Every NIS2 Art. 21 PAM Control. One Platform.
Session recording, privileged vault, MFA, and audit trail — mapped to NIS2 Art. 21 out of the box. Your data stays in Poland.
Built for CISOs who need a defensible, auditable PAM posture before the regulator calls — not a 12-month integration project.
Compliance documentation available on request — contact us.
EU-hosted · GCP Warsaw, Poland · SOC 2 Type II 2026 · NIS2-aligned · GDPR/RODO-native
NIS2 Art. 21 — every PAM control covered
VaultPAM was designed alongside NIS2 requirements from the first commit. No manual mapping required.
Risk Management (Art. 21(2)(a))
STRIDE threat models on every major component. 152+ threats analyzed. Dependency risk register with remediation tracking.
Incident Handling (Art. 21(2)(b))
Real-time security alerts, SIEM integration, full audit trail for investigation, documented incident response procedures.
Business Continuity (Art. 21(2)(c))
Automated database backup, audit-grade recording storage, Vault snapshots, defined RTO/RPO targets with tested failover.
Supply Chain Security (Art. 21(2)(d))
Automated SCA dependency scanning on every PR, vulnerability tracking dashboard, Ed25519 signed releases.
Multi-Factor Authentication (Art. 21(2)(j))
Mandatory MFA with TOTP, WebAuthn (YubiKey, Touch ID, Windows Hello), SMS OTP. Step-up MFA for admin operations.
Cryptography (Art. 21(2)(h))
AES-256-GCM at rest, TLS 1.2+/mTLS in transit, Ed25519 policy signing, Vault Transit key management. No deprecated algorithms.
Access Control / Privileged Access (Art. 21(2))
Zero Standing Privileges, JIT access, 87+ granular permissions, PBAC with signed policies, complete session recording.
Framework coverage at a glance
VaultPAM aligns with all major regulatory and security frameworks relevant to EU organizations.
| Framework | Coverage | Key controls |
|---|---|---|
| SOC 2 Type II | Architecture aligned; formal attestation planned | CC6.1, CC6.2, CC6.3, CC6.6, CC7.2, CC7.4, CC7.5, CC8.1 |
| ISO 27001:2022 | Controls mapped; certification planned | A.5.15, A.5.17, A.5.33, A.8.1, A.8.5, A.8.20, A.8.24, A.8.25 |
| GDPR / RODO | Compliant by design; DPA available | Art. 25 (Privacy by Design), Art. 32 (Security), Art. 33 (Breach), Art. 35 (DPIA) |
| NIS2 Directive | Art. 21 PAM requirements all covered | Risk management, incident handling, supply chain, MFA, cryptography |
| NIST 800-53 | Key control families implemented | AC, AU, IA, SC families fully covered |
SOC 2 Type II — control-level evidence
Every Trust Services Criterion is mapped to a VaultPAM control with exportable evidence.
Logical Access
RBAC with 87+ permissions, MFA enforcement, JWT-based sessions
Credentials
OpenBao Vault storage, automatic rotation, zero-knowledge access
Access Provisioning
Just-in-Time access with configurable TTL and automatic session expiry
System Boundaries
WAF (ModSecurity + OWASP CRS), outbound-only connectors, mTLS
Monitoring
50+ audit event types, real-time alerts, SIEM integration
Change Management
Mandatory code review, CI/CD pipeline, Ed25519 signed releases
Your audit trail. Your data. Your country.
Full PAM audit logs stored in Poland — NIS2 Art. 21 compliant, GDPR-ready, and auditor-friendly by design.
Every privileged session recorded and searchable. Every access event logged with tamper-evident timestamps. Every compliance question answered before the auditor asks it.
PDF · CSV · JSON
Export in the format your auditor requires
SHA-256 integrity manifest
Every report is signed and tamper-evident
Evidence Package
Bundle all reports into a single auditor-ready archive