ISO/IEC 27001

Daurada Prime – Security Appendix

Effective date: December 23, 2025

This Security Appendix describes the information security controls implemented by Daurada Prime in alignment with the principles of ISO/IEC 27001 and ISO/IEC 27002.

Daurada Prime is not currently ISO/IEC 27001 certified, but maintains a security program informed by its requirements and is working toward full ISO/IEC 27001 compliance with a target date of March 2025.

1. Information Security Governance

(ISO 27001: Clauses 4–7)

  • Information security is managed as an organizational responsibility.

  • Security roles and responsibilities are defined and reviewed periodically.

  • Security risks are identified and assessed as part of product and infrastructure design.

2. Risk Management

(ISO 27001 Clause 6)

  • Security risks are assessed using a qualitative risk-based approach.

  • Controls are selected based on likelihood, impact, and proportionality.

  • Risks related to availability, confidentiality, integrity, and compliance are considered.

3. Asset Management

(ISO 27002 A.5 & A.8)

  • Information assets (systems, data, code, credentials) are inventoried.

  • Customer Data is logically segregated within a multi-tenant architecture.

  • Access to production systems is restricted to authorized personnel.

4. Access Control

(ISO 27002 A.5, A.6, A.8)

  • Role-based access control (RBAC) is enforced.

  • Least-privilege principles are applied.

  • Administrative access requires strong authentication.

  • Access is revoked promptly upon role change or termination.

5. Cryptography and Data Protection

(ISO 27002 A.8 & A.10)

  • Data in transit is protected using industry-standard encryption (e.g., TLS).

  • Sensitive credentials and secrets are stored using managed secret stores.

  • Customer Data is not used for training AI models in identifiable form.

6. Secure Development Lifecycle

(ISO 27002 A.8 & A.14)

  • Security considerations are integrated into system design and development.

  • Code changes are reviewed prior to deployment.

  • Dependencies are tracked and updated as part of routine maintenance.

  • Test, staging, and production environments are logically separated.

7. Infrastructure and Operations Security

(ISO 27002 A.8 & A.12)

  • Production systems are hosted in reputable cloud environments.

  • Network access is restricted and monitored.

  • Logging is enabled for security-relevant events.

  • Backups are performed for critical systems.
8. Incident Management

(ISO 27002 A.5 & A.16)

  • Security incidents are logged, investigated, and remediated.

  • Personal Data Breaches are handled in accordance with the DPA.

  • Lessons learned are incorporated into preventive controls.

9. Business Continuity and Availability

(ISO 27002 A.17)

  • Service availability is addressed through redundancy and monitoring.

  • Backup and recovery procedures are in place for critical data.

  • Availability commitments are defined in the SLA.

10. Supplier and Sub-processor Security

(ISO 27002 A.5 & A.15)

  • Key suppliers and sub-processors are reviewed for security posture.

  • Sub-processors are contractually required to implement appropriate safeguards.

  • Changes to sub-processors are communicated as described in the DPA.

11. Data Privacy and GDPR Alignment

(ISO 27001 + GDPR Articles 25 & 32)

  • Data protection by design and by default is applied.

  • Personal Data is processed only on Customer instructions.

  • Data minimization and purpose limitation principles are followed.

12. AI Security and EU AI Act Forward-Compatibility

(ISO 23894 principles; AI Act readiness)

  • AI-assisted features operate in human-in-the-loop mode.

  • Outputs are advisory and non-binding.

  • No biometric identification, profiling, or social scoring is performed.

  • AI systems are monitored for bias, misuse, and unintended behavior.

  • Training data is anonymized and aggregated where used.

13. Compliance and Continuous Improvement

(ISO 27001 Clause 10)

  • Security controls are reviewed periodically.

  • Customer feedback, incidents, and audits inform improvements.

  • This appendix may evolve as standards and regulations change.

14. Customer Responsibilities

Customer is responsible for:

  • secure configuration of its accounts,

  • appropriate access management of its users,

  • lawful collection and use of Personal Data.

15. No Certification Claim

This Security Appendix:

  • does not represent an ISO/IEC 27001 certification,

  • does not create additional warranties,

  • is provided for transparency purposes only.

16. Precedence

In case of conflict:

  • the DPA governs Personal Data protection,

  • the SLA governs availability,

  • the Terms of Service govern all other matters.