Audit-ready, by design.

The exact mapping. Pick a standard, find the control, copy the evidence into your audit. We've done the cross-referencing so you don't have to.

Last reviewed: May 1, 2026

ISO 27001:2022

The international standard for information security management systems. Covers organisational, people, physical, and technological controls. Recognised by virtually every regulated EU buyer as the baseline for "this vendor takes security seriously."

NEN 7510-2:2017

The Dutch healthcare information-security standard. Built on the same ISO 27002 control catalogue as ISO 27001, with healthcare-specific additions covering patient data, BSN handling, and consent. The de-facto standard for any system processing Dutch medical records.

Data Processing Agreement

A signed data processing agreement is part of standard onboarding. Your legal basis for processing under the GDPR is formally established from day one.

Sovereign cloud

Your data is stored in Amsterdam, with European provider Scaleway. Out of reach of the US Cloud Act, fully within European jurisdiction.

NTA7516 / NEN7531/32

Databeamer provides substantive compliance on most pillars of NTA7516. Our hybrid post-quantum encryption delivers a level of protection that exceeds current NTA7516 baseline requirements. We actively monitor the development of the new NEN7531/32 standard.

GDPR

Process personal data in accordance with the law — and be able to prove it. Databeamer automatically logs every step, enforces retention periods, and manages purpose limitation per case.

NIS2

Stricter cybersecurity requirements for essential and important entities. Databeamer supports your obligations around access control, incident logging, and secure supply chain communication.

DORA

Digital operational resilience for financial institutions. Databeamer supports your third-party risk management, audit logging, and fully traceable data exchange in line with DORA.

Sector-specific legislation

Databeamer is used across various applications to follow prescribed processes — from a reporting channel under the Whistleblower Protection Act to a closed communication channel under the Works Councils Act.

WORM

Once written, always preserved. Databeamer enforces the WORM principle (Write Once, Read Many) at case level: files and messages cannot be modified or deleted while the retention period is active. This means you can always produce the original, unaltered version during an audit or subject access request.

6 of 6 controls

A.5

Privacy and protection of personal identifiable information (PII)

Satisfied
  • ISO 27001 · A.5.34
  • NEN 7510 · 5.34

What the standard requires

The organisation shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws, regulations, and contractual requirements.

How Databeamer satisfies this

All personally identifiable information is encrypted on the user's device with ChaCha20-Poly1305 before reaching Databeamer's infrastructure. Encryption keys are split via 2-of-3 secret sharing across the device, the user's recovery share, and the server share; Databeamer never holds a complete key. Server-side, only ciphertext is stored. See /technology for the full key custody model.

Information security for use of cloud services

Satisfied
  • ISO 27001 · A.5.23
  • NEN 7510 · 5.23

What the standard requires

Processes for the acquisition, use, management, and exit from cloud services shall be established in accordance with the organisation's information security requirements.

How Databeamer satisfies this

Databeamer is hosted exclusively on EU infrastructure (Scaleway, Netherlands). No data, metadata, or backups leave the EU. Identity and authentication run on Zitadel (EU-hosted). On exit, customers can export all encrypted blobs and re-encrypt at their end; because Databeamer never held the keys, there is no copy to retain after termination.

A.8

Use of cryptography

Satisfied
  • ISO 27001 · A.8.24
  • NEN 7510 · 8.24

What the standard requires

Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.

How Databeamer satisfies this

Symmetric encryption uses ChaCha20-Poly1305 AEAD with per-block deterministic nonces and AAD bound to file id and block position. Key encapsulation is hybrid X25519 + ML-KEM-768 (post-quantum). Signatures are hybrid Ed25519 + ML-DSA-65. Keys are derived via HKDF-SHA512 + Argon2id from a master secret split via 2-of-3 Pedersen VSS. Full primitive citations on the technology page.

Secure authentication

Satisfied
  • ISO 27001 · A.8.5
  • NEN 7510 · 8.5

What the standard requires

Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.

How Databeamer satisfies this

Authentication is delegated to Zitadel (OIDC), supporting MFA, social login, and enterprise SSO (SAML, OIDC). Magic-link flows for external collaborators use scoped opaque tokens with limited TTL. All access is brokered through a Cerbos PDP that enforces fine-grained, role-aware authorisation policies on every request.

Information deletion

Shared responsibility
  • ISO 27001 · A.8.10
  • NEN 7510 · 8.10

What the standard requires

Information stored in information systems, devices, or in any other storage media shall be deleted when no longer required.

How Databeamer satisfies this

Databeamer enforces WORM-compliant retention windows configured per workspace, case, or category. Once a window expires, the encrypted blob is destroyed and key material is rotated, making recovery cryptographically infeasible. The customer remains responsible for setting retention policies appropriate to their regulatory obligations (e.g. the 15-year retention period for medical records under NEN 7510).

Notes

Customer must configure retention policies per their sector's requirements; Databeamer provides the technical enforcement.
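The retention gate that the WORM and information-deletion controls describe, as an added illustration rather than Databeamer's own code: the class, its method names, the injected clock and the zero-fill standing in for blob destruction plus key rotation are all assumptions made for the demo. Items are write-once, nothing in a case can be modified or deleted while its window is open, expired cases are purged, and every refused attempt is recorded so the audit trail itself evidences the control.

```javascript
// Constructed, simplified model of case-level WORM retention (assumed design).
class WormCaseStore {
  constructor(clock) {
    this.clock = clock;            // injected () => Date, so a test can move time forward
    this.cases = new Map();
    this.audit = [];
  }

  // The retention end is fixed when the case is created; nothing can shorten it later.
  createCase(caseId, retentionEndIso) {
    if (this.cases.has(caseId)) throw new Error(`case ${caseId} already exists`);
    this.cases.set(caseId, { retentionEnd: new Date(retentionEndIso), items: new Map() });
    this.record('create', caseId, 'allowed');
  }

  retentionActive(caseId) {
    return this.clock() < this.cases.get(caseId).retentionEnd;
  }

  // Write once: an existing item id is never overwritten, whatever the retention state.
  put(caseId, itemId, blob) {
    const c = this.cases.get(caseId);
    if (c.items.has(itemId)) {
      this.record('overwrite', caseId, 'refused');
      throw new Error(`WORM: ${itemId} already exists in ${caseId}`);
    }
    c.items.set(itemId, Buffer.from(blob));
    this.record('put', caseId, 'allowed');
  }

  // Read many: the original bytes stay available for audits and subject access requests.
  get(caseId, itemId) {
    return this.cases.get(caseId).items.get(itemId);
  }

  // Delete never while the window is open.
  delete(caseId, itemId) {
    if (this.retentionActive(caseId)) {
      this.record('delete', caseId, 'refused');
      throw new Error(`WORM: retention active for ${caseId}`);
    }
    this.cases.get(caseId).items.delete(itemId);
    this.record('delete', caseId, 'allowed');
  }

  // Destroys every case whose window has closed (zeroing the stored bytes stands in for
  // blob destruction plus key rotation) and returns the ids that were purged.
  purgeExpired() {
    const purged = [];
    for (const [caseId, c] of this.cases) {
      if (this.retentionActive(caseId)) continue;
      for (const blob of c.items.values()) blob.fill(0);
      this.cases.delete(caseId);
      this.record('purge', caseId, 'allowed');
      purged.push(caseId);
    }
    return purged;
  }

  // Every decision, allowed or refused, lands in the audit log with a timestamp.
  record(action, caseId, outcome) {
    this.audit.push({ at: this.clock().toISOString(), action, caseId, outcome });
  }

  refusedAttempts() {
    return this.audit.filter((e) => e.outcome === 'refused').length;
  }
}

// Worked run with a constructed 15-year window, first inside the window, then after it.
function demo() {
  let now = new Date('2026-05-01T00:00:00Z');
  const store = new WormCaseStore(() => now);
  store.createCase('case-1', '2041-05-01T00:00:00Z');
  store.put('case-1', 'report', 'original report bytes');
  let refused = 0;
  try { store.put('case-1', 'report', 'edited'); } catch (e) { refused++; }
  try { store.delete('case-1', 'report'); } catch (e) { refused++; }
  const purgedEarly = store.purgeExpired().length;     // 0: window still open
  now = new Date('2041-05-02T00:00:00Z');
  const purgedLate = store.purgeExpired();             // ['case-1']
  return { refused, purgedEarly, purgedLate, logged: store.refusedAttempts() };
}
```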

Data leakage prevention

Satisfied
  • ISO 27001 · A.8.12
  • NEN 7510 · 8.12

What the standard requires

Data leakage prevention measures shall be applied to systems, networks, and any other devices that process, store, or transmit sensitive information.

How Databeamer satisfies this

The zero-knowledge architecture eliminates the most common leakage vector: a server-side breach yields only ciphertext, which is unreadable without keys Databeamer does not possess. Encrypted blobs include AAD-bound metadata, preventing block-substitution attacks. Client-signed audit entries detect any tampering. There is no shadow database, no AI-training pipeline, and no telemetry that exfiltrates plaintext content.