ISO 27001 Alignment
Compliance status: The controls described below are implemented in the production codebase. SOC 2 Type I audit engagement is underway — report expected Q3 2026. For NDA-gated security documentation, contact hello@creatorlayer.eu.
Creatorlayer's security controls are designed with ISO/IEC 27001:2022 as a reference framework. Formal certification has not been initiated. This page documents current alignment with the standard's Annex A controls. Lender customers requiring current control evidence can request the security documentation package.
Security Controls Scope
The Creatorlayer security controls cover:
- The creatorlayer-api production environment (Scalingo SAS, France)
- All personal data processing activities (data subject to the GDPR)
- Development and deployment pipelines (GitHub Actions)
- Third-party sub-processor relationships
Annex A Control Coverage
A.5 — Organizational Controls
| Control | Implementation | Status |
|---|---|---|
| A.5.1 Policies for information security | Security policy documented | Designed (not yet operational) |
| A.5.2 Information security roles | Security and data protection responsibilities are held by the founder | Designed (not yet operational) |
| A.5.9 Inventory of assets | Data classification policy (4 tiers); schema under migration control | Designed (not yet operational) |
| A.5.10 Acceptable use of assets | Enforced via RBAC and API key scoping | Implemented in code |
| A.5.19 Information security in supplier relationships | Sub-processors subject to their standard terms; 30-day change notice | Designed (not yet operational) |
| A.5.23 Information security for cloud services | Scalingo SAS; EU data residency | Designed (not yet operational) |
A.6 — People Controls
| Control | Implementation | Status |
|---|---|---|
| A.6.8 Information security event reporting | Documented incident reporting procedure; 24-hour notification SLA | Designed (not yet operational) |
A.7 — Physical Controls
| Control | Implementation | Status |
|---|---|---|
| A.7.1–A.7.6 Physical security | Delegated to Scalingo SAS (ISO 27001 certified data centre in France) | Implemented in code |
A.8 — Technological Controls
| Control | Implementation | Status |
|---|---|---|
| A.8.2 Privileged access rights | RBAC with three roles (lender, gdpr_admin, admin); least privilege | Implemented in code |
| A.8.3 Information access restriction | API key auth; IP allowlist; per-lender rate limiting | Implemented in code |
| A.8.4 Access to source code | GitHub repository access controls; branch protection | Implemented in code |
| A.8.5 Secure authentication | SHA-256 hashed API keys; magic-link creator auth | Implemented in code |
| A.8.7 Protection against malware | Dependency scanning (npm audit); Semgrep SAST | Implemented in code |
| A.8.8 Management of technical vulnerabilities | Critical CVEs remediated within 7 days; High CVEs within 30 days | Implemented in code |
| A.8.12 Data leakage prevention | 10 KB request limit; CSP headers; no data in logs | Implemented in code |
| A.8.15 Logging | Immutable audit_logs table; 7-year retention | Implemented in code |
| A.8.16 Monitoring activities | Uptime monitoring; abuse detection middleware | Implemented in code |
| A.8.24 Use of cryptography | TLS 1.2+ in transit; AES-256 at rest (Scalingo managed) | Implemented in code |
| A.8.25 Secure development lifecycle | SAST on every PR; TypeScript strict mode; Zod validation | Implemented in code |
| A.8.28 Secure coding | OWASP Top 10 controls; parameterised queries; input validation | Implemented in code |
| A.8.29 Security testing | Penetration testing annually (planned) | Designed (not yet operational) |
| A.8.32 Change management | Pull request review; migration-controlled schema; CI/CD pipeline | Implemented in code |
| A.8.33 Test information | Production data never used in tests; isolated test environment | Implemented in code |
| A.8.34 Protection of information systems during audit testing | Read-only audit access; no production impact | Designed (not yet operational) |
Gap Analysis Summary
The following controls are in progress or planned:
| Control | Gap | Target Completion |
|---|---|---|
| A.5.5 Contact with authorities | Formal procedure for CNIL/ANSSI notification | TBD |
| A.5.6 Contact with special interest groups | ISAC membership | TBD |
| A.8.29 Security testing | Formal annual pen test engagement | TBD |
Certification Roadmap
Formal certification has not been initiated. The following milestones are aspirational and will be updated when an auditor is engaged.
| Milestone | Target |
|---|---|
| Engage certification body | TBD |
| Stage 1 audit (documentation review) | TBD |
| Stage 2 audit (implementation review) | TBD |
| Certificate issuance | TBD |
Requesting Documentation
Lender customers requiring ISO 27001-aligned security documentation for their own supplier due diligence process can request:
- Information Security Policy
- Risk Assessment Summary
- Sub-processor list with DPA references
- Business Continuity Plan summary
- Audit log retention and access policy
Email: hello@satoshiframework.com
Subject: ISO 27001 Documentation Request — [Your Company Name]