Compliance
  • 12 Jun 2023
  • 4 Minutes to read
  • Contributors
  • Dark
    Light
  • PDF

Compliance

  • Dark
    Light
  • PDF

Article summary

Compliance at Cirrus

As Cirrus we aim to enable our customers to create better assessments by providing a online platform to support the complete process of high-stakes testing. With high-stakes involved, it is even more critical that the different agreements and responsibilities, are clearly defined in writing.

On this page Cirrus brings together references to its different compliance related documents.

Agreements Overview

Major revision - May 26th 2023

Based on customer and internal feedback, Cirrus has decided to request a full review by laywers specialised in data and technology resulting in a full overhaul of our contract structure.

Key Changes

  • Cirrus Assessment as additional company name for "Cirrus Nederland B.V." (same CCI)
  • New Services Agreement to be signed with customers replaces Terms and Conditions
  • DPA is now an Annex to the Services Agreement and is fully revised, a.o. some data provisions in Terms and Conditions have been moved there.
  • SLA is now an Annex to the Services Agreement and is fully revised, a.o. some service level provisions in Terms and Conditions have been moved there.
  • Consistent naming and definitions between Order Form, DPA, SLA and (new) Services Agreement.

Services Agreement

The "Services Agreement", in full "SERVICES AGREEMENT CIRRUS ASSESSMENT PLATFORM" or short "the Agreement", refers to its Annex 1 - Order Form about the specifics of agreed Cirrus Services, including usage of the Cirrus Platform, and details the terms and conditions of said services. Both the Services Agreement and its Annex 1 - Order Form shall be signed.

The Services Agreement has two further Annexes: Annex 2 our DPA and Annex 3 our SLA.

Even though customers will sign a copy we publish our current Services Agreement template so it is available for download(1) in our Customer Portal.

(1) Customer Portal Login required.

Order Form

When a customer signs up for usage of the Cirrus Platform and other Cirrus services, they sign both a Services Agreement and its Annex 1 - Order Form.

The Order Form contains the customer specific details, like customer information and contacts, agreed desired usage, and o.a. where the customer data shall be hosted for data privacy. Often an Order Form also contains other parts pertaining to Cirrus related services like e.g. training.

Terms and Conditions (superseded)

Before we revised our contract structure, that introduced the Services Agreement above, the Terms and Conditions were in a separate document.

Data Processing Addendum (DPA)

Cirrus adheres to the EU's GDPR; "the world's toughest privacy and security law in the world" [gdpr.eu]. The GDPR has been used as a blueprint for privacy regulations by many countries across the globe.

Our Annex 2 - Data Processing Addendum(1), or short DPA is an annex to our Services Agreement and available for download(1) in our Customer Portal.

Updates to our DPA will be announced via our Release Notes.

Our DPA refers to the List of Sub-Processors.

If you have questions about our DPA, please contact us to Ask a Contract Question ⧉(1).

(1) Customer Portal Login required.

Service Level Agreement (SLA)

The parameters of all services covered by your Services Agreement are outlined in its Annex 3, our Service Level Agreement. Our Annex 3 - Service Level Agreement (1) or short SLA is available for download(1) in our Customer Portal.

Updates to our SLA will be announced via our Release Notes.

The SLA refers to the System Requirements.

If you have questions about our SLA, please contact us to Ask a Contract Question ⧉(1).

(1) Customer Portal Login required.

Other Compliance information

Information Security ISO/IEC-27001:2013

ISO27001 Certified - Duijnborgh Certification

Cirrus is ISO-27001 certified!

Since September 2022 the development, maintaining and servicing by Cirrus are services ISO/IEC-27001 certified! (And not only Cirrus' hosting) ISO/IEC-27001 Certificate,
/ ISO/IEC-27001 Statement of Applicability.

ISO/IEC 27001 ⧉ is an international standard on how to manage information security. It details requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). Information Security not only encompasses Confidentiality but also Integrity and Availability.
Among other the ISO/IEC 27001 standard prescribes a list of Information Security measures or controls. There are 114 Annex A Controls, divided into 14 categories, also listed in Cirrus' ISO-27001:2013 Statement of Applicability.

Accessibility Statement

The Accessibility Statement for Cirrus Assessment from Cirrus Nederland B.V. details the measures Cirrus Nederland B.V. takes to ensure accessibility of Cirrus Assessment.

SOC / ISAE 3402

According to many the ISO-27001 standard is more thorough than SOC (Security operations center). As such Cirrus sees currently too little benefit to invest in authoring a SOC (ISAE 3402) report or becoming SOC certified.

If your security/privacy experts is looking for SOC / ISAE 3402 reports

we kindly request you to refer them to our public Cirrus' ISO/IEC-27001 Certificate and Cirrus' ISO/IEC-27001 Statement of Applicability as explained [above](#Information Security ISO/IEC-27001:2013)

Useful Information