
Compliance Posture

Current as of: (pass 3 — full framework matrix). Review quarterly.

How to read this page

This page sets out QSECDEF's compliance posture against applicable UK and EU laws. It covers two areas:

  1. Data processing matrix — the data categories QSECDEF processes, where they are processed, which providers handle them, and which laws apply.
  2. Framework compliance matrix — all relevant frameworks, with three-state status (compliant / partial / not-in-scope) and the legal basis for each state. Includes both applicable laws and frameworks assessed as not in scope, with reasoning.

This page is maintained as an internal governance record and is published in the interest of transparency. It is not legal advice. Solicitor review is required before relying on any position set out here.

1. Data processing matrix

The matrix below maps QSECDEF's data processing activities against applicable legal frameworks, with one entry per data category.

Each entry lists: the data category; where it is processed; the provider; the laws that apply; and QSECDEF's posture.

Member registration data (name, email, organisation, membership tier)
  Processed in: United States — AWS US East (Virginia / DC metro area) via Mighty Networks
  Provider: Mighty Networks (Business plan, SOC 2 Type II)
  Laws that apply: UK GDPR; EU GDPR (for EU members); DPA 2018
  QSECDEF posture: Processed under contract performance (Art 6(1)(b)) and consent (Art 6(1)(a)) where applicable. Article 28 DPA in force: Mighty Networks US DPA (effective 1 September 2025) and EU DPA Schedule 1 (EU SCCs Module 2 — Controller-to-Processor, effective 1 September 2025). Transfer mechanism documented at /trust/sub-processors/.

Payment data (card details, billing address, transaction records)
  Processed in: United States — Stripe (inherited downstream sub-processor via Mighty Networks)
  Provider: Stripe (via Mighty Networks payment routing); QSECDEF does not contract Stripe directly
  Laws that apply: UK GDPR; PCI DSS (via processor); Consumer Rights Act 2015
  QSECDEF posture: Card data not held by QSECDEF directly. Stripe operates under PCI DSS as a PCI Level 1 Service Provider. QSECDEF holds transaction references only. Transfer mechanism inherited via Mighty Networks DPA chain (US DPA + EU SCCs Module 2). Stripe maintains DPF certification and SCCs as default in its standard customer agreement.

Website analytics data (page views, session data, device type)
  Processed in: EU (PostHog EU instance)
  Provider: PostHog (EU-hosted instance)
  Laws that apply: UK GDPR; UK PECR; EU GDPR (for EU visitors)
  QSECDEF posture: Processed under consent for analytics cookies (PECR/UK GDPR Art 6(1)(a)); memory-only mode for pre-consent visitors. Consent banner live. PostHog EU instance used. DPA in place with PostHog.

Email subscriber data (email address, subscription date, campaign engagement)
  Processed in: France / EU
  Provider: Brevo (Sendinblue SAS)
  Laws that apply: UK GDPR; UK PECR; EU GDPR (for EU subscribers)
  QSECDEF posture: Processed under explicit consent (Art 6(1)(a)). Opt-in at subscription; unsubscribe in every email. Brevo is an EU-based processor; UK→EU transfers covered by the UK adequacy decision for the EEA. Standard provider DPA in force.

Directory listing data, organisations (company name, description, contact details, public information)
  Processed in: Cloudflare Pages / QSECDEF infrastructure
  Provider: Cloudflare; QSECDEF internal
  Laws that apply: UK GDPR (limited — primarily relates to named contacts); Copyright, Designs and Patents Act 1988
  QSECDEF posture: Directory listings primarily cover organisational (not personal) data. Legitimate interests basis (Art 6(1)(f)) for editorial publication.

Contact form / enquiry data (name, email, message content)
  Processed in: Cloudflare Workers / QSECDEF infrastructure
  Provider: Cloudflare
  Laws that apply: UK GDPR; EU GDPR (for EU enquirers)
  QSECDEF posture: Processed under legitimate interests (Art 6(1)(f)) for responding to enquiries. [TBD — CURRENT: confirm retention period for contact enquiries is defined and applied.]

2. Framework compliance matrix

Three states are used: Compliant (compliant and operationally active); Partial (core obligations in place; named gaps under active resolution); Not in scope (framework does not apply — legal basis stated).

This matrix does not constitute legal advice. Solicitor review is recommended before relying on any posture stated here.

Each entry lists: the framework; its status; the legal basis and notes; and the review trigger.

UK GDPR / DPA 2018 (UK General Data Protection Regulation; Data Protection Act 2018)
  Status: PARTIAL
  Legal basis / notes: Core operational compliance in place. Lawful bases identified: Art 6(1)(a) consent; Art 6(1)(b) contract; Art 6(1)(f) legitimate interests. Article 30 Records of Processing Activities being established. ICO registration: application in process; reference C1938715. QSECDEF will confirm the full registration number on this page when received from the ICO.
  Review trigger: ICO registration confirmation — immediate.

EU GDPR (Regulation (EU) 2016/679)
  Status: PARTIAL
  Legal basis / notes: EU Representative designated: WhizWang.com SAS, 1 Avenue du Pompadour, 19230, France (SIREN 835217803). Sub-processor transfer mechanisms: Mighty Networks EU DPA in force (EU SCCs Module 2 — Controller-to-Processor, effective 1 September 2025). Mighty Networks plan: Business; SOC 2 Type II attestation; member data hosted on AWS US East (Virginia / DC metro). Other US-based sub-processors (Cloudflare, GitHub, Google) inherit SCCs / DPF via their standard customer DPAs. Competent supervisory authority for Mighty Networks transfers: Autoriteit Persoonsgegevens (Dutch DPA).
  Review trigger: Confirm separately-executed SCCs status for non-MN US sub-processors (operational follow-up; standard DPAs in force).

ICO data controller registration (Data Protection (Charges and Information) Regulations 2018)
  Status: Application in process — reference C1938715
  Legal basis / notes: Registration required if QSECDEF processes personal data without applicable exemption. QSECDEF processes membership data, email marketing data, and analytics data. Application in process; reference C1938715. QSECDEF will confirm the full registration number on this page when received from the ICO.
  Review trigger: Immediate — confirm registration live before publication of Privacy Notice.

NCSC Cyber Essentials
  Status: NOT IN SCOPE
  Legal basis / notes: Not pursued at current scale. Editorial publisher and membership organisation. No contractual or regulatory obligation to hold CE at this stage.
  Review trigger: If UK central government contracts are pursued.

ISO 27001
  Status: NOT IN SCOPE
  Legal basis / notes: Not pursued at current scale. No contractual or regulatory obligation.
  Review trigger: If enterprise or government contracts require certification.

IPSO Editors' Code
  Status: CURRENT (voluntary)
  Legal basis / notes: Voluntary adoption confirmed. Clause 1 (Accuracy) and Clause 2 (Privacy) adopted as benchmarks. QSECDEF is not a formal IPSO-regulated publisher.
  Review trigger: Review if formal IPSO membership is considered.

Reuters Trust Principles
  Status: CURRENT (voluntary)
  Legal basis / notes: Voluntary adoption confirmed. Commitment to integrity, independence, and freedom from bias. Commercial relationships do not influence editorial independence.
  Review trigger: Annual editorial governance review.

ASA / CAP Code
  Status: CURRENT
  Legal basis / notes: Paid directory listings are clearly labelled as commercial placements. Advertorial content is distinguished from editorial. Effective when paid tiers go live.
  Review trigger: On each commercial tier launch or change.

Equality Act 2010
  Status: CURRENT
  Legal basis / notes: Non-discrimination in membership intake. Standard UK legal obligation for any business offering services to the public.
  Review trigger: On any change to membership criteria.

Modern Slavery Act 2015 (s.54 transparency statement)
  Status: VOLUNTARY (sub-threshold)
  Legal basis / notes: Mandatory s.54 statement obligation threshold: £36 million global annual turnover. QSECDEF is below this threshold. Voluntary statement published in the interest of good governance.
  Review trigger: Review annually; mandatory if turnover exceeds £36 million.

EU AI Act — Article 50 (AI transparency) (Regulation (EU) 2024/1689)
  Status: CURRENT
  Legal basis / notes: AI-assistance disclosure is live on the Trust Centre. QSECDEF discloses AI use in research, drafting, and data aggregation. Human review of all AI-assisted content before publication. Consistent with Article 50 transparency obligations.
  Review trigger: On any change to AI tool usage.

EU AI Act — high-risk obligations (Annex III) (Regulation (EU) 2024/1689)
  Status: NOT IN SCOPE
  Legal basis / notes: QSECDEF does not deploy or offer AI systems in high-risk categories as defined in Annex III. AI tools are used as internal editorial aids; QSECDEF does not offer AI systems to third parties in Annex III categories.
  Review trigger: If QSECDEF offers AI-powered services to EU users in Annex III categories.

NIS2 Directive (Directive (EU) 2022/2555)
  Status: NOT IN SCOPE
  Legal basis / notes: NIS2 applies to essential and important entities in specified sectors. QSECDEF is a UK-registered editorial publication and membership organisation. It is not an essential or important entity and does not provide cloud computing, online marketplace, search engine, or social networking platform services per NIS2 Annex I/II.
  Review trigger: If QSECDEF registers as an EU legal entity or materially expands EU operations into NIS2 sector services.

DORA (Regulation (EU) 2022/2554)
  Status: NOT IN SCOPE
  Legal basis / notes: DORA applies to regulated financial entities and their critical ICT third-party providers. QSECDEF is not a regulated financial entity.
  Review trigger: If QSECDEF becomes a regulated financial entity or a critical ICT provider to financial entities. Not anticipated.

DSA (Digital Services Act — Regulation (EU) 2022/2065)
  Status: NOT IN SCOPE (editorial publisher exemption)
  Legal basis / notes: DSA Article 3(i) defines an "online platform" as a hosting service disseminating content "at the request of a recipient." QSECDEF's directory is editorially curated; listings are not submitted by users and published automatically. DSA Recital 13 exempts services where the provider is editorially responsible. QSECDEF is an editorial publisher under its own editorial responsibility.
  Review trigger: If user-submitted listings, user reviews, or user-generated forum content is hosted on the qsecdef.com domain.

Cyber Resilience Act (CRA — Regulation (EU) 2024/2847)
  Status: NOT IN SCOPE (hosted service)
  Legal basis / notes: CRA applies to manufacturers of "products with digital elements" placed on the EU market. QSECDEF's tools are browser-based applications delivered as hosted web services. CRA Recitals 15-16 exclude SaaS delivered as browser-hosted services. QSECDEF does not distribute downloadable executables, binaries, or installable packages.
  Review trigger: If any QSECDEF tool is distributed as a downloadable executable or installable package to EU users.

Review schedule

This compliance posture should be reviewed:

  • Quarterly — to check for new or amended legislation
  • On each material change to QSECDEF's operations — new data processing activities, new providers, new services, new jurisdictions
  • Before publication of the Privacy Notice and Disclaimer
  • After solicitor review — to incorporate legal advice

Questions about this compliance posture: info@qsecdef.com