Security
You record your processes, your risks and your controls with us. So you are entitled to know how we handle security ourselves. Most vendors show a logo. We show our homework — including what is still open.
Assessed against OWASP ASVS 5.0 Level 2
ASVS is the application security standard from OWASP. Level 2 is the level intended for applications that process sensitive data. We have gone through all 253 requirements of Level 1 and 2 one by one and recorded, for each requirement, where it stands — and why.
This is a self-assessment, not a certification
No external auditor has reviewed it. That is why we do not call ourselves ASVS-compliant, ASVS-certified or ASVS-ready: that would suggest someone else had assessed it. What you see here is our own assessment, justified line by line, with the open points simply left in.
Where we stand
222 of the 253 are settled or not applicable, with justification. The remaining 31 are listed by name in our register — including the reason.
These figures are derived from the register and checked at every release. So they cannot quietly go stale while the register changes.
What that means in practice
A standard is abstract. This is what it amounts to in practice:
Separation between organisations
All process, risk and master data queries pass through a tenant boundary that enforces the organisation and fails closed if that context is missing — a forgotten boundary produces an error, never someone else's data in silence. A user from one organisation cannot retrieve another organisation's data — not even with a guessed id.
Roles and permissions on the server
Who may do what is decided on the server, not in the browser. A reader cannot change any of the content — not even by conjuring a button back into view.
Two-factor authentication
Available through an authenticator app, with backup codes. We offer it and do not mandate it; that trade-off is justified in the register.
Breached passwords are rejected
When a password is set, we check it against the Have I Been Pwned database. If it appears there, it is not allowed.
Rate-limited login paths
The paths that handle credentials are rate-limited — and that limit lives in the database, not in the memory of a single process, so a restart or a second container does not reset it.
Strict Content-Security-Policy
With a nonce per page, so an injected script never runs.
Sessions
The session cookie is HttpOnly, Secure and SameSite. There is an absolute maximum lifetime, and sensitive actions ask for your password again.
Audit trail and security logging
Changes to your processes, roles, risks and controls are recorded with who, what and when. A denied authorisation is logged separately — a failed login is noise, but someone with a valid session attempting something they are not allowed to do is a signal.
Supply chain
We maintain an SBOM of the dependencies we run in production, and the pipeline automatically scans each change for accidentally committed secrets.
By chapter
The 17 chapters of the standard, with the state of play per chapter. The chapter titles are the names from the standard itself and we leave them untranslated — that way they can be looked up.
| Chapter | Requirements | Met | N/A | Partial | Open |
|---|---|---|---|---|---|
| V1 Encoding and Sanitization | 27 | 12 | 15 | 0 | 0 |
| V2 Validation and Business Logic | 11 | 7 | 1 | 3 | 0 |
| V3 Web Frontend Security | 19 | 18 | 0 | 0 | 1 |
| V4 API and Web Service | 10 | 2 | 6 | 2 | 0 |
| V5 File Handling | 9 | 4 | 4 | 1 | 0 |
| V6 Authentication | 35 | 26 | 6 | 2 | 1 |
| V7 Session Management | 18 | 15 | 3 | 0 | 0 |
| V8 Authorization | 7 | 7 | 0 | 0 | 0 |
| V9 Self-contained Tokens | 7 | 0 | 7 | 0 | 0 |
| V10 OAuth and OIDC | 29 | 0 | 29 | 0 | 0 |
| V11 Cryptography | 14 | 12 | 1 | 1 | 0 |
| V12 Secure Communication | 9 | 3 | 1 | 2 | 3 |
| V13 Configuration | 13 | 6 | 0 | 4 | 3 |
| V14 Data Protection | 9 | 7 | 0 | 2 | 0 |
| V15 Secure Coding and Architecture | 13 | 10 | 0 | 3 | 0 |
| V16 Security Logging and Error Handling | 16 | 13 | 0 | 1 | 2 |
| V17 WebRTC | 7 | 0 | 7 | 0 | 0 |
What is still open
We publish what is not finished too — otherwise transparency is just a marketing word. At the moment 10 requirements are open and 21 partial. The bulk of them are infrastructure requirements we have consciously accepted on the basis of our threat model, alongside a few policy choices that still call for a decision, one deviation that sits in a third-party library, and a remainder of hardening we have yet to finish ourselves. Every point is in the register with its reason — including the ones we want to close first.
Why not just tick every box?
Because not every requirement carries the same weight in this application. We have made a conscious trade-off for each requirement and written it down — including the requirements we do not (yet) meet and why we consider that risk acceptable. That does not make us ASVS-conformant on those points; it makes the choice traceable. A silent gap would not be.
And NIS2?
If your organisation falls under NIS2, you have to demonstrate a grip on your processes, your risks and your supply chain. Capturing exactly that is what Proceshuis is built for: processes, roles through RASCI, risks and controls in one system, with version history and an audit trail over that content showing who changed what and when.
What we do not claim here
Proceshuis does not make your organisation NIS2-conformant, and we do not call ourselves NIS2-compliant. NIS2 is an organisational directive: risk management, incident reporting, supply-chain responsibility, management liability. Software covers one part of that. We support your obligations; we do not take them over.
The full register
All 253 requirements with the justification line by line, including the open points and why they are open. We share it on request: it contains implementation details that do not belong on a public page.
Request the register