Compliance
How Berserk maps to the security and privacy frameworks buyers ask
about. Each page below is a self-assessment, compatibility extract,
or readiness pack — we say plainly which controls have evidence,
which are partial, and which are deliberately out of scope at our
current stage.
Available now
- GDPR Compliance — controller and
processor activities, data-subject rights, breach notification,
international transfers, and Article 30 records of processing.
A self-hosted product means no customer-data sub-processors today.
- NIS2 Compatibility — Article 21(2)
measure-set coverage and the Article 23 reporting model. NIS2 is
a directive, not a certification; this page documents alignment,
not an audit. Self-hosted Berserk is not directly in scope today
— the artefacts here discharge our customers' Article 21(d)
supply-chain obligations.
- ISO 27001 Readiness — mapped
posture against ISMS clauses 4–10 and all 93 Annex A controls.
Sub-processor inheritance, deliberate gaps, and the path to
certification are all named openly. Not currently certified.
- CAIQ v4 Self-Assessment — Cloud
Security Alliance Consensus Assessments Initiative Questionnaire
v4, answered across all 17 control domains. The right starting
point if your procurement team uses CAIQ or SIG-style
questionnaires.
- Security Roadmap — the single
consolidated public list of compliance items in flight, grouped
by trigger (next 6 months · pre-managed-offering · pre-Stage 1
audit · long-term).
Roadmap
- NIST CSF 2.0. Target profile maintained internally across all
six functions. The summary lives in the
Security Whitepaper §"Compliance mapping".
- SOC 2 Type II. Not audited today. We will prioritize a SOC 2
audit if and when customer requirements make it necessary.
Asking for more
The artefacts above are the public extracts. The Statement of
Applicability, the full control matrix, the internal NIS2
applicability memo, and the internal policies and procedures are
available to enterprise customers under NDA on request to
security@bzrk.dev.