Compliance Posture
How to read this page
This page sets out QSECDEF's compliance posture against applicable UK and EU laws. It covers two areas:
- Data processing matrix — the data categories QSECDEF processes, where they are processed, which providers handle them, and which laws apply.
- Framework compliance matrix — all relevant frameworks, with three-state status (compliant / partial / not-in-scope) and the legal basis for each state. Includes both applicable laws and frameworks assessed as not in scope, with reasoning.
This page is maintained as an internal governance record and is published in the interest of transparency. It is not legal advice. Solicitor review is required before relying on any position set out here.
1. Data processing matrix
The table below maps QSECDEF's data processing activities against applicable legal frameworks. It is structured by data category.
| Data category | Processed in | Provider | Laws that apply | QSECDEF posture |
|---|---|---|---|---|
| Member registration data: name, email, organisation, membership tier | United States — AWS US East (Virginia / DC metro area) via Mighty Networks | Mighty Networks (Business plan, SOC 2 Type II) | UK GDPR; EU GDPR (for EU members); DPA 2018 | Processed under contract performance (Art 6(1)(b)) and consent (Art 6(1)(a)) where applicable. Article 28 DPA in force: Mighty Networks US DPA (effective 1 September 2025) and EU DPA Schedule 1 (EU SCCs Module 2 — Controller-to-Processor, effective 1 September 2025). Transfer mechanism documented at /trust/sub-processors/. |
| Payment data: card details, billing address, transaction records | United States — Stripe (inherited downstream sub-processor via Mighty Networks) | Stripe (via Mighty Networks payment routing); QSECDEF does not contract Stripe directly | UK GDPR; PCI DSS (via processor); Consumer Rights Act 2015 | Card data not held by QSECDEF directly. Stripe operates under PCI DSS as a PCI Level 1 Service Provider. QSECDEF holds transaction references only. Transfer mechanism inherited via Mighty Networks DPA chain (US DPA + EU SCCs Module 2). Stripe maintains DPF certification and SCCs as default in its standard customer agreement. |
| Website analytics data: page views, session data, device type | EU (PostHog EU instance) | PostHog (EU-hosted instance) | UK GDPR; UK PECR; EU GDPR (for EU visitors) | Processed under consent for analytics cookies (PECR/UK GDPR Art 6(1)(a)); memory-only mode for pre-consent visitors. Consent banner live. PostHog EU instance used. DPA in place with PostHog. |
| Email subscriber data: email address, subscription date, campaign engagement | France / EU | Brevo (Sendinblue SAS) | UK GDPR; UK PECR; EU GDPR (for EU subscribers) | Processed under explicit consent (Art 6(1)(a)). Opt-in at subscription; unsubscribe in every email. Brevo is an EU-based processor; UK→EU transfers covered by the UK adequacy decision for the EEA. Standard provider DPA in force. |
| Directory listing data (organisations): company name, description, contact details, public information | Cloudflare Pages / QSECDEF infrastructure | Cloudflare; QSECDEF internal | UK GDPR (limited — primarily relates to named contacts); Copyright, Designs and Patents Act 1988 | Directory listings primarily cover organisational (not personal) data. Legitimate interests basis (Art 6(1)(f)) for editorial publication. |
| Contact form / enquiry data: name, email, message content | Cloudflare Workers / QSECDEF infrastructure | Cloudflare | UK GDPR; EU GDPR (for EU enquirers) | Processed under legitimate interests (Art 6(1)(f)) for responding to enquiries. [TBD — CURRENT: confirm retention period for contact enquiries is defined and applied.] |
2. Framework compliance matrix
Three states are used: Compliant (compliant and operationally active); Partial (core obligations in place; named gaps under active resolution); Not in scope (framework does not apply — legal basis stated).
This matrix does not constitute legal advice. Solicitor review is recommended before relying on any posture stated here.
| Framework | Status | Legal basis / notes | Review trigger |
|---|---|---|---|
| UK GDPR / DPA 2018: UK General Data Protection Regulation; Data Protection Act 2018 | PARTIAL | Core operational compliance in place. Lawful bases identified: Art 6(1)(a) consent; Art 6(1)(b) contract; Art 6(1)(f) legitimate interests. Article 30 Records of Processing Activities being established. ICO registration: application in process; reference C1938715. QSECDEF will confirm the full registration number on this page when received from the ICO. | ICO registration confirmation — immediate. |
| EU GDPR: Regulation (EU) 2016/679 | PARTIAL | EU Representative designated: WhizWang.com SAS, 1 Avenue du Pompadour, 19230, France (SIREN 835217803). Sub-processor transfer mechanisms: Mighty Networks EU DPA in force (EU SCCs Module 2 — Controller-to-Processor, effective 1 September 2025). Mighty Networks plan: Business; SOC 2 Type II attestation; member data hosted on AWS US East (Virginia / DC metro). Other US-based sub-processors (Cloudflare, GitHub, Google) inherit SCCs / DPF via their standard customer DPAs. Competent supervisory authority for Mighty Networks transfers: Autoriteit Persoonsgegevens (Dutch DPA). | Confirm separately-executed SCCs status for non-MN US sub-processors (operational follow-up; standard DPAs in force). |
| ICO data controller registration: Data Protection (Charges and Information) Regulations 2018 | Application in process — reference C1938715 | Registration required if QSECDEF processes personal data without applicable exemption. QSECDEF processes membership data, email marketing data, and analytics data. Application in process; reference C1938715. QSECDEF will confirm the full registration number on this page when received from the ICO. | Immediate — confirm registration live before publication of Privacy Notice. |
| NCSC Cyber Essentials | NOT IN SCOPE | Not pursued at current scale. Editorial publisher and membership organisation. No contractual or regulatory obligation to hold CE at this stage. | If UK central government contracts are pursued. |
| ISO 27001 | NOT IN SCOPE | Not pursued at current scale. No contractual or regulatory obligation. | If enterprise or government contracts require certification. |
| IPSO Editors' Code | CURRENT (voluntary) | Voluntary adoption confirmed. Clause 1 (Accuracy) and Clause 2 (Privacy) adopted as benchmarks. QSECDEF is not a formal IPSO-regulated publisher. | Review if formal IPSO membership is considered. |
| Reuters Trust Principles | CURRENT (voluntary) | Voluntary adoption confirmed. Commitment to integrity, independence, and freedom from bias. Commercial relationships do not influence editorial independence. | Annual editorial governance review. |
| ASA / CAP Code | CURRENT | Paid directory listings are clearly labelled as commercial placements. Advertorial content is distinguished from editorial. Effective when paid tiers go live. | On each commercial tier launch or change. |
| Equality Act 2010 | CURRENT | Non-discrimination in membership intake. Standard UK legal obligation for any business offering services to the public. | On any change to membership criteria. |
| Modern Slavery Act 2015: s.54 transparency statement | VOLUNTARY (sub-threshold) | Mandatory s.54 statement obligation threshold: £36 million global annual turnover. QSECDEF is below this threshold. Voluntary statement published in the interest of good governance. | Review annually; mandatory if turnover exceeds £36 million. |
| EU AI Act — Article 50 (AI transparency): Regulation (EU) 2024/1689 | CURRENT | AI-assistance disclosure is live on the Trust Centre. QSECDEF discloses AI use in research, drafting, and data aggregation. Human review of all AI-assisted content before publication. Consistent with Article 50 transparency obligations. | On any change to AI tool usage. |
| EU AI Act — high-risk obligations (Annex III): Regulation (EU) 2024/1689 | NOT IN SCOPE | QSECDEF does not deploy or offer AI systems in high-risk categories as defined in Annex III. AI tools are used as internal editorial aids; QSECDEF does not offer AI systems to third parties in Annex III categories. | If QSECDEF offers AI-powered services to EU users in Annex III categories. |
| NIS2 Directive: Directive (EU) 2022/2555 | NOT IN SCOPE | NIS2 applies to essential and important entities in specified sectors. QSECDEF is a UK-registered editorial publication and membership organisation. It is not an essential or important entity and does not provide cloud computing, online marketplace, search engine, or social networking platform services per NIS2 Annex I/II. | If QSECDEF registers as an EU legal entity or materially expands EU operations into NIS2 sector services. |
| DORA: Regulation (EU) 2022/2554 | NOT IN SCOPE | DORA applies to regulated financial entities and their critical ICT third-party providers. QSECDEF is not a regulated financial entity. | If QSECDEF becomes a regulated financial entity or a critical ICT provider to financial entities. Not anticipated. |
| DSA: Digital Services Act — Regulation (EU) 2022/2065 | NOT IN SCOPE (editorial publisher exemption) | DSA Article 3(i) defines an "online platform" as a hosting service disseminating content "at the request of a recipient." QSECDEF's directory is editorially curated; listings are not submitted by users and published automatically. DSA Recital 13 exempts services where the provider is editorially responsible. QSECDEF is an editorial publisher under its own editorial responsibility. | If user-submitted listings, user reviews, or user-generated forum content are hosted on the qsecdef.com domain. |
| Cyber Resilience Act: CRA — Regulation (EU) 2024/2847 | NOT IN SCOPE (hosted service) | CRA applies to manufacturers of "products with digital elements" placed on the EU market. QSECDEF's tools are browser-based applications delivered as hosted web services. CRA Recitals 15-16 exclude SaaS delivered as browser-hosted services. QSECDEF does not distribute downloadable executables, binaries, or installable packages. | If any QSECDEF tool is distributed as a downloadable executable or installable package to EU users. |
Review schedule
This compliance posture should be reviewed:
- Quarterly — to check for new or amended legislation
- On each material change to QSECDEF's operations — new data processing activities, new providers, new services, new jurisdictions
- Before publication of the Privacy Notice and Disclaimer
- After solicitor review — to incorporate legal advice
Questions about this compliance posture: info@qsecdef.com