Decos Trust Center

“Trust but verify” is a famous statement by former US President Ronald Reagan, and it has taught us that it is important to verify that all agreements made have also been implemented. In our Decos Trust Center you can read which measures Decos has implemented to assure you that we will handle your data safely and in compliance with privacy and legal requirements.


Decos is no stranger to complying with national, international and sector-specific standards and/or agreements.

For instance, we have long been certified for the international standard ISO/IEC 27001:2022. This standard is a globally recognised standard in the field of information security. Our current ISO27001:2022 certificate can be found here. The corresponding declaration of applicability is available on request. Decos is of course also familiar with the Baseline Information Security Government (BIO).

In addition to ISO27001, we are also certified for ISO9001:2015 (quality management) and ISO20000-1:2018 (IT service management). Since we as Decos incur costs to obtain these certifications, we charge a fee to view the ISO20000 certificate.

The ISO standard ISO 16175-1:2020 applies to our JOIN Case and Document product. This product is also certified for (the now withdrawn) standard NEN 2082:2008.

We also comply with the SOC2 category of the Service Organisation Controls (SOC) framework. A SOC2 audit measures the effectiveness of a Cloud Service Provider (CSP) based on the American Institute of Certified Public Accountants (AICPA) Trust Service Principles and Criteria. This first produces a SOC2 type1 report (set-up/existence) and after a fixed agreed period (often 3, 6 or 12 months) a SOC2 type2 report (operation).

Decos has an ISAE3000 - SOC2 type 2 report covering the period 1 January 2022 to 30 June 2022. You can request a personalised report from your account manager. There is a charge for this. We expect a new report covering the period 1 July 2022 to 30 September 2023 by the end of 2023.

For our products for which we offer a DigiD connection (identification for residents in the Netherlands), we also comply with the standard set by Logius. Decos is audited for this by an accredited auditor associated with Norea. A current assurance report of this audit is available to our (future) DigiD customers.

Another example of standards we follow is the 'Comply or Explain' obligation of the Dutch Standardisation Forum (Forum Standaardisatie). Not everything on this list applies to Decos.


Decos manages data and systems for various local and regional government authorities and businesses. Our principles and practices are based on our customers' need to have their data and systems protected using the most up-to-date techniques and standards.

Due to the various requirements in the General Data Protection Regulation (GDPR), Decos has chosen to keep all systems and data within the European Economic Area (EEA). We use the Microsoft and Amazon datacenters in Western and Northern Europe for this purpose. The physical Microsoft datacenters are located in the Netherlands and Ireland, respectively. The Amazon datacenter is located in Ireland. 

Microsoft itself is certified according to many standards that are required or needed in different industries. You can find them for Microsoft here and for Amazon here.

Decos' management objectives and measures are based, among other things, on the aforementioned industry standard ISO27001:2017 and the OWASP Top10.

Backup & disaster recovery

We take data availability in our cloud solutions very seriously. We use different methods to back up your data for restore purposes, for example point-in-time restore (PITR), snapshots and differential backups. For every resource we have configured a retention policy. If you want more information on the retention policy, contact Decos Security.

To secure your data, we can store the data redundantly either within a zone in a datacenter (LRS), at multiple zones within a datacenter within the EEA (ZRS), or in multiple datacenters (sometimes in multiple countries) within the EEA (GRS). Contact your account manager for more information about this or check the website of Microsoft: Data redundancy - Azure Storage.

Organizational security

In order to be able to offer safe and secure products, our own organization needs to be the same. This means that all our employees: 

  • Are made aware of information security from the moment they start at Decos.  
  • Are continuously educated on information security. 
  • Will have to provide a “Verklaring omtrent gedrag” (VOG) besides the regular screening. 
  • Will have to use 2FA to access our systems. 
  • Have an NDA clause in their contract.

All our employees are required to use Multi-Factor Authentication (MFA/2FA) to access our systems. We are also migrating further towards a Zero-Trust policy for system access. We apply strict Role-Based Access Control (RBAC) and assign privileges only based on need. Events and logs related to failed or successful authentication are aggregated for monitoring and triage.

Furthermore, Decos adopts a "cloud-first" policy. This means that the infrastructure in our offices is minimal. We do, of course, use personal access capabilities, CCTV and alarm systems. Employees are also only granted access to regular areas such as the shop floor by default.

Secure software development

Applications developed by Decos are designed with the OWASP Top 10 Framework, among others, in mind. All code goes through a quality assurance process before it is released to the production environment. This includes testing for performance, functionality and security. In addition, our applications are periodically tested internally and externally.

As regards the encryption of data, Decos has an encryption policy. Decos encrypts the data "in transit" and "at rest":

  • All traffic is encrypted using TLS 1.2 (or higher).
  • Data "at rest" is encrypted using AES-256 or better.
  • Login data is stored "hashed" and "salted" using a modern hash function.

Responsible disclosure

Decos uses a responsible disclosure policy. This ensures that security experts from around the world can report to us if they find a problem.