Trust

Independently certified. Continuously audited. Operationally accountable.

Two formal certifications — ISO/IEC 27001:2023 and the Spanish National Security Framework at MEDIUM level. Quarterly external infrastructure audits by an independent Spanish security operations centre. Customer data hosted in named EU facilities. The evidence behind every claim is on file and available under NDA.

ISO/IEC 27001:2023

Information Security Management System. Issued by ADOK Certificación. Certificate 044807, valid through 15 July 2028. Scope covers On-Premise, SaaS and Cloud hosting of Axional services.

ENS — National Security Framework, MEDIUM

Real Decreto 311/2022. Confidentiality, integrity, traceability, authenticity and availability all rated Medium. 63 distinct controls. Certificate 624807, valid through 12 January 2027.

Quarterly external audits

Independent infrastructure audit by mdtel / SECUNIT, a Spanish security operations centre. Network exposure, TLS posture, web surface and operational hygiene re-tested every quarter.

EU data residency

Production hosting in named Atlas Edge facilities in Barcelona and Madrid. Spain-only data residency available for public-sector and regulated healthcare workloads.

Compliance

The formal frameworks the certified scope operates under. The two certified standards link to the signed certificate; the two statutory regimes describe deister software's posture as data processor.

ISO/IEC 27001:2023

Certified. ADOK Certificación, certificate 044807, valid through 15 July 2028.

ENS Medio

Certified. Real Decreto 311/2022, certificate 624807, valid through 12 January 2027.

GDPR

Compliant. Regulation (EU) 2016/679. Customer personal data processed as a processor under contract. DPA available on request from dpo@deister.es.

Spanish LOPDGDD

Compliant. Organic Law 3/2018 on personal data protection and digital rights. Supervised by the Agencia Española de Protección de Datos (AEPD).

ISO/IEC 27001:2023 — Information Security Management

deister software operates an Information Security Management System certified against the current edition of the international standard, UNE-ISO/IEC 27001:2023. The certification was awarded by ADOK Certificación, S.L., a Spanish certification body accredited under ISO 17065.

Scope, as printed on the certificate (verbatim, Spanish): "Los sistemas de información que dan soporte a los servicios Axional de deister software en sus modalidades On Premise y Saas, así como la gestión del alojamiento Cloud según la declaración de aplicabilidad 2025_V6."

English translation: the information systems that support the Axional services in their on-premise and SaaS modalities, together with the management of the cloud hosting environment, in accordance with the 2025_V6 Statement of Applicability.

Coverage. Grupo deister software — six legal entities operating across Spain and Peru: deister software Consulting, deister software Tech Services, deister software S.A., deister software Cloud, deister software S.A. Sucursal Perú and deister software Software Perú. Operational sites under the certificate: Barcelona (Sant Pere Claver), Madrid (Edificio Baluarte), Girona (Bernat Boades) and Lima (Javier Prado Este).

Reference data. Certificate number 044807 · awarded 16 July 2025 · valid through 15 July 2028 · Statement of Applicability 2025_V6. The signed certificate and the annex listing every covered entity are available under NDA on request.

ENS Medium — Spanish National Security Framework

The same information systems are certified under the Spanish National Security Framework (Esquema Nacional de Seguridad) established by Real Decreto 311/2022. The certification is at MEDIUM level, awarded by ADOK Certificación under ENAC ISO 17065 accreditation nº 242 / C-PR473.

Security dimensions. All five ENS dimensions are rated Medium: confidentiality, integrity, traceability, authenticity and availability. Sixty-three distinct security controls are implemented and verified.

Scope. The same Axional service surface as the ISO 27001 certificate — on-premise, SaaS and managed cloud hosting — under the current Statement of Applicability.

Why this matters. ENS Medium is the qualifying threshold for Spanish public-sector procurement and for most autonomous-community healthcare and education buyers. Vendors who lack this certification do not pass intake.

Reference data. Certificate number 624807 · awarded 13 January 2025 · valid through 12 January 2027 · issued in Bilbao on 5 March 2025. The signed certificate is available under NDA on request.

External infrastructure audits

Quarterly external infrastructure audits are conducted by mdtel / SECUNIT, an independent Spanish security operations centre. Each cycle covers: external network exposure mapping, service and version fingerprinting, TLS configuration and certificate hygiene, HTTP security header review, web application surface analysis, web application firewall coverage, and inventory of information disclosure indicators.

Each finding is severity-rated against a published rubric. A remediation plan is produced, tracked and validated at the next quarterly cycle. The auditor and the cycle are public; the findings themselves are confidential to the audit relationship and available under NDA to qualified procurement and security teams conducting due diligence.

Data residency

Customer data for cloud-hosted Axional services resides in the European Union. Production hosting runs from two named Atlas Edge data centres on Spanish soil: Atlas Edge Barcelona (Carrer de l'Acer 9, Sants-Montjuïc, 08038) and Atlas Edge Madrid (Av. de Manoteras 42B, Hortaleza, 28050). Both facilities are referenced explicitly on the ENS certificate.

Spain-only data residency is available for public-sector customers and for healthcare workloads subject to autonomous-community data protection regulation. On-premise deployments place customer data at the customer's nominated location, with no operational access from deister software beyond the contractually defined support paths.

Sub-processors and infrastructure partners

Every external vendor that processes customer data, or that runs operational infrastructure under the certified scope, is named here. Procurement teams subscribe to changes through the security mailbox below; customers under contract receive thirty days' notice of any material addition.

Production hosting

Atlas Edge. Two named EU facilities: Barcelona (Carrer de l'Acer 9, 08038 Sants-Montjuïc) and Madrid (Av. de Manoteras 42B, 28050 Hortaleza). Both facilities listed on the ENS certificate. Atlas Edge holds ISO 27001 and ISO 50001 across the Iberian estate.

External security audit

mdtel / SECUNIT — Spanish security operations centre. Quarterly external infrastructure audit of the production estate. Audit firm declaration is part of the evidence pack.

Certification body

ADOK Certificación, S.L. ENAC ISO 17065 accreditation number 242 / C-PR473. Awards and maintains the ISO 27001 and ENS Medium certifications. Acts on the management system, not on customer data.

Email and identity transport

Operational mail and SSO transport vendors are named in the consolidated sub-processor register, available under NDA with the evidence pack. A public summary will be added to this page once the legal-function review completes.

Observability and monitoring

Logging, metrics and trace ingestion vendors process operational telemetry only. Customer business records never leave the certified hosting boundary. Specific vendor names are part of the consolidated sub-processor register.

Customer support tooling

Helpdesk and ticketing tooling carries the metadata of support engagements (subject lines, attachments at the customer's discretion), not production business data. Vendor names disclosed under NDA.

Privacy and data protection

deister software processes customer personal data as a processor under contract, in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation) and Spanish Organic Law 3/2018 on personal data protection and digital rights.

The Data Processing Addendum reflecting GDPR Article 28 obligations is incorporated into the master service agreement signed with every cloud and SaaS customer. A standalone template, suitable for procurement review ahead of contract, is included in the evidence pack available under NDA.

The Data Protection Officer function is reachable at dpo@deister.es. Subject-access, rectification, erasure and portability requests routed through this mailbox are acknowledged within seventy-two hours and resolved within thirty calendar days, in line with GDPR Article 12.

The data controllers for Grupo deister software are the six legal entities named on the ISO 27001 certificate (Spain and Peru). The registration data of each entity is published in the corresponding national commercial register and is referenced in the master service agreement at signature.

Vulnerability disclosure

Coordinated security disclosures are welcome from researchers, customers and partners. The published security contact is security@deister.es. A signed PGP key is published at the canonical security.txt location, /.well-known/security.txt, in line with RFC 9116.

Service-level commitments. New reports are acknowledged within one working day. Triage and severity assignment complete within five working days. Critical-severity findings under active exploitation are routed to incident response immediately and the customer base is notified within seventy-two hours of confirmation, in line with GDPR Article 33.

Safe-harbour. Good-faith research conducted under the published disclosure policy — proportionate testing, no data exfiltration, no service disruption, no third-party impact — will not be pursued. Researchers acting in good faith are credited in the disclosure record at their election.

Public documents

The signed certificates and the public-version policies are downloadable directly. No NDA required.

ISO/IEC 27001:2023 certificate (PDF)

Signed certificate 044807 issued by ADOK Certificación. Valid through 15 July 2028. Covers the Axional services in their On-Premise, SaaS and Cloud hosting modalities.

ENS Medium certificate (PDF)

Signed certificate 624807 issued by ADOK Certificación. Valid through 12 January 2027. Sixty-three controls across the five ENS dimensions at Medium level.

Privacy policy

Public privacy notice covering personal data processed in the course of pre-contract enquiry, customer support and the operation of the deister.es and airtool.io surfaces. PDF available on request from dpo@deister.es while the public version is finalised.

Data Processing Addendum — template

Standalone GDPR Article 28 template for procurement review ahead of contract. Available on request from dpo@deister.es; the version signed with each customer incorporates customer-specific scope and sub-processor list.

Confidential evidence — available under NDA

One mutually executed non-disclosure agreement unlocks the full confidential pack. Reply within forty-eight hours of NDA receipt.

Statement of Applicability summary

Mapping of the ISO 27001:2022 Annex A controls implemented under the certified scope, with the exclusions justified per Statement of Applicability 2025_V6.

External audit summary — current cycle

mdtel / SECUNIT quarterly audit report. Scope, methodology, severity rubric, summary findings, remediation status.

Sub-processor register — full

Consolidated register naming every vendor that processes customer data: name, purpose, data categories, region of processing, certification posture, contract reference.

Architecture and security overview

Engineering-detail description of the security model: encryption in transit and at rest, key management, network segregation, identity and access management, audit logging, customer-controllable settings.

Request the evidence pack

One mutually executed NDA unlocks the full pack — signed certificates and annex, auditor declarations, Statement of Applicability summary, current DPA template, sub-processor register and architecture overview. Reply within forty-eight hours to security@deister.es.

Page status

This page is reviewed quarterly and after any material change to the certified scope, the sub-processor register or the disclosure programme. Page last reviewed 14 May 2026. Next scheduled review 14 August 2026.

Machine-readable security contact: /.well-known/security.txt (RFC 9116). Security mailbox: security@deister.es. Data protection mailbox: dpo@deister.es.