Logical access controls
Role-based access, MFA enforcement, and session token binding implemented across all VaultPAM surfaces.
VaultPAM maps directly to NIS2 Article 21, GDPR, SOC 2 and ISO 27001. Every control is implemented — not manually assembled — so your compliance report is a button, not a project.
EU-hosted · GCP Warsaw, Poland · SOC 2 Type II 2026 — final report pending · NIS2-aligned · GDPR-native
NIS2 mandates specific access controls for EU organizations. VaultPAM implements every relevant PAM control out of the box.
| Article | Requirement | VaultPAM control |
|---|---|---|
| Art. 21(2)(a) | Risk analysis and information system security policies | Audit trail + session recording for all privileged access. Exportable risk reports. |
| Art. 21(2)(b) | Incident handling | Real-time alerting on suspicious privileged sessions. Full session replay for incident investigation. |
| Art. 21(2)(e) | Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure | SBOM, SAST/SCA on every release, penetration test annually. Patch SLA enforced in CI pipeline. |
| Art. 21(2)(g) | Multi-factor authentication or continuous authentication solutions | TOTP, FIDO2/WebAuthn, SAML 2.0 SSO with MFA enforcement at the session layer. |
| Art. 21(2)(h) | Privileged access management — secure communications, emergency communications | Just-in-time credential checkout, time-limited sessions, no standing privileges. Role-based access with audit log. |
| Art. 21(2)(i) | Policies and procedures regarding the use of cryptography and encryption | AES-256-GCM at rest, TLS 1.3 in transit. Key rotation policy enforced. No plaintext credentials stored. |
| Art. 21(2)(j) | Human resources security, access control policies and asset management | RBAC with tenant isolation. Automated off-boarding via session revocation and credential rotation. |
Every access event is sealed with a cryptographic hash that chains to the next. Altering any record breaks the chain — making tampering immediately detectable.
Every access event is cryptographically chained — tamper-evident by design.
| Framework | PAM scope | Status |
|---|---|---|
| NIS2 | Art. 21(2)(a)(b)(e)(g)(h)(i)(j) — all PAM-relevant controls | Covered |
| GDPR / RODO | Art. 5, 25, 32, 44 — data protection by design, EU residency, access controls | Covered |
| SOC 2 Type II | CC6.1–CC6.3, CC7.2, CC9.2 — access, logical security, change management | In audit (2026) |
| ISO 27001 | A.9 (access control), A.12 (operations), A.14 (secure development) | Roadmap 2026 |
| DORA | Art. 9 — ICT security, access management, incident logging | Aligned |
VaultPAM's SOC 2 Type II audit covers the controls below. Final report expected 2026.
Role-based access, MFA enforcement, and session token binding implemented across all VaultPAM surfaces.
Password vaulting, just-in-time checkout, automatic rotation, and no standing credentials.
Least-privilege provisioning with approval workflows, time-limited access, and automated de-provisioning.
Real-time session monitoring, anomaly detection, and tamper-resistant audit logs.
All infrastructure and application changes require peer review, automated testing, and documented approval before deployment.
Vendor risk assessments, SLA commitments, and annual penetration testing documented and tracked to closure.
VaultPAM was designed for GDPR compliance from day one. Data residency in GCP europe-central2 (Warsaw) satisfies Article 44. Right-to-erasure workflows, data minimization and processing records are built in.
For compliance documentation requests, contact us at contact@vaultpam.com.