| CC1.1 Integrity & ethical values |
Documented values, code of conduct |
Single-founder operation under Finnish business law; no formal code-of-conduct document |
A.5.1, A.5.4 |
ISMS scope statement §6 |
No formal employee code of conduct |
Sole trader with no employees — code of conduct deferred until first hire |
| CC1.2 Board oversight |
Board independence, oversight |
Sole-trader entity; no board structure |
A.5.2, A.5.3 |
ISMS scope statement §1 |
No board |
Sole-trader form is recognised under Finnish company law; founder accountability sits with regulator (Tietosuojavaltuutettu) |
| CC1.3 Organisational structure |
Defined org structure, reporting lines |
Single-operator structure; all roles documented |
A.5.2 |
ISMS scope statement §6 |
None — sole-trader form is fully self-contained |
n/a |
| CC1.4 Commitment to competence |
Hiring, training, retention controls |
Founder is the sole technical operator; LLM-driven static review (Mistral AI) supplements code review |
A.6.1–A.6.4 |
portalpilot.io/dpa Annex II §5 |
No employee training programme |
No employees; founder maintains skills via continuous practice + adversarial sweep cadence |
| CC1.5 Accountability |
Performance evaluations, disciplinary action |
Sole-trader entity; quarterly internal audit holds founder operationally accountable |
A.5.4, A.6.4 |
ISMS scope statement §7 |
No external accountability mechanism |
Annual founder review + quarterly Claude-Code adversarial sweep + customer-facing DPA breach-notification commitments (72 h) |
| CC2.1 Information needed for control |
Quality, timely, accurate info |
Audit logging in production database; security audit log on the agent plane |
A.5.32, A.8.15, A.8.16 |
portalpilot.io/security §6 |
None |
n/a |
| CC2.2 Internal communication |
Roles, responsibilities communicated |
Sole-trader entity; all roles in ISMS scope statement §6 |
A.5.4, A.6.3 |
ISMS scope statement §6 |
None |
n/a |
| CC2.3 External communication |
Customer/sub-processor communication |
Public DPA with breach-notification clause; sub-processor list reconciliation |
A.5.14, A.5.34 |
portalpilot.io/dpa §7 |
None |
n/a |
| CC3.1 Risk identification |
Identifies risks; specifies relevant objectives |
Risk register documents identified risks cross-referenced to Annex A controls |
A.5.7, A.5.8 |
Risk register (available under NDA on request) |
None |
n/a |
| CC3.2 Risk analysis & response |
Likelihood/impact assessment |
H/M/L qualitative scoring per the risk register; founder-attested under NordScope's single-operator structure |
A.5.7 |
Risk register (available under NDA on request) |
Qualitative scoring only (vs NIST 800-30 5×5 quantitative) |
Qualitative scoring is appropriate for a sole-trader scope; quantitative scoring deferred to Phase 2 alongside the third-party attestation |
| CC3.3 Fraud risk |
Fraud risk assessment |
Customer self-DoS / billing-abuse risks identified in the risk register; payment-fraud detection delegated to Mollie |
A.5.7 |
Risk register (available under NDA on request) |
No NordScope-side fraud-prevention model |
Mitigated by Mollie's PCI-DSS-graded fraud detection + the encryption-key compromise row of the risk register |
| CC4.1 Internal monitoring |
Ongoing/periodic evaluations |
Quarterly internal audit (clause 9.2) + automated CI drift checks |
A.5.36, A.8.16 |
ISMS scope statement §7 + Q2 internal audit report |
None |
n/a |
| CC4.2 Deficiencies & remediation |
Communicate, remediate, follow-up |
Findings register in each internal audit; status tracked in GitHub Issues |
A.5.36 |
Q2 internal audit report |
Remediation not third-party-verified |
External attestation deferred to Phase 2 |
| CC5.1 Selects/develops control activities |
Selects controls aligned to risk |
This document; ISO/IEC 27001:2022 Annex A register |
A.5.32, A.8.32 |
Annex A control register (planned — see Trust Center evidence library) |
None |
n/a |
| CC5.2 Selects/develops technology controls |
Technology-specific control selection |
RLS, JWT, OAuth, AES-256-GCM, two-layer firewall, four-layer agent-security model |
A.8.2–A.8.5, A.8.24 |
ISMS scope statement §4–§5 |
None |
n/a |
| CC5.3 Policies/procedures |
Policies + monitoring of policy adherence |
Public Privacy/DPA/Security pages; ADR architecture documents; internal runbooks |
A.5.1 |
portalpilot.io/privacy, /dpa, /security |
No formal policy review board |
Sole-trader entity; founder approves all policies; quarterly review cadence in §7 of the scope statement |
| CC6.1 Logical & physical access controls |
Restricts logical access; enforces least privilege |
Two-layer firewall + Traefik reverse proxy + Supabase Auth + JWT + per-edge-function ownership verification + RLS on every customer table |
A.5.15, A.5.18, A.8.2, A.8.3, A.8.5 |
ISMS scope statement §4 |
None |
n/a |
| CC6.2 Authorisation & registration |
Provisioning, modifying access |
OAuth 2.0 for HubSpot integration; Supabase Auth for customer accounts; founder TOTP for orchestration plane |
A.5.16, A.5.17, A.5.18 |
portalpilot.io/security §3 (Authentication) |
None |
n/a |
| CC6.3 Removal of access |
Timely removal on termination/change |
Account-delete cascade in customer Postgres; OAuth token revocation on portal disconnect |
A.5.18, A.8.10 |
portalpilot.io/privacy §5 |
No employee offboarding (no employees) |
n/a |
| CC6.4 Physical access |
Datacenter physical controls |
Fully transferred to Hetzner under their ISO 27001 / 27017 / 27018 certifications |
A.7.1–A.7.14 |
Hetzner certifications |
None |
n/a |
| CC6.5 System hardening |
OS hardening, vulnerability management |
Hetzner-managed Ubuntu LTS; UFW default-deny; sshd key-only auth; Coolify-managed container updates |
A.8.7, A.8.8, A.8.9 |
ISMS scope statement §4 |
No formal vulnerability scanning programme |
Dependabot for npm + GitHub Actions; Hetzner-managed kernel; Coolify-managed images |
| CC6.6 Restrictions on portable devices |
Mobile/laptop encryption |
Founder's laptop is FileVault-encrypted (Apple Silicon); production secrets are not loaded onto the laptop |
A.7.10, A.8.1 |
ISMS scope statement §3 |
No MDM |
Single-laptop entity; founder is the only operator; FileVault + auto-lock |
| CC6.7 Restrictions on data transmission |
Encrypted data transmission |
TLS 1.3 enforced at Traefik; HTTP redirected to HTTPS; HSTS in production browser response |
A.5.14, A.8.20, A.8.24 |
portalpilot.io/security §1 (Encryption) |
None |
n/a |
| CC6.8 Prevents/detects malicious software |
Malware prevention |
Container images sourced only from official registries; CI scans for known-vulnerable npm dependencies |
A.8.7 |
GitHub Actions CI workflow |
No EDR on the production VM |
Container-based deployment + read-only container filesystems where supported + immutable infrastructure |
| CC7.1 System monitoring |
Detect anomalies, security events |
Application audit log (Postgres) + agent-security audit log + Coolify deployment log + Plausible analytics |
A.8.15, A.8.16 |
portalpilot.io/security §6 |
No 24/7 SOC |
Quarterly Claude-Code adversarial sweep + automated CI checks; founder has 24/7 mobile alerting via Coolify health webhooks |
| CC7.2 Anomaly response |
Respond to security events |
Incident-responder role documented in scope statement §6 |
A.5.24, A.5.25, A.5.26, A.5.27 |
ISMS scope statement §6 |
No formal IR playbook for non-founder responders |
Sole-trader entity; founder is the only responder; all responsibilities documented |
| CC7.3 Communicates incidents |
Communicate to affected parties |
72-hour breach notification per the public DPA |
A.5.24, A.5.25 |
portalpilot.io/dpa §7 |
None |
n/a |
| CC7.4 Recovery from incidents |
Recover from security incidents |
Daily Hetzner snapshot backups; documented restore procedure |
A.5.30, A.8.13, A.8.14 |
Available under NDA on request |
No annual DR exercise |
Backup restoration procedure documented; manual restore tested during the March 2026 internal audit |
| CC7.5 System development life-cycle |
SDLC controls |
Git + GitHub Pull Requests + automated CI + Mistral chunk review + Claude Code review |
A.8.25, A.8.27–A.8.29, A.8.32 |
GitHub repository + CI workflow |
None |
n/a |
| CC8.1 Change management |
Authorise, develop, document changes |
Plan-driven workflow with chunk-level pull requests; squash-merge to main; deploy on merge |
A.8.32 |
GitHub repository (PR history) |
None |
n/a |
| CC9.1 Risk mitigation — business continuity |
Mitigate risks from business disruption |
Daily snapshots; documented restore procedure; sub-processor redundancy where the supplier offers it |
A.5.29, A.5.30 |
Available under NDA on request |
Single-server topology — no active-active redundancy |
Acknowledged in risk register; mitigated by Hetzner's snapshot mechanism + restore-time-objective ≤4 h |
| CC9.2 Risk mitigation — vendor management |
Vendor risk programme |
Public DPA with sub-processor list + 30-day prior-notice for changes |
A.5.19–A.5.23 |
portalpilot.io/dpa §4.1 |
No formal vendor-risk-assessment programme |
All current sub-processors are EU-based and bound by DPAs at-least-equivalent to the customer-facing DPA |