Infosistema, a Joyn company

Trust

Security & compliance, audited.

Infosistema is certified to ISO/IEC 27001 (information security) and ISO 9001 (quality management). Both certifications cover the design, development, operation, and support of every Infosistema product, and are audited annually by independent certification bodies.

Active certifications

ISO/IEC 27001 — Information Security Management
ISO 9001 — Quality Management

Independent verification

Certifications

Audited annually by independent certification bodies. Certificate copies and full scope statements are available on request. Email privacy@infosistema.com.


ISO/IEC 27001

Information Security Management

Body: BSI
Cadence: Annual audit
Coverage: Design, development, operation, and support of all Infosistema products and services, including DMM Infinity, DocDigitizer, BizAPIs, BizSupply, and Arena.
Extensions: ISO/IEC 27017 (cloud-security controls) and ISO/IEC 27018 (protection of personal data in cloud).

ISO 9001

Quality Management

Body: IQNET
Cadence: Annual audit
Coverage: Design, development, operation, and support of all Infosistema products and services, audited end-to-end, from project intake to ongoing maintenance.

Additional frameworks

GDPR: Data protection (EU)
CCPA: Data protection (California)
OWASP: Application security
NIS 2: Network & information security (EU)

Operating principles

How the certifications hold up in practice.

The certifications describe an audit. These are the principles that make the audit pass every year.

Customer data stays where it belongs

Each product is designed so customer data lives in tenant-scoped storage. We do not use Customer Data to train models or for any purpose outside service delivery.

Encryption in transit and at rest

All data in transit is protected by TLS 1.2+. Data at rest is encrypted using AES-256. Encryption keys are managed per-tenant and rotated on a defined schedule.

Region-pinned infrastructure

EU customers stay in EU regions (europe-west1); US customers stay in US regions (us-central1). Region pinning is contractual, not best-effort.

Least-privilege access, time-bound

No standing admin credentials in production. Privileged access is per-environment, audited, and expires. Access reviews are conducted quarterly.

Continuous auditing & monitoring

Infrastructure and application logs are centralised and retained. Anomaly detection runs continuously; on-call engineers respond to alerts 24/7.

Incident response: documented and rehearsed

Runbooks for credential rotation, breach notification (72 hours per GDPR), and post-incident review live in the same repository as the code they protect.

Need a certificate copy or security review?

Procurement teams and security reviewers can request ISO certificate copies, full scope statements, and our standard Data Processing Agreement (DPA). For privacy enquiries, see the Privacy Policy.