Trust Center — IESolution security & compliance

Public documentation on security processes, certifications, status page, security whitepaper, CISO contacts. For insurer and auditor due diligence.

Trust Center: what we publish and what's available on request

The Trust Center is the single entry point for CISOs, security officers and auditors doing due diligence on IESolution as a vendor. It replaces the classic vendor-security questionnaire sent by email with a repository of evidence that is either already published (certifications, status page, security whitepaper, incident post-mortems) or quickly available under NDA (SOC 2 Type II, ISO SoA, penetration test report). The goal is to shorten the security review phase of contractual onboarding from weeks to days. All documents are dated and versioned, and we publish their history for retrospective audit.

IESolution facts

IESolution security in numbers

ISO 27001:2023 | Certification | 2023 edition · Accredia
SOC 2 Type II | Available under NDA | 12-month retrospective audit
2 DC | IT data centers | Active-active, ISO 27001 certified
99.9% | Contractual SLA | Penalties on miss
≤ 15 min | RPO | Recovery Point Objective
≤ 1 h | RTO | Recovery Time Objective
24 h | Data breach notification | More stringent than GDPR 72h
1/year | Penetration test | Report shareable under NDA

Available documents

What you can get from the Trust Center

Public

ISO 27001:2023 certificate

Publicly available, verifiable with Accredia. Scope: full NewPicass 14.Net software lifecycle.

Public

Status page status.iesolution.it

Real-time service status, 90-day history, RSS/email alert subscription.

Public

Sub-processors list

Up-to-date sub-processors.json + 30-day notification before any change.

Under NDA

SoA (ISO Statement of Applicability)

Complete document of the 93 applied Annex A controls with justification.

Under NDA

SOC 2 Type II report

Annual retrospective audit on the 5 Trust Services Criteria.

Under NDA

Annual penetration test report

Conducted by CREST-certified third party. Executive summary + technical findings + remediation status.

Under NDA

Security Whitepaper

Security architecture, threat model, controls, data flow. Updated annually.

Under NDA

Annual DR Test Report

Live disaster-recovery exercise with post-test sign-off and remediation plan.

FAQ

Frequently asked questions on the Trust Center

How do I run quick due diligence on your Trust Center?

Three steps. (1) Verify the public ISO 27001:2023 certificate on the Accredia portal. (2) Request under NDA the annual SOC 2 Type II report + penetration test summary + SoA (ISO Statement of Applicability). (3) Schedule a 60-minute call with our CISO or Head of Security for specific deep-dives (e.g. health-data controls, DORA requirements, third-party management). The first two steps cover 80% of typical vendor-security questionnaires.

Do you have a public status page?

Yes. status.iesolution.it exposes real-time NewPicass 14.Net service status (app, API, database, signing, BDX delivery) plus the last 90 days of history for incidents and scheduled maintenance. It updates automatically during ongoing incidents. Email or RSS subscription is available.

How often is the Security Whitepaper updated?

At least annually, or when significant changes occur (e.g. new certification, critical sub-processor change, cloud architecture change). The whitepaper covers: security architecture, threat model, applied controls, incident management, business continuity, sub-processors, data flow. The current version is dated and versioned. It is available under NDA to qualified customers and prospects.

Do you publish post-mortems after significant incidents?

Yes. For every incident classified as "major" (impact >1h or multi-customer data involvement) we publish a post-mortem on the status page within 5 business days: timeline, root cause, impact, immediate mitigation, long-term remediation. Regulated customers also receive a detailed technical report for their own DORA regulatory submissions.

Can I directly contact your CISO?

Yes, for significant issues. Email [email protected] is monitored by the security team with a 24h response SLA. For security emergencies (suspected data breach, vulnerability disclosure) there is a published PGP key and a direct phone number for the Security Lead, reachable in a 12h window (Mon-Fri 9-21 CET, weekends best-effort). Coordinated disclosure is welcome — we have an informal bug bounty.

How many critical sub-processors do you have?

A contained and transparent number: primary IT data center, secondary IT data center, encrypted cloud storage (customer-configurable), TSP for qualified signature (Actalis primary, others secondary), transactional email (TurboSMTP/AWS SES as backup), telemetry and monitoring (self-hostable provider). The complete list is in the public sub-processors.json in the Trust Center, with written notification 30 days before any change.

Contact security

Got specific security questions?

Email [email protected] for coordinated disclosure, due diligence requests and scheduled audits. The Security team responds within a 24h SLA. For emergencies (suspected data breach, ongoing security incident) the PGP key and the Security Lead's direct phone number are published in the Trust Center.