Vendor due diligence

This page is a pre-filled vendor due-diligence response for enterprise procurement teams evaluating Inger s.r.o. as an ICT supplier. It mirrors the common questions from SIG Lite, CAIQ, and EBA guidelines on outsourcing arrangements. Each answer links to the underlying evidence. Where an answer needs to be tailored to a specific engagement, this is stated explicitly and handled during the DPA/MSA phase.

For enterprise procurement: this document is safe to import into your vendor management system. A machine-readable version is available at /vendor-dd.json. For anything missing — bespoke DPA, TOM, SIG Full, insurance certificates — write to info@inger.sk.

1. Company snapshot

2. Data handling & residency

Personal data processed by this site

Name, email, message (contact form) + standard access logs. No analytics, no tracking, no third-party cookies.

Lawful basis (GDPR Art. 6)

Pre-contract (6(1)(b)) for inquiries; legitimate interest (6(1)(f)) for server logs and anti-abuse.

Data residency — site data

France (o2switch data centres). No transfer outside EEA for site operations.

Data residency — source code

GitHub (United States). Standard Contractual Clauses (2021/914) rely on EU Commission adequacy equivalents; no personal client data stored in repos.

Data residency — operator endpoint

Slovakia (developer workstation, full-disk encryption, OS-level lock).

Client data residency (engagements)

Engagement-specific. Stated in DPA. Default: EEA-only where client data is regulated (GDPR, NIS2, DORA).

Retention — site inquiries

12 months if no engagement follows. 10 years for accounting records of active engagements (statutory, Slovak Act 431/2002 Z.z.).

Retention — client data in engagements

Defined in each DPA. Default: deletion within 30 days of engagement termination unless statutory retention applies.

Data subject rights handling

Requests via info@inger.sk. Acknowledged within 5 business days, completed within 30 days per GDPR Art. 12(3).

DPO

Not appointed — thresholds of GDPR Art. 37 not met. Single point of contact for data protection: info@inger.sk.

3. Security controls

Transport security

HTTPS enforced, HSTS max-age=31536000; includeSubDomains; preload. TLS 1.2+ only (hosting-level).

Content Security Policy

Strict default-src 'self' with explicit allow-lists. No inline script, no external origins.

Clickjack & MIME protection

X-Frame-Options: SAMEORIGIN, CSP frame-ancestors 'self', X-Content-Type-Options: nosniff.

Anti-abuse (contact form)

Rotating honeypot + timing token + behavioural signals + disposable-email filter + per-IP rate limit. No third-party anti-abuse SDKs.

Secrets management

No secrets in public repo. Server-side secrets in .env outside document root, file permissions 0600.

Vulnerability management

Continuous tracking of PHP/Apache advisories (hosting operator + manual). Application-level dependency scan on each release. Own-tooling scan via ZulienScore.

Access control (infrastructure)

SSH key-only to server (no password auth). GitHub 2FA mandatory. Deployment via GitHub Actions with scoped secrets.

Endpoint security (operator)

macOS with FileVault full-disk encryption, screen lock, firmware password, Little Snitch outbound filtering.

Backup cadence

Source code — git distributed by design. Server content — daily snapshot by o2switch, 30-day retention. Client engagement backups — per-engagement specification.

Penetration testing

Automated scan on each release (axe-core a11y, ZulienScore). External pen test on request for enterprise engagements.

Disclosure policy

Public — trust.html#disclosure. Machine-readable security.txt.

4. Operational resilience

Business continuity plan

Documented internally. Key vectors: operator incapacity (shared credentials with named stand-in), hosting failure (60-minute failover to secondary provider on provision), upstream repository loss (distributed git + server-side mirror).

Disaster recovery — RTO

Static site: < 1 h to alternative host. Client engagement services: per-engagement SLA.

Disaster recovery — RPO

Static site: 0 (code in git, no state). Client engagement services: per-engagement specification, typically ≤ 24 h.

Incident response SLA

24 h early warning · 72 h initial assessment · 30 d final report. Aligned with NIS2 Art. 23. See trust.html §5.

Incident severity classification

S1 service-down · S2 degraded · S3 contained · S4 informational. Escalation paths documented per engagement.

Change management

Git-based, every deploy traceable to a commit. Rollback < 5 min for site; per-engagement rollback procedure for client services.

Capacity planning

Site is static — capacity bounded by hosting plan, currently headroom > 20× baseline traffic. Client services — explicit in engagement SLA.

Monitoring

Uptime monitoring (third-party ping). Application error alerts via email. Client engagement monitoring per SLA (often via client-provided tooling).

5. Regulatory & compliance mapping

GDPR (EU 2016/679)

Controller for own data, processor for client data under DPA. No DPO mandatory. Standard SCC module 2 for any non-EEA transfer.

NIS2 (EU 2022/2555)

Direct scope: NONE (entity below size floor). Indirect obligation: YES via Art. 21(2)(d) supply-chain for essential/important clients. Full verdict: trust.html §6.

DORA (EU 2022/2554)

Not in scope as entity (not a financial entity). Contractually accept Art. 28/30 obligations for DORA-regulated clients. TOM document available on request.

ISO 27001

Not certified. Controls aligned with Annex A for client engagements where required; formal certification is a P3 item (see trust.html §9).

SOC 2

Not attested. Procedural equivalents documented for each engagement's change-management, access-control, and incident-response areas.

WCAG 2.2 AA

This site targets and achieves WCAG 2.2 AA. Automated scanning via axe-core on each release (0 violations as of 2026-04-23).

Slovak NBÚ

Cybersecurity competent authority. No binding NIS2 determination sought as entity is below the size floor. Available for engagement-specific questions.

Tax & accounting

VAT-registered in Slovakia (SK2120217781). Annual financial statements filed in Slovak Business Register (public).

6. Subprocessors & supply chain

Full current list for www.inger.sk is in trust.html §8. Key points for due-diligence:

o2switch (hosting)

France, EU. ISO 27001 certified. DPA in place.

GitHub (source & CI)

Microsoft Corp., USA. No client personal data in repos. SCCs apply for the GitHub DPA.

Fonts

Self-hosted (Inter, JetBrains Mono as WOFF2). No third-party font CDN. GDPR-clean.

Anthropic (developer AI tooling)

USA, enterprise tier with SCCs. No production client data enters the tool; used only for code-assist on non-confidential inputs.

Subprocessor notification

Material changes announced on /trust with a minimum 30-day notice before activation. Clients with a bespoke DPA receive direct email notification.

Right to object

Clients with a bespoke DPA may object to a new subprocessor; if unresolved, they may terminate the affected services without penalty.

7. Legal & contractual

Standard contract template

MSA + SoW per engagement. DPA based on the Slovak Commercial Code + EU Commission SCCs (2021/914) for data-processing addenda.

Governing law

Slovak law by default. Client-domicile law on request for EU/EEA clients.

Dispute resolution

Negotiation → mediation → Slovak court of competent jurisdiction. Arbitration optional by mutual agreement.

Liability cap

Default: 12 × monthly fee or €50 000, whichever is higher. Negotiable per engagement.

Audit right

Accepted for regulated clients (financial, health, critical infrastructure) subject to 30-day notice, scope agreement, and cost allocation.

Confidentiality

Mutual NDA on request. Default 5-year term, perpetual for trade secrets and personal data.

IP assignment

Work product IP assigned to client on payment. Background IP (pre-existing libraries, internal frameworks) retained with perpetual client licence.

Exit & off-boarding

On termination: data export in a machine-readable format within 30 days, documented handover, destruction certificate on request.

Insurance

Professional indemnity on request for contracts > €50 000. Specifics confirmed during MSA review.

8. Artifacts available on request

The following are not posted publicly but can be issued to prospective enterprise clients under an NDA:

• Technical & organisational measures (TOM) — GDPR Art. 32 full document
• Data processing agreement (DPA) — signable template, EU SCCs-ready
• Subprocessor CSV — engagement-specific list with data-flow diagrams
• Business continuity plan — operator-level detail
• Risk assessment (information security) — latest annual review
• Incident response runbook — operator-level detail
• SIG Lite / SIG Core completed spreadsheet — on request, mapped to this page
• CAIQ v4.0.2 completed spreadsheet — for cloud-related engagements (we are not a cloud service provider in the strict sense; provided for alignment)
• Insurance certificates — per-engagement basis

Request any of the above via info@inger.sk with the subject line "Vendor DD — [company]". Response time: 3 business days for standard artifacts, 10 business days for tailored SIG/CAIQ responses.

9. Meta — how this page is maintained

This page is reviewed and re-dated on the 23rd of every April (or earlier whenever a material change occurs: new subprocessor, change in size category, change in regulatory scope, change in hosting provider). The machine-readable companion at /vendor-dd.json is updated on the same cadence and serves as the source of truth for automated ingestion.

If your procurement tool parses security.txt, humans.txt, or structured JSON, you should have everything you need without human back-and-forth for the common questions.