Dokuflex applies the most demanding technical and organisational measures in the European market. EU data residency, end-to-end encryption and full traceability. For teams that cannot afford to fail.
Our controls are verified by accredited independent auditors. Reports are shared under non-disclosure agreement.
| Framework | Scope | Status | Last renewal |
|---|---|---|---|
| ISO/IEC 27001 | ISMS covering the Dokuflex platform and corporate processes | Certified | 2025-11 |
| ENS Medium | Spanish National Security Scheme — HIGH category | Certified | 2026-01 |
| GDPR / LOPDGDD | Controller and processor operations | Compliant | 2026-02 |
| eIDAS | Advanced and qualified electronic signature (QES) | Compliant | 2025-10 |
| SOC 2 Type II | Confidentiality, integrity, availability and privacy | In progress | Q4 2026 |
| ISO/IEC 27701 | Privacy Information Management System (PIMS) | In progress | Q2 2026 |
Official certificates and audit reports are available under NDA to customers and qualified prospects.
Hosted exclusively in the European Union, encryption by default, tenant segregation.
Frankfurt (DE), Madrid (ES) and Ireland. Data does not leave the EEA unless the customer explicitly requests it under SCC.
TLS 1.3 in transit, AES-256 at rest. Keys managed with FIPS 140-2 Level 3 HSM and scheduled rotation.
Encrypted daily copies, replication across 2 availability zones, configurable retention (30-3650 days) and immutability (WORM).
Multi-tenant with strict logical segregation. Single-tenant option on private cloud or on-premise for regulated sectors.
24/7 SIEM, ML-based threat detection, managed WAF and layer 3/4/7 DDoS protection.
CIS Level 2 baseline, signed containers, SLSA provenance, continuous vulnerability scanning and <72h patching.
Robust authentication, granular authorisation and least-privilege across the platform.
We design every processing activity with privacy by default and by design, in line with GDPR and LOPDGDD.
Data processing agreement ready to sign under art. 28 GDPR. Includes sub-processor list, technical measures and audit procedure.
Request signed DPA →

Impact assessment available for special category processing or automated decisions, using AEPD methodology.
See DPIA template →

By default, data does not leave the EEA. If required, we apply EU Commission Standard Contractual Clauses (2021/914) and a Transfer Impact Assessment.
Internal Data Protection Officer, registered with the Spanish DPA. Direct channel for data subjects and customers.
dpo@dokuflex.com →

Every action on data, configurations or processes is logged immutably. Auditors receive evidence ready for their report.
```json
{
  "event": "document.signed",
  "ts": "2026-04-20T14:32:07Z",
  "user": "mary.smith@customer.com",
  "ip": "185.x.x.12",
  "tenant": "customer-prod",
  "resource": "doc/8e2c-...-4f11",
  "cert_serial": "0xA2F...",
  "hash": "sha256:ef3a...",
  "result": "ok"
}
```
Dedicated team, proven procedures and measurable agreements.
Annual penetration test performed by a CREST/OSSTMM accredited third party. Executive summary available under NDA.
Bounty programme for researchers with legal safe harbor. Report to security@dokuflex.com.
Response team with playbooks, customer communication in <24h on incident and supervisor notification in <72h.
Continuity and DRP plan tested twice a year. 99.95% uptime SLA with financial compensation.
Supporting documentation for your due diligence. Sensitive documents are delivered after NDA.
Architecture, ISO 27001 controls, threat model and cryptographic measures. PDF · 32 pages.
Request PDF →

Data processing agreement ready to sign under art. 28 GDPR. Editable docx.
Download template →

Executive report of the latest external audit cycle, without sensitive details. PDF · 12 pages.
Request PDF →

Statement of applicability and controls for the Spanish National Security Scheme. PDF.
Request PDF →

How to report vulnerabilities, our response-time commitments and safe harbor.
Read policy →

Legal notice, privacy policy and cookie policy kept up to date.
View documents →

We share the full documentation under NDA and schedule a session with our security and engineering team.