Compliance Status & Frameworks
Praxis Security Labs aligns its security practices with established industry frameworks. This page provides our current status and roadmap. We believe in transparency about where we are today, not just where we aim to be.
GDPR
Praxis Security Labs processes personal data on behalf of our customers as a Data Processor under the General Data Protection Regulation (EU) 2016/679.
| Element | Detail |
|---|---|
| Role | Data Processor (customer is the Data Controller) |
| Legal basis | Processing is performed under a Data Processing Agreement between Praxis and the customer, as outlined in GDPR Article 28 |
| Data Processing Agreement | Available on request. See our Resources page to request a copy. |
| Data residency | EU data residency supported. See Data Handling for available regions |
| Data subject rights | We support customers in fulfilling data subject access, rectification, and deletion requests. Contact us |
| Data Protection Officer | Contact us |
| Breach notification | Customers will be notified of a confirmed data breach within 72 hours, in line with GDPR Article 33 |
| Subprocessors | Listed at trust.praxisnavigator.io/subprocessors. Customers are notified of changes at least 30 days in advance. |
SOC 2
Praxis Security Labs has documented its internal controls against the SOC 2 Trust Service Criteria (Security, Availability, Confidentiality). Our controls cover:
- Access control and identity management
- Data encryption (at rest and in transit)
- Incident detection and response
- Change management
- Vendor and subprocessor management
Our controls are documented and implemented against the SOC 2 framework. Formal audit is on our compliance roadmap. A summary of our documented controls is available on our Resources page.
ISO 27001
Praxis Security Labs has established an Information Security Management System (ISMS) documented against ISO 27001:2022. This includes:
- Information security policies and procedures
- Risk assessment and treatment methodology
- Asset management and classification
- Access control policies
- Operational security procedures
- Supplier relationship security
Our Statement of Applicability is complete. Formal certification is on our compliance roadmap. The Statement of Applicability is available on our Resources page.
NIS2 & DORA
NIS2 and DORA are regulatory frameworks that apply to our customers, not directly to Praxis Security Labs as a software vendor. However, Praxis Navigator is designed to help customers meet their obligations under these frameworks.
How Praxis Navigator supports NIS2 compliance
NIS2 (Directive (EU) 2022/2555) requires organizations in essential and important sectors to implement measures for human risk management, incident reporting, and supply chain security. Praxis Navigator supports this by:
- Article 21(2)(g) — Human resource security: Continuous monitoring of employee security behaviors provides evidence that human risk is being actively managed.
- Article 21(2)(a) — Risk analysis and policies: Behavioral baselines and trend data support ongoing risk assessment related to human factors.
- Article 23 — Reporting obligations: Historic evidence trails and audit-ready documentation support incident context and post-incident reporting.
How Praxis Navigator supports DORA compliance
DORA (Regulation (EU) 2022/2554) applies to financial sector entities and their ICT service providers. Praxis Navigator can support DORA requirements related to ICT risk management and human factor monitoring. A detailed DORA article mapping is on our roadmap. Contact us if you need DORA-specific documentation for your evaluation.
Compliance Roadmap
| Milestone | Target | Status |
|---|---|---|
| GDPR documentation (DPA, data residency processes) | Published | ✅ Done |
| SOC 2 controls documented | Complete | ✅ Done |
| ISO 27001 ISMS documented | Complete | ✅ Done |
| GDPR documentation published on Trust Center | Q1 2026 | ✅ Done |
| SOC 2 Type I audit | On roadmap | 🔜 Planned |
| ISO 27001 certification audit | On roadmap | 🔜 Planned |
Questions
For compliance inquiries or to request specific documentation, contact us.
Detailed documentation including our DPA, SOC 2 control descriptions, and ISO 27001 Statement of Applicability is available on our Resources page.