ISO/IEC 27001:2022 — Recertified Jan 2026

Trust is built
on transparency.

Dynapps digitalises business processes in Odoo for hundreds of customers across Europe. This Trust Center is a single, living source for everything our customers, prospects, partners, and auditors need to know about how we handle, host, and protect data — including our certifications, sub-processors, and the EU Data Act exit register.

Group scope:  Belgium & Netherlands Certified:  ISO/IEC 27001:2022 Data residency:  EU only Last updated:  May 2026
01 / Scope

Group entities covered by this Trust Center

The Dynapps Group operates a single, harmonised Information Security Management System (ISMS). Belgium and the Netherlands are in scope today; future entities will be added as they join the certified perimeter.

Belgium

Dynapps NV

Antwerpseweg 1, 2440 Geel, Belgium

Reg. nr.: BE 0830.629.113

ISO/IEC 27001:2022 certified

The Netherlands

Dynapps Nederland

Capelle aan den IJssel & Oisterwijk

Reg. nr.: Group entity

Aligned with the Dynapps NV ISMS

02 / Certifications

ISO/IEC 27001:2022 — certified

Our Information Security Management System is independently certified by Brand Compliance, an RvA-accredited certification body. The most recent recertification audit (January 2026) closed with zero non-conformities.

Information Security Management System

Certified for the implementation, development, hosting and support of Odoo-based ERP, CRM, HRM and e-commerce solutions.

Standard
ISO/IEC 27001:2022
Certificate number
NL 2767.1.1
Issued by
Brand Compliance B.V. (RvA C548)
Last audit
Recertification — Jan 27, 2026
Cycle
3-year (2026 – 2029)
Non-conformities
0 NCs · 9 OFIs
Download the certificate (PDF) Request the Statement of Applicability

What's in scope

The full Dynapps service portfolio: implementation, development, integration, maintenance, support, and hosting of Odoo solutions.

How it's audited

Annual surveillance audits during the cycle, plus continuous internal audits and management reviews. Pen-tests and vulnerability scans run regularly.

Adjacent compliance

NIS2 self-assessment completed; GDPR programme run by our Protection Officer; EU Data Act (Art. 25) exit register published.

03 / Security

How we protect customer data

Our ISMS is built around the CIA triad — Confidentiality, Integrity, Availability — and structured per ISO/IEC 27001:2022 Annex A. Below is a public summary; deeper detail is shared under NDA on request.

Encryption

TLS 1.2+ in transit. AES-256 at rest for hosted environments and backups. Per-customer database isolation; no shared data tables.

Access control

Mandatory MFA, SSO-backed identities, role-based access, and the principle of least privilege. Joiner-Mover-Leaver process tied to HR onboarding/offboarding.

Monitoring & response

Centralised logging via Datadog, intrusion alerts, weekly automated vulnerability scans, regular penetration testing, and a 24/7 security on-call.

Backups & resilience

Encrypted, geographically separate backups with defined RPO/RTO targets per service. Tested restore procedures and an annual DR exercise.

Policies & processes

Information Security Policy, Acceptable Use Policy, supplier policy, change management, secure development, hardware disposal — all approved by management and reviewed annually.

People & awareness

Background-checked hires, signed confidentiality agreements, mandatory annual security training, monthly phishing simulations, and a clear disciplinary process.

04 / Hosting & infrastructure

Where your data lives

Customer Odoo environments run on one of three EU-based, ISO 27001-certified hosting platforms. Customer data is processed and stored exclusively within the European Union.

Dyncloud (Combell)

Our primary managed hosting platform. Operated by Combell NV, ISO/IEC 27001 certified, with datacentres in Belgium (EU). Backups for Dyncloud environments stay entirely within the Combell landscape — they are never offloaded to any other cloud provider.

DeltaBlue

Our alternative managed hosting platform, operated by DeltaBlue NV. ISO/IEC 27001 certified, with datacentres in Belgium (EU). Used where DeltaBlue's stack is a better fit for the customer's workload.

Odoo.sh

Customers may also choose to run on Odoo's own SaaS platform. In that case Odoo SA is the hosting provider under the customer's direct contract; this Trust Center applies only to the implementation, development, and support services Dynapps delivers around it.

i

EU-only data residency. Whichever platform you choose, your Odoo data — including backups — is stored exclusively within the European Union. Where a peripheral sub-processor relies on infrastructure outside the EU/EEA, transfers are protected by EU Standard Contractual Clauses and GDPR Chapter V safeguards. The complete sub-processor list is below.

05 / DPA & Sub-processors

Authorised sub-processors

This is the canonical sub-processor register referenced by clause 5.6 of the Dynapps Framework Agreement. Customers will be notified of additions or replacements with a 14-day right to object, as set out in the agreement.

Sub-processor Purpose of processing Location Data categories Certifications DPA
Combell NV Customer Odoo environment hosting (BE) Belgium (EU) All customer Odoo data, attachments, backups ISO/IEC 27001 View DPA →
DeltaBlue NV Customer Odoo environment hosting (BE) Belgium (EU) All customer Odoo data, attachments, backups ISO/IEC 27001 View DPA →
Microsoft 365 Email, collaboration, file storage EU Customer-related correspondence, shared documents ISO/IEC 27001, SOC 2 View DPA →
Atlassian (Jira / Confluence) Project management, documentation, support tickets EU Customer project information, support tickets, contact data ISO/IEC 27001, SOC 2 View DPA →
GitHub Source code repositories EU/US (SCCs) Custom Odoo module code (no customer PII) ISO/IEC 27001, SOC 2 View DPA →
Slack Internal team communication EU Limited customer references in internal channels ISO/IEC 27001, SOC 2 View DPA →
Datadog Infrastructure observability EU Aggregated platform telemetry ISO/IEC 27001, SOC 2 View DPA →
Anthropic (Claude) AI assistance under enterprise contract — no training on Dynapps or customer data EU/US (SCCs) Limited prompts initiated by Dynapps personnel ISO/IEC 27001, SOC 2 View DPA →
Jamie AI Meeting transcription (workshops, customer calls — only with explicit consent) EU Meeting audio and transcripts ISO/IEC 27001 View DPA →
!

Suppliers that exclusively process Dynapps employee data (payroll, leasing, insurance) are deliberately excluded from this list, because they are not sub-processors of customer data. They are tracked separately in the internal supplier register and audited annually as part of our ISMS.

06 / EU Data Act

The Dynapps Exit Register

Published pursuant to Article 25 of Regulation (EU) 2023/2854 (the EU Data Act). This register applies to clients whose Odoo environment is hosted by Dynapps through Combell NV or DeltaBlue NV. It does not apply to clients on Odoo's own SaaS platform or to clients hosting on their own infrastructure.

1 What you can export

Three complete deliverables, sufficient to fully restore your environment with another Odoo hosting provider:

  • Full database dump — PostgreSQL pg_dump of the entire Odoo schema, restorable on any equivalent Odoo version.
  • File attachments archive — ZIP archive of the Odoo filestore directory containing every uploaded document and attachment.
  • Customer source code — the custom Odoo modules developed for your environment that are owned by or independently licensed to you, delivered as a Git repository or archive.

2 Indicative data categories

  • Customer & contact data
  • Sales & purchase records
  • Invoices & accounting data
  • Inventory & stock data
  • Project, timesheet & HR data
  • Configuration & master data
  • Custom Odoo module code (where independently licensed)
  • Uploaded documents & attachments
  • Application-level audit & activity logs

3 What is exempt

For trade-secret, security, or technical reasons, the export does not include hosting-infrastructure assets:

  • Server, network & firewall configuration
  • Hosting-provider credentials, API keys, encryption keys, TLS certificates
  • Internal monitoring, intrusion-detection, & performance logs
  • Dynapps-proprietary modules (e.g. Rental, LIMS) and DevOps tooling
  • Multi-tenant shared configuration
  • Backup/snapshot scheduling metadata

4 How to switch

  • Send a written switching request to your point of contact at Dynapps — typically your project manager, account manager, or support contact.
  • Dynapps will agree a switching plan with you and deliver the export.
  • Delivery: within 30 calendar days of the acknowledged request.
30 days — guaranteed switching delivery

Register version 1.0 — April 2026. Updated whenever export methods or hosting infrastructure change.

08 / Contact & document requests

Need more?

For audit packs, the full Statement of Applicability, signed DPAs, security questionnaires, or any other due-diligence material — get in touch and we'll respond within two business days.

Security & trust

For document requests, vendor due diligence, security questionnaires, and general trust-center enquiries.

Security Officer: Eric Lembregts
Phone: +32 472 88 46 13

Data protection & switching

For GDPR data-subject requests, Data Processing Agreement enquiries, breach notifications, and EU Data Act switching requests.

Postal: Antwerpseweg 1, 2440 Geel, Belgium
VAT: BE 0830.629.113