Compliance
ISO 27001 Alignment
Version 1.1 · Effective: 2026-06-13 · Last updated: 2026-06-13
AuthDeep aligns product controls with ISO/IEC 27001 themes to support customer ISMS work. AuthDeep is not currently ISO 27001 certified.
1. Scope and certification status
ISO/IEC 27001 defines requirements for an information security management system. This mapping supports scoping and supplier assessment; it is not a certificate, and AuthDeep does not currently claim ISO 27001 certification.
2. Access control
Tenant-scoped role-based access, least-privilege administration, custom roles on qualifying plans, MFA policy, passwordless options, and immediate session revocation support identity and access control themes in Annex A.
3. Cryptography and communications
TLS is required on all connections, including databases and caches. Session identifiers are cryptographically random, secret comparisons are timing-safe, and gateway-side credential injection prevents downstream secrets from reaching browser code.
4. Logging and operations security
Structured logs cover authentication rejections, request-protection failures, and administrator actions. Audit retention ranges from 1 to 90 days by plan, with exports and Prometheus-compatible metrics available on qualifying plans.
5. Network and application controls
IP and GeoIP restrictions, rate limiting, policy-driven gateway enforcement, and Security Intelligence checks for TLS, HTTP headers, DNS, and DNSSEC support preventive and detective controls.
6. Supplier and deployment boundary
Self-hosted AuthDeep runs inside the customer's control boundary and does not receive platform data. Customers must include the software, infrastructure, administrators, and their own suppliers in ISMS risk assessment.
7. Incident management and evidence
Audit records support investigation, security fixes are documented in release notes, and verified vulnerabilities can be reported through the security channel. Enterprise support can assist with questionnaires and control mapping.