
Technical and organizational measures (TOM)

How ensures compliance with data protection laws

Last update: 09-10-2021

Classification & Delimitation

collects personal data in order to implement the registration of users, the notification of users, the optimization of the user experience, the security of the overall platform and the auditability of the customer environment. In doing so, we pay close attention to data minimization. Moreover, we do not collect any personal data in the course of operating the platform!

When a customer uses , he imports data into , where it is stored. This data may also include personal data. has no influence on this, so the customer himself is responsible for the data protection of his imported and possibly personal data. However, offers functionalities in the import process to delete data or make it unrecognizable before it is processed and stored.


Office access control

Measures suitable for preventing unauthorized persons from gaining access to offices in which data processing systems that process or use personal data are located.

| Technical measures | Organizational measures |
|---|---|
| Manual locking system | Key regulation and key list |
| Security locks | Visitors only accompanied by employees |
| Doors with knob on the outside | Care in the selection of cleaning services |
| Video surveillance of entrances | |

System access control

Measures suitable for preventing data processing systems (computers) from being used by unauthorized persons.

| Technical measures | Organizational measures |
|---|---|
| Login with username and password or SSL certificate | Guideline for secure passwords |
| Anti-virus software on desktops | Clean desk guideline |
| Firewall for the office network | Guideline on privacy policies and security |
| Usage of a virtual private network (VPN) | Guideline on manual desktop lock |
| Automatic desktop lock | Minimal number of administrators |
| Password safe usage | |

Separation control

Measures to ensure that data collected for different purposes can be processed separately. This can be ensured, for example, by logical and physical separation of the data.

| Technical measures | Organizational measures |
|---|---|
| Separation of productive and test environment | Control via authorization concept |
| Physical separation (systems, databases, data carriers) | Separate database users |
| Multi-client capability of applications | |


Forwarding control

Measures to ensure that personal data is protected from unauthorized access during electronic transmission or during transport or storage on data media, that personal data cannot be read, copied, altered or removed without authorization, and that it is possible to verify and identify the entities to which personal data is intended to be transmitted by data transmission equipment.

| Technical measures | Organizational measures |
|---|---|
| Usage of virtual private networks (VPN) | No data transfer to third parties |
| Monitoring of backup activities and times | No production copies for test systems |

Input control

In progress!

Availability and resilience

Measures to ensure that the SaaS application is available without interruption and can be restored in the event of a total failure.

| Technical measures | Organizational measures |
|---|---|
| Execution of load tests | Operation guideline concept |
| Full-stack application performance monitoring | Bi-annual recovery tests |
| IT monitoring enrichment (configurations, database schema, SSL certificates, etc.) | Backup concept |
| Daily automated multi-client backup | Pure database backup is performed at a separate physical location. Strict organizational separation from server hard disk backup. |
| UPS for backup storage system and router | |
| RAID system for storage system (RAID level 5) | |

Procedures for periodic review, assessment and evaluation

Data protection measures

In progress!

Incident response management

Measures that ensure security issues are prevented or identified and communicated to users.

| Technical measures | Organizational measures |
|---|---|
| User option for notification of identified security issues | Security-oriented product release strategy |
| Use of firewalls | Time-limited token for resetting the user password |
| Use of API tokens | Security issue notification guideline |
| Storage of hashed user passwords | Defaults for setting strong user passwords |
| Technology version detection | Events for creating and deleting users and environments |
| Application performance monitoring | Product release strategy verification |

Data protection-friendly default settings based on privacy by design and privacy by default.

| Technical measures | Organizational measures |
|---|---|
| No more personal data is collected than is necessary for the respective purpose | |
| Data sovereignty and easy access for the data subjects through technical measures | |

Job control (outsourcing to third parties)

uses virtual machines, firewalls and network resources of the Hetzner datacenter for the SaaS instance. All resources used are located in the European Union.

A data processing agreement (DPA) pursuant to Art. 28 GDPR is available. The technical and organizational measures of Hetzner itself can be found here: