instaview.

Technical and Organizational Measures

Last Updated: 18.10.2025

Technical and Organizational Measures adopted by the Processor

I. LIST OF TECHNICAL AND ORGANIZATIONAL MEASURES (TOMS)

1. Information Security Governance and Organization:

  • Implementation of internal policies and procedures for information security and personal data protection, subject to regular review.
  • Assignment of responsibility for overseeing data protection compliance.
  • Mandatory confidentiality agreements and regular data protection and security training for all personnel with access to Personal Data.
  • Regular risk assessments concerning the processing of Personal Data and implementation of mitigation measures.
  • Due diligence processes for the selection and engagement of Sub-processors, including contractual data protection obligations.

2. Physical Access Control:

  • Reliance on physical security measures implemented by cloud service providers (as specified in Annex No. 4) for their data centers (e.g., multi-layered access control, surveillance, environmental controls).
  • Security measures for Processor's own office premises to prevent unauthorized physical access to systems or data (e.g., controlled entry, alarms).

3. System Access Control (Logical Access):

  • Use of unique user identifiers and strong password policies for access to systems processing Personal Data.
  • Implementation of multi-factor authentication (MFA) for administrative access and access to critical systems.
  • Application of the principle of least privilege through role-based access control (RBAC).
  • Logging of system access, administrative actions, and access attempts for monitoring and auditing.
  • Formalized procedures for user account management (creation, modification, revocation).

4. Data Access Control:

  • Measures to ensure that authorized personnel can only access Personal Data to the extent necessary for their tasks.
  • Encryption of Personal Data at rest (e.g., for databases and cloud storage).
  • Use of pseudonymization techniques for Personal Data used in analytics or AI model training where feasible.

5. Data Transfer Control (Disclosure Control):

  • Encryption of Personal Data in transit using strong, current encryption protocols (e.g., TLS/HTTPS) for all external communications and data transfers.
  • Security of internal network communications within the cloud infrastructure.
  • Strict controls over the use of portable storage media.

6. Data Entry Control:

  • Implementation of audit trails or logging mechanisms to track, where relevant and feasible, when and by whom Personal Data has been entered, modified, or deleted within the systems.

7. Availability Control and Resilience:

  • Utilization of redundant and resilient infrastructure provided by cloud hosting partners.
  • Regular automated backup procedures for Personal Data, with encrypted storage of backups and tested recovery capabilities.
  • Deployment of multi-layered security measures against malicious software (e.g., firewalls, IDS/IPS) within the cloud infrastructure.
  • Maintenance of Disaster Recovery and Business Continuity Plans.

8. Separation Control:

  • Logical separation of Personal Data processed for the Controller from other data sets.
  • Strict separation of production, testing, and development environments, with no use of production Personal Data in non-production environments without appropriate safeguards.

9. Application and Development Security (if applicable for custom-developed components):

  • Application of secure coding practices (e.g., OWASP guidelines) and security considerations throughout the software development lifecycle (security by design).
  • Regular updating and patching of software, operating systems, and system components.
  • Security testing of new releases or significant changes.

10. Monitoring, Testing, and Evaluation:

  • Regular monitoring of systems, network traffic, and security logs to detect suspicious activities and potential threats.
  • Periodic internal review and evaluation of the effectiveness of implemented TOMs, with updates as necessary to address evolving risks.

Note: The Processor continuously reviews and updates these measures to adapt to new threats and technological advancements and to maintain a high level of data security.