
NIS2 / Czech Cybersecurity Act Compliance

MazeVault Compliance with Act No. 264/2025 Sb. and EU Directive 2022/2555 (NIS2)

Document ID: MV-LEG-020
Version: 1.0.0
Classification: Internal
Owner: Chief Information Security Officer (CISO)
Last Updated: 2026-05-01
Review Cycle: Annual (and upon regulatory changes)
Approved By: CEO / Board of Directors


1. Regulatory Overview

1.1 Act No. 264/2025 Sb. (Zákon o kybernetické bezpečnosti)

Act No. 264/2025 Sb. ("the Act") is the Czech transposition of the NIS2 Directive (EU 2022/2555) into national law. It entered into force on 1 November 2025, replacing the previous Act No. 181/2014 Sb. The Act fundamentally restructures the Czech cybersecurity regulatory landscape and imposes significantly expanded obligations on regulated entities and their supply chains.

Key characteristics of the Act:

| Aspect | Description |
|---|---|
| Effective date | 1 November 2025 |
| Supervisory authority | Národní úřad pro kybernetickou a informační bezpečnost (NÚKIB) |
| Obligation regime | Two-tier: higher obligations (režim vyšších povinností) / lower obligations (režim nižších povinností) |
| Implementing decrees | 7 implementing decrees (vyhlášky) detailing technical requirements |
| Control domains | 25 security control domains for entities under higher-obligation regime |
| Penalties | Up to CZK 250,000,000 or 2% of annual global turnover (whichever is higher) for entities; up to CZK 10,000,000 for individuals |
| Personal liability | Management bodies (statutární orgány) bear personal liability for cybersecurity governance |
| Registration | Mandatory registration with NÚKIB within 60 days of meeting criteria |
| Compliance deadline | 1 year after registration confirmation to achieve full compliance |

1.2 NIS2 Directive (EU 2022/2555)

The NIS2 Directive establishes a high common level of cybersecurity across the European Union. It entered into force on 16 January 2023 with a transposition deadline of 17 October 2024. The Czech Republic transposed it via Act No. 264/2025 Sb. with effectiveness from 1 November 2025.

NIS2 key expansions over NIS1:

  • Expanded scope to 18 sectors (11 highly critical, 7 critical)
  • Mandatory supply chain security requirements
  • Harmonized incident reporting timelines
  • Enhanced enforcement and penalties
  • Personal accountability for management
  • Cross-border cooperation mechanisms

1.3 NÚKIB as Supervisory Authority

NÚKIB (Národní úřad pro kybernetickou a informační bezpečnost) is the designated competent authority under the Act, with powers to:

  • Issue binding security measures
  • Conduct inspections and audits
  • Impose corrective measures and penalties
  • Maintain the national registry of regulated entities
  • Operate the national CERT (GovCERT.CZ)
  • Receive and process incident notifications
  • Issue early warnings and advisory publications

1.4 Two-Tier Obligation Regime

The Act distinguishes between two levels of obligations:

Higher obligations (režim vyšších povinností):

  • Essential entities in highly critical sectors
  • Includes credit institutions (banks), energy, transport, health, digital infrastructure
  • Must comply with all 25 security control domains
  • Subject to proactive supervisory inspections
  • Stricter penalty regime

Lower obligations (režim nižších povinností):

  • Important entities in critical sectors
  • Reduced but still substantial security requirements
  • Reactive supervision (post-incident or complaint-based)

1.5 Implementing Decrees

The 7 implementing decrees detail:

  1. Technical security measures for higher-obligation entities
  2. Technical security measures for lower-obligation entities
  3. Registration and notification procedures
  4. Incident classification and reporting formats
  5. Security audit requirements
  6. Supply chain security requirements
  7. Sector-specific requirements (including financial sector)

2. MazeVault's Regulatory Position

2.1 Classification as Supplier (Dodavatel)

MazeVault is classified as a supplier (dodavatel) to regulated entities under the Act. MazeVault itself is not directly a "regulated service" (regulovaná služba) or "regulated entity" (povinná osoba) unless it independently meets the size thresholds (medium or large enterprise) and provides services in a regulated sector.

MazeVault's position:

  • Primary role: ICT third-party service provider (supplier) to regulated banking entities
  • Direct regulation: Not directly regulated under the Act (below size thresholds for standalone classification)
  • Indirect obligations: Subject to supply chain requirements imposed by customers who are regulated entities
  • Contractual obligations: Must meet security requirements specified by customers in accordance with §27 et seq.

2.2 Customer Obligations Regarding MazeVault

Banking customers of MazeVault are credit institutions classified as essential entities (základní subjekt) in the banking sector under the higher-obligation regime. These customers have the following obligations regarding MazeVault as their supplier:

| Customer Obligation | Legal Basis | MazeVault's Role |
|---|---|---|
| Register MazeVault as a significant supplier | §27(2) | Acknowledge registration, provide required information |
| Conduct risk assessment of MazeVault | §27(3) | Provide security documentation, evidence, certifications |
| Include security requirements in contract | §27(4) | Accept Security Annex, DPA, SLA with security provisions |
| Monitor MazeVault's ongoing compliance | §27(5) | Provide periodic compliance evidence, submit to audits |
| Include MazeVault in crisis management plans | §28 | Participate in crisis exercises, maintain IRP |
| Ensure safe termination provisions | §27(4)(g) | Documented exit strategy, data return procedures |
| Assess subcontractor chain | §29 | Disclose subprocessors, maintain chain governance |

2.3 MazeVault's Enabling Role

MazeVault enables its banking customers to meet their own regulatory obligations by:

  1. Providing comprehensive security documentation — enabling customer's due diligence and risk assessment
  2. Accepting contractual security obligations — Security Annex, DPA, SLA with security KPIs
  3. Maintaining auditable compliance evidence — continuous compliance monitoring and reporting
  4. Supporting incident response — timely notification, evidence provision, cooperation
  5. Facilitating regulatory audits — unrestricted audit rights, documentation availability
  6. Ensuring operational resilience — BCP/DRP, redundancy, failover capabilities
  7. Managing supply chain downward — governance of MazeVault's own subprocessors

3. Supply Chain Requirements (Part 1, Section 5 — §27 et seq.)

3.1 Supplier Selection Rules (§27(1))

The Act requires regulated entities to establish transparent rules for selecting suppliers, considering cybersecurity aspects. MazeVault supports this by providing:

  • Pre-contract security documentation package
  • Completed security questionnaire (Section 7 of this document)
  • Evidence of security certifications and compliance posture
  • References from existing regulated customers
  • Demonstration of technical security capabilities

3.2 Significant Supplier Registration (§27(2))

Regulated entities must maintain a register of significant suppliers and formally notify them of their registration status. Upon registration by a customer:

  • MazeVault acknowledges the registration in writing
  • Designates a security contact for the customer relationship
  • Commits to meeting the obligations arising from supplier status
  • Provides the information required for the customer's supplier register

3.3 Risk Assessment Before Contract (§27(3))

Before entering into a contract, the regulated entity must conduct a risk assessment of MazeVault. MazeVault facilitates this by providing:

| Assessment Area | Documentation Provided |
|---|---|
| Security posture | Information Security Policy (MV-LEG-001), compliance reports |
| Technical controls | Architecture documentation, security control descriptions |
| Operational resilience | BCP/DRP (MV-LEG-008), DR test results |
| Incident handling | Incident Response Plan (MV-LEG-007), incident history |
| Personnel security | Organizational HR policy (MazeVault s.r.o.) |
| Physical security | Cloud provider SOC 2 reports (Azure) |
| Supply chain | Third-party Risk Management Policy (MV-LEG-011), subprocessor list |
| Data protection | DPA, Data Classification Policy (MV-LEG-005) |
| Vulnerability management | Pen-test reports, vulnerability scan results |
| Access control | Access Control Policy (MV-LEG-003), RBAC documentation |

3.4 Contractual Obligations (§27(4))

The Act mandates specific provisions in contracts with significant suppliers. MazeVault's contractual framework addresses each requirement:

| Statutory Requirement | Contract Reference | MazeVault Provision |
|---|---|---|
| (a) Scope of supplier's access to information and systems | Security Annex §2 | Defined access scope, data processing boundaries, system access matrix |
| (b) Communication methods and contact persons | Security Annex §3 | Designated security contacts, communication channels, escalation procedures |
| (c) Data handling and protection obligations | DPA + Security Annex §4 | Data processing instructions, retention, deletion, encryption requirements |
| (d) Audit rights for the regulated entity | Security Annex §5 | Unrestricted right to audit with 30-day notice, annual audit facilitation |
| (e) Maintenance of agreed security level | SLA + Security Annex §6 | Security KPIs, patching SLAs, vulnerability remediation timelines |
| (f) Inclusion in crisis management plans | Security Annex §7 | Crisis communication procedures, IRP alignment, joint exercise participation |
| (g) Safe termination provisions | Security Annex §8 | Exit strategy, data return, secure deletion, transition support (min. 6 months) |
| (h) Mutual responsibility and liability | Master Agreement §9 | Defined responsibilities, liability allocation, indemnification |

3.5 Supplier Chaining (§29)

The Act extends supply chain requirements to subcontractors (poddodavatelé). MazeVault ensures:

  • All critical and significant subprocessors are disclosed to customers (Third-party Risk Management Policy, MV-LEG-011)
  • Subprocessors undergo equivalent security assessment before engagement
  • Contractual flow-down of security requirements to subprocessors
  • Customer notification (30 days advance) of subprocessor changes
  • Customer objection right regarding new subprocessors
  • Auditable evidence of subprocessor governance

3.6 MazeVault's Deliverables to Customers

To satisfy supply chain obligations, MazeVault provides the following to regulated customers:

| Deliverable | Purpose | Frequency |
|---|---|---|
| Security Annex | Contractual security obligations | At contract, upon amendment |
| Data Processing Agreement (DPA) | GDPR and data protection | At contract, upon amendment |
| Service Level Agreement (SLA) | Service quality and security KPIs | At contract, annual review |
| Annual compliance report | Overall compliance posture evidence | Annual |
| Penetration test report (executive summary) | Third-party security validation | Annual (Q4) |
| Vulnerability scan summary | Continuous security monitoring evidence | Quarterly |
| Incident notification | Timely customer notification of incidents | As needed (within 24h) |
| Subprocessor list | Supply chain transparency | At contract, upon change |
| Audit cooperation | Right to audit fulfilment | Upon request (30-day notice) |
| Security questionnaire responses | Due diligence support | Upon request, annual update |

4. Security Control Domains Mapping

The Act's implementing decree for higher-obligation entities defines 25 security control domains. The following table maps each domain to MazeVault's implementation and available evidence artifacts.

4.1 Complete Domain Mapping

| # | Control Domain (Czech/English) | MazeVault Implementation | Evidence Artifacts |
|---|---|---|---|
| 1 | Bezpečnostní politika / Security Policy | Information Security Policy (MV-LEG-001) as apex ISMS document. Hierarchical policy structure with subordinate policies for each domain. Annual review and approval by CEO/Board. | Policy document, version history, approval records, annual review minutes |
| 2 | Řízení rizik / Risk Management | Risk Management Policy (MV-LEG-002) establishing formal risk assessment methodology. Quarterly risk reviews. ComplianceReportService generating automated compliance posture reports. Risk register maintained and reviewed. | Risk register, quarterly risk review reports, ComplianceReportService outputs, risk treatment plans |
| 3 | Správa aktiv / Asset Management | Data Classification Policy (MV-LEG-005) with 4-tier classification (Public, Internal, Confidential, Restricted). database_health.go ExpectedTables defining system asset inventory. Configuration management database. | Asset inventory, classification labels in code, data flow diagrams, configuration records |
| 4 | Řízení přístupu / Access Control | RBAC with 8 system roles (Viewer, Operator, Auditor, Manager, Admin, CertAdmin, SecurityOfficer, SuperAdmin) and 50+ granular permissions. MFA (TOTP-based). SSO integration. Project-level isolation. Session management with configurable expiration. API key scoping. | Access Control Policy (MV-LEG-003), permission matrix, access review logs, MFA enrollment records, SSO configuration |
| 5 | Kryptografie / Cryptography | AES-256-GCM for data at rest (NIST SP 800-38D). RSA-2048/4096 and ECDSA P-256/P-384 for certificates. HSM integration (Azure Key Vault, AWS CloudHSM, GCP KMS, PKCS#11). Automated key rotation. TLS 1.2+ for all transit. | Cryptography Policy (MV-LEG-004), key rotation logs, HSM audit trails, TLS configuration records |
| 6 | Bezpečnost sítě / Network Security | TLS enforcement on all endpoints. mTLS for agent-to-platform communication. Network segmentation between service tiers. Firewall/NSG rules. CORS policy enforcement. Security headers (HSTS, CSP, X-Frame-Options). Certificate validation for all outbound connections. | TLS scan results, network architecture diagrams, firewall rule sets, mTLS certificate inventory |
| 7 | Bezpečnost provozu / Operations Security | Structured JSON logging with correlation IDs. Prometheus-based monitoring with alerting. Health check endpoints (/health, /readiness). Automated deployment pipelines. Change management procedures. Capacity monitoring. | Logging & Monitoring Policy (MV-LEG-009), Prometheus dashboards, health check configurations, deployment records |
| 8 | Bezpečnost komunikací / Communications Security | TLS 1.2+ minimum for all external communications. mTLS for internal service-to-service communication. CORS configuration restricting origins. Security headers preventing clickjacking, XSS, MIME sniffing. Email security (SPF, DKIM, DMARC) configured at domain DNS level (outside application scope). | TLS configuration, header scan results, CORS policy |
| 9 | Akvizice, vývoj a údržba / Acquisition, Development, and Maintenance | Secure Software Development Lifecycle (SSDLC). CI/CD security gates (linting, SAST, dependency scanning, container scanning). Mandatory code review (PR-based). Automated testing. Vulnerability scanning per build (Trivy, govulncheck). | CI pipeline configuration, PR review records, SAST scan results, build logs, vulnerability reports |
| 10 | Řízení dodavatelů / Supplier Management | Third-party Risk Management Policy (MV-LEG-011). Three-tier supplier classification (Critical, Significant, Standard). Annual supplier reassessment. Contractual security requirements. Subprocessor governance. Exit strategies. | Supplier register, assessment records, contracts with security annexes, subprocessor list |
| 11 | Řízení incidentů / Incident Handling | Incident Response Plan (MV-LEG-007). IncidentService with structured incident lifecycle (Detection → Triage → Containment → Eradication → Recovery → Lessons Learned). 4-level severity classification. Defined response times (P1: ≤15 min). Customer notification within 24h. | Incident records, notification logs, post-incident reports, IRP test results |
| 12 | Řízení kontinuity / Business Continuity | BCP/DRP (MV-LEG-008). Multi-datacenter deployment. Gateway failover (active/passive). Database replication. Automated backup and restore. Defined RTO/RPO targets. Annual DR testing. | BCP/DRP document, DR test reports, backup verification logs, failover test results |
| 13 | Personální bezpečnost / Human Resources Security | Organizational commitment of MazeVault s.r.o.: developer onboarding security briefing, security awareness communication, background verification for personnel with production access (per internal HR policy). Defined responsibilities in employment contracts. Disciplinary procedures for policy violations. Note: these are organizational processes of MazeVault s.r.o., not platform features. | Employment contract templates, HR policy documentation (available upon request from MazeVault s.r.o.) |
| 14 | Fyzická bezpečnost / Physical Security | Cloud-first deployment on Azure (SOC 2 Type II certified data centers). Customer on-premise deployments under customer's physical security controls. No MazeVault-operated physical infrastructure. | Azure SOC 2 Type II reports, Azure physical security documentation, shared responsibility model |
| 15 | Řízení zranitelností / Vulnerability Management | Vulnerability & Patch Management Policy (MV-LEG-010). Continuous scanning: Trivy (containers), govulncheck (Go dependencies), npm audit (frontend). Annual penetration testing by qualified third party. Patching SLAs: Critical ≤48h, High ≤7 days, Medium ≤30 days, Low ≤90 days. | Vulnerability scan reports, pen-test results (last: Q4 2025, 0 Critical/High), patching records, SBOM |
| 16 | Bezpečnost průmyslových a řídicích systémů / Industrial Control Systems Security | Not applicable — MazeVault does not operate industrial control systems or OT environments. | N/A declaration |
| 17 | Bezpečnostní architektura / Security Architecture | 5-layer security architecture (Network → Application → Authentication → Authorization → Data). Zero Trust principles. Defense in depth. Secure by default configuration. Security architecture documentation and review. | Architecture documentation, security design reviews |
| 18 | Správa identit / Identity Management | Centralized identity management. Unique user identification. Service account governance. Identity lifecycle management (provisioning, modification, deprovisioning). Federation support (SAML, OIDC). | Identity inventory, lifecycle procedures, federation configuration, deprovisioning logs |
| 19 | Řízení změn / Change Management | Formal change management process. CI/CD pipelines with approval gates. Code review requirements. Staging environment validation. Rollback procedures. Change documentation. | Change records, PR history, deployment logs, rollback procedures |
| 20 | Monitoring a detekce / Monitoring and Detection | AnomalyDetectionService with behavioral analysis. 17 SIEM-ready detection rules. Prometheus alerting with defined thresholds. Audit log analysis. Real-time dashboard monitoring. Chain-hashed audit logs ensuring tamper evidence. | SIEM rule configuration, alert history, Prometheus rules, anomaly detection logs |
| 21 | Audit a kontrola / Audit and Compliance | Chain-hashed audit logging (SHA-256, tamper-evident). Comprehensive audit trail for all security-relevant events. ComplianceReportService generating ISO 27001, SOC 2, PCI-DSS, and GDPR compliance reports. 365-day log retention. | Audit logs, compliance reports, log integrity verification results, retention policy |
| 22 | Bezpečnost cloudových služeb / Cloud Security | Azure-native security controls. AKS with network policies. Azure Key Vault integration. Managed identity usage. Infrastructure defined as code (Terraform). Shared responsibility model documentation. | Azure security configuration, Key Vault audit logs, network policy definitions, Terraform IaC |
| 23 | Bezpečný vývoj / Secure Development | SSDLC with security requirements in design phase. SAST integration in CI/CD (Trivy filesystem scan). Dependency vulnerability checking (govulncheck, npm audit). Container image scanning (Trivy). CI/CD pipeline integrity via GitHub Actions. | SSDLC documentation, CI/CD pipeline configuration, SAST scan results, dependency audit results, container scan results |
| 24 | Ochrana osobních údajů / Personal Data Protection | GDPR compliance framework. Data Processing Agreement (DPA) template. Data minimization principles. Purpose limitation. Defined retention periods. Data subject rights procedures. Privacy impact assessments. | DPA, privacy policy, DPIA records, data subject request logs, retention schedule |
| 25 | Vzdělávání a povědomí / Training and Awareness | Organizational commitment of MazeVault s.r.o.: security awareness communication for all personnel, role-specific security briefings for developers (secure coding practices, OWASP Top 10), new-hire security onboarding. Note: training is an organizational process of MazeVault s.r.o., not a platform feature. | HR training documentation (available upon request from MazeVault s.r.o.) |

5. Incident Reporting Support

5.1 Customer's Reporting Obligation

Under §15 of the Act and Article 23 of NIS2, regulated entities must report significant incidents to NÚKIB within defined timelines:

| Report Type | Deadline | Content Requirements |
|---|---|---|
| Initial notification (počáteční oznámení) | Within 24 hours of becoming aware | Suspected incident, initial classification, affected services |
| Intermediate report (průběžné hlášení) | Within 72 hours of initial notification | Updated assessment, severity, scope, indicators of compromise |
| Final report (závěrečná zpráva) | Within 1 month of intermediate report | Root cause, full impact assessment, remediation, lessons learned |

5.2 MazeVault's Notification Obligation to Customer

MazeVault commits to the following notification obligations toward its banking customers:

  • Immediate notification (without undue delay, maximum 4 hours) upon detecting any incident that may affect the customer's service, data, or security posture
  • Preliminary incident report within 12 hours containing: incident classification, affected systems, initial scope assessment, containment measures taken
  • Detailed incident report within 48 hours containing: root cause analysis (if known), full impact assessment, remediation timeline, indicators of compromise
  • Final incident report within 14 days containing: complete root cause, all affected resources, remediation completed, preventive measures implemented

5.3 Evidence Provided During Incidents

MazeVault provides the following evidence to support the customer's incident reporting to NÚKIB:

| Evidence Type | Description | Format |
|---|---|---|
| Audit logs | Chain-hashed, tamper-evident logs covering the incident timeframe | JSON export, cryptographically verified |
| Incident timeline | Chronological sequence of events with timestamps (UTC) | Structured report |
| Affected resources | List of affected systems, data, certificates, secrets | Enumerated list with classification |
| Containment actions | Actions taken to contain the incident | Timestamped action log |
| Indicators of compromise (IoC) | IP addresses, hashes, patterns identified | STIX/TAXII compatible format |
| Impact assessment | Confidentiality, integrity, availability impact analysis | Structured assessment document |
| Communication log | All communications related to the incident | Timestamped communication record |

5.4 NÚKIB Portal Integration Guidance

For customers reporting to NÚKIB via the designated portal:

  1. Portal access: https://portal.nukib.cz (requires authorized credentials)
  2. Classification guidance: MazeVault provides pre-assessed impact classification to assist customer's own classification
  3. Template alignment: MazeVault's incident reports are structured to align with NÚKIB's reporting template fields
  4. Evidence attachment: All evidence is provided in formats acceptable by NÚKIB's portal
  5. Timeline coordination: MazeVault ensures its reporting timelines allow customers sufficient time to meet their own NÚKIB deadlines

6. Evidence Artifacts for Customer Audits

6.1 Available Compliance Reports

MazeVault provides automated compliance reports via API endpoints:

| Endpoint | Framework | Content |
|---|---|---|
| GET /compliance/iso27001 | ISO/IEC 27001:2022 | Control implementation status, evidence mapping |
| GET /compliance/soc2 | SOC 2 Type II | Trust Services Criteria alignment |
| GET /compliance/pci-dss | PCI DSS 4.0 | Payment card data protection controls |
| GET /compliance/gdpr | GDPR | Data protection compliance status |

6.2 Audit Evidence Catalog

The following evidence artifacts are available upon customer request (subject to 30-day notice for on-site audits):

| Category | Artifact | Description | Availability |
|---|---|---|---|
| Security Testing | Penetration test report | Annual third-party pen-test (executive summary) | Annual (Q4) |
| Security Testing | Vulnerability scan results | Per-build container and dependency scanning | Per-build (continuous) |
| Security Testing | SBOM (CycloneDX) | Software Bill of Materials | Per-release |
| Access Control | Permission matrix | Complete RBAC role-permission mapping | On request |
| Access Control | Access review records | Periodic access review results | Quarterly |
| Cryptography | Key rotation history | Encryption key rotation audit trail | On request |
| Cryptography | HSM audit logs | Hardware Security Module operation logs | On request |
| Audit | Audit log exports | Chain-hashed logs with integrity verification | On request (365d retention) |
| Audit | Chain hash verification | Proof of log integrity (unbroken hash chain) | On request |
| Incidents | Incident history | Historical incident records and resolutions | On request |
| Incidents | Notification logs | Evidence of timely customer notifications | On request |
| Continuity | DR test results | Disaster recovery exercise outcomes | Annual |
| Continuity | Backup verification | Backup integrity and restoration test results | Monthly |
| Compliance | Personnel security documentation | Organizational HR policy and commitment evidence | On request (from MazeVault s.r.o. HR) |
| Compliance | Policy review records | Evidence of annual policy review cycle | Annual |
| Supply Chain | Subprocessor assessments | Security assessments of MazeVault's suppliers | On request |

6.3 Audit Cooperation Procedure

  1. Request: Customer submits audit request with 30 calendar days advance notice
  2. Scoping: MazeVault and customer agree on audit scope, timeline, and methodology
  3. Execution: Audit conducted (remote or on-site) with MazeVault cooperation
  4. Evidence provision: Requested documentation provided within 10 business days
  5. Findings: MazeVault responds to findings with remediation plan within 15 business days
  6. Follow-up: Remediation verification upon request

7. Security Questionnaire Pre-Answers

The following addresses the most common security questionnaire topics encountered during due diligence assessments by regulated banking customers.

7.1 Data Protection and Encryption

| Question | Answer |
|---|---|
| Do you encrypt data at rest? | Yes. All data at rest is encrypted using AES-256-GCM (NIST SP 800-38D, FIPS 197). Encryption is mandatory and cannot be disabled. |
| What encryption algorithm is used? | AES-256-GCM with 96-bit random nonce and 128-bit authentication tag. Key derivation via HKDF-SHA256. |
| Do you support Hardware Security Modules (HSM)? | Yes. Azure Key Vault, AWS CloudHSM, GCP Cloud KMS, and PKCS#11-compliant HSMs. Customer-managed HSM keys supported. |
| Where is data stored? | Customer-managed infrastructure. Options: on-premise (customer data center), Azure EU regions, or hybrid. Customer retains full control over data residency. |
| Is data encrypted in transit? | Yes. TLS 1.2+ enforced on all connections. mTLS for agent-to-platform communication. No unencrypted communication paths exist. |
| Do you support customer-managed encryption keys (CMEK)? | Yes. Customers can provide their own encryption keys via HSM integration. MazeVault never has access to plaintext customer keys when CMEK is configured. |

7.2 Access Control and Authentication

| Question | Answer |
|---|---|
| How do you manage access? | Role-Based Access Control (RBAC) with 8 system roles and 50+ granular permissions. Project-level isolation. Least privilege enforced by default (no permissions until explicitly assigned). |
| Do you support multi-factor authentication (MFA)? | Yes. TOTP-based MFA with configurable enforcement policies. Can be mandated for all users or specific roles. |
| Do you support Single Sign-On (SSO)? | Yes. SAML 2.0 and OpenID Connect (OIDC) federation. Customer identity provider integration. |
| How are service accounts managed? | Dedicated service account type with API key authentication. Scoped permissions. No interactive login capability. Configurable expiration. |
| Do you perform access reviews? | Yes. Quarterly access reviews for all privileged accounts. Automated detection of dormant accounts. Deprovisioning within 24 hours of role change. |
| How is session management handled? | Token-based sessions with configurable expiration. Automatic logout on inactivity. Session revocation capability. Concurrent session limiting. |

7.3 Audit and Logging

| Question | Answer |
|---|---|
| Do you have audit logging? | Yes. Comprehensive chain-hashed audit logging (SHA-256). All security-relevant events captured. Tamper-evident (any modification breaks the hash chain). SIEM-ready JSON format. |
| What is the log retention period? | 365 days minimum. Configurable per customer requirements. Immutable storage for compliance purposes. |
| Can logs be exported? | Yes. JSON export with cryptographic integrity verification. SIEM integration via syslog, webhook, or API. |
| Are logs tamper-proof? | Yes. Chain-hashing (each log entry includes the hash of the previous entry) ensures any tampering is immediately detectable. Integrity can be independently verified by the customer. |
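As an added illustration of the independent verification mentioned above (not MazeVault's own code or its actual export format), the following Go program checks a chain-hashed JSON audit export on the customer side. The record shape, the all-zero genesis anchor and the hash input (JSON of the payload fields plus prev_hash) are assumptions; MazeVault's real field names and canonicalisation may differ. It shows that a silent edit is caught at the edited entry, while an edit whose hash was recomputed is caught at the next entry's prev_hash.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEntry is the assumed shape of one exported record (hypothetical field names).
type AuditEntry struct {
	Seq       int    `json:"seq"`
	Timestamp string `json:"timestamp"`
	Actor     string `json:"actor"`
	Action    string `json:"action"`
	Resource  string `json:"resource"`
	PrevHash  string `json:"prev_hash"`
	Hash      string `json:"hash"`
}

// GenesisHash anchors the first entry's prev_hash (assumed convention).
var GenesisHash = strings.Repeat("0", 64)

// EntryHash recomputes SHA-256 over the payload fields plus prev_hash, serialised
// as JSON with a fixed field order so the hashed bytes are unambiguous.
func EntryHash(e AuditEntry) string {
	input := struct {
		Seq       int    `json:"seq"`
		Timestamp string `json:"timestamp"`
		Actor     string `json:"actor"`
		Action    string `json:"action"`
		Resource  string `json:"resource"`
		PrevHash  string `json:"prev_hash"`
	}{e.Seq, e.Timestamp, e.Actor, e.Action, e.Resource, e.PrevHash}
	b, _ := json.Marshal(input) // marshalling a plain struct cannot fail here
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// VerifyChain walks the export in order and returns the index of the first entry
// whose sequence, linkage or hash does not check out, or -1 if the chain is intact.
func VerifyChain(entries []AuditEntry) (int, error) {
	prev := GenesisHash
	for i, e := range entries {
		if e.Seq != i+1 {
			return i, fmt.Errorf("entry %d: sequence gap (got seq %d, want %d)", i, e.Seq, i+1)
		}
		if e.PrevHash != prev {
			return i, fmt.Errorf("entry %d: prev_hash does not match hash of entry %d", i, i-1)
		}
		if got := EntryHash(e); got != e.Hash {
			return i, fmt.Errorf("entry %d: stored hash %s differs from recomputed %s", i, e.Hash, got)
		}
		prev = e.Hash
	}
	return -1, nil
}

// BuildChain links events into a valid chain, the way an append-only logger would.
func BuildChain(events []AuditEntry) []AuditEntry {
	out := make([]AuditEntry, len(events))
	prev := GenesisHash
	for i, e := range events {
		e.Seq, e.PrevHash = i+1, prev
		e.Hash = EntryHash(e)
		out[i], prev = e, e.Hash
	}
	return out
}

// SampleExport returns a constructed three-entry export (not real MazeVault data).
func SampleExport() []AuditEntry {
	return BuildChain([]AuditEntry{
		{Timestamp: "2026-04-30T08:00:00Z", Actor: "alice", Action: "login", Resource: "session"},
		{Timestamp: "2026-04-30T08:05:12Z", Actor: "alice", Action: "secret.read", Resource: "projects/payments/db-password"},
		{Timestamp: "2026-04-30T08:06:40Z", Actor: "alice", Action: "logout", Resource: "session"},
	})
}

// TamperSilently edits entry i's payload without touching any hash.
func TamperSilently(chain []AuditEntry, i int, newAction string) []AuditEntry {
	c := append([]AuditEntry(nil), chain...)
	c[i].Action = newAction
	return c
}

// TamperAndRehash edits entry i and recomputes its own hash but leaves later
// entries alone, so the break surfaces at entry i+1's prev_hash.
func TamperAndRehash(chain []AuditEntry, i int, newAction string) []AuditEntry {
	c := append([]AuditEntry(nil), chain...)
	c[i].Action = newAction
	c[i].Hash = EntryHash(c[i])
	return c
}

func main() {
	chain := SampleExport()
	for _, c := range [][]AuditEntry{chain, TamperSilently(chain, 1, "secret.list"), TamperAndRehash(chain, 1, "secret.list")} {
		if idx, err := VerifyChain(c); err != nil {
			fmt.Printf("BROKEN at entry %d: %v\n", idx, err)
		} else {
			fmt.Println("chain intact")
		}
	}
}
```

A chain check alone cannot detect removal of the newest entries, since a truncated prefix is still internally consistent; compare the last hash against a value obtained through a separate channel.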

7.4 Vulnerability Management

| Question | Answer |
|---|---|
| How do you handle vulnerabilities? | Continuous automated scanning per build (Trivy, govulncheck, npm audit). Patching SLAs: Critical ≤48h, High ≤7 days, Medium ≤30 days, Low ≤90 days. |
| Do you do penetration testing? | Yes. Annual penetration testing by qualified third-party firm. Last test: Q4 2025 — 0 Critical findings, 0 High findings. Executive summary available to customers. |
| Do you have an SBOM? | Yes. CycloneDX Software Bill of Materials generated per release. Available to customers upon request. |
| How do you manage dependencies? | Automated dependency scanning in CI/CD. Dependabot/Renovate for update monitoring. Vulnerable dependencies blocked from deployment. |
| Do you have a vulnerability disclosure program? | Yes. Responsible disclosure policy. Security contact: info@mazevault.com. 90-day coordinated disclosure timeline. |

7.5 Incident Response

| Question | Answer |
|---|---|
| Do you have an incident response plan? | Yes. Formal Incident Response Plan (MV-LEG-007) with defined severity levels (P1-P4), response times, escalation procedures, and communication protocols. |
| How quickly will you notify us of an incident? | Within 24 hours of confirmed incident affecting customer service or data. Preliminary notification within 4 hours for P1/P2 incidents. |
| Do you test your incident response? | Yes. Annual tabletop exercises. Post-incident reviews for all P1/P2 incidents. IRP updated based on lessons learned. |
| How are incidents classified? | 4-tier severity classification (P1-P4) based on impact to confidentiality, integrity, and availability. CVSS scoring for vulnerability-related incidents. |

7.6 Business Continuity and Disaster Recovery

| Question | Answer |
|---|---|
| Do you have a BCP/DRP? | Yes. Business Continuity Plan and Disaster Recovery Plan (MV-LEG-008). Defined RTO and RPO targets. Annual DR testing with documented results. |
| What is your architecture for resilience? | Multi-datacenter deployment. Gateway failover (active/passive). Database replication. Automated backup and restore. No single point of failure for critical components. |
| How often are backups performed? | Daily full PostgreSQL database backups. Transaction log backups every 15 minutes. Encryption key backups to secondary HSM. Vault configuration backups daily. |
| Are backups tested? | Yes. Monthly backup restoration testing. Results documented and available for audit. |

7.7 Network and Infrastructure Security

| Question | Answer |
|---|---|
| What cloud provider do you use? | Microsoft Azure (primary). Kubernetes (AKS) for orchestration. Customer on-premise deployment option available. |
| Do you have environment segregation? | Yes. Strict separation: Development, Staging, Production. Additionally, NPR (non-production) and PRO (production) gateway environments. No data sharing between environments. |
| How is network access controlled? | Network Security Groups (NSG), firewall rules, private endpoints. No direct internet exposure of backend services. All ingress via load balancer with WAF. |
| Do you use containers? | Yes. Containerized microservices on AKS. Container images scanned per build (Trivy). Minimal base images. No root execution. Read-only file systems where possible. |

7.8 Compliance and Governance

Question | Answer
What compliance frameworks do you follow? | ISO/IEC 27001:2022 (aligned), SOC 2 Type II (aligned), PCI DSS 4.0 (relevant controls), GDPR, NIS2/Act 264/2025, DORA.
Do you have a CISO? | Yes. Designated Chief Information Security Officer with direct reporting to CEO. Responsible for ISMS governance, risk management, and compliance.
How often are policies reviewed? | Annually (minimum). Additionally upon significant regulatory changes, security incidents, or organizational changes.
Do you have security certifications? | ISO/IEC 27001:2022 alignment (formal certification in progress). SOC 2 Type II alignment. Annual third-party security assessment.

7.9 Personnel Security

Question | Answer
Do employees receive security training? | Yes. Security awareness briefing during onboarding. Role-specific security guidance for developers (secure coding, OWASP Top 10). Training is an organizational process of MazeVault s.r.o.
Do you perform background checks? | Yes. Background verification for personnel with access to production systems per internal HR policy of MazeVault s.r.o.
What happens when an employee leaves? | Immediate access revocation upon termination. Return of all company assets. NDA obligations survive termination. Exit interview includes security debrief.

7.10 Supply Chain and Third Parties

Question | Answer
Do you use subprocessors? | Yes. Limited set of subprocessors disclosed in subprocessor list. 30-day advance notification of changes. Customer objection right.
How do you assess your suppliers? | Three-tier classification (Critical, Significant, Standard). Security assessment proportionate to tier. Annual reassessment for Critical/Significant suppliers. Contractual security requirements.
Do you have exit/transition procedures? | Yes. Documented exit strategy per contract. Minimum 6-month notice period. Data return in standard formats. Secure deletion confirmation. Transition support.

8. Transitional Provisions

8.1 Registration Timeline

Under the transitional provisions of Act No. 264/2025 Sb.:

Milestone | Deadline | Description
Act effective | 1 November 2025 | Act enters into force
Entity self-assessment | Within 60 days (by 31 December 2025) | Regulated entities must assess whether they fall under the Act
Registration with NÚKIB | Within 60 days of meeting criteria | Entities register via NÚKIB portal
Registration confirmation | Variable (NÚKIB processing) | NÚKIB confirms registration and assigns obligation regime
Full compliance deadline | 1 year after registration confirmation | Entity must fully comply with all applicable security controls
Supplier obligations | Concurrent with entity's compliance deadline | Entities must have supplier governance in place by compliance deadline

8.2 Implications for MazeVault

  • Banking customers who registered by 31 December 2025 will have received confirmation by Q1-Q2 2026
  • Full compliance (including supplier governance) required by Q1-Q2 2027
  • MazeVault must have all contractual instruments (Security Annex, DPA, SLA) ready for customer compliance timelines
  • Current status: All documentation and compliance evidence artifacts available as of May 2026

8.3 Ongoing Monitoring of Regulatory Developments

MazeVault monitors:

  • NÚKIB publications and guidance documents
  • Implementing decree amendments
  • European Commission delegated acts under NIS2
  • ENISA guidance and best practices
  • Czech National Bank (ČNB) supervisory communications regarding supplier requirements

9. Compliance Maintenance

9.1 Annual Review

This document and all referenced compliance evidence SHALL be reviewed:

  • Annually — comprehensive review of regulatory alignment, control effectiveness, and evidence adequacy
  • Upon regulatory changes — when new implementing decrees, amendments, or NÚKIB guidance are published
  • Upon significant organizational changes — mergers, acquisitions, new product lines, or market entry
  • After significant incidents — when an incident reveals gaps in compliance posture

9.2 Responsibilities

Role | Responsibility
CISO | Overall compliance oversight, document ownership, regulatory monitoring
Legal Counsel | Regulatory interpretation, contractual compliance, penalty risk assessment
Engineering Lead | Technical control implementation, evidence generation, security architecture
Customer Success | Customer communication, audit coordination, questionnaire management
CEO/Board | Approval authority, resource allocation, strategic compliance decisions

9.3 Continuous Improvement

MazeVault maintains a compliance improvement cycle:

  1. Monitor — Track regulatory changes, audit findings, and customer feedback
  2. Assess — Evaluate impact on current compliance posture
  3. Plan — Develop remediation or enhancement plans
  4. Implement — Execute technical and procedural changes
  5. Verify — Confirm effectiveness through testing and audit
  6. Document — Update evidence artifacts and this compliance mapping

Document ID | Title | Relevance
MV-LEG-001 | Information Security Policy | Apex ISMS document, overall security framework
MV-LEG-002 | Risk Management Policy | Risk assessment methodology and governance
MV-LEG-003 | Access Control Policy | Authentication, authorization, RBAC
MV-LEG-004 | Cryptography Policy | Encryption standards, key management
MV-LEG-005 | Data Classification & Retention Policy | Data handling, classification, retention
MV-LEG-007 | Incident Response Plan | Incident detection, response, recovery
MV-LEG-008 | Business Continuity & Disaster Recovery | Operational resilience, DR procedures
MV-LEG-009 | Logging & Monitoring Policy | Audit logging, monitoring, detection
MV-LEG-010 | Vulnerability & Patch Management Policy | Vulnerability handling, patching SLAs
MV-LEG-011 | Third-party Risk Management Policy | Supply chain governance, subprocessors
MV-LEG-021 | DORA Compliance Mapping | Digital Operational Resilience Act alignment

Document Control

Version | Date | Author | Changes
1.0.0 | 2026-05-01 | CISO | Initial release

This document is maintained by the MazeVault Information Security team and is subject to annual review. For questions regarding this document, contact the CISO or the legal compliance team.