
ISMS Scope

Document ID: ISO-001
Document owner: Jan Marc Castlunger (ISO)
Classification: Confidential
Version: 1.0
Approved: March 2026
Next review: March 2027
Framework: ISO 27001 (4.1, 4.2, 4.3)


1. Organisation

Field                | Detail
Legal entity         | CTW Data Solutions GmbH
Trade name / Product | Quick-ID (quick-id.com)
Registered office    | Germany
CEO / ISO            | Jan Marc Castlunger
CTO / DPO            | Sebastian Windeck
Employees            | 4-10
Industry             | Identity verification technology / SaaS
Customers            | 50+ active API customers globally

2. Context of the Organisation (Clause 4.1)

2.1 External Issues

Category         | Issue                                                                                          | Impact on ISMS
Regulatory       | GDPR / DSGVO — stringent data protection requirements for EU personal data processing          | Mandatory DPA compliance, 72h breach notification, DPO appointment, Art. 30 register
Regulatory       | BDSG — German federal data protection law supplementing GDPR                                   | Additional requirements for employee data and DPO obligations
Regulatory       | EU AI Act (Regulation 2024/1689) — AI systems regulation entering force 2025-2027              | Quick-ID's document verification involves automated decision-support; classification assessment required (see Legal Register)
Regulatory       | eIDAS 2.0 — EU digital identity framework                                                      | Future opportunity; may require additional compliance for EU Digital Identity Wallet integration
Market           | Enterprise customers increasingly require ISO 27001 + SOC 2 as procurement prerequisites       | Direct driver for ISMS certification; competitive differentiation
Market           | Identity verification market is highly competitive with well-funded incumbents                 | Security posture and certifications are key differentiators
Technology       | Rapid evolution of AI/ML capabilities for document fraud                                       | Continuous need to update detection models and security controls
Technology       | Cloud provider dependency (Microsoft Azure)                                                    | Single cloud vendor risk; mitigated by Terraform IaC portability
Threat landscape | Rising sophistication of phishing, credential theft, and supply chain attacks                  | Continuous need for security awareness, MFA enforcement, and dependency scanning
Economic         | Startup/scale-up environment with limited budget                                               | Prioritisation of security investments; lean ISMS approach

2.2 Internal Issues

Category              | Issue                                                                  | Impact on ISMS
Organisation size     | Small team (4-10 employees)                                            | Limited segregation of duties; key person dependency; dual-role holders (CTO=DPO, CEO=ISO)
Work model            | 100% remote / distributed team                                         | No physical office to secure; BYOD policy required; reliance on cloud-based collaboration
Technical expertise   | Deep technical competence in core team (AI, cloud, security)           | Enables lean operations but creates key person risk if personnel leave
Key person dependency | Critical knowledge concentrated in CEO (Jan Marc) and CTO (Sebastian)  | Documented in risk register (R10); mitigated by runbook documentation
Culture               | Engineering-first, security-aware culture                              | Positive: team is receptive to security controls; challenge: formalising what was previously informal
Growth                | Scaling from startup to enterprise-ready SaaS                          | ISMS must scale with growth; processes need to work at 4 people and at 20+
Infrastructure        | Cloud-native, IaC-managed (Terraform), containerised (AKS)             | Enables reproducible environments and auditable infrastructure changes
Data sensitivity      | Processing government-issued ID documents (passports, ID cards)        | Highest data sensitivity category; in-memory-only processing is a key control

3. Scope Statement

The Information Security Management System (ISMS) of CTW Data Solutions GmbH covers:

All information assets, processes, personnel, and systems involved in the development, operation, delivery, and support of the Quick-ID document verification and OCR SDK platform.

This includes the entirety of CTW Data Solutions GmbH operations.


4. Inclusions

Area                 | Description
Software development | Design, coding, testing, and deployment of the Quick-ID API and SDK
Cloud infrastructure | Microsoft Azure Germany West Central (Frankfurt) — AKS (Kubernetes), Key Vault, Monitor; additional EU regions for non-DACH customers
API management       | Customer API key provisioning, authentication, rate limiting, and access control
Data processing      | Transient in-memory processing of government ID images and OCR extraction; consent-based error image storage (max 7 days via email)
Employee operations  | HR, access management, training, and security awareness
Supplier management  | Third-party relationships with Azure, GitHub, and Google Workspace
Customer support     | Technical support and incident communication
Compliance           | GDPR/DSGVO, contractual obligations, and regulatory requirements

5. Exclusions

Exclusion                       | Justification
Physical data centre operations | CTW operates as cloud-only (Microsoft Azure); no on-premise infrastructure
Physical security perimeters    | No dedicated office facility; employees work remotely or from co-working spaces
Manufacturing or production     | Software-only business; no physical goods

6. Interfaces and Dependencies

Interface                     | Direction | Description
API customers                 | Outbound  | Quick-ID API serves document verification requests globally
Microsoft Azure               | Outbound  | Primary cloud infrastructure provider
GitHub                        | Outbound  | Source code management, CI/CD pipelines
Google Workspace              | Outbound  | Internal communication, HR data, documentation
Regulatory authorities (BfDI) | Outbound  | GDPR breach notification and compliance reporting
Certification body            | Outbound  | ISO 27001 audit and certification

7. Applicable Standards and Regulations

Standard / Regulation | Applicability
ISO/IEC 27001:2022    | Full compliance — certification target September 2026
SOC 2 Type II         | Compliance planned — readiness target Q4 2026
GDPR / DSGVO          | Mandatory — processing personal data of EU residents
BDSG                  | Mandatory — German federal data protection law
EU AI Act (2024/1689) | Applicable — Quick-ID uses AI for document verification; risk classification assessment required
eIDAS 2.0             | Future — for EU digital identity market expansion
TTDSG                 | Applicable — German telemedia data protection (cookie consent, telecommunications privacy)

8. Interested Parties (Clause 4.2)

Party                             | Expectations
API customers                     | Secure, reliable API; data protection; compliance certifications
Employees                         | Secure working environment; clear policies; training
Regulators (BfDI)                 | GDPR compliance; breach notification; accountability
Certification body                | Conformity with ISO 27001:2022 requirements
Shareholders / Management         | Business continuity; reputation protection; market access
Suppliers (Azure, GitHub, Google) | Contractual compliance; responsible use of services

9. Review

The ISMS scope is reviewed annually or when significant changes occur to:

  • Business operations or services
  • Organisational structure
  • Technology infrastructure
  • Legal or regulatory requirements
  • Interested party expectations

Approved by: Jan Marc Castlunger, CEO / Information Security Officer, CTW Data Solutions GmbH
Date: March 2026