

“Trust but verify” is a famous statement by former US President Ronald Reagan. It has taught us that it is important to verify that all the agreements made have actually been implemented. In our Decos Trust Center you can read which measures Decos has implemented to assure you that we handle your data safely and in compliance with privacy and legal requirements. 


Decos is no stranger to complying with national, international and sector-specific standards and agreements. 

For instance, we have long been certified according to ISO/IEC 27001:2017, the globally recognised standard for information security management. We also adhere to ISO 16175 (previously NEN 2082), the standard for records and archive management. In addition, we are familiar with the Dutch Government Information Security Baseline (BIO). The BIO describes how the NEN-ISO/IEC 27001:2017 and NEN-ISO/IEC 27002:2017 standards are to be applied within government organisations. 

Our current ISO27001:2017 certificate and accompanying statement of applicability can be found here. 

Another set of standards we follow is the 'comply or explain' list of the Dutch Standardisation Forum (Forum Standaardisatie). Not everything on this list applies to Decos. Below are the items on the list that we receive the most questions about, with a brief description of how Decos complies with each, or intends to:

  • DNSSEC: Per our policy this is enabled by default for our public services. For DNSSEC validation to succeed end to end, every component in the resolution chain must support it. Currently, Microsoft Azure (Azure) does not (yet) support DNSSEC for zones hosted in its environment, so a 100% DNSSEC check is not possible for some of our products. Note that the apex of our DNS zones is correctly signed and registered with our DNS provider True; as soon as Azure supports DNSSEC, we will enable it there as well;
  • IPv6: Per our policy this is enabled by default for our public services. We use Microsoft Azure (Azure) to offer these services. Our way of offering IPv6 connectivity within Azure is Azure Front Door (AFD). However, using AFD can mean that the DNSSEC check no longer passes at 100%, for the reason given above;
  • DDoS protection: Services running on Azure are protected by Azure's standard, infrastructure-level DDoS protection that is included with the platform. Note that this is not the separately priced Azure DDoS Protection Standard tier, which is also available.

We are also in the process of implementing SOC 2, one of the report types in the Service Organisation Controls (SOC) framework. A SOC 2 audit assesses the controls of a Cloud Service Provider (CSP) against the Trust Services Criteria of the American Institute of Certified Public Accountants (AICPA). The process first results in a SOC 2 type 1 report (design and existence of the controls at a point in time) and, after an agreed observation period (often 3, 6 or 12 months), a SOC 2 type 2 report (operating effectiveness over that period).

Decos has an ISAE 3000 / SOC 2 type 1 report. This report can be requested via your account manager; a fee is charged for it. We expect the first SOC 2 type 2 report at the beginning of Q3 2022.

For the products for which we offer a DigiD connection, we also meet the standard set by Logius. Decos is audited for this by an approved auditor registered with NOREA. An up-to-date assurance report of this audit is available to our (future) DigiD customers. 


Decos manages data and systems for various local and regional government authorities and businesses. Our principles and practices are based on what our customers need: their data and systems protected using current techniques and standards.  

Due to the various requirements in the General Data Protection Regulation (GDPR), Decos has chosen to keep all systems and data within the European Economic Area (EEA). We use the Microsoft and Amazon datacenters in Western and Northern Europe for this purpose. The physical Microsoft datacenters are located in the Netherlands and Ireland, respectively. The Amazon datacenter is located in Ireland. 

Microsoft and Amazon are themselves certified according to many standards that are required in different industries. Microsoft's certifications can be found here and Amazon's here. 

Decos' own management objectives and measures are based, among other things, on the aforementioned industry standard ISO27001:2017 and the OWASP Top10.

Application security 

Decos uses a security-oriented design based on multiple layers, one of which is the application layer. The applications developed by Decos are designed and continuously verified against the OWASP Top 10. All code is peer-reviewed before being released to the production environment.  
We also use vulnerability scans, end-to-end tests and unit tests, and have our applications tested by external certified agencies.  


Data encryption 

Decos encrypts the data “in transit” and “at rest”: 

  • All traffic is encrypted using TLS 1.2 (or higher). 
  • Data “at rest” is encrypted using AES-256 or better. 
  • Login credentials are stored as salted hashes produced by a modern password hashing function, never in plain text. 

Responsible disclosure 

Decos has had a “Responsible disclosure” policy in place for some time now. It allows security researchers from all over the world to report problems they find in our products to us. Over the years Decos has built an active community of ethical hackers who test our applications. 


Physical security 

Decos applies a “cloud-first” policy, which means that the infrastructure in our offices is minimal. We do, of course, use personal access control systems, CCTV and alarm systems. By default, employees only have access to the regular areas such as the work floor.  


Organizational security 

In order to offer safe and secure products, our own organisation needs to be safe and secure as well. This means that all our employees: 

  • Are made aware of information security from the moment they start at Decos.  
  • Are continuously educated on information security. 
  • Must provide a “Verklaring omtrent gedrag” (VOG, the Dutch certificate of good conduct) in addition to the regular screening. 
  • Will have to use 2FA to access our systems. 
  • Have an NDA clause in their contract. 

We are planning to implement a SIEM platform that aggregates logs from our various sources, applies monitoring rules to them and flags suspicious activity. We already collect these logs today. Key system logs are forwarded from each system to central storage where they are read-only, so a compromised system cannot alter its own history. Once the SIEM is in place, our internal processes will define how alerts are triaged, investigated and escalated, and the security team will create alerts on the platform and monitor for indicators of compromise.  

Identity Management 

All our employees are required to use Multi-Factor Authentication (MFA/2FA) to access our systems, and we are migrating further towards a Zero Trust model for system access. We apply strict role-based access control (RBAC) and grant privileges only on a need-to-have basis.  

Events and logs related to failed or successful authentication are aggregated for monitoring and triage. 
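As an added example (not Decos code) of the kind of monitoring rule that runs over aggregated authentication events, the block below detects a burst of failed logins from one source address within a sliding window and raises a higher-severity alert when that same source then succeeds, the pattern of a credential-stuffing or password-spraying attack that got in. The log line format, the field names, the threshold of 5 failures and the 60-second window are all assumptions, and the sample log is constructed for this example.

```python
"""Failed-authentication burst detection over aggregated auth events.

Added example, not Decos code. Log format, field names, threshold and
window are assumptions; the sample log below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List

# Assumed line format: "<ISO timestamp>Z auth user=<u> src=<ip> result=success|failure"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)
THRESHOLD = 5                    # failures from one source ...
WINDOW = timedelta(seconds=60)   # ... within this sliding window raise an alert


def parse_line(line: str) -> dict:
    """Parse one auth event; unparseable input is an error, not silently dropped."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable auth event: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(lines: List[str]) -> List[dict]:
    """Return alerts in log order: one 'auth_bruteforce' per burst per source,
    plus 'success_after_bruteforce' for any success while a burst is still in window."""
    alerts: List[dict] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # src -> failure timestamps
    alerted_at: Dict[str, datetime] = {}                        # src -> last burst alert time
    for line in lines:
        ev = parse_line(line)
        src, ts = ev["src"], ev["ts"]
        q = failures[src]
        while q and ts - q[0] > WINDOW:      # drop failures that left the window
            q.popleft()
        if ev["result"] == "failure":
            q.append(ts)
            last = alerted_at.get(src)
            if len(q) >= THRESHOLD and (last is None or ts - last > WINDOW):
                alerted_at[src] = ts         # alert once per burst, not on every failure
                alerts.append({"rule": "auth_bruteforce", "src": src,
                               "count": len(q), "at": ts.isoformat()})
        elif len(q) >= THRESHOLD:
            # a success from a source still bursting is the case to escalate first
            alerts.append({"rule": "success_after_bruteforce", "src": src,
                           "user": ev["user"], "at": ts.isoformat()})
    return alerts


# Constructed sample: one source sprays six accounts, then logs in as the sixth.
SAMPLE_LOG = [
    "2024-03-04T10:00:01Z auth user=alice src=203.0.113.5 result=failure",
    "2024-03-04T10:00:05Z auth user=bob src=203.0.113.5 result=failure",
    "2024-03-04T10:00:09Z auth user=carol src=203.0.113.5 result=failure",
    "2024-03-04T10:00:12Z auth user=dave src=203.0.113.5 result=failure",
    "2024-03-04T10:00:15Z auth user=eve src=198.51.100.7 result=failure",
    "2024-03-04T10:00:18Z auth user=erin src=203.0.113.5 result=failure",
    "2024-03-04T10:00:22Z auth user=frank src=203.0.113.5 result=failure",
    "2024-03-04T10:00:40Z auth user=frank src=203.0.113.5 result=success",
    "2024-03-04T10:05:00Z auth user=grace src=192.0.2.10 result=success",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Keying the window on the source address rather than the user name is what makes a spray across many accounts visible; a per-user lockout rule would never trigger on the sample above because no single account fails more than once. In a real deployment the same rule would also be run keyed on user name to catch a distributed attack against one account.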


Backups and disaster recovery 

We take data availability and governance seriously, and backups are a daily automated process. Our database backup policy takes a backup every 5 minutes to secure your data, combined with daily full and differential backups. All other resources follow a daily full backup, and where possible we use snapshot technology. 

Backups are stored in at least two different racks in one of our EU cloud data center locations. This allows us to restore your data and services without data loss and with minimal impact. Our standard point-in-time restore (PITR) backup retention period is 30 days. In addition, monthly long-term retention (LTR) backups are kept for a further 2 months after this 30-day period.