COMPLIANCE · PUBLIC / STRATEGIC · v1.0

Compliance Roadmap

Status of CaliaLabs' certification and regulatory alignment programmes for the CEREBRO infrastructure.

February 2026
TC-04

/// Executive Summary

CaliaLabs designs its architectures to natively meet the requirements of financial and institutional environments. The certification initiatives presented in this document translate that commitment into verifiable operational milestones.

This document details the progress of each initiative, the partners involved, target dates, and technical prerequisites already in place. It is updated at every significant milestone.

Certifications are not goals in themselves. They are the formalised translation of properties that CEREBRO architectures must demonstrate in order to serve regulated clients: integrity of controls, traceability of decisions, operational resilience, data governance.

/// Key Points

SOC 2 Type I
Scheduled for Q3 2026 — initial review of controls
SOC 2 Type II
Scheduled for Q4 2026 — operational evaluation over 6 months
ISO/IEC 27001
Scheduled for Q4 2026 — ISMS certification
DORA
Aligned — architecture compliant with Article 30 requirements
GDPR
Native — privacy by design integrated from the ground up
Transport security
HSTS Preload active — TLS 1.3 exclusively

/// Full Document

1. Compliance-by-design principle

Security and compliance certifications are not treated as an external layer added to the product. They are considered as properties that must emerge from the architecture itself.

This approach relies on three principles. First, regulatory controls are translated into verifiable technical requirements at design time. Second, traceability and auditability are native: logs are produced as events occur, not reconstructed after the fact. Third, automated tests continuously verify that the expected properties are preserved through every evolution of the system.

This discipline avoids the classic situation where compliance is obtained at the price of stacking manual, fragile, and costly controls.

2. SOC 2 Type I — Q3 2026

SOC 2 Type I is an independent evaluation of security and availability controls at a given point in time. It certifies that controls are designed appropriately to meet the selected criteria.

The Trust Services Criteria covered by CaliaLabs' initiative include: security (protection against unauthorised access), availability (resilience and continuity), confidentiality (protection of sensitive data), processing integrity (accuracy and completeness of processing), and privacy (aligned with the GDPR).

The evaluation is entrusted to an independent audit firm registered with the AICPA. The evaluated controls cover: infrastructure (physical and logical access, network segmentation, encryption), identity and access management (MFA, periodic reviews, provisioning/deprovisioning), monitoring and detection (event logs, alerts, incident response), change management (code review, testing, controlled deployments).

Target date: completion in Q3 2026. The final report will be made available to clients under non-disclosure agreement.

3. SOC 2 Type II — Q4 2026

SOC 2 Type II extends Type I by evaluating not only the design of controls, but also their operational effectiveness over an observation period of several months (typically 6 to 12 months).

The observation period begins immediately after obtaining Type I. During this period, the auditor collects evidence of continuous execution of controls: log samples, records of handled alerts, summaries of periodic reviews, business continuity test evidence, and incident history.

Target date: completion in Q4 2026. This milestone represents a significant commitment in terms of operational maturity, beyond the mere theoretical existence of controls.

4. ISO/IEC 27001 — Q4 2026

ISO/IEC 27001 is the international reference standard for information security management systems (ISMS). It covers all risk management and information protection practices.

CaliaLabs' initiative targets certification against the ISO/IEC 27001:2022 edition, which reflects recent evolutions in digital threats and jurisdictional regulatory requirements, and integrates with related standards (ISO/IEC 27017 for cloud services, ISO/IEC 27018 for personal data in the cloud).

Covered domains include: security policy, organisation of security, asset management, human resources security, access control, cryptography, physical security, operations security, communications security, systems acquisition and maintenance, supplier relationships, incident management, business continuity, compliance.

Target date: initial certification in Q4 2026, with annual surveillance audits planned for the following three years.

5. DORA — Article 30 alignment

Regulation (EU) 2022/2554 on Digital Operational Resilience for the financial sector (DORA) entered into full application on 17 January 2025. It imposes on financial entities and their critical service providers a set of requirements for managing risks related to information and communication technologies.

Article 30 defines the minimum mandatory content of contracts between financial entities and third-party ICT providers. CaliaLabs has ensured that its standard contracts and operational practices enable its financial clients to meet all provisions of this article.

The elements covered include in particular: precise description of services provided and service levels, location of data processing and storage, incident notification obligations, audit rights and access to information, exit and reversibility plans, subcontracting conditions and supply chain transparency, termination clauses in case of serious default.

The Data Processing Agreement (DPA) and Service Level Agreement (SLA) published in this Trust Center formalise these commitments.

6. GDPR — Native compliance

The General Data Protection Regulation (GDPR) is natively respected by the CEREBRO infrastructure: minimisation of collected data, explicit and limited purposes, retention periods defined by policy, strict separation of controller / processor roles, data subject rights (access, rectification, erasure, portability, objection) exercised through formal procedures.

Detailed documentation is available in the Data Processing Agreement (DPA), Privacy Policy, and Data Retention Policy, all accessible from the Trust Center.

7. Governance of the programme

All certification initiatives are driven by CaliaLabs' compliance team, under the responsibility of the CEO. External partners (auditors, consultants) are selected for their independence, their knowledge of the financial sector, and their ability to evaluate complex technical architectures.

Milestones are tracked internally via a dedicated dashboard, with monthly reporting to management. Any deviations from the schedule are documented with their causes and associated corrective actions.

This document is updated at each significant milestone, or at least quarterly.

8. Contact

For any question regarding the compliance programme or to obtain an audit report under non-disclosure agreement, the dedicated team can be reached at [email protected].

Information requests from external auditors or regulatory authorities are handled as a priority, with an initial reply within 48 business hours.