ISMS Compliance
CyFun BasicProtect

PR.DS-3: Asset disposal

Assets are formally managed throughout removal, transfers, and disposition

PROTECT PR.DS-3

Requirement

Assets and media shall be disposed of safely.

Our Implementation

As a cloud-native organisation, there are no physical servers or storage media to dispose of — all infrastructure is managed by cloud providers who handle hardware lifecycle and disposal under their own security certifications.

For digital assets, customer data can be deleted on request within GDPR-mandated timeframes. Supabase supports data deletion at the row and project level. When cloud provider accounts or projects are decommissioned, data is deleted according to the provider's data retention and disposal policies.

Gaps / Planned improvements:

  • Formal data retention and disposal policy not yet documented (NEX-352)
  • No automated data lifecycle management — deletions are manual on request (NEX-352)

Partially Implemented
L1 — Initial
