ISO/IEC 27001:2022 CERTIFIED

Enterprise trust, engineered into every layer.

Develab delivers conversational AI with enterprise execution — secure, scalable, and intelligent. Our products and services operate under an Information Security Management System certified to ISO/IEC 27001:2022, so the platforms you build your business on are built on standards.

ISO/IEC 27001:2022 Certified ISMS (Information Security Management System)

  • Rideum — Hospitality Software
    Bleustay · Bleudine · Bleudash
  • FonderieX — AI Platform
    FonderieX · AgentFonderieX · OpsFonderieX
  • Software Development & IT Consulting Services
    Including supporting systems, assets & operational processes

  • 27001:2022: certified ISMS standard
  • 3 product & service lines in scope
  • 24×7 production monitoring
  • 3 regional offices: SG · MY · ID

Certifications & standards

Independent, accredited assurance that Develab operates a mature, risk-based information security program — verified through annual external audits.

ISO/IEC 27001:2022 (Information Security Management System)
  • Coverage: Certified ISMS implementing risk-based controls to protect the confidentiality, integrity, and availability of information across people, processes, and technology.
  • Develab scope: Rideum, FonderieX, Software Development & IT Consulting Services — including supporting systems, assets, and operational processes.
  • Status: Certified. Annual surveillance.

GDPR (EU data protection)
  • Coverage: EU data protection regulation governing lawful processing, data subject rights, and cross-border data transfer requirements.
  • Develab scope: Customer and personal data handled across all certified products and services.
  • Status: Security controls implemented under ISO/IEC 27001 to support GDPR-related security requirements and best-practice data protection principles.

PDPA (Singapore & Malaysia personal data laws)
  • Coverage: Personal data protection laws applicable to Develab Pte Ltd (SG) and Develab Sdn Bhd (MY), covering obligations such as consent, purpose limitation, and data protection safeguards.
  • Develab scope: Develab Pte Ltd (SG) and Develab Sdn Bhd (MY) operations.
  • Status: Security controls implemented under ISO/IEC 27001 to support applicable PDPA security requirements and data protection principles.

PDP Indonesia (UU No. 27/2022 – Personal Data Protection Law)
  • Coverage: Indonesia’s personal data protection law governing lawful processing, data subject rights, data controller obligations, and cross-border data transfer requirements.
  • Develab scope: PT Develab Mitra Indonesia (ID) operations.
  • Status: Security controls implemented under ISO/IEC 27001 to support PDP Indonesia security requirements and data protection principles.

APPI (Japan — Act on the Protection of Personal Information)
  • Coverage: Japan’s personal data protection framework governing handling, use, and cross-border transfer of personal information.
  • Develab scope: All operations involving Japanese personal information.
  • Status: Security controls implemented under ISO/IEC 27001 to support APPI-related security and data protection requirements.

Need formal documentation? Customers and qualified prospects under NDA can request the ISO/IEC 27001:2022 certificate, Statement of Applicability (SoA), and the latest internal audit summary at [email protected]

What our certification covers

The certified scope covers our entire core product line — together with all the systems, assets, and operational processes that support them.

Rideum

Hospitality Software Suite

AI-powered platform for hotels, restaurants, and hospitality groups — covering reservations, guest data, operations, and revenue workflows across the Bleustay, Bleudine, and Bleudash product lines.

  • Bleustay — hotel management & channel mgmt
  • Bleudine — restaurant ops & inventory
  • Bleudash — workforce & task allocation
  • Multi-tenant SaaS with regional residency
  • Payments via PCI-compliant providers

FonderieX

AI Platform

  • AI platform for enterprise use — covering customer prompts, outputs, and LLM pipelines
  • FonderieX — conversational AI platform
  • AgentFonderieX — AI-powered chatbot
  • OpsFonderieX — AI-powered DevOps tool
  • On-premise and private-cloud deployment supported

Software Development & IT Consulting

  • Custom software delivery for enterprise and AI-adjacent use cases
  • All supporting systems, assets, and operational processes
  • Identity, access, and HR security processes
  • Physical offices across SG, MY, and ID
...including supporting systems, assets, and operational processes. The certified scope extends beyond the products themselves to encompass all corporate IT, identity and access infrastructure, source code repositories, build & deployment pipelines, monitoring, vendor management, HR security processes, and physical office controls — everything that materially affects the security of our products and services.

Security practices

Our controls map directly to ISO/IEC 27001:2022 Annex A and are implemented across organisational, people, physical, and technological domains.

Organisational controls

Documented policies, defined roles and responsibilities, risk management, and an incident response program reviewed by leadership.

People controls

Background screening, signed confidentiality agreements, security awareness training at onboarding, privacy training, role-based access on separation.

Physical controls

Secure offices with access control and clean desk policy, social media handling, and facility asset controls for production workloads.

Identity & access

SSO with MFA and privileged access provisioning. Quarterly access reviews, just-in-time access, and full audit trail of all admin actions.

Encryption & data protection

TLS in transit, AES-256 at rest, customer-managed key options for Enterprise tier, encrypted data and cloud backup strategy.

Secure development

Secure SDLC with static analysis, OWASP testing of all applications, dependency and container scanning, and git-based fully auditable coding.

Monitoring & detection

Centralised logging, SIEM-based alerting, vulnerability scanning, intrusion detection. Container health monitoring for major audit events.

Incident response

Defined SLAs, on-call rotation, runbooks, customer notifications within 24h of critical incidents, and post-incident reviews.

Business continuity

Business continuity plans with defined RPO & RTO. Daily backups, geo-replication for critical data, and tested recovery procedures across critical systems.

Privacy & data handling

Develab processes customer data only for the purposes defined in our agreements. We do not sell customer data, and we do not use customer data or content to train AI models.

  • Data ownership: Customers retain full ownership of their data, source code, and any artifacts derived from our services and platforms.
  • Use of customer data: Used only to deliver, secure, and support the contracted service. No secondary use without explicit customer consent.
  • AI model training: Customer source code, prompts, and outputs in FonderieX are not used to train shared or foundation models.
  • Data residency: Singapore, Japan, and EU regions available; on-premise and private-cloud deployment supported for FonderieX.
  • Subprocessors: Maintained list available under NDA. Customers receive advance notice of material changes.
  • Data subject rights: Processes in place for access, correction, deletion, and portability requests under GDPR, APPI, and PDPA.
  • Retention & deletion: Defined retention periods per service tier; secure deletion within contractually agreed timelines after termination.
  • International transfers: Standard Contractual Clauses (SCCs) and equivalent safeguards used where required.

Operational transparency

We publish meaningful operational signals so customers can verify, not just trust.

Status & uptime

We maintain a public-facing Rideum-and-FonderieX compliance dashboard for real-time system status, with defined uptime SLAs and incident history.

Change management

Formal change control for all software releases. Changes are peer reviewed, tested through staging, and documented in the audit log. All changes require security review before deployment.

Vulnerability management

Vendor security bulletins, dependency scanning, automated detection frameworks. Critical issues resolved within defined SLAs. All findings documented in the vulnerability management dashboard.

Audit & assurance

External ISO/IEC 27001:2022 audits conducted annually across all scope entities. Full management review, internal audits, and risk management reviews at least annually.

Customer audits

We support formal customer security questionnaires, assurance packages, and documentation review for enterprise clients — all handled under our framework.

Shared responsibility

Develab manages security of the underlying infrastructure and operations. Customers are responsible for their own application configuration, user and role access, and configuration choices.

Frequently asked questions

Quick answers to the questions security and procurement teams ask most often.

The certification covers Rideum (Hospitality software), FonderieX (AI Platform), and our Software Development & IT Consulting services — including all supporting systems, assets, and operational processes that materially affect the security of these products and services.
A single certified ISMS covers your entire engagement with Develab — whether you use Rideum, FonderieX, or our consulting services. You get consistent security controls, shared audit evidence, and a single point of contact for security assurance rather than managing separate vendor relationships.
No. Customer source code, prompts, and outputs processed through FonderieX are never used to train or fine-tune shared AI foundation models. Your data remains yours and is used solely to deliver the contracted service.
By default, customer data is hosted in Singapore and APAC cloud regions. Enterprise customers can request specific data residency arrangements to meet regulatory or contractual requirements. Contact us to discuss your requirements.
We maintain a documented incident response plan with defined SLAs, on-call rotation, and runbooks for common incident types. Affected customers are notified within 24 hours of a confirmed critical incident. All incidents go through a post-incident review process.
Please email [email protected] with details of the vulnerability. We follow responsible disclosure practices and will acknowledge your report within 48 hours. We ask that you give us reasonable time to investigate and remediate before public disclosure.

Talk to our trust team

For security questionnaires, due diligence, certificates, or audit support — reach out and we'll respond within two business days.