Roseman Labs successfully completed audits by Software Improvement Group (SIG), Secura and DigiTrust.
Security is our top priority. Auditability and robust assessment of our product ensure that our systems are secure not only by design, but also in implementation.
An evaluation lab supervised by the Dutch General Intelligence and Security Service (AIVD) performed the Baseline Security Product Assessment (BSPA) of our platform with positive results. The BSPA is an evaluation scheme developed and maintained by the AIVD, aimed at the security needs of the Dutch government and, in exceptional cases, private sector organizations.
Our product has successfully passed this evaluation, which was carried out by Secura. For more information about the security level and the scope of the BSPA evaluation, please refer to the BSPA deployment advisory and the list of evaluated products on the AIVD website.
The highly specialized Software Improvement Group (SIG) performed a comprehensive source code assessment of the maintainability, security and cryptography of our product. Two of the SIG consultants are experts in validation of cryptographic products and state level cryptography. The assessment was performed against the ISO 25010 standard and SIG's Cryptographic trustworthiness model.
We are proud to highlight that the SIG assessment method leaned heavily on manual code review, which involved comparing our code with the relevant scientific publications and included extensive technical sessions with our team for interviews, validation and discussion. In addition, the consultants used leading static analysis tools to support the code review, find security weaknesses and measure maintainability.
To quote Rob van der Veer, SIG’s senior principal expert in AI, security and privacy:
“Our assessment concluded that Roseman Labs’ product offers sound confidentiality and integrity. It is fit for purpose when it comes to maintainability, security and cryptographic trustworthiness.”
ISO 27001 is the world's best-known standard for information security management systems (ISMS), and NEN 7510 is the corresponding Dutch standard for information security in healthcare. NEN 7510 is based on the international ISO 27001 norm and adds specific controls for healthcare (service) providers. DigiTrust audits us against the ISO 27001 and NEN 7510 norms on an annual basis.
In addition to the above, we commission penetration tests of our product by external parties to test its information security. This is done at least annually.
Auditability, and the ability of customers to assess the robustness of our product, ensures that our systems are secure not only by design, but also in implementation, through thorough evaluations and assessments.
When building a product on novel cryptographic building blocks, auditability is particularly important: the technology involves complex and subtle cryptographic techniques, which raises the risk of implementation errors. It is essential that the code is periodically reviewed by cryptographic experts to confirm that the implementation matches its specification.
Roseman Labs takes the responsibility of protecting customer data seriously. A robust information security management system, periodic penetration tests and evaluation of well-specified cryptographic protocols provide a foundation of trust. Detailed review and ongoing audits by independent specialists ensure that potential vulnerabilities are identified and addressed before they can pose a security risk.
"Security is our top priority. We protect your data and our systems across the board."
- Hugo Ideler, CISO and Head of Engineering, Roseman Labs
We invite security researchers to review our Responsible Disclosure Policy and the broader community to reach out to us directly, or join the Collaborative Computing Slack channel to be part of the conversation.
Generate new insights on sensitive data with Roseman Labs’ secure Multi-Party Computation technology. Want to find out how your organization can do that? Contact us using the form below.