
Security Addendum

The technical and organisational measures GovLens commits to maintain throughout the Subscription Term.

Effective date: 2026-05-10 · Version: 1.0

This Security Addendum forms part of the Master Subscription Agreement between Trelvio Technology OÜ ("GovLens") and Customer.

GovLens commits to maintaining, throughout the Subscription Term, the technical and organisational measures described below. GovLens may modify specific controls from time to time, provided the overall security posture of the Services is not materially diminished.

1. Information Security Programme

GovLens operates an information-security management system ("ISMS") aligned with internationally recognised frameworks, including ISO/IEC 27001 and the SOC 2 Trust Services Criteria. GovLens's roadmap is to achieve SOC 2 Type II attestation within 18 months of an Enterprise Order Form taking effect, and ISO/IEC 27001 certification within 36 months, subject to commercially reasonable efforts.

The ISMS is owned by a designated Head of Security, reviewed at least annually, and approved by GovLens's management board.

2. Risk Management

GovLens performs documented risk assessments at least annually and after any material change to the Services or threat landscape. Identified risks are tracked in a risk register with assigned owners and target remediation dates.

3. Encryption

  • In transit (public networks): TLS 1.2 or higher with strong cipher suites; HSTS enabled.
  • At rest (databases): AES-256-GCM for sensitive identifiers (e.g., user emails); volume-level encryption for primary database storage.
  • At rest (object storage): Provider-managed AES-256.
  • Backups: Encrypted at rest using AES-256 with separately managed keys.
  • Key management: Keys held in a managed KMS; rotated at least annually; access logged and reviewed.

User passwords are never stored in plaintext; only bcrypt hashes of passwords are retained. Webhook secrets and other application-layer secrets are encrypted at rest with keys separate from those used for user data.

4. Access Control

  • Authentication: Multi-factor authentication is mandatory for all GovLens personnel access to production systems and the source-code repository.
  • Authorisation: Role-based access control on the principle of least privilege; access reviewed at least quarterly.
  • Privileged access: Privileged operations are logged with user attribution and granted through just-in-time elevation where the platform supports it.
  • Joiner / mover / leaver: Documented onboarding and offboarding procedures; access revoked within 1 business day of role change or termination.
  • Customer access: Authorised Users authenticate via password plus optional 2FA, or via supported OAuth providers; session cookies are set HttpOnly, Secure and SameSite=Lax, with configurable expiry.

5. Network and Infrastructure Security

  • Production systems are hosted with reputable providers in EU regions (primary: Railway EU, Cloudflare EU, IBM Cloud Frankfurt).
  • Network segmentation isolates production from non-production environments; production secrets are never used in non-production.
  • Web application firewall (WAF) and DDoS protection are provided through Cloudflare.
  • Bot mitigation via Cloudflare Turnstile is applied to authentication and high-risk endpoints.
  • Inbound traffic to backend services is restricted to the application layer; databases are not exposed to the public internet.
  • Egress traffic to third-party services is limited to documented destinations.

6. Vulnerability and Patch Management

  • Automated dependency scanning is performed on every commit; critical findings block release.
  • Operating-system and platform patches are applied through managed-platform updates, with critical security patches installed within 14 days of vendor release.
  • Static application security testing (SAST) is integrated into the build pipeline.
  • An external penetration test is conducted at least annually by a qualified independent provider; an executive summary is available to Enterprise Customers under NDA.
  • A coordinated vulnerability-disclosure programme is maintained; reports are received at security@trelvio.eu.

7. Application Security

  • All code changes are peer-reviewed before merge.
  • Common web-application vulnerabilities (OWASP Top 10) are addressed through framework-provided protections, parameterised queries, output encoding, anti-CSRF tokens, content-security-policy headers, and rate limiting.
  • Secrets are managed via the platform secrets store; never committed to source control.
  • Service-to-service communication uses authenticated API keys or short-lived tokens.

8. Logging and Monitoring

  • Centralised security and audit logs are retained for at least 12 months.
  • Logs include authentication events, privileged operations, configuration changes, and security-relevant errors.
  • Real-time alerting is in place for indicators of compromise, anomalous authentication, and rate-limit breaches.
  • Security events are reviewed during business hours; high-severity alerts are escalated 24×7.

9. Incident Response

  • Documented incident-response plan with defined roles, severity classifications, and communication paths.
  • Tabletop exercises are conducted at least annually.
  • Personal Data breach notification: GovLens will notify Customer without undue delay and in any event within 48 hours of confirming a breach affecting Customer Data, in accordance with §9 of the DPA.
  • Post-incident reviews are conducted for all P1 incidents and shared with affected Customers.

10. Personnel Security

  • All personnel and contractors with access to Customer Data are subject to background screening to the extent permitted by law.
  • Confidentiality and intellectual-property assignment agreements are signed before access is granted.
  • Annual security-awareness training is mandatory; completion is tracked.
  • Phishing-simulation campaigns are conducted at least twice per year.

11. Physical Security

GovLens does not operate its own data centres. Physical security is provided by the underlying cloud infrastructure providers, which maintain SOC 2, ISO 27001, and (where applicable) FedRAMP-compliant facilities. Office access is limited to authorised personnel.

12. Sub-processors

Sub-processors are engaged in accordance with §7 of the DPA. The current list, including processing location and purpose, is published in the Privacy Policy. New sub-processors are notified at least 30 days in advance with a Customer right to object on reasonable data-protection grounds.

13. Data Segregation and Multi-tenancy

Customer Data is logically segregated through tenant-scoped identifiers and access controls enforced at the application layer. GovLens does not commingle Customer Data with that of other Customers in shared records.

14. Backup and Disaster Recovery

  • Encrypted daily database backups retained for 30 days.
  • Backups are tested quarterly through documented restore exercises.
  • Multi-availability-zone deployment in the EU region.
  • Recovery Time Objective (RTO): 4 hours; Recovery Point Objective (RPO): 1 hour.
  • DR runbook reviewed and exercised at least annually.

15. Business Continuity

GovLens maintains a business-continuity plan covering personnel unavailability, supplier failure, and prolonged infrastructure outage, with annual review and exercise.

16. Data Deletion

On expiry or termination of an Order Form, Customer Data is returned or deleted in accordance with §5.5 of the MSA and §10 of the DPA. Deletion from primary systems occurs within 30 days; deletion from backups occurs as backup rotation completes (not exceeding 90 days).

17. Privacy by Design

  • Email addresses of registered users are stored using AES-256-GCM encryption with a deterministic lookup hash for indexing.
  • Phone numbers used for two-factor authentication are stored as HMAC-SHA256 hashes only.
  • Webhook shared secrets are encrypted at rest.

18. Audit and Compliance Reporting

GovLens makes the following available to Enterprise Customers under NDA on reasonable request:

  • annual penetration-test executive summary;
  • ISMS policy summary;
  • sub-processor list and processing-location matrix;
  • once available, SOC 2 Type II report;
  • once available, ISO/IEC 27001 certificate.

Where Customer's regulator requires direct audit rights, the Parties will discuss reasonable on-site or remote audit arrangements in accordance with §8 of the MSA.

19. AI / Model-provider Controls

For AI-generated content (e.g., legislative summaries):

  • Only public legislative documents are sent to model providers; no Customer personal data is transmitted to LLM providers.
  • Model providers are bound by GovLens's data-processing terms; outputs are not used by providers to train their general-purpose models, where the provider offers that election.
  • All AI-generated content is clearly labelled and is not treated as legal advice.

20. Changes

GovLens may update this Security Addendum from time to time. Material reductions in security commitments during a Subscription Term require Customer's written consent.

21. Contact

See also: Master Subscription Agreement · SLA · DPA