Compliance & Conformity
NDEVR is building a transparent compliance program for OWL and our software. This page is the launchpad for each area we address — what it covers, and where we stand today. We state plainly what is finalized and what is still in progress.
Contents
- EU Cyber Resilience Act (CRA)
- Data protection & privacy
- Sub-processors
- Payment card security
- Cryptography
- Secure development & supply chain
- OWASP Top 10
- Product security & vulnerability disclosure
- Accessibility
- Data Processing Agreement
- US state privacy rights
- Build provenance (SLSA)
- NIST Cybersecurity Framework
- Cloud security (CSA STAR)
- EU AI Act
- NIST AI RMF
- Certifications roadmap
1. EU Cyber Resilience Act (CRA)
The EU Cyber Resilience Act page covers OWL's status under Regulation (EU) 2024/2847: product classification (Default → self-assessment, Module A), the conformity route, our security support period, and a draft preview of the EU Declaration of Conformity.
Status: in progress — OWL is not yet placed on the EU market; the Declaration of Conformity is a draft pending sign-off and the appointment of an EU authorized representative. The CRA applies in phases (vulnerability reporting from 11 September 2026; full application from 11 December 2027).
2. Data protection & privacy
Our privacy policy describes what data OWL processes and what it cannot see (file and message contents are end-to-end encrypted and zero-knowledge), the legal bases, retention, sub-processors, and your rights — addressing GDPR and CCPA. The OWL web client uses no advertising or analytics trackers and makes no third-party network calls by default.
Status: live.
3. Sub-processors
The sub-processor list names the third-party providers we rely on to deliver OWL (hosting, payments, optional AI, user-initiated cloud import), what each does, and what data it receives. Because OWL is end-to-end encrypted, sub-processors never receive readable file or message content.
Status: live.
4. Payment card security
Full card numbers never touch our servers — card entry happens on our processors' PCI DSS Level 1 certified hosted pages, keeping OWL in the simplest PCI scope (SAQ A). See payment card security.
Status: live.
5. Cryptography
The cryptography page documents OWL's primitives — AES-256 content encryption, authenticated AES-256-GCM key wrapping, P-256 ECIES, SHA-256/HMAC, bcrypt, and pinned TLS — honestly, including our posture of using FIPS-approved algorithms in implementations that are not FIPS-validated.
Status: live.
6. Secure development & supply chain
Our secure development page covers how we build and ship OWL: a CycloneDX SBOM, Ed25519-signed updates with SHA-256 download-integrity verification, and coordinated vulnerability disclosure — aligned with the NIST SSDF (SP 800-218).
Status: live.
7. OWASP Top 10
Our OWASP Top 10 self-assessment maps each 2021 category to OWL's controls — access control, cryptographic protection, parameterized data access, authentication hardening, software integrity, and logging.
Status: live (self-assessment; independent audit not yet performed).
8. Product security & vulnerability disclosure
Adjacent to formal compliance, two pages document how OWL is secured and how issues are handled: the OWL product security information page (security properties, secure-use guidance, support period) and our coordinated vulnerability disclosure policy.
Status: live (with CRA-driven items on the product-security page marked in progress).
9. Accessibility
Our accessibility statement describes our commitment to WCAG 2.2 AA, our current status and known limitations, and how to report an accessibility barrier — aligned with the European Accessibility Act (applicable from 28 June 2025), EN 301 549, and US Section 508.
Status: in progress.
10. Data Processing Agreement
Our Data Processing Agreement template sets out the GDPR Article 28 terms under which NDEVR processes personal data on behalf of business customers — roles, security measures, sub-processors, data-subject assistance, deletion on termination, and how EU↔US data transfers are handled. Because OWL is end-to-end encrypted, we process only ciphertext and metadata for customer content.
Status: live (template; counsel review pending). The binding DPA is the one executed with a customer; SCC/DPF transfer mechanisms are in progress.
11. US state privacy rights
Our US state privacy rights page explains the rights of US residents under California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Texas and other comprehensive state privacy laws, and how to exercise them. We do not sell or share personal information for targeted advertising and run no trackers, so most "opt-out" rights have nothing to opt out of — but we honour them.
Status: live.
12. Build provenance (SLSA)
Our SLSA self-attestation describes OWL's build-integrity posture against the Supply-chain Levels for Software Artifacts framework — Ed25519-signed updates with SHA-256 download verification and a CycloneDX SBOM today, with automatically generated build provenance as the next step.
Status: self-attested. Signed releases are in place; full SLSA build provenance is a work in progress, and we state the level honestly.
13. NIST Cybersecurity Framework
Our NIST CSF 2.0 self-alignment maps OWL's security program to the framework's six functions — Govern, Identify, Protect, Detect, Respond, and Recover — with maturing areas marked in progress. The CSF has no certification; this is an alignment statement.
Status: self-aligned.
14. Cloud security (CSA STAR)
Our CSA STAR Level 1 self-assessment answers the Cloud Security Alliance's Consensus Assessments Initiative Questionnaire (CAIQ) across the main cloud-security control domains — application security, cryptography & key management, identity & access, supply chain, logging, and privacy — with each row marked honestly as a finished control or a practice in progress.
Status: live (self-assessment). Level 1 is a vendor self-attestation, not a STAR certification or third-party audit; a STAR Level 2 (audited) entry is on the roadmap.
15. EU AI Act
Our EU AI Act position is a good-faith assessment of how Regulation (EU) 2024/1689 applies to OWL's optional AI features (the QUAIL assistant and AI-assisted modeling): we assess them as limited-risk, triggering mainly transparency obligations — not the high-risk regime — and we act as a deployer/integrator, not a foundation-model provider.
Status: in progress (assessment). It is an assessment published for transparency, not legal advice or a declaration of conformity; the Act's obligations phase in through 2027.
16. NIST AI RMF
Our NIST AI RMF self-alignment maps OWL's AI features to the framework's four functions — Govern, Map, Measure, Manage — anchored on our opt-in, no-identity, no-training stance. The AI RMF is voluntary and has no certification; this is an alignment statement.
Status: self-aligned.
17. Certifications roadmap
We publish self-assessments today and pursue independent, audited certifications over time. The certifications roadmap tracks the audited certifications we are working toward — SOC 2 Type II, ISO/IEC 27001, Cyber Essentials, and CSA STAR Level 2 — each marked planned / not yet certified, so you can see our direction without us claiming anything we haven't earned. If you have a specific compliance requirement for evaluating OWL, contact security@ndevr.org.
Status: planned / not yet certified.