> ## Documentation Index
> Fetch the complete documentation index at: https://learn.nextedy.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Compliance and Assessments

> Security assessments, certifications, and regulatory relevance for Nextedy products.

export const LastReviewed = ({date}) => {
  if (!date) return null;
  const formatted = new Date(`${date}T00:00:00Z`).toLocaleDateString("en-US", {
    year: "numeric",
    month: "long",
    day: "numeric",
    timeZone: "UTC"
  });
  return <p className="mt-10 text-sm text-gray-400 dark:text-zinc-500 not-prose">
      Last reviewed on {formatted}
    </p>;
};

## Security Assessments

Nextedy products have undergone the following security evaluations:

### Siemens IT Security Review

Nextedy products are approved for deployment on Polarion X (Siemens-managed SaaS). The Siemens IT security review evaluated the product architecture, data handling, and third-party dependencies before granting clearance.

### Cybersecurity Governance Assessment (CGAQ)

Nextedy has completed the Siemens Cybersecurity Governance Assessment Questionnaire, which covers organizational security practices, development processes, incident response capabilities, and supply chain management.

### Threat and Risk Analysis

A formal Threat and Risk Analysis identified potential attack vectors and defined over 40 security controls. These controls address areas including input validation, access control enforcement, session management, and dependency security.

### Static Analysis and Dependency Scanning

| Assessment                          | Tool            | Result                          |
| ----------------------------------- | --------------- | ------------------------------- |
| Static Application Security Testing | SonarQube       | 0 critical issues               |
| Open-source vulnerability scanning  | Snyk            | 0 high/critical vulnerabilities |
| Functional test coverage            | Automated suite | 98% pass rate                   |

These scans run continuously as part of the development pipeline. Results are reviewed before each release.

## Why No Independent ISO 27001 or SOC 2?

Nextedy products run entirely within the Polarion platform. They do not operate independent infrastructure, manage their own data stores, or provide standalone network services. The security boundaries that ISO 27001 and SOC 2 typically assess (data centers, network controls, access management systems, backup infrastructure) are all provided by the Polarion platform.

For on-premise deployments, the customer's own ISO 27001 or SOC 2 certification covers the infrastructure. For Polarion X, Siemens maintains the relevant certifications for the managed platform.

Nextedy's security assurance is demonstrated through the Siemens security review, CGAQ, threat analysis, and continuous code-level scanning described above.

## Industry Relevance

Nextedy products are used by teams working under stringent regulatory frameworks. The product security model supports compliance with:

| Standard            | Domain                         | How Nextedy Supports It                                                            |
| ------------------- | ------------------------------ | ---------------------------------------------------------------------------------- |
| ISO 26262           | Automotive functional safety   | FMEA and HARA workflows in Risksheet maintain full audit trail in Polarion         |
| DO-178C / ARP 4754A | Aerospace software and systems | Requirements traceability and risk analysis with versioned artifacts               |
| IEC 62304           | Medical device software        | Risk management and traceability matrices stored in validated Polarion environment |
| ISO/SAE 21434       | Automotive cybersecurity       | TARA workflows for threat analysis and risk assessment                             |
| IEC 61508           | Industrial functional safety   | Hazard analysis and safety integrity level tracking                                |

In all cases, the compliance evidence (versioned documents, audit trails, approval records) is stored in Polarion and benefits from the platform's validation and electronic signature capabilities.

<Info>
  Nextedy can provide security documentation packages on request, including the Threat and Risk Analysis summary, SBOM, and assessment results. Contact [security-alerts@nextedy.com](mailto:security-alerts@nextedy.com) for details.
</Info>

<LastReviewed date="2026-07-08" />
