Opsio - Cloud and AI Solutions
Trust & Compliance

Enterprise compliance expertise and operations

Opsio operates cloud infrastructure for regulated industries across Europe and Asia. This page documents how we handle your data, the frameworks our team delivers against, and where to get the contract documents procurement needs.

India ISMS: ISO 27001:2022
Data processor role: GDPR Art. 28
Uptime SLA: 99.9%
Primary data residency: EU/EEA

Compliance expertise

Opsio's core service is helping regulated enterprises achieve and maintain their compliance posture. Below, each framework shows what Opsio carries itself and what we deliver for customers. Supporting documentation is available for procurement review under NDA.

  • ISO 27001:2022

    Opsio: India scope · Customer programs

    Opsio: ISO 27001 certified at our Bangalore delivery center (scope covers operations staff and development activities there). For customers: we lead full ISO 27001 implementation programs — gap analysis, ISMS design, policy authorship, internal audit, and Stage 1/Stage 2 audit support. Multiple customers have achieved certification via this approach.

  • SOC 2 Type II

    Customer readiness programs

    Opsio: not currently SOC 2 attested as a firm. For customers: we run SOC 2 readiness programs — control mapping, evidence automation, monitoring setup, and auditor liaison through the observation window. Our architects are familiar with the Security, Availability, Confidentiality, and Processing Integrity trust service criteria.

  • GDPR (EU 2016/679)

    Article 28 processor

    Opsio: data processor under GDPR Article 28 for customer personal data we handle during managed operations. Standard Contractual Clauses on file for any transfer to our India team. For customers: DPIA support, controller-processor agreement drafting, and technical implementation of data subject rights tooling.

  • NIS2 Directive

    Customer compliance programs

    Opsio: operational practices aligned with NIS2 expectations for essential and important entities. For customers: full NIS2 compliance programs — applicability assessment, risk analysis, Article 21 controls mapping, incident reporting integration with MSB, and third-party risk management.

  • HIPAA (US customers)

    BAA available · Customer architectures

    Opsio: Business Associate Agreement available for US healthcare customers. For customers: HIPAA-ready architecture on AWS, Azure, or GCP with audit controls, encryption, and BAA chain management. Delivered to several mid-size US healthcare workloads.

  • DORA (EU 2022/2554)

    Customer compliance programs

    For customers in financial services: DORA ICT risk management program, third-party risk register, incident classification, testing program (TLPT), and board reporting templates. Opsio architects have delivered this for banks and insurers in Sweden and the Nordics.

  • DPDPA (India)

    India operations · Customer programs

    Opsio: operations at the Bangalore delivery center align with India's Digital Personal Data Protection Act. For customers: DPDPA readiness assessments, consent architecture, retention controls, and CERT-In incident reporting pipelines.

Data Processing Agreement

Opsio acts as a data processor under GDPR Article 28 for customer personal data we process on your behalf during managed operations, migration, and consulting engagements.

  • Standard DPA template provided at contract signing or on request beforehand for procurement review.
  • Supports EU Standard Contractual Clauses (2021/914) for any transfer to non-adequate jurisdictions, including our Bangalore delivery center.
  • Customer retains controller status and decision rights over data classification, retention, and deletion.
  • Subprocessor changes communicated with at least 30 days' notice via the contact channel you nominate.
  • Breach notification within 72 hours of confirmed personal data incident per Article 33.

We will typically return a signed DPA template within 2 business days. For pre-contract review we can sign a mutual NDA first; request it via the compliance contact address at the end of this page.

Subprocessors

Opsio engages the following subprocessors to deliver services. The current authoritative list is maintained internally and provided as an annex to the DPA on request. Hyperscaler region selection is configurable per customer contract.

Subprocessor | Purpose | Processing region
Amazon Web Services (AWS) | Hosting, compute, storage, and managed services where the customer has elected AWS | Customer-selected AWS region (eu-north-1, eu-west-1, us-east-1, ap-south-1, etc.)
Microsoft Azure | Hosting and managed services where the customer has elected Azure | Customer-selected Azure region
Google Cloud Platform | Hosting and managed services where the customer has elected GCP | Customer-selected GCP region
Google Workspace | Internal business communication and shared document handling | EU
Microsoft 365 (Teams) | Internal and customer-facing meetings, chat, and collaboration during engagements | EU
GitHub / GitLab | Source code hosting for customer engagement artefacts (Infrastructure-as-Code, scripts) | Customer-selected per engagement
Odoo | Internal ERP, CRM, project tracking, and billing | EU
Opsio India | Delivery-center operations for customers who have explicitly contracted follow-the-sun support; personnel access governed by SCCs | India (Bangalore)

Customers may object to new subprocessors within the 30-day notice window. Engagement-specific subprocessors (monitoring agents, SIEM platforms, etc.) are disclosed in the Statement of Work.

Service Level Agreement

SLA commitments are documented in the Master Service Agreement for each engagement. The following summary represents our standard terms; customised SLAs for 99.95% or 99.99% tiers are available for mission-critical workloads.

  • Infrastructure uptime: 99.9%

    Measured monthly. Service credits apply to breaches.

  • Severity 1 response: 15 minutes

    24/7. Production impact, business-critical.

  • Severity 2 response: 1 hour

    24/7. Degraded performance, workaround possible.

  • Severity 3 response: 4 business hours

    Sweden or India business hours.

  • Monitoring coverage: 24/7/365

    Follow-the-sun across Karlstad and Bangalore.

  • Patch management: monthly baseline

    Out-of-cycle emergency patches within 48 hours of CVE publication for critical severity.

Data residency

Customer production data is processed in the cloud region you select. For European customers we default to EU/EEA regions (AWS eu-north-1 Stockholm, Azure Sweden Central, GCP europe-north1 Finland) unless contractually agreed otherwise.

Opsio personnel access customer environments via named accounts with MFA and just-in-time elevation. Support operations are conducted from Sweden (primary) and India (delivery center). Personnel access outside the EEA uses Standard Contractual Clauses where applicable.

Backups and logs inherit the customer's selected region by default. Cross-region replication for disaster recovery is customer-configurable.

Security practices

How we protect customer environments end-to-end.

  • Penetration testing

    Annual third-party penetration test against Opsio production systems. Engagement-specific penetration testing available as a managed service through our OSCP-certified team.

  • Vulnerability management

    Continuous CVE monitoring with a severity-based patching SLA. Critical CVEs are patched within 48 hours of responsible disclosure.

  • Identity & access management

    SSO-enforced named accounts with mandatory MFA. Customer-environment access is time-bound and logged centrally. Shared credentials are prohibited.

  • Encryption

    Data in transit: TLS 1.2+ enforced. Data at rest: hyperscaler-native encryption (AWS KMS, Azure Key Vault, GCP KMS) with customer-managed keys available on request.

  • Logging & monitoring

    All privileged access is logged, tamper-evident, and retained per customer contractual requirements. SIEM integration available for customers using Opsio MDR services.

  • Incident response

    24/7 security incident response with documented playbooks. Personal data breach notification within 72 hours of confirmation, per GDPR Article 33.

Responsible disclosure

Security researchers who identify a vulnerability in Opsio-operated systems are encouraged to report it via encrypted email. We commit to acknowledging receipt within one business day and providing a remediation timeline within five business days. We do not pursue legal action against good-faith research that follows these guidelines.

Report to: security@opsio.se

Procurement & compliance contact

For DPA requests, security questionnaires, SLA negotiations, or anything else procurement needs to close a deal:

compliance@opsio.se