Compliance & Conformity

NDEVR is building a transparent compliance program for OWL and our software. This page is the launchpad for each area we address — what it covers, and where we stand today. We state plainly what is finalized and what is still in progress.

Compliance questions: security@ndevr.org

Honest by default. We publish our conformity status as it actually is — including the parts still in progress — rather than waiting for everything to be perfect. Each area below links to its own page with the detail.

1. EU Cyber Resilience Act (CRA)

The EU Cyber Resilience Act page covers OWL's status under Regulation (EU) 2024/2847: product classification (Default → self-assessment, Module A), the conformity route, our security support period, and a draft preview of the EU Declaration of Conformity.

Status: in progress — OWL is not yet placed on the EU market; the Declaration of Conformity is a draft pending sign-off and the appointment of an EU authorized representative. The CRA applies in phases (vulnerability reporting from 11 September 2026; full application from 11 December 2027).

2. Data protection & privacy

Our privacy policy describes what data OWL processes and what it cannot see (file and message contents are end-to-end encrypted and zero-knowledge), the legal bases, retention, sub-processors, and your rights — addressing GDPR and CCPA. The OWL web client uses no advertising or analytics trackers and makes no third-party network calls by default.

Status: live.

3. Sub-processors

The sub-processor list names the third-party providers we rely on to deliver OWL (hosting, payments, optional AI, user-initiated cloud import), what each does, and what data it receives. Because OWL is end-to-end encrypted, sub-processors never receive readable file or message content.

Status: live.

4. Payment card security

Full card numbers never touch our servers — card entry happens on our processors' PCI DSS Level 1 certified hosted pages, keeping OWL in the simplest PCI scope (SAQ A). See payment card security.

Status: live.

5. Cryptography

The cryptography page documents OWL's primitives — AES-256 content encryption, authenticated AES-256-GCM key wrapping, P-256 ECIES, SHA-256/HMAC, bcrypt, and pinned TLS — and states our posture plainly: we use FIPS-approved algorithms, but the implementation is not FIPS-validated.

Status: live.

6. Secure development & supply chain

Our secure development page covers how we build and ship OWL: a CycloneDX SBOM, Ed25519-signed updates with SHA-256 download-integrity verification, and coordinated vulnerability disclosure — aligned with the NIST SSDF (SP 800-218).

Status: live.

7. OWASP Top 10

Our OWASP Top 10 self-assessment maps each 2021 category to OWL's controls — access control, cryptographic protection, parameterized data access, authentication hardening, software integrity, and logging.

Status: live (self-assessment; independent audit not yet performed).

8. Product security & vulnerability disclosure

Adjacent to formal compliance, two pages document how OWL is secured and how issues are handled: the OWL product security information page (security properties, secure-use guidance, support period) and our coordinated vulnerability disclosure policy.

Status: live (with CRA-driven items on the product-security page marked in progress).

9. Accessibility

Our accessibility statement describes our commitment to WCAG 2.2 AA, our current status and known limitations, and how to report an accessibility barrier — aligned with the European Accessibility Act (applicable from 28 June 2025), EN 301 549, and US Section 508.

Status: in progress.

10. Data Processing Agreement

Our Data Processing Agreement template sets out the GDPR Article 28 terms under which NDEVR processes personal data on behalf of business customers — roles, security measures, sub-processors, data-subject assistance, deletion on termination, and how EU↔US data transfers are handled. Because OWL is end-to-end encrypted, we process only ciphertext and metadata for customer content.

Status: live (template; counsel review pending). The binding DPA is the one executed with a customer; SCC/DPF transfer mechanisms are in progress.

11. US state privacy rights

Our US state privacy rights page explains the rights of US residents under California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Texas and other comprehensive state privacy laws, and how to exercise them. We do not sell or share personal information for targeted advertising and run no trackers, so most "opt-out" rights have nothing to opt out of — but we honour them.

Status: live.

12. Build provenance (SLSA)

Our SLSA self-attestation describes OWL's build-integrity posture against the Supply-chain Levels for Software Artifacts framework — Ed25519-signed updates with SHA-256 download verification and a CycloneDX SBOM today, with automatically generated build provenance as the next step.

Status: self-attested. Signed releases are in place; full SLSA build provenance is a work in progress, and we state the level honestly.

13. NIST Cybersecurity Framework

Our NIST CSF 2.0 self-alignment maps OWL's security program to the framework's six functions — Govern, Identify, Protect, Detect, Respond, and Recover — with maturing areas marked in progress. The CSF has no certification; this is an alignment statement.

Status: self-aligned.

14. Cloud security (CSA STAR)

Our CSA STAR Level 1 self-assessment answers the Cloud Security Alliance's Consensus Assessments Initiative Questionnaire (CAIQ) across the main cloud-security control domains — application security, cryptography & key management, identity & access, supply chain, logging, and privacy — with each row marked honestly as a finished control or a practice in progress.

Status: live (self-assessment). Level 1 is a vendor self-attestation, not a STAR certification or third-party audit; a STAR Level 2 (audited) entry is on the roadmap.

15. EU AI Act

Our EU AI Act position is a good-faith assessment of how Regulation (EU) 2024/1689 applies to OWL's optional AI features (the QUAIL assistant and AI-assisted modeling): we assess them as limited-risk, triggering mainly transparency obligations — not the high-risk regime — and we act as a deployer/integrator, not a foundation-model provider.

Status: in progress (assessment). This is a transparency assessment, not legal advice or a declaration of conformity; the Act's obligations phase in through 2027.

16. NIST AI RMF

Our NIST AI RMF self-alignment maps OWL's AI features to the framework's four functions — Govern, Map, Measure, Manage — anchored on our opt-in, no-identity, no-training stance. The AI RMF is voluntary and has no certification; this is an alignment statement.

Status: self-aligned.

17. Certifications roadmap

We publish self-assessments today and pursue independent, audited certifications over time. The certifications roadmap tracks the audited certifications we are working toward — SOC 2 Type II, ISO/IEC 27001, Cyber Essentials, and CSA STAR Level 2 — each marked planned / not yet certified, so you can see our direction without us claiming anything we haven't earned. If you have a specific compliance requirement for evaluating OWL, contact security@ndevr.org.

Status: planned / not yet certified.