ISO 9001 Certified - ICG Quality Management System Certification
EFRE ESF - EU and Free State of Saxony funding
Data protection & information security

Security for PEDIF processes

For prospects assessing PEDIF as a PDF-to-EDI, e-invoicing or document automation service in the context of NIS2, ISO 27001-oriented controls and supplier assessments.

Supedio documents organizational, technical and data-protection measures for structured document digitization services.

Validation, trust and orchestration

PEDIF is a validation, trust and orchestration layer for document-based business processes. The focus moves from “document in, data out” to “document in, trustworthy process decision out” – supported by data protection, information security and traceable validation.

  • ISO 9001 Certificate: certified according to DIN EN ISO 9001:2015, certified for 5 years
  • Hosting: ISO 27001-certified cloud providers
  • Data location: stored within the EU
  • Data protection: external DPO

For due diligence

An overview for NIS2 and ISO 27001-oriented assessments

PEDIF processes business documents within a defined scope. For technical, legal and procurement assessments, key aspects include governance, data location, access controls, deletion concepts, incident processes and the handling of external service providers.

Responsibility

ISMS governance

Executive management bears overall responsibility for the ISMS. Roles and responsibilities are documented; access follows the need-to-know principle.

Risk control

Risk management & SoA

Supedio conducts structured risk analyses, treats risks with documented measures and documents the selection of ISO 27001 Annex A-oriented controls in a Statement of Applicability.

Evidence

Monitoring, audit & improvement

The ISMS is audited internally at least annually and after material changes. Findings are classified by severity and tracked to closure through CAPA.

Data protection

External Data Protection Officer

Supedio has appointed Andrea Prinz, Datenschutz Prinz GmbH, as external Data Protection Officer with effect from 2025-11-01. The role acts independently and reports directly to management.

Data categories

Which data is in scope

Supedio processes only business-related documents between legally independent organizations, such as orders, delivery notes and invoices. Personal data generally concerns employee contact information from those organizations.

  • Customers must ensure that only business documents are processed.
  • Private or impermissible content must not be transmitted.
  • Onboarding defaults to dummy or sanitized data; real business documents are not required.

Technical & organizational measures

Controls across PEDIF operations

The following points are written as a compact, auditable overview for data protection, IT security, ERP/EDI and procurement teams.

Hosting & data location

Hosting is performed exclusively with ISO 27001-certified cloud providers. Data is stored within the European Union throughout the entire lifecycle.

  • ISO 27001-certified cloud providers
  • Data storage within the EU
  • Cloud and on-premises scenarios described in the ISMS scope

Access management

Access is controlled through IAM, role-based permissions, least-privilege principles and limited administrative access. Production access is restricted to authorized Supedio personnel and logged.

  • RBAC and need-to-know
  • SSO with 2FA active for PEDIF Portal, EPIC Prod and Mailious
  • Production access logged with identity, IP details and activity

Network protection

Customer-facing services are protected against DDoS and common web and bot attacks through Cloudflare and AWS WAF.

  • Edge protection through Cloudflare and AWS WAF
  • Email domains protected with SPF, DKIM and DMARC
  • Least-privilege and hardened privileged access

Encryption

All data transfers use SSL/TLS. For data at rest, AWS platform encryption in the EU region is active; cryptographic target standards are documented in the ISMS.

  • TLS 1.2 or 1.3 for data in transit
  • AWS EC2/EBS platform encryption active
  • AES-256 and KMS-managed keys as documented target standard

Backups & disaster recovery

Encrypted backups are taken daily, retained for 14 days and support recovery from data-loss or ransomware events.

  • RPO: 24 hours
  • RTO: 6 hours
  • Restore tests are recurring: after major releases and at least every 12 months

Secure development & patch management

The secure development lifecycle includes peer or senior code reviews, dependency and secret scanning, SAST, release approvals and an emergency-change process.

  • Mandatory review before merge
  • Testing and quality assurance before release
  • Security fixes by severity SLAs: critical 24h, high 7 days, medium 30 days, low 90 days

Operational use

Operators normally work with system logs rather than customer documents. Download, export and local storage of customer data are allowed only for specific operational tasks, restricted and logged.

  • No-touch processing as standard
  • Manual review only for genuine error cases
  • Content access only by named, authorized personnel; logged and monitored

Validation & output integrity

Extracted data is checked before handoff against defined refinement, target-format, validation and sanity rules.

  • Versioned validation scripts
  • Traceability through validator version and responsible approver
  • Unclear or failing cases go to review
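The validation step described above (versioned validation, a traceable record naming validator version and approver, and routing of failing cases to review) can be sketched as a small pre-handoff check. This is an added example, not Supedio's code: the field names, the three rule groups (refinement, target format, sanity) and the version string are constructed illustrations of the pattern, not PEDIF's actual rules.

```python
"""Versioned validation with a traceable record before handoff.

Added example (not Supedio's code). Field names, rules and the version
string are constructed to illustrate the page's validation pattern.
"""
import hashlib
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

VALIDATOR_VERSION = "1.4.0"  # hypothetical version of the validation script

REQUIRED_FIELDS = ("invoice_number", "supplier_vat_id", "currency", "total_gross", "line_items")
ALLOWED_CURRENCIES = {"EUR", "USD", "GBP"}           # target-format rule (constructed)
VAT_ID_RE = re.compile(r"^[A-Z]{2}[A-Z0-9]{2,12}$")  # coarse EU VAT id shape (constructed)
TOTAL_TOLERANCE = 0.01                               # rounding tolerance for the sum check


@dataclass
class ValidationRecord:
    document_id: str
    validator_version: str
    outcome: str                    # "pass" -> eligible for handoff, "review" -> manual review
    findings: list
    input_digest: str               # SHA-256 of canonical JSON of the extracted data
    checked_at: str
    approver: Optional[str] = None  # set at handoff, never by the validator itself


def _digest(doc: dict) -> str:
    """Stable digest so the record can be tied to exactly the data that was checked."""
    canonical = json.dumps(doc, sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def validate_extraction(document_id: str, doc: dict) -> ValidationRecord:
    findings = []
    # Refinement rule: every required field present and non-empty
    for name in REQUIRED_FIELDS:
        if doc.get(name) in (None, "", []):
            findings.append(f"missing or empty field: {name}")
    # Target-format rules: currency code and VAT id shape
    if doc.get("currency") and doc["currency"] not in ALLOWED_CURRENCIES:
        findings.append(f"unsupported currency: {doc['currency']}")
    if doc.get("supplier_vat_id") and not VAT_ID_RE.match(doc["supplier_vat_id"]):
        findings.append("supplier_vat_id does not match expected shape")
    # Sanity rule: line items must add up to the gross total
    items = doc.get("line_items") or []
    try:
        line_sum = round(sum(float(i["quantity"]) * float(i["unit_price"]) for i in items), 2)
        if abs(line_sum - float(doc.get("total_gross", 0))) > TOTAL_TOLERANCE:
            findings.append(f"line items sum to {line_sum}, total_gross is {doc.get('total_gross')}")
    except (KeyError, TypeError, ValueError) as exc:
        findings.append(f"line_items not interpretable: {exc!r}")
    # Any finding routes the document to review; no finding makes it eligible for handoff
    outcome = "pass" if not findings else "review"
    return ValidationRecord(
        document_id=document_id,
        validator_version=VALIDATOR_VERSION,
        outcome=outcome,
        findings=findings,
        input_digest=_digest(doc),
        checked_at=datetime.now(timezone.utc).isoformat(),
    )


def release_for_handoff(record: ValidationRecord, approver: str) -> ValidationRecord:
    """Handoff requires a passing record and a named approver; returns the record with approver set."""
    if record.outcome != "pass":
        raise ValueError(f"{record.document_id}: outcome is {record.outcome}, route to review")
    if not approver:
        raise ValueError("a responsible approver must be named for traceability")
    record.approver = approver
    return record


# Constructed sample input: one clean invoice and one whose currency and totals disagree
GOOD_INVOICE = {
    "invoice_number": "INV-2025-0042",
    "supplier_vat_id": "DE123456789",
    "currency": "EUR",
    "total_gross": 250.00,
    "line_items": [{"quantity": 2, "unit_price": 100.00}, {"quantity": 1, "unit_price": 50.00}],
}
BAD_INVOICE = dict(GOOD_INVOICE, total_gross=260.00, currency="XYZ")

if __name__ == "__main__":
    ok = release_for_handoff(validate_extraction("doc-1", GOOD_INVOICE), approver="ops.jane")
    print(json.dumps(ok.__dict__, indent=2))
    flagged = validate_extraction("doc-2", BAD_INVOICE)
    print(flagged.outcome, flagged.findings)
```

The record carries the validator version and an input digest, so an auditor can later reproduce which script version judged which data; the approver is only attached by the handoff step, which refuses anything that is not a clean pass, so failing or unclear cases cannot reach the target system without a review.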

AI use

AI is used for document recognition, extraction and to assist anonymization. Customer data is not used to train AI models.

  • Real customer documents only where required to deliver or debug the contracted service
  • Customer approval before real-document processing
  • AI governance through register, vendor review and DPIA screening

External service providers

External service providers support Supedio in software development, bug fixing and maintenance within clearly defined technical responsibilities and controlled systems.

  • Development and maintenance with dummy, anonymized or pseudonymized data
  • No standing production access for external service providers
  • Exceptions involving real customer data only when documented, purpose-bound, time-limited and customer-approved

Incident management & awareness

Supedio operates a documented incident process. Reports via the defined incident channel are monitored on business days and triaged within 24 hours.

  • Analysis, containment, resolution and lessons learned
  • Potential personal data breaches assessed without undue delay
  • Information security training at onboarding and at least annually

Export, deletion & exit

Customers can request export and early deletion of their data. On termination, a structured export is available; customer data is deleted within 30 days unless otherwise agreed.

  • Defined, logged request process
  • Deletion date confirmed back to the customer
  • Support for termination or migration

Deployment option

Supedio On-Prem Solution for stronger data control

For organizations with strict data protection, compliance or infrastructure requirements, PEDIF-oriented processing can also be operated as an on-prem model. The operational runtime runs inside the customer's infrastructure, while Supedio continues to support the product, updates, fingerprint creation, workflow configuration and service onboarding.

Runtime in the customer environment

The core processing stack is brought into the customer's private environment. Documents can be received, processed, converted and routed without requiring operational data to leave the customer-controlled system.

EPIC Live & DTC

EPIC Live provides the extraction runtime; DTC provides the workflow and orchestration layer. Input can be processed via API, email, SFTP or AS2.

Target formats & use cases

Typical outputs include EDI, CSV, Excel, XML or customer-specific formats. The model is suitable for PDF-to-EDI, invoice processing, purchase order automation, dispatch advice processing, order response handling and supply-chain workflows.

Shared operating model

Customers can apply their own standards for network access, TLS termination, user permissions, logging, monitoring, backups and disaster recovery; Supedio provides the application, updates, workflow and fingerprint expertise.

FAQ

Answers for data protection, security and procurement teams

Is Supedio itself ISO 27001 certified?

No. No ISO 27001 certification claim is made for Supedio itself. The substantiated facts are an internal ISMS based on established best practices and ISO/IEC 27001 requirements, plus hosting exclusively with ISO 27001-certified cloud providers. Supedio is certified according to DIN EN ISO 9001:2015.

How should this page be read in the NIS2 context?

The page is structured as a due-diligence overview for NIS2-oriented questions. It describes governance, risk, access protection, incident management, business continuity, data minimization and evidence handling without claiming blanket NIS2 conformity.

Who is appointed as external Data Protection Officer?

Supedio has appointed Andrea Prinz, Datenschutz Prinz GmbH, as external Data Protection Officer with effect from 2025-11-01. The role acts independently and reports directly to management.

Where is data stored?

Data is stored within the European Union throughout the entire lifecycle. Hosting is performed exclusively with ISO 27001-certified cloud providers.

Who can see customer documents?

No-touch processing is the standard. Support usually works from system logs. Access to customer document content is only intended for genuine error cases where the issue cannot be resolved from logs alone; access is restricted to named, authorized operations personnel and is logged and monitored.

How long is operational data stored?

Operational data is deleted no later than 30 days after processing unless otherwise agreed. Backups containing the data are overwritten within the 14-day backup retention cycle.

Is customer data used to train AI models?

No. Customer data is not used to train AI models. Real customer documents are processed only where required to deliver or debug the contracted service and only after customer approval.

When does the On-Prem Solution make sense?

The On-Prem Solution is useful for companies that want to use PEDIF-oriented document automation and EDI capabilities while keeping runtime processing, runtime documents, logs and security controls inside their own infrastructure.

Can customers request export or early deletion?

Yes. Customers can request export and early deletion. This is handled through a defined, logged request process with confirmation.

Note: This page is a public, curated overview and does not replace a contractual agreement, DPA or full audit package. Detailed evidence should be provided through a controlled process.

Company Information

Supedio GmbH
Dresden, Germany
CEO: Marcus Ehrenburg