C5 Attestation: Insiders Delivers Measurable Compliance Relief for Cloud Customers
The C5 attestation confirms the continuously audited operation of Insiders’ cloud services. Customers save on audit effort, accelerate approval processes, and sustainably reduce their compliance costs.
Insiders now holds the C5 Type 2 attestation for its cloud services, which use innovative AI technologies for automated document processing (IDP). This confirms that defined security measures have been effectively implemented over an extended period of time. For customers, this significantly reduces the effort required for their own audits and internal review processes.
C5 Attestation as a Recognised Audit Standard for Cloud Services
The C5 attestation is based on the Cloud Computing Compliance Controls Catalogue — C5 for short — developed by the German Federal Office for Information Security (BSI). It defines binding minimum requirements for secure cloud computing and serves as a recognised benchmark for companies and public sector clients when assessing the security of cloud services.
In the audit, independent auditors evaluate more than 120 criteria. These include robust access controls, role-based permission concepts, encrypted data transmission and storage, GDPR-compliant processing of personal data, documented emergency and recovery plans, redundant system architectures to ensure availability, and structured processes for incident management and security reporting. Transparency obligations towards customers and clear rules on data localisation are also part of the audit. For users, this means a security level in line with the highest German standards.
The Type 2 audit is considered particularly rigorous because it does not merely describe the design of security measures — it verifies their continuous operation. This makes it a credible form of evidence for regulatory authorities, data protection bodies, and internal audits.
Since 1 July 2025, a C5 Type 2 attestation has been mandatory when cloud services in Germany process social or health data. In regulated sectors such as financial services, public administration, or critical infrastructure operators, the attestation is increasingly required as a prerequisite.
Less Audit Effort, Lower Costs, Faster Approvals
For Insiders customers, the C5 attestation has an immediate economic impact. In regulated environments, companies are obliged to regularly audit and document the security of their service providers. Without standardised proof, this generates substantial internal workload for risk analyses, supplier assessments, audit interviews, and documentation requirements.
The C5 Type 2 attestation for Insiders’ AI cloud services significantly reduces this burden. Customers can rely on a recognised, audited security credential instead of conducting their own time- and cost-intensive individual audits.
“Regulatory requirements generate considerable indirect costs in many organisations,” says Dr. Alexander Swienty, Head of Channel Management at Insiders. “With the C5 Type 2 attestation, we take on a large share of that audit effort. Our customers benefit from clear proof of compliance, shorter coordination cycles with regulatory authorities, and a significantly reduced burden on internal resources.”
A Complement to ISO 27001 Certification
Insiders already holds ISO 27001 certification for its information security management system. While this confirms the structured management of information security, the C5 attestation additionally verifies the secure operation of the specific cloud services. Together, they provide customers with a robust security and compliance foundation.
Integrated Compliance Proof Without Additional Effort
Insiders integrates the C5 attestation into its business model through a transparent assurance fee. This means customers do not need to initiate a separate audit project — they receive a ready-made, audited security credential that can be used directly to meet their own compliance requirements.
The attestation is renewed annually, ensuring continuously verifiable security standards. For customers, this means regulatory stability, predictable costs, and significantly less administrative overhead in day-to-day operations.
FAQs
What does the C5 Type 2 attestation mean for Insiders’ cloud services?
The C5 attestation (Cloud Computing Compliance Controls Catalogue) is a standard developed by the German Federal Office for Information Security (BSI) that defines minimum requirements for secure cloud computing. The Type 2 attestation confirms not only that security measures have been planned, but that they have been continuously and effectively implemented in operation over an extended period of time. At Insiders Technologies, this covers the AI cloud services for automated document processing (IDP).
What specific security criteria were audited?
As part of the audit conducted by independent auditors, more than 120 criteria were evaluated. These include, among others:
- Robust access controls and role-based permission concepts.
- Encrypted data transmission and storage, as well as GDPR-compliant processing.
- Redundant system architectures for high availability and documented emergency response plans.
- Structured processes for incident management and transparency regarding data localisation.
Why is the attestation so important for regulated industries?
For companies in regulated sectors such as financial services, public administration, or critical infrastructure (KRITIS) operators, such proof of compliance is often a prerequisite for collaboration. Of particular note: since 1 July 2025, a C5 Type 2 attestation has been mandatory in Germany when cloud services process social or health data.
How long is a C5 attestation valid?
A C5 attestation certifies conformity for a defined audit period in the past. In practice, it is often only accepted for a limited timeframe by regulatory authorities and auditors, which is why cloud providers typically conduct annual re-audits. Continuous attestation ensures that security measures are not only effective on a one-time basis, but remain so on an ongoing basis.
What is the difference from the existing ISO 27001 certification?
Insiders is already ISO 27001 certified, which confirms a structured information security management system. The C5 Type 2 attestation goes beyond this by additionally verifying the specific secure operation of the concrete cloud services. Together, both credentials form a robust compliance foundation for customers.
How do customers gain access to this security credential?
Insiders integrates the attestation directly into its business model through a transparent assurance fee. This gives customers a documented proof of compliance without the need for a separate audit project — one that is renewed annually and provides lasting regulatory stability.
