As Cirrus we aim to enable our customers to create better assessments by providing an online platform to support the complete process of high-stakes testing. With high stakes involved, it is even more critical that the different agreements and responsibilities are clearly defined in writing.
On this page Cirrus brings together references to its different compliance-related documents.

Agreements Overview
Based on customer and internal feedback, in Q4 2022 Cirrus decided to request a full review by lawyers specialised in data (Privacy, GDPR) and technology, which culminated in a complete overhaul of our contract structure.
Key Changes
- Cirrus Assessment registered as an additional company name for "Cirrus Nederland B.V." (same CCI registration)
- New Services Agreement to be signed with customers that replaces the previous "Terms and Conditions".
- DPA is now an Annex to the Services Agreement and is fully revised; among other things, some data provisions from the old "Terms and Conditions" have been moved there.
- SLA is now an Annex to the Services Agreement and is fully revised; among other things, some service level provisions from the old "Terms and Conditions" have been moved there.
- Consistent naming and definitions between Order Form, DPA, SLA and (newly introduced) Services Agreement.
Services Agreement
The "Services Agreement", in full "SERVICES AGREEMENT CIRRUS ASSESSMENT PLATFORM" or in short "the Agreement", refers to its Annex 1 - Order Form for the specifics of the agreed Cirrus Services, including usage of the Cirrus Platform, and details the terms and conditions of said services. Both the Services Agreement and its Annex 1 - Order Form shall be signed.
The Services Agreement has two further Annexes: Annex 2, our DPA, and Annex 3, our SLA.
Even though customers will sign their copy, we publish our current Services Agreement template so it is available for download(1) in our Customer Portal.
(1) Customer Portal Login required.
Order Form
When a customer signs up for usage of the Cirrus Platform and other Cirrus services, they sign both a Services Agreement and its Annex 1 - Order Form.
The Order Form contains the customer-specific details, such as customer information and contacts, the agreed desired usage and, among other things, where the customer data shall be hosted for data privacy. Often an Order Form also contains other parts pertaining to Cirrus-related services, such as training.
Terms and Conditions (superseded)
Before we revised our contract structure, which introduced the Services Agreement above, the Terms and Conditions were a separate document.
Data Processing Addendum (DPA)
Cirrus adheres to the EU's GDPR, "the world's toughest privacy and security law in the world" [gdpr.eu]. The GDPR has been used as a blueprint for privacy regulations by many countries across the globe.
Our Annex 2 - Data Processing Addendum(1), or DPA for short, is an annex to our Services Agreement and is available for download(1) in our Customer Portal.
Updates to our DPA will be announced via our Release Notes.
Our DPA refers to the List of Sub-Processors.
If you have questions about our DPA, please contact us via Ask a Contract Question(1).
(1) Customer Portal Login required.
Service Level Agreement (SLA)
The parameters of all services covered by your Services Agreement are outlined in its Annex 3, our Service Level Agreement. Our Annex 3 - Service Level Agreement(1), or SLA for short, is available for download(1) in our Customer Portal.
Updates to our SLA will be announced via our Release Notes.
The SLA refers to the System Requirements.
If you have questions about our SLA, please contact us via Ask a Contract Question(1).
(1) Customer Portal Login required.
Other Compliance information
Information Security ISO/IEC-27001:2022

Since September 2022, the development, maintenance and servicing by Cirrus have been ISO/IEC-27001 certified (and not only Cirrus' hosting)! The certification was at first against ISO-27001:2013 and, since 2025, against 27001:2022. See: ISO/IEC-27001 Certificate / ISO/IEC-27001 Statement of Applicability.
ISO/IEC 27001 is an international standard on how to manage information security. It details requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). Information security encompasses not only Confidentiality but also Integrity and Availability.
Among other things, the ISO/IEC 27001:2022 standard prescribes a list of information security measures, or controls. There are 93 Annex A Controls, divided into 4 categories, which are also listed in Cirrus' ISO-27001:2022 Statement of Applicability.
Accessibility Statement
The Accessibility Statement for Cirrus Assessment from Cirrus Nederland B.V. details the measures Cirrus Nederland B.V. takes to ensure accessibility of Cirrus Assessment.
SOC / ISAE 3402
According to many cyber security experts, the ISO-27001 standard is more thorough and rigorous than SOC (Security operations center). Therefore, Cirrus currently sees too little benefit in investing in authoring a SOC (ISAE 3402) report and becoming SOC certified.
We kindly request that you refer them to the public Cirrus ISO/IEC-27001 Certificate and Cirrus ISO/IEC-27001 Statement of Applicability, as explained above.