Technnical and Organizational Measures

First published: Dec 2nd 2025

The company maintains internal information-security policies covering data handling, access, incident response, and vendor management.
Security responsibilities are assigned to designated personnel, including oversight of infrastructure security and data protection compliance.

Production systems are accessible only to authorized personnel using unique user accounts.
Administrative access follows the principle of least privilege (access is limited to what is required for a job role).
Critical internal tools require Multi-Factor Authentication (MFA) (e.g., authenticator app or secure token).
Customer access to the platform can be protected with MFA, strong passwords, and role-based permissionswhere supported by the product plan.

All customer data is encrypted in transit using TLS (HTTPS).
Primary data stores and backups are encrypted at rest using industry-accepted encryption standards.
Passwords are stored using secure one-way hashing algorithms and are not logged or stored in plaintext.

Security-relevant events (e.g., admin access, authentication failures, data export, system errors) are logged.
Systems are monitored for abnormal access trends, login anomalies, and potential security threats.
Security logs are limited to necessary diagnostics and do not include private client content unless required for troubleshooting a support case.

Hosting is provided by professional cloud infrastructure vendors using certified and physically secure data centers.
Data center providers restrict physical access, maintain environmental security, redundancy, and 24/7 facility monitoring.
Application environments are logically segmented to prevent cross-customer data access.

Regular encrypted backups of production databases are performed.
Restore procedures exist and are tested at reasonable intervals to ensure service resilience.
Backups are not used for any purpose other than disaster recovery or legally required retention.

The platform is developed using version control, peer review of code changes, and separate staging/production environments.
Security patches and critical updates are applied on an ongoing basis.
Third-party code dependencies are sourced from widely recognized package repositories and monitored for critical security advisories.

A list of infrastructure providers and subprocessors is maintained and made available to customers upon request.
New subprocessors are onboarded only when bound by data-protection and confidentiality duties at least equivalent to the commitments in the DPA.
The company remains responsible for subprocessors processing personal data under its instructions.

A documented incident-response process is in place for identifying, triaging, mitigating, and investigating security incidents.
Confirmed Personal Data Breaches involving customer data are reported to affected customers without undue delay and within 24 hours of verification.
Breach notifications include: nature of breach, likely impact, mitigation steps taken or planned, and a point of contact.

The company does not respond to data subject requests directly unless instructed by the Controller.
The company provides reasonable technical support to controllers to fulfill verified data-subject rights requests (including export, deletion, restriction, or portability), where supported by the service plan.
Additional support for DPIAs or formal audits may be scoped separately and invoiced only if legally permissible and communicated in advance.

Customer data is deleted from active environments following account termination.
Backup copies may persist until overwritten through routine secure backup rotation, but are not actively processed during that period.
Where legally required retention applies, data is archived securely and processed solely to satisfy that obligation.

All staff members and contractors with system access are contractually bound by confidentiality and data-protection duties.
The company shall not attempt to re-identify individuals from anonymized datasets used for benchmarking or analytics.