Part 1: Security & NC3 Compliance

PSI-LU, GOVCERT.LU, vulnerability management, encryption, incident response

Q1 Describe your vulnerability management program, including tools, frequency of scans, and remediation timelines.
PSI-LU Compliant NC3 Aligned

Our vulnerability management program implements continuous automated scanning using industry-standard tools integrated into our CI/CD pipeline:

  • Tools: OWASP ZAP, Snyk, npm audit
  • Frequency: Every code commit triggers dependency vulnerability checks against the National Vulnerability Database
  • Penetration Testing: Quarterly by independent certified testers

Remediation Timelines (CVSS v4 scoring):

Severity | CVSS Score | Remediation
---------|------------|------------
Critical | ≥ 9.0      | 24 hours
High     | 7.0-8.9    | 7 days
Medium   | 4.0-6.9    | 30 days
Low      | < 4.0      | 90 days

Results documented in Security Register, available for GOVCERT.LU audit. Coordinated Vulnerability Disclosure policy aligned with NC3 guidelines.

Q2 How does your Next.js/Payload CMS stack handle known framework vulnerabilities?

Next.js and Payload CMS are actively maintained open-source projects with transparent security advisories:

  • Subscribed to security bulletins from Vercel (Next.js) and Payload CMS GitHub
  • package-lock.json ensures reproducible builds
  • Dependabot automatically creates PRs for security patches
  • Payload CMS 3.x TypeScript-first architecture eliminates vulnerability classes:
    • SQL injection prevented through Drizzle ORM parameterized queries
    • XSS prevented through React's automatic escaping
  • Weekly npm audit with zero tolerance for high/critical findings in production

Q3 Define your patching policy for operating systems, frameworks, and dependencies.
ISO 27001 A.12.6.1

Category                             | Timeline    | Process
-------------------------------------|-------------|------------------------------------------
Critical security (zero-day)         | 24-48 hours | Emergency change procedure
OS security updates                  | 7 days      | Staged rollout: dev→staging→production
Framework updates (Next.js, Node.js) | 14 days     | Full regression testing
Non-security dependencies            | 30 days     | Monthly maintenance window

All patches tested in isolated staging environment mirroring production. Dedicated patch management log compliant with ISO 27001, available for ANSSI review.

Q4 Describe authentication mechanisms for administrators and end-users, including 2FA implementation.
PSI-LU Compliant eIDAS Ready

Administrator Access (Payload CMS admin panel):

  • Mandatory TOTP-based 2FA (RFC 6238) compatible with Google Authenticator, Authy, Microsoft Authenticator
  • QR code setup for easy onboarding
  • Session timeout: 15 minutes idle, 8 hours maximum
  • IP allowlisting for admin panel access (optional)
  • Failed login lockout after 5 attempts with exponential backoff
  • All admin actions logged with immutable audit trail

End-User Access (BusinessTransfer.lu users):

  • LuxTrust Mobile integration as primary authentication (eIDAS-compliant QES capability)
  • GouvID support for Luxembourg electronic identity card authentication
  • eIDAS cross-border support for EU citizens with national eID
  • Fallback: email/password with optional TOTP 2FA for users without LuxTrust

Note: LuxTrust integration requires signing a contract with LuxTrust S.A. - we will assist in the onboarding process.

Q5 How will you integrate with LuxTrust and Luxembourg national authentication systems?

We implement LuxTrust integration via the official SAML 2.0 and OpenID Connect (OIDC) protocols, following eIDAS Regulation (EU) No. 910/2014:

  • LuxTrust Mobile authentication with QES (Qualified Electronic Signature)
  • eID card authentication via LuxTrust middleware
  • GouvID mobile authentication for PC/tablet sessions
  • Token lifecycle management respecting LuxTrust certificate validity periods

Security: only a hashed reference to the authenticated user (a hash of the matricule) is stored in PostgreSQL; raw credentials are never stored. Session tokens are RS256-signed JWTs with a 1-hour expiry, delivered in secure HttpOnly cookies.

Q6 Describe your logging infrastructure, log retention policies, and SIEM capabilities.
PSI-LU Chapter 8 NCSS IV

Log Categories Captured:

  • Security events: Authentication attempts, authorization failures, privilege escalations
  • Administrative actions: All CRUD operations with actor identification
  • User activity: Listing creation, contact exchanges, profile modifications
  • System events: Application errors, performance metrics, infrastructure health

Technical Implementation:

  • Structured JSON logging with correlation IDs
  • PostgreSQL audit tables with updated_by, created_at timestamps
  • Tamper-evident storage
  • Retention: Security logs 5 years (CNPD aligned), operational logs 1 year

SIEM Readiness:

  • CEF (Common Event Format) export for government SIEM integration
  • Real-time alerting on suspicious patterns
  • Log format compliant with NCSS IV requirements

Q8 Specify encryption standards for data at rest and in transit.

Data in Transit:

  • TLS 1.3 required to be offered; TLS 1.2 is the minimum accepted version, with forward-secrecy cipher suites only
  • HSTS enforced with 2-year max-age
  • Certificate: ECDSA P-384 or RSA 4096-bit from EU-qualified CA
  • Perfect Forward Secrecy using ECDHE
  • OCSP stapling enabled

Data at Rest (PostgreSQL):

  • AES-256-GCM transparent data encryption
  • Application-layer encryption for sensitive fields using libsodium (XChaCha20-Poly1305)
  • Encryption keys stored in HSM or dedicated secrets manager
  • Key rotation: annual, immediate upon suspected compromise

Backup Encryption:

  • AES-256 with separate key from production
  • Backup keys in geographically separate location within Luxembourg

Q10 Describe your incident response plan, including notification timelines to GOVCERT.LU.
NCSS IV Framework NIS2 Ready

Phase 1 - Detection & Triage (0-4 hours):

  • Automated alerting triggers incident assessment
  • Severity classification: Critical, High, Medium, Low
  • Incident commander appointed

Phase 2 - Containment & Notification (4-24 hours):

  • GOVCERT.LU notified within 24 hours for Critical/High incidents (NIS2)
  • Evidence preservation initiated
  • Affected systems isolated if necessary

Phase 3 - Eradication & Recovery (24-72 hours):

  • Root cause analysis
  • System restoration from verified clean state

Phase 4 - Post-Incident (72+ hours):

  • Lessons learned documentation
  • Final report to GOVCERT.LU

GDPR: CNPD notified within 72 hours for personal data breaches (Article 33).

Part 2: Data Sovereignty & Infrastructure

Hosting, backups, GDPR, CNPD compliance, subprocessors

Q12 Specify exact hosting locations, including production, staging, and disaster recovery environments.
100% Luxembourg Tier IV Certified

All infrastructure hosted exclusively within Luxembourg:

Environment       | Provider        | Location        | Certification
------------------|-----------------|-----------------|--------------
Production        | LuxConnect S.A. | Bettembourg DC1 | Tier IV
Staging           | LuxConnect S.A. | Bettembourg DC1 | Tier IV
Disaster Recovery | LuxConnect S.A. | Bissen DC2      | Tier IV
Backups           | LuxConnect S.A. | Roost DC3       | Tier III+

Why LuxConnect:

  • Government preferred: Manages infrastructure for CTIE (Centre des Technologies de l'Information de l'État)
  • Tier IV certified: 99.995% uptime guarantee, fully redundant
  • 100% Luxembourg owned: State-backed company, no foreign shareholders
  • ISO 27001 certified for information security management
  • Green energy: 100% renewable energy powered

Legal jurisdiction: All hosting agreements subject exclusively to Luxembourg law, courts of Luxembourg City as exclusive venue. No data leaves Luxembourg territory at any point in processing, backup, or disaster recovery.

Q14 How does your PostgreSQL self-hosted architecture ensure data never leaves Luxembourg?

PostgreSQL runs on dedicated virtual machines within the Luxembourg datacenter, with strict controls:

  • Network isolation: Database servers on private VLAN with no public IP addresses
  • Firewall rules: Ingress allowed only from application servers within same datacenter
  • Connection encryption: SSL/TLS required for all database connections
  • No cloud-managed databases: We explicitly avoid AWS RDS, Azure SQL, Google Cloud SQL to prevent any data routing through non-Luxembourg infrastructure
  • Replication: PostgreSQL streaming replication to DR site uses encrypted private network links entirely within Luxembourg
  • Backup destination: pg_dump outputs encrypted and stored only on Luxembourg-based storage

Technical architecture diagram available demonstrating complete data flow containment.

Q15 Describe backup strategy, including locations, frequencies, and tested recovery procedures.

Backup Strategy (3-2-1-1 rule):

  • 3 copies of data (production + 2 backups)
  • 2 different media types (SSD production, HDD backup archive)
  • 1 offsite (within Luxembourg, different datacenter)
  • 1 immutable (write-once storage for ransomware protection)

Data Type        | Frequency              | Retention
-----------------|------------------------|----------
Full database    | Daily 02:00 CET        | 30 days
Incremental/WAL  | Continuous (streaming) | 7 days
Weekly archives  | Sunday 03:00 CET       | 12 months
Monthly archives | 1st of month           | 7 years

Recovery Testing:

  • Monthly automated restoration to test environment
  • Quarterly full DR failover exercise
  • RTO: 4 hours (production restoration)
  • RPO: 1 hour (maximum data loss)

Q17 How do you prevent vendor lock-in, and what is the exit strategy?

No Vendor Lock-in by Design:

  • Payload CMS: Open-source (MIT license), self-hosted, no SaaS dependency
  • Next.js: Open-source (MIT license), standard Node.js deployment
  • PostgreSQL: Open-source, industry-standard SQL
  • Local-First: Data sync based on open CRDTs, not proprietary services

Exit Strategy Documentation:

  1. Complete database schema export (pg_dump, SQL standard)
  2. All CMS content exportable as JSON/Markdown
  3. Media assets as standard files (no proprietary format)
  4. Full source code handover (TypeScript, documented)
  5. Infrastructure-as-Code (Terraform/Ansible)
  6. 30-day transition support included in contract

Data portability guarantee: Successor vendor can replicate complete system within 10 business days.

Q19 Confirm appointment of Data Protection Officer and describe data protection governance.
GDPR Article 37 CNPD Registered

DPO Appointment:

  • DPO appointed and contactable at dpo@[contractor].lu
  • DPO registered with CNPD as required
  • DPO independence guaranteed per Article 38
  • Annual data protection training for all team members

Data Protection Governance:

  • Privacy by Design implemented per Article 25
  • DPIA completed for BusinessTransfer.lu operations
  • ROPA maintained per Article 30
  • Data Subject Rights procedures documented

Q22 List all third-party services and subprocessors with data access.

Minimal subprocessor footprint by design:

Subprocessor                 | Service                  | Data Access              | Location
-----------------------------|--------------------------|--------------------------|----------------
LuxConnect S.A.              | Infrastructure / Hosting | Full (encrypted at rest) | Luxembourg
LuxTrust S.A.                | User Authentication      | Auth tokens only         | Luxembourg
POST Luxembourg / Mailjet EU | Transactional email      | Name, email address      | Luxembourg / EU

No US-based subprocessors. No data processing outside EU. Self-hosted analytics via Matomo (Luxembourg instance) or Plausible EU.

Part 3: Accessibility & Standards

RAWeb 1, WCAG 2.1 AA, Renow compliance, multilingual support

Q24 Demonstrate familiarity with Renow framework and compliance approach.
Renow Compliant 136 Criteria

Our development process fully integrates Renow methodology (renow.public.lu):

Renow Phases Adopted:

  1. Vision: Stakeholder alignment, strategic fit with government web ecosystem
  2. Information Architecture: Card sorting, user journey mapping, content audit
  3. Prototyping: Figma wireframes tested with real users
  4. Final Product: Accessibility built-in, not bolted-on

Quality Gates:

  • Design mockups: Accessibility review before development
  • Pre-launch: Full RAWeb audit by certified auditor
  • Post-launch: Each new feature audited before publication

Q26 Confirm target accessibility compliance level and testing methodology.

Compliance target: Full RAWeb 1 compliance (136 criteria), which includes and exceeds WCAG 2.1 Level AA.

Phase        | Testing Type          | Tools/Method
-------------|-----------------------|----------------------------------------
Development  | Automated             | axe-core, WAVE, Lighthouse CI
Integration  | Semi-automated        | Pa11y CI in deployment pipeline
Pre-launch   | Manual expert audit   | Third-party (Idéance, Atalan)
Post-launch  | Continuous monitoring | Automated weekly scans
User testing | Real users            | Screen reader users, mobility impaired

Screen readers tested: NVDA (Windows), VoiceOver (macOS/iOS), TalkBack (Android)

Browsers tested: Chrome, Firefox, Safari, Edge (2 most recent versions per Renow)

Q29 What is your remediation plan if post-launch audits identify accessibility issues?
Law of 28 May 2019

Issue Severity                        | Timeline         | Process
--------------------------------------|------------------|-------------------
Blocker (prevents task completion)    | 48 hours         | Emergency fix
Critical (major functionality impact) | 5 business days  | Priority sprint
Major (significant inconvenience)     | 15 business days | Scheduled fix
Minor (cosmetic, workaround exists)   | 30 business days | Maintenance window

Accessibility declaration: Updated within 5 business days of any compliance status change, listing non-accessible content with explanations per legal requirements.

Q30 Confirm multilingual support and implementation approach.

Full multilingual support per Luxembourg administrative language law (24 February 1984):

Languages Supported:

  1. French - Primary administrative language (default)
  2. German - Full translation
  3. Luxembourgish (Lëtzebuergesch) - Full translation
  4. English - Full translation (international business users)

Technical Implementation:

  • Next.js internationalized routing (App Router i18n)
  • Payload CMS localized fields for all content
  • URL structure: /fr/, /de/, /lb/, /en/
  • HTML lang attribute correctly set per page
  • hreflang meta tags for SEO

Part 4: Technical Architecture & Interoperability

NIF compliance, API design, performance SLAs, technology stack

Q33 Demonstrate alignment with the National Interoperability Framework (NIF) 48 recommendations.

NIF Principle        | Implementation
---------------------|------------------------------------------------------------
Openness             | Open-source stack (Next.js MIT, Payload MIT, PostgreSQL)
Transparency         | Open API specification, published data schemas
Reuse                | Component library shareable, API for ecosystem integration
Technical neutrality | Standard formats (JSON, REST), no proprietary dependencies
User-centred         | UX research-driven design, user testing throughout
Accessibility        | RAWeb compliance
Security/Privacy     | GDPR by design, encryption, audit trails
Multilingualism      | Four-language support

Interoperability layer: REST API with OpenAPI 3.0 enables future integration with MyGuichet.lu, Luxembourg Business Registers, and other government systems.

Q35 What are your committed SLA metrics for availability and performance?

Availability Commitment:

Metric                          | Target
--------------------------------|-------------------------------------------
Uptime                          | 99.9% (max ~8.7 hours downtime/year)
Planned maintenance             | Sunday 02:00-06:00 CET (excluded from SLA)
Unplanned downtime notification | Within 15 minutes

Performance Targets:

Metric                         | Target
-------------------------------|---------------------------
Time to First Byte (TTFB)      | < 200 ms (95th percentile)
Largest Contentful Paint (LCP) | < 2.5 s
First Input Delay (FID)        | < 100 ms
Cumulative Layout Shift (CLS)  | < 0.1
API response time              | < 500 ms (95th percentile)

Q37 Justify the selection of Next.js, Payload CMS, and PostgreSQL for this government project.

Next.js Selection:

  • Enterprise adoption: Used by governments worldwide (Netherlands, UK)
  • Security: Active security team at Vercel, rapid CVE response
  • Accessibility: Built-in a11y linting, React ecosystem tools
  • Performance: Static generation for government performance requirements

Payload CMS Selection:

  • Open-source: MIT license, no vendor lock-in
  • Self-hosted: Complete data sovereignty
  • TypeScript: Type-safe codebase reduces bugs
  • Active development: Regular releases, growing community

PostgreSQL Selection:

  • Government standard: Used by Luxembourg government systems
  • Mature: 25+ years production use, proven reliability
  • Compliance: Extensive audit logging capabilities

Local-First Architecture:

  • Offline capability for connectivity issues
  • Data sovereignty: processed locally before sync
  • Resilience: graceful degradation if server unavailable

Infrastructure & Third-Party Costs

Estimated annual costs for hosting, authentication, and services

COSTS What are the estimated infrastructure and third-party service costs?

Note: These are estimates based on market research. Final costs require direct quotes from providers.

1. Hosting - LuxConnect S.A. (Luxembourg)

Option                         | Specs                          | Est. Monthly | Est. Annual
-------------------------------|--------------------------------|--------------|--------------
Option A: Managed VPS          | 8 vCPU, 32 GB RAM, 500 GB NVMe | €200-350     | €2,400-4,200
Option B: Dedicated Server     | Xeon, 64 GB RAM, 1 TB NVMe     | €400-600     | €4,800-7,200
Option C: Half Rack Colocation | Own hardware, 3 kW power       | €800-1,200   | €9,600-14,400

Recommendation: Option A or B sufficient for initial launch. Contact: luxconnect.lu

2. LuxTrust Integration (Authentication)

Item                                 | Cost Type | Estimated Cost
-------------------------------------|-----------|-----------------
Integration Setup                    | One-time  | €5,000 - €15,000
Annual License/Subscription          | Per year  | €2,000 - €5,000
Per Authentication (if volume-based) | Per auth  | €0.05 - €0.15

Note: Pricing not public - requires direct contact with LuxTrust S.A. at questions@luxtrust.lu or +352 24 550 550

3. SMS for OTP Fallback (Twilio)

Destination | Cost per SMS    | 1,000 SMS/month | 5,000 SMS/month
------------|-----------------|-----------------|----------------
Luxembourg  | €0.068 ($0.074) | €68/month       | €340/month
EU Average  | €0.05-0.08      | €50-80/month    | €250-400/month

Alternative: POST Luxembourg SMS Gateway (contact for business rates)

4. Transactional Email (Mailjet EU)

Plan      | Emails/month | Monthly Cost
----------|--------------|-------------
Free      | 6,000        | €0
Essential | 15,000       | €16
Premium   | 50,000       | €25-50

GDPR compliant, EU-hosted. mailjet.com/pricing

5. Domain & SSL

Item                            | Annual Cost
--------------------------------|--------------------------------
Domain businesstransfer.lu      | €30-50 (via DNS.lu)
SSL Certificate (EV/OV)         | €100-300 (DigiCert, GlobalSign)
SSL Certificate (Let's Encrypt) | €0 (free, automated)

Total Estimated Annual Costs

Scenario                           | Annual Estimate
-----------------------------------|------------------
Minimum (VPS + basic services)     | €5,000 - €8,000
Recommended (Dedicated + LuxTrust) | €12,000 - €20,000
Enterprise (Full redundancy)       | €25,000 - €40,000

Note: these costs cover infrastructure only; they do not include development, maintenance, or support contracts.

Part 5: Project Management & Documentation

Methodology, QA process, deliverables

Q39 Describe your project methodology and quality assurance process.

Methodology: Agile/Scrum adapted for government requirements:

  • 2-week sprints with defined deliverables
  • Sprint reviews with government stakeholders
  • Definition of Done includes accessibility check, security review, documentation update
  • Change control board for scope changes

Quality Assurance:

  • Code review required for all changes (minimum 2 reviewers)
  • Automated testing: unit tests (>80% coverage), integration tests, E2E tests (Playwright)
  • Accessibility testing at each sprint
  • Security testing before each release
  • Performance regression testing

Q40 What documentation will you deliver?

Document                         | Content
---------------------------------|----------------------------------------------
Technical Architecture Document  | System design, data flows, integrations
API Specification                | OpenAPI 3.0 + interactive docs
Operations Manual                | Deployment, monitoring, troubleshooting
Security Documentation           | Controls, procedures, incident response
User Manual                      | End-user guide (multilingual)
Admin Manual                     | Payload CMS administration guide
Accessibility Conformance Report | RAWeb audit results + VPAT
Source Code                      | Fully commented, TypeScript
Infrastructure-as-Code           | Terraform/Ansible for reproducible deployment
Data Model                       | ERD + field-level documentation

All documentation in French with English technical appendices; delivered in editable formats (Markdown/DOCX).