DocuProof NIS2 Compliance Statement

Effective Date: March 11, 2026

DocuProof Inc. complies with the EU NIS2 Directive (2022/2555) as an important entity in digital services, implementing required cybersecurity measures.

Scope: Applies to our platform providing immutable document storage and sharing in critical sectors like finance and healthcare.

Key Measures Implemented:

  • Risk analysis policies, supported by SHA-256 hashing of uploads, WORM storage, and audit trails.

  • Incident handling with append-only logs, detection, and response.

  • Business continuity through redundant immutable storage and verification.

  • Supply chain security with vetted providers (e.g., Stripe, Hyperledger Fabric).

  • Basic hygiene: Encryption at rest/transit, TLS, KMS key rotation.

  • Access control: RBAC, MFA (SMS OTP), tenant isolation.

  • Asset management: Document metadata tracking.

  • Crisis management: EU-CyCLONe alignment for reporting.

  • Training: Admin oversight and user education on crypto features.

  • Testing: QA buffer in development phases.

Reporting: Significant incidents reported within 24 hours to national authorities.

Enforcement: Management accountable; non-compliance risks fines up to 2% turnover.

DocuProof NIS2 Compliance Details

Effective Date: March 11, 2026

DocuProof complies with NIS2 (Directive 2022/2555) as an important entity in digital services. WORM storage uses AWS S3 Object Lock in Compliance mode; Hyperledger Fabric blockchain nodes are hosted on Hetzner servers with automated backups.

Risk Management Measures:

  • Regular risk analyses, supported by SHA-256 hashing of uploads, WORM commits to AWS S3 (no delete or overwrite), and append-only audit trails in PostgreSQL.

  • Tenant isolation scopes data by tenant_id; RBAC enforces roles (Admin/Uploader/Viewer).

  • Encryption: TLS in transit, KMS-managed keys at rest with rotation (envelope encryption).

  • Vulnerability management: API hardening, rate limiting; periodic scans in QA buffer (12 hrs in Phase 2).

Incident Handling:

  • Detection via segregated security logs and alerts on suspicious access (e.g., unauthorized access attempts).

  • Response: CSIRT-aligned processes; isolate incidents without altering immutable data.

  • For large-scale incidents: alignment with EU-CyCLONe for information exchange.

Reporting Obligations:

  • Notify national authorities within 24 hours for significant incidents disrupting service or causing damage.

Supply Chain Security:

  • Vetted providers: AWS for S3 WORM, Hetzner for blockchain nodes/backups, Stripe for billing, Fabric CA for identities.

  • Policies ensure secure integrations; no unvetted third parties.

Business Continuity:

  • Redundant immutable storage on AWS S3; Hetzner backups for blockchain nodes.

  • Verification is independent of live components (it relies on hashes and audit records); downtime does not affect stored proofs.

Human Resources Security:

  • Policies for cybersecurity education; admins trained on RBAC, keys, workflows.

  • Awareness via UI notices on immutability.

Testing:

  • Integration testing and QA (12 hrs in Phase 2); peer reviews of new capabilities.

  • No-delete behaviour validated via scripts in staging.
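As an added illustration of the append-only PostgreSQL audit trail and tenant_id scoping listed under Risk Management Measures, and of the kind of no-delete check listed here under Testing, the following SQL is example code written for this page; it is not DocuProof's schema. The table, column, role and setting names (audit_trail, docuproof_app, app.tenant_id) and the sample UUIDs are assumptions; the page names none of them. It targets PostgreSQL 11 or later.

```sql
-- Added example (not DocuProof's schema): an append-only audit table whose
-- rows are scoped by tenant_id. All names and sample values are assumptions.

CREATE TABLE audit_trail (
    id          BIGSERIAL    PRIMARY KEY,
    tenant_id   UUID         NOT NULL,
    actor       TEXT         NOT NULL,          -- user or service that acted
    action      TEXT         NOT NULL,          -- e.g. 'upload', 'share', 'view'
    document_id UUID,
    sha256_hex  CHAR(64)     CHECK (sha256_hex ~ '^[0-9a-f]{64}$'),  -- digest of the uploaded bytes
    recorded_at TIMESTAMPTZ  NOT NULL DEFAULT now()
);

-- Any UPDATE or DELETE on a row is rejected, whichever role issues it.
CREATE OR REPLACE FUNCTION audit_trail_reject_mutation() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_trail is append-only: % on row % rejected', TG_OP, OLD.id
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER audit_trail_no_update_delete
    BEFORE UPDATE OR DELETE ON audit_trail
    FOR EACH ROW EXECUTE FUNCTION audit_trail_reject_mutation();

-- TRUNCATE does not fire row-level triggers, so it gets a statement-level guard.
CREATE OR REPLACE FUNCTION audit_trail_reject_truncate() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_trail is append-only: TRUNCATE rejected'
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER audit_trail_no_truncate
    BEFORE TRUNCATE ON audit_trail
    FOR EACH STATEMENT EXECUTE FUNCTION audit_trail_reject_truncate();

-- Tenant isolation: a session reads and writes only rows of the tenant it declares.
-- With the setting unset, current_setting(..., true) yields NULL and no row matches.
ALTER TABLE audit_trail ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_trail FORCE ROW LEVEL SECURITY;   -- binds the table owner as well

CREATE POLICY audit_trail_tenant_scope ON audit_trail
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Least privilege for the application role (assumed name): append and read only.
REVOKE ALL ON audit_trail FROM PUBLIC;
GRANT SELECT, INSERT ON audit_trail TO docuproof_app;
GRANT USAGE ON SEQUENCE audit_trail_id_seq TO docuproof_app;

-- Staging check, run as docuproof_app with constructed values:
-- SET app.tenant_id = '11111111-1111-1111-1111-111111111111';
-- INSERT INTO audit_trail (tenant_id, actor, action, sha256_hex)
--     VALUES ('11111111-1111-1111-1111-111111111111', 'alice', 'upload', repeat('a', 64));
--                                          -- succeeds
-- UPDATE audit_trail SET action = 'x';     -- fails: permission denied; the trigger also
-- DELETE FROM audit_trail;                 --        rejects roles that do hold UPDATE/DELETE
-- SET app.tenant_id = '22222222-2222-2222-2222-222222222222';
-- SELECT count(*) FROM audit_trail;        -- 0: the first tenant's row is not visible
```

The trigger and grants stop application code and ordinary roles from rewriting history, but a superuser bypasses row-level security and a table owner can drop the trigger, so database-side controls alone are not tamper-proof against privileged operators. That is the gap the page's S3 Object Lock in Compliance mode is meant to close: the hashes committed there cannot be deleted or overwritten even by the account that wrote them, and the staging check above should be paired with one that confirms the bucket's lock mode.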

Oversight and Enforcement:

  • Management accountable for compliance; non-compliance risks fines up to 2% turnover.

  • NIS Cooperation Group alignment for strategic info exchange.

Contact: oskar@vo-initiatives.com. Not legal advice.
