Compliance

Certifications & audits

Every audit, certification, and attestation Claresia is held to — with the honest current status. We do not list certifications we don't hold.

Status summary: 2 active today, 1 in progress, 6 planned.

Audits

Third-party attestations of Claresia security controls and operating effectiveness.

SOC 2 Type 1

In Progress

AICPA Trust Services Criteria

Point-in-time attestation that Claresia controls (Security, Availability, Confidentiality) are designed appropriately.

Scope
Claresia Cloud control plane (Identity, Command Center, Hub, Distribution Plane, Telemetry).
Last evaluated
Not yet evaluated
Next milestone
Q1 2026 — audit window opens with Vanta + 3PA
Auditor
Schellman & Co. (planned)

Audit window opens Q1 2026. Claresia is engaged with Vanta for continuous evidence collection and Schellman as the third-party assessor. The Type 1 letter will be available under NDA from Q1 close.

Evidence available once audit completes

SOC 2 Type 2

Planned

AICPA Trust Services Criteria

Operating effectiveness of controls across a 12-month observation window.

Scope
All Claresia Cloud production workloads, all six logical layers.
Last evaluated
Not yet evaluated
Next milestone
Q4 2026 — report delivery (12-month observation starting Q1 2026)
Auditor
Schellman & Co. (planned)

The Type 1 audit window opens Q1 2026 and converts into a Type 2 observation period through Q4 2026. The Type 2 letter will be available under NDA from Q1 2027.

Evidence available once work begins

Annual External Penetration Test

Planned

Independent third-party security firm

Annual black-box + grey-box external penetration test of Claresia Cloud production endpoints, admin console, and provisioning portal.

Scope
All public Claresia Cloud surfaces + Onboarding Portal + Hub APIs + Distribution Plane.
Last evaluated
Not yet evaluated
Next milestone
Q2 2026 — first engagement signed Q1, results Q2
Auditor
Trail of Bits or Bishop Fox (RFP open)

First annual engagement scheduled Q2 2026. Executive summary will be available publicly; full report available under NDA. Cadence will be annual at minimum, with additional targeted engagements when material architectural changes ship.

Evidence available once work begins

ISO standards

International Organization for Standardization certifications. Sequenced behind SOC 2 because the evidence base is reusable.

ISO/IEC 27001

Planned

International Organization for Standardization

Information Security Management System (ISMS) certification.

Scope
Claresia Cloud production environment, employee access controls, vendor management.
Last evaluated
Not yet evaluated
Next milestone
Q2 2027 — Stage 1 audit (ISMS scoped Q3 2026)
Auditor
TBD (RFP Q3 2026)

ISO 27001 work begins after SOC 2 Type 1 close. Claresia chose to sequence rather than parallel-run because most Annex A controls are reusable from the SOC 2 evidence base, cutting ISO 27001 work by ~40%.

Evidence available once work begins

AI governance

Standards specific to AI vendors — the differentiator that lifts Claresia above generic SaaS in regulated-industry RFPs.

ISO/IEC 42001 — AI Management System

Planned

International Organization for Standardization

First international standard for AI Management Systems (AIMS), covering responsible AI development, deployment, and lifecycle controls.

Scope
Claresia Skill IR pipeline, Distribution Plane publishing, alignment-model checks, agent governance framework.
Last evaluated
Not yet evaluated
Next milestone
Q3 2027 (after ISO 27001 baseline)
Auditor
TBD

ISO 42001 is the differentiator that lifts Claresia above generic SaaS — AI vendors that can attest to a managed AI system will win regulated-industry RFPs in 2027+.

Evidence available once work begins

Privacy

Active privacy and data-protection commitments enforceable today.

GDPR

Active

EU Regulation 2016/679

EU General Data Protection Regulation compliance posture, controller / processor obligations, Schrems II safeguards.

Scope
All EU resident personal data processed by Claresia Cloud, sub-processor flow-down, SCC + UK IDTA in place.
Last evaluated
2026-04-15
Next milestone
Quarterly review (next: 2026-07-15)

Claresia Cloud is GDPR-compliant by design: EU residency available (eu-central-1), DPA published, Standard Contractual Clauses + UK International Data Transfer Addendum executed with all sub-processors that egress data outside the EU.

Data Processing Agreement (DPA)

Active

Claresia Legal

Pre-signed customer-facing DPA template with sub-processor flow-down, SCC module 2 + module 3 selectable, security annex aligned to ISO 27001 controls.

Scope
Every Claresia customer regardless of region or deployment mode.
Last evaluated
2026-03-20
Next milestone
Annual review (next: 2027-03-20)

DPA v1.2 published 2026-03-20. Compatible with EU-US Data Privacy Framework, Schrems II, and UK IDTA. Customers can countersign as-is or request bilateral redlines; standard turnaround is 5 business days.

Industry-specific

Industry-mandated certifications that activate on first qualifying customer commitment.

NIS2 Vendor Due-Diligence Readiness Pack

Planned

EU Directive 2022/2555 (transposed into Italian law by Legislative Decree 138/2024)

Vendor due-diligence response pack for customers classified as "essential" or "important" entities under NIS2. Covers supply-chain security evidence, incident reporting cooperation, and contractual flow-down of NIS2 controls.

Scope
Italian and EU customers classified as essential/important entities (Dainese-class manufacturers ≥250 FTE in medium-impact sectors).
Last evaluated
Not yet evaluated
Next milestone
Q2 2026

NIS2 readiness pack will include: incident-reporting cooperation MoU template, supply-chain risk-assessment evidence, contractual annex with NIS2 control flow-down, mapping of Claresia controls to NIS2 Article 21 requirements. Built jointly with Italian outside counsel.

Evidence available once work begins

EU AI Act Compliance Program

Planned

EU Regulation 2024/1689

Article 50 transparency obligations + Article 53 GPAI provider obligations + Article 11 + Annex IV technical documentation. Phased application 2025-2027.

Scope
All Claresia outputs in EU jurisdictions. Mandatory.
Last evaluated
Not yet evaluated
Next milestone
Q3 2026 (full conformance program operational)

Claresia is a downstream deployer of GPAI models (Claude / GPT / Gemini) and a provider of "high-impact AI systems" under Article 6 + Annex III when used for employment decisions. Compliance program covers: Article 50 transparency stamps on AI outputs, Article 53 GPAI obligations flow-down, Article 11 + Annex IV technical documentation maintained per skill, Garante (Italian DPA) alignment notes.

Evidence available once work begins

Request evidence under NDA

The SOC 2 letter, ISO certificate, pen test executive summary, and other audit artifacts are made available under a mutual NDA. We countersign the standard one-page Claresia NDA the same day, or we can accept your company's template within two business days.

  • Request received → NDA exchange → document delivered, typically within 24 business hours.
  • Documents delivered as PDF over email. No portal access required.
  • Re-requests for already-NDA'd documents skip the NDA step.

SOC 2 Type 1 letter (planned Q1 2026)

The Type 1 letter will be available the moment Schellman delivers it. Submit your request now and we'll deliver as soon as it's signed.