Legal & Compliance

Regulatory Compliance, Contractual Framework, and Audit Evidence

Last Updated: 2026-05-01

---

Purpose

This section provides documentation required for MazeVault to operate as a compliant ICT supplier to regulated financial entities under Czech and EU law. It covers contractual templates, regulatory compliance mappings, and audit support.

For technical security documentation (encryption, RBAC, audit logging, penetration testing, key management, etc.), see the Security & Compliance section.

---

Applicable Regulations

Regulation	Relevance	MazeVault Document
Act No. 264/2025 Sb. (Czech Cybersecurity Act)	MazeVault is a supply chain vendor to regulated entities	NIS2 Compliance Mapping
DORA (EU 2022/2554)	ICT third-party provider to financial entities	DORA Compliance Mapping
GDPR (EU 2016/679)	Data processor for customer personal data	GDPR Compliance

---

Documents

Regulatory Compliance

Document	Purpose
NIS2 / Czech Cybersecurity Act	Supply chain requirements (§27), 25 control domains, incident reporting, security questionnaire
DORA Compliance Mapping	ICT third-party risk (Art. 28-30), Register of Information, exit strategy
GDPR Compliance	Data processor obligations, RoPA, DPIA, data subject rights, breach notification

Operational

Document	Purpose
Incident Response Plan	Detection, response, recovery. NUKIB notification within 24h. DORA within 4h.
Business Continuity & DR	RTO/RPO targets, backup strategy, failover procedures, DR testing
Subprocessor List	Third-party data processors and ICT providers
Compliance Evidence & Reporting	Built-in compliance reports, audit log access, Auditor role, SIEM integration

---

Relationship to Security & Compliance Section

The existing Security & Compliance section covers technical implementation details:

• Security Overview — 5-layer architecture, security principles
• Encryption & Key Management — AES-256-GCM, key hierarchy, HSM
• Authentication — SRP, SSO, MFA, session management
• RBAC & Roles — 8 roles, permission matrices, domain separation
• Audit Logging — Event taxonomy, SIEM integration, compliance reporting
• Penetration Testing — Vulnerability scanning, pen-test results
• Certificate Lifecycle — Issuance, rotation, revocation
• Compliance Matrix — ISO 27001, SOC 2, PCI DSS, NIS2, GDPR mapping

This Legal & Compliance section adds what the technical docs don't cover: formal contractual obligations, regulatory article-by-article mappings, incident reporting timelines, and audit delivery procedures.

---

Contact

For all security, compliance, and audit inquiries: info@mazevault.com