EthicsPortal publishes pre-filled answers to the questions procurement teams most often ask. The questionnaire is structured against the Cloud Security Alliance’s CAIQ v4 domain taxonomy — the framework most EU enterprise procurement teams use — so an evaluator can map this page directly into their existing assessment template.
This is a vendor-authored answer set, not an attestation by the CSA. The substance is what an external auditor would evaluate; the structure makes it easy to compare against vendors who have been audited.
A downloadable CSV is published at caiq-ethicsportal.csv for ingestion into procurement tools.
Question: EthicsPortal’s restatement of the question in the CAIQ domain
Answer: Yes, No, or N/A, with qualifiers where the substance is more useful than a binary — for example No (in treatment) when a control is on the operator’s roadmap, Yes (inherited) when a sub-processor’s certification carries the control, Yes (negative) when the affirmative answer to a “does the Service do X?” question is “no, by design”, or a specific value (24 hours, 99.5% monthly, Nuremberg) where one applies
Evidence: Link to the page or document that contains the substantive answer
Where a question’s answer is operationally sensitive (privileged-access mechanics, incident-response escalation contacts, infrastructure detail beyond what is on /security/), the answer here is Available under NDA and is shared during procurement review. This mirrors the posture published on /trust/.
Encrypted database dumps stored in Hetzner Object Storage; application-layer field encryption persists through the backup (Security#backups-and-restore)
BCR-03 | Are backup restores tested? | Yes | Quarterly restore drill into a disposable environment. Last drill date published on Security#backups-and-restore
Reporter passcodes bcrypt-hashed and non-recoverable; handler/admin authentication via magic-link plus TOTP, no plaintext password storage
CEK-05 | Is encryption key management documented? | Yes | Key management follows the established Rails ActiveRecord Encryption lifecycle; keys are processor-managed and isolated from sub-processors (Security#data-encryption)
Core application data, database, and file storage in Germany. One named non-EU sub-processor (Cloudflare, marketing-site CDN only) listed on Subprocessors
EthicsPortal has no employees or contractors. Personnel controls below are answered N/A with the compensating arrangements — privileged-access summary available during procurement review, operator self-directed security awareness via subscribed feeds — documented on /trust/ and in ISO 27001 control map A.6.
ID | Question | Answer | Evidence
HRS-01 | Are background checks performed on personnel with access to customer data? | N/A | No employees. Operator screening is verifiable through published registry information (Trust#contracting-party)
HRS-02 | Is security awareness training provided to personnel? | N/A | No employees. Operator self-directed via Rails security mailing list, CVE feeds, advisory subscriptions
HRS-03 | Are confidentiality agreements in place for personnel? | N/A | No employees. Customer-side confidentiality is in DPA §6.2
HRS-04 | Is there a documented offboarding procedure for personnel with system access? | N/A | No employees. Customer offboarding is governed by DPA §6.8
Multi-tenant at the application layer; isolation enforced by Pundit policies and per-organization scoping at every controller action (Security#access-control)
IVS-02 | Is network segmentation in place? | Yes | Production isolated from operator workstation by network boundary; non-production environments hold no production personal data (Security#secure-development-lifecycle)
IVS-03 | Is malware protection in place for uploaded content?
The following operational topics are not in this public questionnaire because they contain infrastructure and response detail that is more appropriate for controlled disclosure. They are shared on request during procurement review:
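The application-layer tenant isolation answered under IVS above (Pundit policies with per-organization scoping at each controller action), shown as an added example that is not EthicsPortal's code: a dependency-free stand-in for Pundit's Scope#resolve and show? conventions, with constructed Report and User records and a hypothetical show_report action.

```ruby
# Added illustration, not EthicsPortal's own code. The policy mirrors Pundit's
# conventions (a Scope#resolve and a show? predicate) without requiring the gem;
# Report, User, REPORTS and show_report are constructed stand-ins.
Report = Struct.new(:id, :organization_id, :body)
User   = Struct.new(:id, :organization_id, :role)

class ReportPolicy
  # Pundit convention: Scope#resolve narrows the collection to what the user may list.
  class Scope
    def initialize(user, relation)
      @user, @relation = user, relation
    end

    # Scoping keys off the authenticated user's organization, never a request parameter.
    def resolve
      @relation.select { |r| r.organization_id == @user.organization_id }
    end
  end

  def initialize(user, record)
    @user, @record = user, record
  end

  # Pundit convention: show? answers "may this user view this record?".
  # Both the organization match and an authorized role are required.
  def show?
    @record.organization_id == @user.organization_id &&
      %w[handler admin].include?(@user.role)
  end
end

# Constructed sample data: one report in each of two organizations.
REPORTS = [
  Report.new(1, 100, "report belonging to org 100"),
  Report.new(2, 200, "report belonging to org 200"),
].freeze

# Stand-in for a controller action: scope first, then authorize the single record.
# Returns the report, or nil when denied; a real controller would rescue
# Pundit::NotAuthorizedError and render 404 so cross-tenant ids are indistinguishable
# from nonexistent ones.
def show_report(user, report_id)
  record = ReportPolicy::Scope.new(user, REPORTS).resolve.find { |r| r.id == report_id }
  return nil if record.nil? || !ReportPolicy.new(user, record).show?
  record
end
```

A handler in organization 100 can read report 1 but gets nil for report 2, and a reporter-role user in the matching organization is still denied because the role check fails.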