Trust & Security

Security and privacy are foundational to every product we build. We hold ISO 27001:2022 certification and are fully aligned with GDPR requirements, so your customer data never leaves the EU without an appropriate legal basis.

This page documents our security programme, compliance posture, and how to reach us for due-diligence requests, with no gatekeeping.

How we align

Compliance: Certifications & Standards

Independent third-party audits and certifications validate our security programme against internationally recognised frameworks.

Certified
ISO 27001:2022

Scope

Development, operation, and maintenance of a software platform for flexibility aggregation and energy asset management, including firmware development for IoT devices.

Certifying body

TAYLLORCOX GCS

Certificate no.

2604301360

Valid until

April 29, 2029

Compliant
GDPR

Delta Green processes personal data lawfully under GDPR.

We maintain a Records of Processing Activities register, a Data Subject Requests Log, an up-to-date list of sub-processors, and other GDPR-required records.

These records, along with details of our security and processing practices, are available to current and prospective customers on request.

Not in scope
NZKB / NIS2

Delta Green is classified as an SME under the Czech cybersecurity law administered by NÚKiB and is therefore outside the scope of NIS2 and its regulated-entity obligations.

Despite not being a regulated entity, our security programme is voluntarily aligned with NZKB/NIS2 requirements as part of our ISO 27001 implementation, and we monitor regulatory changes on an ongoing basis.

How we operate

Security Practices

Our ISO 27001:2022-aligned ISMS covers the full lifecycle of information security.
Below is a high-level overview of key control areas.

Encryption

All data in transit is protected by TLS 1.2 or higher. Data at rest is encrypted using AES-256. Encryption keys are managed through a dedicated key management service. Passwords are hashed using Argon2 and never stored in plain text.

Access Control & MFA

Role-based access control limits data access to personnel with a documented business need. Our access management policy requires multi-factor authentication for internal systems and production environments where technically supported.

Vulnerability Management

We conduct annual penetration testing by an independent third party and perform continuous automated scanning. Findings are tracked against documented SLAs based on severity.

Incident Response

A documented incident response plan is tested at least annually. Customers are notified of security incidents affecting their data within the timelines specified in our agreements and applicable law.

Business Continuity & DR

Our services are designed for high availability with documented recovery time and recovery point objectives. Backup and restoration procedures are tested regularly.

Secure Development

Security requirements are embedded in our SDLC. Code changes undergo peer review, and we run automated SAST/dependency-audit checks in our CI pipeline before every deployment.

Employee Security Training

All employees complete security awareness training upon hire and annually thereafter. Personnel with access to sensitive systems receive role-specific training.

Third-Party Risk

Vendors and sub-processors are assessed before onboarding and reviewed periodically. We maintain a public sub-processor list and notify customers of material changes.

Data Protection

Privacy & GDPR

We are committed to transparent, lawful processing of personal data.

Key Documents
Data Protection Contact

For privacy-related requests, right-to-erasure or any GDPR question, reach our data protection contact directly.

International data transfers
Primary hosting

EU/EEA (Google Cloud Platform, Frankfurt)

Sub-processors outside EEA

Covered by Standard Contractual Clauses (SCCs) per Art. 46(2)(c) GDPR

Adequacy decisions

Applied where available (e.g. transfers to countries with EU adequacy decisions)

Commitments

Incident Notification

In the event of a security incident affecting the confidentiality, integrity, or availability of your data, we are committed to transparent and timely communication.

Processor notification

As a data processor, we notify affected customers (controllers) without undue delay upon becoming aware of a personal data breach — enabling them to meet their own obligations, including the 72-hour reporting window to supervisory authorities under GDPR Art. 33.

Post-incident review

We share a post-incident report with affected customers upon request, including root cause analysis and remediation steps.

Transparency

Security Documentation

All security and compliance documents are shared with confirmed prospects and customers. Submit a request and we'll follow up within 1–2 business days.

Security documents
ISO 27001:2022 Certificate

Certification scope, issuing body, and validity period.

Penetration Test 2026 – Executive Summary

Executive summary from our annual third-party penetration test including scope, methodology, and key findings.

Information Security Policy

Our top-level information security policy covering governance, responsibilities, and control objectives.

Sub-processor List

Full list of third-party sub-processors, data categories processed, locations, and transfer mechanisms.

Security contact

Responsible Disclosure

We don’t operate a formal bug bounty programme or allow unsolicited penetration testing at this time. However, if you come across a potential security issue in any of our products or services, we want to hear about it. Please reach out privately so we can investigate and address it.

Report a vulnerability

Found something?

Use our guided report form to tell us what you found, where it happens, and how to reproduce it. We take every report seriously.

Or email us directly at

Delta Green Ltd.

VAT ID: CZ02406233
Opletalova 1603/57,

110 00 Prague 1

Registered in the Commercial Register kept by the City Court in Prague, Section C, Insert 219030.

info@deltagreen.energy

ISO/IEC 27001 certified - Delta Green operates under a certified information security management system. Your data and your customers' data are protected to international standards.

© 2026 Delta Green
