurement reviewers need to demonstrate Code §6.3 compliance.
Founder sign-off
This self-attestation is signed off by the legal representative of NordScope (the entity operating the PortalPilot SaaS service) as the authoritative record of NordScope's compliance posture against the EU Cloud Code of Conduct framework as at the date below. Subsequent revisions are tracked in the document's revision history and supersede this sign-off only after the next dated sign-off is appended.
Signed:
/s/ Peter Sterkenburg Founder, NordScope Date: 2026-04-30