Version 1.0
October 10th, 2025
The Processor implements the following technical and organisational measures, taking into account the state of the art, implementation costs and the processing risks, to ensure an appropriate level of security pursuant to Art. 32 GDPR.
1. Encryption (Art. 32(1)(a) GDPR)
- Personal data is encrypted in transit (TLS 1.2 or higher) and at rest where applicable (AES-256 or equivalent).
- Encrypted backups with restricted access.
2. Confidentiality, Integrity, Availability and Resilience (Art. 32(1)(b) GDPR)
- Access to the IT and cloud infrastructure is restricted through individual user accounts, role-based access control (principle of least privilege), monitoring for unauthorized access attempts, enforced password policies, and multi-factor authentication for privileged administrative accounts. These measures apply to the management of the infrastructure itself; end users are responsible for implementing and managing their own authentication methods (e.g., passwords, two-factor authentication) for access to their accounts.
- Separation and environment control: Separate production, test and development environments.
- Logging & integrity: Audit logging of administrative and security-relevant actions; change management for releases; centralized logging of system activities.
- Physical & infrastructure security: Use of certified data centres (ISO 27001 / equivalent), physical access controls, fire protection and environmental monitoring.
3. Availability & Restorability (Art. 32(1)(c) GDPR)
- Backups: Regular automated backups of customer data and critical systems; retention and secure storage policies.
- Availability: Defined SLAs; continuous external availability monitoring and alerting; automated recovery where applicable.
- Resilience: Redundant infrastructure, firewalls, intrusion detection/prevention systems.
4. Regular Review, Evaluation and Continuous Improvement (Art. 32(1)(d) GDPR)
- Continuous monitoring and vulnerability scanning; regular patch management.
- Regular internal audits and review of access permissions.
- Periodic staff training on data protection and security.
- External audits or certifications are used as evidence of compliance where available.
5. Organisational Measures & Sub-processor Governance
- Confidentiality obligations for staff and contractors; contractual obligations for sub-processors mirroring contractual TOM obligations.
- Written procedures for onboarding new sub-processors, including pre-selection review of their TOMs and contractual DPA.
- Due diligence and risk assessment before onboarding vendors.
- Established incident response team.