{
  "organization": {"name":"Reglyze","slug":"reglyze","country":"FR","sector":"digital_providers","headcount":5,"memberSince":"2026-04-07T17:06:49.115Z"},
  "compliance": {
    "score": 58.56481481481481,
    "assessmentDate": "2026-05-19T21:36:45.767Z",
    "controls": [
      {"controlId":"nis2.20.1.a.1","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"The information security policy and board briefing deck show CEO approval of risk-management measures; formal board-level approval resolution is implied but no separate signed approval record is evidenced beyond the policy sign-off field."},
      {"controlId":"nis2.20.1.a.2","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"Active oversight is limited to a single director who is also the sole operator; the board briefing deck describes oversight intent but no recurring oversight meeting minutes or tracking artefacts are evidenced, making this ad hoc in practice."},
      {"controlId":"nis2.20.1.a.3","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"The board briefing deck explicitly flags Article 20 personal liability for management body members; Cyril's acknowledgement is implicit in policy approval but no signed liability acknowledgement form is evidenced."},
      {"controlId":"nis2.20.1.a.4","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"Policies state annual review cycles but no evidence of a completed review cycle exists yet (all documents are version 1.0 at initial issue); governance review cadence is planned but not yet operationally demonstrated."},
      {"controlId":"nis2.20.2.a","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"The training plan documents a mandatory cybersecurity training programme for the management body and Cyril is noted as self-trained per task 1.5; however, no auditable completion records or refresher cadence evidence exists yet, capping implementation at 2."},
      {"controlId":"nis2.20.2.a.1","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"The cybersecurity training plan establishes a mandatory programme for the management body; Cyril's self-training is noted but no formal enrolment or completion certificate is evidenced."},
      {"controlId":"nis2.20.2.a.2","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"The training plan specifies an annual refresher cadence; no evidence of a completed first refresher cycle exists given all policies are at initial version 1.0."},
      {"controlId":"nis2.20.2.a.3","implementationScore":1,"documentationScore":1,"severity":"high","notes":"No auditable completion records (certificates, LMS logs, sign-off sheets) are evidenced in the policy digest; the training plan describes the requirement but does not demonstrate fulfilment."},
      {"controlId":"nis2.20.2.a.4","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"The management body consists solely of Cyril Poder; the training plan covers him, so coverage of all management body members is technically complete, though the single-person scope limits the robustness of this control."},
      {"controlId":"nis2.20.2.a.5","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"The training plan explicitly encourages staff cybersecurity training for all 5 FTE; implementation is plausible given the small team but no training completion records are evidenced."},
      {"controlId":"nis2.21.2.a","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"A comprehensive information security policy (REGLYZE-ISP-001) exists with a risk assessment framework, treatment plan, and review schedule; all documents are version 1.0 at initial issue with no evidence of a completed annual review cycle, capping documentation at 2."},
      {"controlId":"nis2.21.2.a.1","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"The information security policy defines a risk assessment framework including methodology, scope, and asset classification; no evidence of a completed risk assessment register or risk treatment output is provided in the digest."},
      {"controlId":"nis2.21.2.a.2","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"REGLYZE-ISP-001 is a written, version-controlled information security policy approved by the CEO; it is version 1.0 with next review 2026, so not yet confirmed reviewed within 12 months."},
      {"controlId":"nis2.21.2.a.3","implementationScore":1,"documentationScore":1,"severity":"high","notes":"The information security policy references a risk treatment plan but no standalone risk treatment plan document or register is evidenced in the policy digest; treatment is described in principle only."},
      {"controlId":"nis2.21.2.a.4","implementationScore":1,"documentationScore":1,"severity":"high","notes":"Risk acceptance criteria are referenced within the ISP framework section but no explicit documented risk acceptance criteria table or threshold definition is evidenced as a standalone artefact."},
      {"controlId":"nis2.21.2.a.5","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"The ISP mandates annual risk review; no completed review cycle is evidenced (version 1.0, next review 2026), so the process is planned but not yet operationally demonstrated, capping implementation at 1."},
      {"controlId":"nis2.21.2.b","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"A formal incident response plan exists (version 1.0) covering classification, detection, notification timelines, and post-incident review; however, the plan has never been triggered by a real incident and no tabletop or live test is evidenced, capping implementation at 2."},
      {"controlId":"nis2.20.1.a","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"Cyril Poder as sole director has approved policies and the board briefing deck evidences governance oversight; however, as a 5-person org with a single director, formal periodic governance review cadence and escalation paths are nascent and untested. Policies are version 1.0 and not yet confirmed reviewed within 12 months by an independent body."},
      {"controlId":"nis2.21.2.b.3","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"The incident response plan includes an incident classification and triage framework with severity levels; classification has not been exercised against a real event."},
      {"controlId":"nis2.21.2.b.4","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"The IRP documents NIS2 Article 23 notification timelines (early warning 24h, notification 72h, final report 1 month); no actual notification to ANSSI has been made, so the process is documented but untested operationally."},
      {"controlId":"nis2.21.2.b.5","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"The IRP includes a post-incident review section; since no real incident has occurred, no post-incident review has ever been conducted, making this entirely theoretical at present."},
      {"controlId":"nis2.21.2.c","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"A business continuity plan and a backup/disaster recovery policy both exist; daily rclone-to-Google-Drive backups are operational, but restore has never been tested in the past 12 months, capping implementation at 2."},
      {"controlId":"nis2.21.2.c.1","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"The BCP document covers scope, governance, RTO/RPO objectives, and recovery procedures; it is version 1.0 and has not been exercised, so operational maturity is documented-but-untested."},
      {"controlId":"nis2.21.2.c.3","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"The DR policy defines recovery procedures for Hetzner primary and Cloudflare CDN/DNS failover scenarios; no DR test or failover drill is evidenced, capping implementation at 2."},
      {"controlId":"nis2.21.2.c.4","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"Crisis management is addressed within the BCP at a high level; with a 5-person fully remote team and single on-call, a dedicated crisis management capability is structurally limited and no crisis simulation has been conducted."},
      {"controlId":"nis2.21.2.c.5","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"The BCP and DR policy both mandate annual testing and exercises; no test has been conducted (backups untested, BCP unexercised), so the testing programme exists on paper only."},
      {"controlId":"nis2.21.2.d","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"A supply chain security policy (REGLYZE-POL-SC-001) exists covering supplier risk assessment, contractual requirements, and monitoring; no evidence of completed supplier questionnaires or audit outputs is provided, capping implementation at 2."},
      {"controlId":"nis2.21.2.d.1","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"The supply chain security policy defines a supplier risk assessment framework; key suppliers (Anthropic, Stripe, Hetzner, Cloudflare, GitHub, Resend) are identifiable from the stack profile but no completed risk assessment records are evidenced."},
      {"controlId":"nis2.21.2.d.2","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"The supply chain policy specifies contractual security requirements to be imposed on suppliers; no evidence of executed supplier contracts with security clauses or DPA addenda is provided in the digest."},
      {"controlId":"nis2.21.2.d.3","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"Supplier monitoring is described in the policy but no recurring supplier review cadence, scorecard, or monitoring log is evidenced; at 5 persons this is likely informal at best."},
      {"controlId":"nis2.21.2.d.4","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"Dependabot and Renovate are actively enabled on the TypeScript/Node.js monorepo, providing automated software supply chain dependency monitoring; the vulnerability management policy also covers software supply chain risk."},
      {"controlId":"nis2.21.2.d.5","implementationScore":1,"documentationScore":1,"severity":"high","notes":"Coordinated risk assessments with suppliers or sector peers are not evidenced; at Reglyze's scale and OOS status, participation in coordinated assessments (e.g. ANSSI sector exercises) has not been described."},
      {"controlId":"nis2.21.2.e","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"A vulnerability management policy exists and Dependabot/Renovate provide automated dependency hygiene; a secure development lifecycle is implied by the TypeScript monorepo and GitHub pipeline but not formally documented as an SDLC policy."},
      {"controlId":"nis2.21.2.e.1","implementationScore":2,"documentationScore":1,"severity":"medium","notes":"Development practices on the TypeScript/Node.js monorepo with GitHub CI/CD imply a repeatable build and review process; no formal written secure development lifecycle (SDLC) policy or secure coding standard is evidenced in the digest."},
      {"controlId":"nis2.21.2.e.2","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"The supply chain and vulnerability management policies reference security in procurement; no procurement checklist or vendor security evaluation form is evidenced as an operational artefact."},
      {"controlId":"nis2.21.2.e.3","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"Dependabot and Renovate provide automated vulnerability detection and patch management for dependencies; the vulnerability management policy (REG-SEC-POL-003) documents scanning, patching, and CVD procedures."},
      {"controlId":"nis2.21.2.e.4","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"The vulnerability management policy includes a coordinated vulnerability disclosure (CVD) process section; no public security.txt, bug bounty programme, or CVD disclosure record is evidenced operationally."},
      {"controlId":"nis2.21.2.e.5","implementationScore":2,"documentationScore":1,"severity":"medium","notes":"GitHub-based CI/CD with pull-request workflows implies change management controls; no formal change and configuration management policy or change log is evidenced as a standalone written document."},
      {"controlId":"nis2.21.2.f","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"An effectiveness testing policy (REG-POL-ETP-001) exists defining audit cadence, KPIs, and management review; no completed audit, penetration test, or KPI measurement cycle is evidenced, capping implementation at 1."},
      {"controlId":"nis2.21.2.f.1","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"The effectiveness testing policy mandates periodic security audits with a quarterly checklist template (Annex A); no completed audit report or checklist output is evidenced."},
      {"controlId":"nis2.21.2.f.2","implementationScore":0,"documentationScore":2,"severity":"high","notes":"The effectiveness testing policy references penetration testing as a planned measure; no penetration test has been conducted and no test report is evidenced; implementation is zero at this time."},
      {"controlId":"nis2.21.2.b.2","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"Detection relies on Cloudflare WAF alerts, Dependabot/Renovate notifications, and on-call monitoring by Cyril; no SIEM or SOC is in place, but tooling provides partial automated detection coverage documented in the IRP."},
      {"controlId":"nis2.21.2.f.5","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"Continuous improvement is described as a principle in the effectiveness testing policy and ISP; no improvement log, corrective action register, or PDCA cycle evidence is provided."},
      {"controlId":"nis2.21.2.g","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"A cybersecurity training plan exists covering awareness, role-based training, and hygiene baseline for all 5 staff; no training completion records or effectiveness measurement outputs are evidenced, capping implementation at 2."},
      {"controlId":"nis2.21.2.g.1","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"The training plan establishes a cybersecurity awareness programme for all personnel; no completion records or awareness campaign artefacts (e.g. phishing simulation results) are evidenced."},
      {"controlId":"nis2.21.2.g.2","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"Management body training is covered in both the training plan and the board briefing deck; Cyril's self-training is noted but no completion certificate or formal record exists."},
      {"controlId":"nis2.21.2.g.3","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"The training plan specifies role-based security training; with only 5 staff and no dedicated security or development roles differentiated in the digest, role-based differentiation is limited in practice."},
      {"controlId":"nis2.21.2.g.4","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"MFA enforced everywhere, encryption at rest and in transit, Dependabot/Renovate, and Cloudflare WAF constitute a strong cyber hygiene baseline operationally; the training plan and ISP document these as baseline requirements."},
      {"controlId":"nis2.21.2.g.5","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"The training plan describes training effectiveness measurement requirements; no measurement data, quiz results, or effectiveness assessment outputs are evidenced as having been produced."},
      {"controlId":"nis2.21.2.h","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"A cryptography and encryption policy (REG-SEC-POL-CRYPTO-001) exists; encryption at rest and in transit is operationally enforced (Cloudflare TLS, Hetzner storage encryption); key management procedures are documented but not independently audited."},
      {"controlId":"nis2.21.2.h.1","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"REG-SEC-POL-CRYPTO-001 defines cryptographic standards, approved algorithms, and usage requirements; it is version 1.0 and not yet confirmed reviewed within 12 months."},
      {"controlId":"nis2.21.2.h.2","implementationScore":3,"documentationScore":2,"severity":"low","notes":"Encryption at rest is operationally enforced across Postgres, Redis, MinIO on Hetzner and Google Drive backups; this is a genuine operational strength. Documentation exists in the cryptography policy but not yet through a completed annual review."},
      {"controlId":"nis2.21.2.h.3","implementationScore":3,"documentationScore":2,"severity":"low","notes":"TLS is enforced via Cloudflare for all in-transit communications; this is fully implemented and covers all in-scope assets. Documentation exists in the cryptography policy at version 1.0."},
      {"controlId":"nis2.21.2.h.4","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"Key management procedures are described in the cryptography policy; operational key management relies on platform-managed keys (Cloudflare, Hetzner, Google) which is appropriate at this scale but no independent key management audit is evidenced."},
      {"controlId":"nis2.21.2.h.5","implementationScore":1,"documentationScore":1,"severity":"high","notes":"Cryptographic agility (ability to migrate algorithms) is not explicitly addressed as an operational capability; the cryptography policy does not evidence a tested algorithm migration plan or agility assessment."},
      {"controlId":"nis2.21.2.i.1","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"The asset management policy (REGLYZE-POL-ASM-001) defines asset inventory and classification requirements; the tech stack (Hetzner, Cloudflare, GitHub, Postgres, Redis, MinIO, etc.) is identifiable but no completed asset register is evidenced as an operational artefact."},
      {"controlId":"nis2.21.2.i.2","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"The access control policy (REG-SEC-POL-001) documents least-privilege, need-to-know, and role-based access principles; MFA is enforced everywhere, providing strong operational backing."},
      {"controlId":"nis2.21.2.i.3","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"MFA is enforced across all systems; identity and access management relies on platform-native controls (GitHub, Hetzner, Cloudflare) with no centralised IAM platform, which is proportionate for 5 persons but limits maturity."},
      {"controlId":"nis2.21.2.i.4","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"The HR security policy covers pre-employment screening and onboarding security requirements; no completed onboarding checklist, background check record, or NDA execution log is evidenced for the current 5-person team."},
      {"controlId":"nis2.21.2.i.5","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"The HR security policy addresses termination and role-change procedures including access revocation; no offboarding checklist completion record or access revocation log is evidenced operationally."},
      {"controlId":"nis2.21.2.j","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"MFA is enforced everywhere per the profile and documented in the MFA/secured communications policy (REGLYZE-POL-SEC-007); secured communications rely on standard SaaS tooling (not end-to-end encrypted dedicated platforms) and no secured emergency communication system is evidenced."},
      {"controlId":"nis2.21.2.j.1","implementationScore":3,"documentationScore":2,"severity":"low","notes":"MFA is enforced everywhere across all systems and accounts; this is a genuine operational strength fully covering all in-scope assets. The MFA policy documents this requirement at version 1.0."},
      {"controlId":"nis2.21.2.j.2","implementationScore":1,"documentationScore":1,"severity":"high","notes":"Continuous authentication (beyond MFA at login) is not described as an operational capability; no session risk scoring, device trust, or continuous authentication tooling is evidenced."},
      {"controlId":"nis2.21.2.j.3","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"The MFA/secured communications policy references requirements for secured voice and video communications; no dedicated end-to-end encrypted voice/video platform (beyond standard commercial tools) is evidenced as operationally deployed."},
      {"controlId":"nis2.21.2.f.3","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"The effectiveness testing policy defines KPI thresholds and an escalation matrix (Annex B); no KPI measurement data or dashboard output is evidenced as having been produced."},
      {"controlId":"nis2.21.2.j.5","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"Secured emergency communications are addressed in the MFA/secured communications policy; no dedicated emergency communication channel, out-of-band contact list, or emergency comms test is evidenced operationally."},
      {"controlId":"nis2.20.1.a.5","implementationScore":1,"documentationScore":1,"severity":"high","notes":"With a single-person management body, a formal escalation path to the management body is structurally trivial but not documented as a distinct procedure; no escalation matrix or on-call escalation chain to a board level is evidenced beyond the incident response plan's internal escalation."},
      {"controlId":"nis2.21.2.b.1","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"The incident response plan is a documented, structured procedure covering containment, eradication, and recovery; it has never been activated in a real incident, so operational maturity is repeatable-on-paper but untested."},
      {"controlId":"nis2.21.2.c.2","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"Daily rclone backups to Google Drive are operationally running; the backup/DR policy (REGLYZE-POL-BDR-001) documents retention and recovery objectives, but restore testing has not been performed in the past 12 months."},
      {"controlId":"nis2.21.2.f.4","implementationScore":1,"documentationScore":2,"severity":"medium","notes":"The effectiveness testing policy mandates management body review of audit outputs; no completed management review meeting record or remediation backlog review is evidenced."},
      {"controlId":"nis2.21.2.i","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"HR security, access control, and asset management policies all exist as separate written documents; MFA is enforced everywhere and least-privilege access is described; no evidence of completed onboarding/offboarding checklists or asset inventory register as operational artefacts."},
      {"controlId":"nis2.21.2.j.4","implementationScore":2,"documentationScore":2,"severity":"medium","notes":"Text communications likely use standard encrypted messaging (e.g. Signal or equivalent) consistent with a remote-first tech team; the policy documents secured text communication requirements, though no specific tool mandate or enforcement evidence is provided."}
    ]
  },
  "suppliers": [
    {"id":"ee71a19b-77f9-46d7-99b0-5b76aec3474e","name":"Hetzner Online GmbH","serviceType":"Cloud infrastructure / hosting","criticality":"critical","dataShared":"All application data, customer accounts, encrypted backups"},
    {"id":"48885ec6-f16d-4bf4-8fb1-ba84c20449fd","name":"Cloudflare","serviceType":"CDN, DNS, WAF, TLS termination","criticality":"critical","dataShared":"All HTTP/S traffic metadata, no plaintext payloads"},
    {"id":"980f5386-f276-4109-9249-2696bc7a06db","name":"Stripe","serviceType":"Payment processing and billing","criticality":"high","dataShared":"Customer billing details, subscription metadata"},
    {"id":"5e0492e9-7618-4227-b09e-d866a535ffaa","name":"Anthropic","serviceType":"AI/LLM (Claude API for document generation)","criticality":"high","dataShared":"Customer organization context for document generation prompts"},
    {"id":"f45443e8-dc58-4d82-b1e2-6685ed3ca71f","name":"GitHub","serviceType":"Source code hosting and CI/CD","criticality":"high","dataShared":"Source code, deployment secrets via Actions"},
    {"id":"08a4f723-5623-4ba1-b67b-065ba04309d0","name":"Resend","serviceType":"Transactional email delivery","criticality":"medium","dataShared":"Recipient email addresses (customer admins, vendor questionnaire contacts), email bodies (compliance notifications, vendor questionnaire requests, billing notices)."},
    {"id":"8b30a6e2-3b9f-4618-b146-8dd8f1ae557b","name":"Google (Workspace + Drive via rclone)","serviceType":"Off-site backup destination","criticality":"high","dataShared":"Encrypted daily Postgres dumps + MinIO blob backups mirrored via rclone. Encryption at rest by Google; Reglyze does not currently apply client-side encryption on top."}
  ],
  "documents": [
    {"type":"training_certificate","title":"NIS2 Article 20(2) Training Certificate — Cyril Poder","status":"approved","updatedAt":"2026-05-17T17:44:21.787Z"},
    {"type":"information_security_policy","title":"Reglyze Information Security Policy","status":"approved","updatedAt":"2026-05-17T17:44:21.787Z"},
    {"type":"incident_response_plan","title":"Reglyze Incident Response Plan","status":"approved","updatedAt":"2026-05-17T17:44:21.787Z"},
    {"type":"business_continuity_plan","title":"Reglyze Business Continuity Plan","status":"approved","updatedAt":"2026-05-17T17:44:21.787Z"},
    {"type":"backup_disaster_recovery","title":"Reglyze Backup and Disaster Recovery Plan","status":"approved","updatedAt":"2026-05-17T17:44:21.787Z"},
    {"type":"supply_chain_security","title":"Reglyze Supply Chain Security Policy","status":"approved","updatedAt":"2026-05-17T17:44:21.787Z"},
    {"type":"vulnerability_management","title":"Reglyze Vulnerability Management Policy","status":"approved","updatedAt":"2026-05-17T17:44:21.787Z"},
    {"type":"effectiveness_testing_policy","title":"Reglyze Effectiveness Testing Policy","status":"approved","updatedAt":"2026-05-17T17:44:21.787Z"},
    {"type":"training_plan","title":"Reglyze Cybersecurity Training Plan","status":"approved","updatedAt":"2026-05-17T17:44:21.787Z"},
    {"type":"cryptography_encryption","title":"Reglyze Cryptography Policy","status":"approved","updatedAt":"2026-05-17T17:44:21.787Z"},
    {"type":"hr_security","title":"Reglyze HR Security Policy","status":"approved","updatedAt":"2026-05-17T17:44:21.787Z"},
    {"type":"access_control","title":"Reglyze Access Control Policy","status":"approved","updatedAt":"2026-05-17T17:44:21.787Z"},
    {"type":"asset_management","title":"Reglyze Asset Management Policy","status":"approved","updatedAt":"2026-05-17T17:44:21.787Z"},
    {"type":"mfa_secured_comms","title":"MFA & Secured Communications Policy","status":"approved","updatedAt":"2026-05-17T17:44:21.787Z"},
    {"type":"board_briefing_deck","title":"Board/Management Cybersecurity Briefing Deck","status":"approved","updatedAt":"2026-05-17T17:44:21.787Z"}
  ]
}