Factsheet Security
Version 1.8 – 3 February 2026
General
General principles of Lefebvre Sdu’s security policy:
- Information security is an important area of focus within Lefebvre Sdu;
- Day-to-day responsibility lies with the Chief Information Security Officer (CISO);
- Lefebvre Sdu has a general security policy, which is elaborated for various areas, including Disaster Recovery;
- There is a procedure for handling and recording security incidents. Incidents are evaluated and investigated to determine the root cause;
- Lefebvre Sdu is certified under the NIS2 Quality Mark at level QM30 (High). In addition, Lefebvre Sdu operates in accordance with the principles of ISO 27001. Formal certification is planned for mid-2026.
Lefebvre Sdu Employees:
- Work in a secured environment;
- Are aware of their responsibilities in the field of information security, supported by a security awareness programme;
- Are knowledgeable in their own domain and, where necessary, in the field of information security;
- Both internal and external staff are bound by a confidentiality clause as laid down in their employment contracts. A similar clause is included in contracts with third parties that have access to our systems.
Lefebvre Sdu’s physical and logical access policy includes:
- Electronic access control for the building and floors; all visitors are registered;
- An authorisation matrix covering all employees;
- Role-based access to data, structured according to the principles of “need-to-know” and “least privilege”;
- Requirements regarding password usage;
- All employees use Multi-Factor Authentication (MFA).
Other General Security Measures
- All Lefebvre Sdu applications are registered in an Asset Management Database;
- All laptops and employees are registered in Microsoft Active Directory;
- For endpoint security, an XDR application is used on all devices. This application provides extended detection and response capabilities;
- Lefebvre Sdu uses a Security Operations Center (SOC) provided by its French parent company, Lefebvre Sarrut;
- All applications and websites are monitored for availability.
DevOps system development within Lefebvre Sdu has the following characteristics:
- We follow an Agile and DevOps approach, in which development and operations collaborate closely and software is tested, deployed and monitored in short cycles;
- Our platform runs on Amazon AWS, with data storage exclusively within the European Union;
- There are separate environments for development, testing and acceptance (DTA) and production (P);
- In these environments, all data is stored in encrypted form;
- Standard development guidelines apply, including OWASP guidelines;
- Specific development guidelines are centrally enforced, such as AWS configuration, use of tools, and the set-up of logging and audit trails for applications;
- Vulnerability scans and monitoring are used to stay up to date with software updates;
- No customer data is used for testing.
GenIA-L | Rechtsorde is a web-based application that connects to multiple APIs. The Lefebvre Sdu platform through which the services are provided has the following characteristics:
- Hosted in the European Union;
- Implemented as container images in Kubernetes;
- Infrastructure managed as code via GitOps;
- Source code hosted on GitHub;
- Automated builds and deployments using GitHub Actions;
- Authorisation via OIDC (OpenID Connect);
- APIs are secured using a JWT bearer token.
GenIA-L | Rechtsorde is part of Rechtsorde and adds generative AI functionality with the following characteristics:
- As an AI system, GenIA-L | Rechtsorde falls within the scope of the AI Act;
- It does not qualify as an AI system with unacceptable risk or as high-risk AI;
- Transparency obligations apply to the chat functionality that uses generative AI;
- Lefebvre Sdu does not offer general-purpose AI (GPAI) within the meaning of the AI Act;
- GenIA-L | Rechtsorde is intended for conducting legal and tax research;
- OpenAI Large Language Models (LLMs) are used;
- The LLMs are hosted on Microsoft Azure OpenAI within the European Union;
- Microsoft Azure does not share data with OpenAI;
- Microsoft Azure does not train on received or generated data and does not use it to improve Microsoft products;
- The data processed by Microsoft Azure consists only of the submitted search query, which cannot be traced back to an individual user, combined with relevant Lefebvre Sdu content and, where applicable, third-party content.