fix(trust-portal): sync iso 27001 certification mapping with vendor-risk task #3315

Merged

tofikwest merged 1 commit into main from tofik/cs-688-bug-trust-centre-subprocessor-badge on Jul 1, 2026

Conversation

@tofikwest

@tofikwest tofikwest commented Jul 1, 2026

Contributor

Problem

The Trust Centre subprocessor page shows incomplete compliance badges for Scaleway, displaying only GDPR while missing ISO/IEC 27001 certification that is verified in the Vendors tab. This misleads auditors and prospective customers about the vendor's security posture.

Root cause

The certification-to-badge mapping in trust-portal.service.ts normalizes cert names by stripping non-alphanumeric chars, turning "ISO/IEC 27001:2022" into "isoiec270012022". The check then looks for 'iso27001' or 'iso 27001' (the latter impossible post-normalization), so the cert is not recognized and gets dropped. The parallel code path in vendor-risk-assessment-task.ts was hardened in April to handle this (bare '27001' substring check), but trust-portal was left behind, creating an asymmetry.

Fix

Update the mapCertificationToBadgeType logic in trust-portal.service.ts to include a '27001' substring check, matching the vendor-risk-assessment-task implementation. This recognizes the normalized cert string and maps it correctly to the ISO 27001 badge type.

Explicitly NOT touched

Data in the Vendors tab (Capawesome) remains unchanged. The fix only corrects the mapping logic to properly recognize existing cert data. HDS badge handling is out of scope for this PR.

Verification

✅ Scaleway vendor card now displays ISO 27001 badge alongside GDPR on Trust Centre Subprocessors page
✅ Badge set matches verified certifications from Vendors tab
✅ No regression on other vendor mappings

Fixes CS-688


Summary by cubic

Fixes the Trust Centre badge mismatch by recognizing ISO/IEC 27001:2022 and similar formats so Scaleway now shows the ISO 27001 badge alongside GDPR. Addresses Linear CS-688.

  • Bug Fixes
    • Updated mapCertificationToBadgeType to detect numeric standards (27001, 42001, 9001) so variations like "ISO/IEC 27001:2022" map correctly.
    • Added a unit test for the Scaleway scenario to prevent regressions.
    • Synced mapping logic with the vendor risk assessment task for consistency.

Written for commit 9f944a0. Summary will update on new commits.

Review in cubic
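The mapping bug and the '27001' substring fix this PR describes, together with the bounded, ISO-prefixed matching that the follow-up commits listed in the 3.94.2 release notes describe, as an added example in TypeScript. This is not the project's trust-portal.service.ts or vendor-risk-assessment-task.ts code; the function names, the BadgeType union, the regex and the sample certificate strings are assumptions for illustration.

```typescript
// Added example (not the project's code): three generations of a
// certification-name -> badge mapper, modelled on the behaviour the PR
// describes. Function and badge names are assumed for illustration.

type BadgeType = 'iso27001' | 'iso42001' | 'iso9001' | 'gdpr';

// The normalisation the PR describes: lower-case and strip every
// non-alphanumeric character, so "ISO/IEC 27001:2022" -> "isoiec270012022".
function normalize(cert: string): string {
  return cert.toLowerCase().replace(/[^a-z0-9]/g, '');
}

// Before the fix: only the bare "ISO 27001" spelling survives normalisation;
// the 'iso 27001' branch can never match because spaces have been stripped.
export function mapBefore(cert: string): BadgeType | null {
  const n = normalize(cert);
  if (n.includes('iso27001') || n.includes('iso 27001')) return 'iso27001';
  if (n.includes('gdpr')) return 'gdpr';
  return null;
}

// This PR's fix: a bare numeric substring check. It recognises the
// "ISO/IEC 27001:2022" form, but any string containing the digits now
// earns the badge, including a longer number such as "ISO 29001".
export function mapInterim(cert: string): BadgeType | null {
  const n = normalize(cert);
  if (n.includes('27001')) return 'iso27001';
  if (n.includes('42001')) return 'iso42001';
  if (n.includes('9001')) return 'iso9001';
  if (n.includes('gdpr')) return 'gdpr';
  return null;
}

// Hardened form in the spirit of the follow-up commits: require an ISO
// (or ISO/IEC) prefix and bound the standard number on both sides, so that
// 9001 cannot match inside 29001 and a stray "27001" elsewhere in a
// certificate name does not count. The optional ":YYYY" edition suffix is
// consumed so the trailing \b lands after the whole token.
const ISO_BADGES: Readonly<Record<string, BadgeType>> = {
  '27001': 'iso27001',
  '42001': 'iso42001',
  '9001': 'iso9001',
};
const ISO_RE = /\bISO(?:\s*\/\s*IEC)?\s*[-:]?\s*(\d{4,5})(?::\d{4})?\b/i;

export function mapHardened(cert: string): BadgeType | null {
  const m = ISO_RE.exec(cert);
  if (m) {
    // Unknown ISO number: no badge rather than a near-miss.
    return ISO_BADGES[m[1] ?? ''] ?? null;
  }
  if (/\bGDPR\b/i.test(cert)) return 'gdpr';
  return null;
}

// Map a vendor's verified certifications to a de-duplicated badge list,
// preserving the order in which the certifications were recorded.
export function badgesFor(
  certs: readonly string[],
  mapper: (cert: string) => BadgeType | null = mapHardened,
): BadgeType[] {
  const out: BadgeType[] = [];
  for (const c of certs) {
    const b = mapper(c);
    if (b && !out.includes(b)) out.push(b);
  }
  return out;
}

// Constructed vendor data mirroring the Scaleway record the ticket describes
// (ISO/IEC 27001:2022, HDS, GDPR); HDS gets no badge here, as in the PR.
export const SCALEWAY_CERTS: readonly string[] = ['ISO/IEC 27001:2022', 'HDS', 'GDPR'];

// Constructed names that the interim substring check mis-classifies.
export const FALSE_POSITIVES: readonly string[] = [
  'ISO 29001',                              // interim: iso9001 (9001 inside 29001)
  'SOC 2 Type II (27001 controls mapped)',  // interim: iso27001 (no ISO cert at all)
];
```

A Trust Centre badge is an assertion to auditors and prospective customers, so the matcher's false positives matter as much as its false negatives: the substring version fixes the missing Scaleway badge but would let any free-text certificate name containing the digits claim an ISO certification. Pairing a prefix-anchored, boundary-delimited regex with an allow-list of known standard numbers keeps the recognised forms ("ISO 27001", "ISO/IEC 27001:2022", "ISO-27001") while refusing near-misses.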

@linear

linear Bot commented Jul 1, 2026


CS-688

@vercel

vercel Bot commented Jul 1, 2026


The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| comp-framework-editor | Ready | Preview, Comment | Jul 1, 2026 11:39am |

2 skipped deployments:

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| app | Skipped | | Jul 1, 2026 11:39am |
| portal | Skipped | | Jul 1, 2026 11:39am |

@cubic-dev-ai cubic-dev-ai Bot left a comment

Contributor


cubic analysis

No issues found across 2 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Linked issue analysis

Linked issue: CS-688: [Bug] Trust Centre subprocessor badge mismatch - Scaleway missing ISO 27001 badge

| Acceptance criteria | Notes |
| --- | --- |
| Trust Centre shows ISO 27001 badge for Scaleway (in addition to GDPR) | PR updates badge mapping to recognize '27001' and includes a unit test that asserts the Scaleway vendor's complianceBadges contain 'iso27001' and 'gdpr'. |
| Mapping logic updated to detect numeric ISO standard variants (e.g., 'ISO/IEC 27001:2022') | The mapping now matches numeric substrings (27001, 42001, 9001) rather than relying on fragile literal 'iso27001' matches, addressing the normalization issue described in the ticket. |
| Added test coverage to prevent regression for the reported Scaleway scenario | A new unit test reproduces the reported data (ISO/IEC 27001:2022, HDS, GDPR) and verifies the Trust Centre sync yields both iso27001 and gdpr badges. |


@tofikwest tofikwest merged commit 3dd9163 into main Jul 1, 2026
11 checks passed
@tofikwest tofikwest deleted the tofik/cs-688-bug-trust-centre-subprocessor-badge branch July 1, 2026 14:05
tofikwest added a commit that referenced this pull request Jul 1, 2026
…n-cubic-3315

fix(trust-portal): precise, bounded ISO cert badge matching (cubic review, #3315)
claudfuen pushed a commit that referenced this pull request Jul 1, 2026
## [3.94.2](v3.94.1...v3.94.2) (2026-07-01)

### Bug Fixes

* **auth:** honor explicit ?inviteCode= before the offboard guard on the root page ([ab7ba22](ab7ba22))
* **auth:** let invite flows take precedence over the offboard guard at /setup ([afb759e](afb759e))
* **auth:** stop offboarded users from looping into a spurious new org ([2aa20e6](2aa20e6))
* **trust-portal:** bound ISO cert regex so a number can't match a longer one ([514e0e5](514e0e5)), closes [#3318](#3318)
* **trust-portal:** sync iso 27001 certification mapping with vendor-risk task ([9f944a0](9f944a0))
* **trust-portal:** tighten ISO cert badge matching to require the ISO prefix ([3b426f7](3b426f7)), closes [#3315](#3315) [#3315](#3315)
@claudfuen

Contributor

🎉 This PR is included in version 3.94.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

2 participants