Security Appendix (Technical & Organizational Measures)

This Security Appendix defines controls applicable to services provided by Lawkraft/Sanker-Office. Controls are risk-based and aligned with industry frameworks (e.g., ISO/IEC 27001/27002, NIST) in a pragmatic manner.

1) Governance & Risk

  • Security policy approved and reviewed annually; roles and responsibilities defined.
  • Risk assessment conducted periodically; treatment plans tracked.

2) Asset & Data Management

  • Asset inventory maintained; data classified (Public / Internal / Confidential / Restricted).
  • Data minimization by default; no PII unless explicitly required and approved.

3) Access Control

  • Least privilege; role-based access; MFA for privileged access.
  • Joiner/mover/leaver processes with timely revocation.

4) Cryptography

  • Encryption in transit (TLS) and at rest where applicable.
  • Key management with rotation; secrets stored in vaults (no secrets in source/docs).

5) Secure Development & Change

  • Code review; dependency scanning; CI with signed artifacts where feasible.
  • Changes tracked and approved; rollback procedures defined.

6) Logging, Monitoring & Audit

  • Event logging for security-relevant systems; retention per policy.
  • Content-addressed (CID) logs may be used for provenance and tamper-evidence when enabled by policy.

7) Vulnerability & Patch Management

  • Routine patching cadence; critical patches expedited.
  • Vulnerability intake via Responsible Disclosure; triage within defined SLAs.

8) Incident Response & Business Continuity

  • Incident response plan with defined roles, severity, and communication paths.
  • Backups and restoration tested periodically; continuity procedures documented.

9) Third-Party & Sub-processor Management

  • Security evaluation proportional to risk; DPAs and SCCs where required.
  • Contractual obligations flow down to sub-processors.

10) Data Retention & Deletion

  • Retention by policy only; secure deletion on request/termination unless legally required otherwise.

11) Physical & Environmental

  • Data center controls via reputable providers; access logged and restricted.

12) Compliance & Audit

  • Support for Customer audits no more than annually, on notice, minimizing operational disruption.

Schedules (complete where applicable)

  • Data Locations/Regions: (EU/EEA unless agreed otherwise)
  • Backup Frequency & Retention: (e.g., daily, 30 days)
  • Key Rotation Interval: (e.g., 90 days)
  • Personnel Screening: (e.g., background checks where lawful)
  • Security Contacts: security@sanker-office.eu