
We haven't changed our processes, we've certified them with ISO and SBTi

SparkFabrik Team, 10 min read
TL;DR
SparkFabrik transforms corporate commitment into verifiable assets through ISO 27001, 27017, and 27018 certifications for cloud security and SBTi scientific validation (ID 40017722) for sustainability. The adoption of international standards such as WCAG 2.2 and seventeen years of public open-source contributions guarantee radical transparency. This methodological approach allows partners to replace simple trust with inspectable evidence, ensuring regulatory compliance and technical solidity in digital processes.

A provider claiming to be “secure” and one displaying an accredited certificate with a verifiable public number seem to be saying the same thing. They are not. The first asks you to trust them; the second allows you to verify. During due diligence, this is the only distinction that truly protects the decision-maker.

That’s why it’s useful to clarify one point immediately: regarding certifications and regulatory compliance, the four pillars we’re discussing—security, sustainability, open source, and accessibility—are not initiatives that started yesterday. They are processes we have been carrying out for years and which now have external proof instead of an internal statement. SparkFabrik’s ISO certifications and scientific validations make this commitment inspectable. All evidence is gathered on the page bringing these four commitments together, designed specifically so that anyone can check instead of taking our word for it.

These are four different lenses focused on the same idea. The first, where verification is most codified, is security.

Why SparkFabrik’s ISO certifications are fundamental for security

SparkFabrik’s ISO certifications (27001:2022, 27017:2015, 27018:2025) guarantee that information security and cloud data are managed through documented processes verified by third parties. Valid from 2026 to 2029 (certificate ITA-10325, issued by Scandinavian Certification, accredited by Norwegian Accreditation), they ensure risk management, operational continuity, and structured support for GDPR compliance.

The ecosystem of the 3 ISO Certifications

An ISO certification doesn’t certify a product, but a management system. It’s a distinction that changes everything, and one that many corporate communications often blur.

When an accredited body issues an ISO/IEC 27001:2022, it isn’t saying that a single piece of software is secure at a given moment. It is attesting that there is a documented and repeatable process for managing information security: how risks are identified, how incidents are handled, and how continuity is guaranteed. Security, in other words, is not an occasional behavior but a verified method.

SparkFabrik has achieved three complementary certifications, which together cover the levels on which a client exposes their data when entrusting a project to an external partner:

  • ISO/IEC 27001:2022, for information security;

  • ISO/IEC 27017:2015, for cloud-specific security;

  • ISO/IEC 27018:2025, for personal data protection in the cloud.

For those evaluating a provider, this translates into three concrete guarantees: documented risk management, service continuity even in the event of an incident, and structured support for GDPR compliance—the European regulation that imposes specific obligations on personal data processing. A certified management system doesn’t make compliance automatic, but it provides the framework on which to build it.

A crucial, often overlooked detail concerns accreditation. Our certifications were issued by an accredited body, with a certificate identified by a unique code and a precise validity period. Those references are not decoration.

A statement on a website cannot be checked. A certificate number issued by an accredited body can.

Anyone—a security officer during evaluation or a procurement manager—can trace back to the accrediting body and verify that the certification is real and active. This is the substance: not having written “we are secure,” but having made that statement verifiable by an independent third party. The technical and methodological meaning of relying on a partner with ISO-certified management systems lies entirely in this possibility of inspection.

Security is verified through periodic audits. But there is a field where verification is even more stringent because the numbers don’t end up in a confidential report: they end up on a public registry, validated using a scientific method.

How to recognize a real corporate sustainability commitment

A real commitment is recognized by independent scientific validation and presence on public registries. SparkFabrik’s emission reduction targets are validated by the Science Based Targets initiative (SBTi ID 40017722), classified as 1.5°C-aligned, with a 2024 base year and a 2030 target. This makes the commitment measurable and verifiable.

The SBTi transparency pyramid

In sustainability, greenwashing is the rule, not the exception. “Carbon neutral,” “green,” “zero impact” are statements that cost nothing to say and that almost no one can disprove because a point of comparison is missing.

The difference between a real commitment and a declared one boils down to a single element: validation by an independent scientific body and presence on a searchable public registry. To credibly evaluate the sustainability of a software company, there is no shortcut around this.

SparkFabrik’s emission reduction targets are validated by the Science Based Targets initiative through the simplified pathway dedicated to SMEs, and are classified as 1.5°C-aligned—consistent with the Paris Agreement’s goal of limiting global warming to 1.5°C. The base year is 2024, the target year is 2030, and the public identifier is SBTi ID 40017722.

The targets, in official wording, are these: Scope 1 emissions at zero until 2030; Scope 2 absolute reduction of 42% by 2030 from the 2024 base year; Scope 3 measure and reduce.

There is one figure that, more than any statement, tells the story of what serious measurement means. 97% of our total emissions fall under Scope 3, the hardest category to control because it includes indirect activities. The main items are:

  • commuting and remote work (38%);

  • business travel (22%);

  • IT purchases (20%);

  • capital goods (19%).

Declaring that 97% is uncomfortable. It means publicly admitting that the largest part of your impact escapes direct control. It is the exact opposite of greenwashing, which tends to showcase easy numbers and hide difficult ones.

Submitting to a scientific methodology with a base year, target year, and a public ID means accepting being measured. And being able to fail publicly.

This is what gives value to the number. Anyone can check ID 40017722 on the official registry of companies that have taken a validated climate commitment and compare targets with progress. The same applies to the full overview of the journey, documented on the page dedicated to our reduction strategy. A number that can be disproven by a third party is more reliable than a slogan that no one can contest.

At this point, a skeptical reader has every right to object. Aren’t certifications and validations ultimately just “badges” to show off in tenders? It’s a serious objection, and it deserves a serious answer.

Are certifications just marketing badges?

No, if supported by continuous verification and inspectable contributions. A failed ISO audit results in the revocation of the certificate, proving that processes must be maintained. Furthermore, seventeen years of public open source contributions (since 2008) offer a radical and non-falsifiable transparency that no marketing badge can replicate.

Verification model: Top-Down vs Bottom-Up

Let’s take it in its strongest version, without softening it. Many companies collect certifications like marketing trophies. They get them once, put the logo on their homepage, and meanwhile, the actual processes remain identical to before. The certificate becomes decoration, not a guarantee. The annual audit turns into a formal exercise to be passed with minimum effort.

This criticism is legitimate. A certification obtained and then ignored is indeed just a badge, and pretending otherwise would be dishonest. Maintaining certification requires rigorous periodic audits: if serious non-conformities emerge during these checks and processes are not followed, the accredited body revokes the certificate. It is not a goal achieved forever, but a continuous examination.

However, a further proof of seriousness is needed—one that cannot be obtained as a one-off, cannot be bought, and cannot be faked over time. That proof exists, and it is verifiable public contribution. Open source code is the most transparent form of reliability, because every commit is dated, public, and traceable by anyone, forever. There is no way to simulate it retroactively.

SparkFabrik has been making public open source contributions since 2008, following a precise principle: build it, don’t just use it. It’s a substantial difference compared to those who adopt free software only to save on licenses. This choice is reflected in concrete technical credentials: we are a Drupal Certified Partner Gold, Kubernetes Certified Service Provider, and members of CNCF, Linux Foundation Europe, and OpenSSF—the foundations that govern cloud-native standards and open source software security. The modules we publish are inspectable by anyone on the official SparkFabrik profile on drupal.org.

There’s more, and it directly touches on the security we mentioned at the beginning. Participation in OpenSSF and the risk mapping of software dependencies—at the heart of the software supply chain security best practices we have documented—respond to the same logic of verifiable transparency required by regulations like the Cyber Resilience Act, which from 2027 will impose stringent and documented security requirements for all software placed on the European market.

And here is the heart of the thesis. An ISO certification and seventeen years of public commits demonstrate the same thing from two opposite directions:

  • certification is a top-down verification, where a third party checks your processes;

  • open source is a bottom-up verification, where anyone can inspect your work, line by line.

Together, they make the “it’s just a badge” objection unsustainable. Because you don’t keep a badge public for seventeen years. The full verification of this approach is gathered on the page documenting our work in free software.

There remains one pillar that tests this philosophy exactly where companies cheat the most: accessibility, too often added at the end.

What does it mean to treat accessibility as a project requirement?

It means integrating accessibility from day one of design and development, respecting WCAG 2.2 AA and EN 301 549 standards. This methodological approach guarantees real compliance with the European Accessibility Act (in force from June 2025), avoiding makeshift and superficial solutions applied just before launch.

Accessibility Shift Left

Imagine a site made “accessible” the week before launch, with a script added on top of the site that promises to fix everything automatically. It’s the digital equivalent of a company collecting badges: a patch applied over work designed without any attention to those who navigate with a screen reader or without using a mouse.

Accessibility is the ultimate testing ground for the thesis, because it’s the pillar where the gap between “declared” and “done” is most visible to the naked eye. A poorly built page doesn’t become accessible by applying an external layer: only what automated scanning tools see changes, not the actual experience of people.

At SparkFabrik, we treat accessibility as an initial project requirement, not a final addition. Design complies with the WCAG 2.2 AA standard, the international reference for web content guidelines, and the European EN 301 549 standard, in line with the requirements of the European Accessibility Act.

It’s worth explaining what these acronyms mean for those who don’t handle them every day. The European Accessibility Act is the European directive that, starting from June 2025, obliges a wide range of digital products and services—from e-commerce to banking services—to be accessible to people with disabilities. EN 301 549 is the technical standard that translates that obligation into verifiable requirements, and in turn, relies on WCAG. These are not recommendations: they are criteria against which a service can be judged compliant or non-compliant.

Designing according to these standards from the beginning is the equivalent of public commits: a method, not a patch. It means that semantic structure, color contrasts, keyboard navigation, and focus management are design decisions made on day one, not corrections chased at the last minute. The regulatory context that makes this approach no longer postponable is reconstructed in the analysis of the European Accessibility Act deadlines.

Thus the circle closes. The four pillars are four ways of making the same choice: making work verifiable rather than simply declared. An ISO audit checks processes. An SBTi registry checks emissions. A public repository checks code. An accessibility standard checks the interface. In each case, someone external can verify what we claim.

The thread connecting audits, emissions, code, and interfaces

Third-party verifiability is not bureaucracy. It is how trust stops being a matter of a given word and becomes measurable.

The Verifiability Map

For those selecting a technology partner, the practical criterion is simple and can be applied to any provider. Ask for the certificate number. Ask for the ID on the public registry. Ask for the link to the repositories. If the answer is a marketing page instead of a verifiable reference, the difference between those who declare and those who prove has already emerged, even before signing a contract.

The bar for what a client can legitimately expect is rising. It’s good for the whole industry because it narrows the space where simply stating something is enough to be believed. This movement is part of a broader methodological vision, the same one that leads us to support our ISO 27001, 27017, and 27018 certifications with verifiable evidence rather than statements.

The meaning of our work on the four pillars is exactly this: transforming daily care into something a client can check without having to take our word for it. All evidence is gathered and available on the page bringing our commitments together.

Frequently Asked Questions

  • It certifies that there is an information security management system that is documented and audited by a third party, not just a single occasional behavior. For the client, it means structured risk management, service continuity, and support for GDPR compliance. SparkFabrik’s certifications (certificate ITA-10325) are valid from 2026 to 2029.

  • Targets validated by the Science Based Targets initiative can be consulted on the official public registry using the company ID. SparkFabrik has SBTi ID 40017722, targets classified as 1.5°C-aligned, base year 2024, and target year 2030. Public verifiability is what distinguishes a real commitment from declarative greenwashing.

  • Because they are public, dated, and traceable by anyone, forever. SparkFabrik has been contributing to open source since 2008 with verifiable public modules, following the approach of building it and not just using it. Unlike a marketing statement, a public commit cannot be falsified or deleted.

  • It means designing according to WCAG 2.2 AA and EN 301 549 standards from the very beginning, rather than applying corrections after the fact. It is a method, not a patch: it guarantees real compliance with the European Accessibility Act instead of a facade compliance built at the last moment.
