Subject: Statement of Security Alignment: ISO 27001 to SOC 2 (Qwil Messenger Deployment)
This document sets out how our existing security posture satisfies your SOC 2 requirements for the deployment of Qwil Messenger. Network Platform Technologies Limited ("NPT" or "Qwil") has operated an Information Security Management System (ISMS) certified to ISO/IEC 27001 since 2020, currently against the ISO/IEC 27001:2022 revision. Our compliance is independently audited and verified annually by British Assessment Bureau, a leading UKAS-accredited certification body and part of the AMTIVO Group.
For a secure communication platform such as Qwil Messenger, data confidentiality, access control and platform integrity are paramount. SOC 2 and ISO 27001 are structured differently but share the same foundational goals. Our ISO 27001 controls address approximately 85–90% of the SOC 2 Security (Common Criteria) requirements and also cover the Confidentiality, Processing Integrity, Availability and Privacy categories for our data and systems.
The executive mapping below shows how our ISO 27001 ISMS aligns with the SOC 2 criteria relevant to Qwil Messenger. Further detail is available in our Security White Paper.
Security (Common Criteria)
Baseline criteria focusing on infrastructure security, access management, and human resources.
| SOC 2 Criteria (TSC) | ISO 27001:2022 Clauses / Controls | Qwil Messenger implementation |
| --- | --- | --- |
| CC6.1, CC6.2, CC6.3 (access registration, modification and privilege enforcement) | A.8.2 (Privileged access rights); A.8.3 (Information access restriction); A.8.5 (Secure authentication) | Identity & Access Management: staff access operates on a default-deny basis. Each staff member authenticates with unique credentials plus multi-factor authentication (MFA), and permissions are granted through role-based access control (RBAC) on a least-privilege basis. |
| CC6.6, CC6.7 (boundary protection and endpoint security) | A.5.15 (Access control); A.8.1 (User endpoint devices) | End-User Access Controls: the platform is invitation-only (no self-registration). MFA is enforced on every device, login attempts are limited, and local data is wiped automatically after repeated failed attempts. |
| CC6.1, CC6.8 (network segregation and malware protection) | A.8.20 (Networks security); A.8.22 (Segregation of networks); A.8.4 (Access to source code) | Network Security: production is fully segregated from development and test environments in separate cloud accounts. External connections are protected by TLS 1.2 or higher, host-based IDS/IPS and restricted VPN access. |
| CC1.4, CC6.2 (commitment to competence and access revocation) | Clause 7.2 (Competence); A.6.1 (Screening); A.6.2 (Terms and conditions of employment); A.6.5 (Responsibilities after termination or change of employment) | Human Resources Security: background screening and security training are mandatory for all direct and indirect personnel. System access is revoked centrally and immediately on termination. |
Confidentiality
Focuses on protecting sensitive data from unauthorized disclosure during collection, transmission, and disposal.
| SOC 2 Criteria (TSC) | ISO 27001:2022 Clauses / Controls | Qwil Messenger implementation |
| --- | --- | --- |
| CC6.1, CC7.1 (data categorization and encryption at rest) | A.8.24 (Use of cryptography); A.5.12 (Classification of information) | Data Encryption at Rest: server-side data is encrypted at both the block (volume) and logical (application) levels with unique keys that Qwil manages itself. Mobile apps store data in AES-256-encrypted local databases whose keys are protected by the platform keystore (e.g., iOS Keychain); these databases are excluded from device backups. |
| CC6.7, CC7.2 (transmission encryption and vulnerability mitigation) | A.8.24 (Use of cryptography); A.8.21 (Security of network services) | Data Encryption in Transit: all traffic uses HTTPS and WSS over TLS 1.2 or higher; downgrade to older protocol versions is refused. Mobile apps pin the server certificate to block man-in-the-middle (MitM) attacks. |
| CC6.5, C1.2 (asset disposal and logical data segregation) | A.8.10 (Information deletion); A.7.14 (Secure disposal or re-use of equipment) | Data Segregation & Disposal: although the platform is multi-tenant, each customer's persistence components are logically isolated from every other tenant's. On contract termination the customer's data is deleted in full, and the cloud provider sanitizes the underlying physical disks before they are reused. |
Processing Integrity
Ensures that system processing is complete, valid, accurate, timely, and authorized.
| SOC 2 Criteria (TSC) | ISO 27001:2022 Clauses / Controls | Qwil Messenger implementation |
| --- | --- | --- |
| CC8.1 (change management and security testing) | A.8.25 (Secure development life cycle); A.8.29 (Security testing in development and acceptance) | Secure SDLC: Agile development in which security specialists validate requirements before each sprint. A test-driven continuous integration (CI) workflow is backed by comprehensive automated acceptance testing. |
| CC8.1, PI1.1 (system release authorizations and definitions) | A.8.32 (Change management); A.8.19 (Installation of software on operational systems) | Deployment Integrity: a proprietary toolkit manages automated blue-green releases. Deployment versions and service definitions are recorded in relational databases so that releases driven through Jenkins are repeatable and auditable. |
| PI1.2, CC7.2 (system input validation and threat detection) | A.8.7 (Protection against malware); A.8.13 (Information backup); A.8.16 (Monitoring activities) | Input Validation: an antivirus engine scans every file exchanged through the platform for malware and trojans. Administrators can restrict attachments to an allow-list of permitted file types and block password-protected files, which cannot be scanned. |
Availability
Ensures systems remain operational and resilient against disruptions, fulfilling service level agreements.
| SOC 2 Criteria (TSC) | ISO 27001:2022 Clauses / Controls | Qwil Messenger implementation |
| --- | --- | --- |
| A1.1 (infrastructure maintenance and capacity management) | A.8.14 (Redundancy of information processing facilities) | High Availability: all infrastructure components (servers, databases, caches, queues) are fully redundant and load-balanced across multiple physical data centers. |
| A1.2, A1.3 (data backup, disaster recovery and continuity) | Clause 8.1 (Operational planning and control); A.5.29 (Information security during disruption); A.8.13 (Information backup) | Disaster Recovery: the distributed cloud topology replicates data continuously across separate physical availability zones. Clustered databases fail over automatically, and snapshot backups are taken daily. |
| CC7.1, CC7.2 (threat detection and boundary mitigation) | A.8.20 (Networks security) | DDoS Protection: a hybrid of managed and non-managed cloud edge services protects regional endpoints against volumetric and application-layer DDoS attacks. |
Privacy
Addresses the ethical handling, location limits, and processing of personal data (PII).
| SOC 2 Criteria (TSC) | ISO 27001:2022 Clauses / Controls | Qwil Messenger implementation |
| --- | --- | --- |
| P1.1, P3.1 (privacy notice and collection limits) | Clause 4.2 (Understanding the needs and expectations of interested parties); A.5.34 (Privacy and protection of PII) | Data Sovereignty: the cloud-native architecture lets Qwil deploy an organization's tenancy in almost any chosen country or cloud region, so that data residency requirements under local privacy law (e.g., GDPR) can be met. |
| P4.1, P4.2 (use, retention and access constraints) | A.5.34 (Privacy and protection of PII); A.5.36 (Compliance with policies, rules and standards for information security) | Data Ownership: conversation data and metadata remain the exclusive property of the customer organization. Qwil personnel cannot view customer data except in documented support scenarios approved by the customer. |
| CC2.1, P4.3 (accountability and data erasure) | A.8.15 (Logging); A.8.17 (Clock synchronization) | Immutable Record & Erasure: end users cannot delete chat history or alter logs, so the record is preserved for compliance purposes. Data can still be purged at the organizational level to satisfy corporate retention schedules or right-to-be-forgotten requests. |
By adhering to the ISO 27001 standard, NPT ensures that Qwil Messenger operates within a strictly monitored, highly restricted, and continuously audited environment.
If you require our detailed Statement of Applicability, policies and procedures or a copy of our current ISO 27001 certificate, please reach out to our security team at security@qwilmessenger.com
Laurent Guyot
CEO
Network Platform Technologies (trading as Qwil Messenger)