Skip to content

Technical and organizational measures (TOM)

How ensures compliance with data protection laws

Last update: 29-02-2024

Classification & delimitation collects personal data in order to be able to implement the registration of users, the notification of users and the optimization of the user experience, the security of the overall platform and the auditability of the customer environment. In doing so, we pay close attention to data minimization. Moreover, we do not collect any personal data in the course of operating the platform!

In the context of the use of by customers, he imports data into, which are stored here. This may also be personal data. has no influence on this, so that the customer himself is responsible for the data protection of his imported and possibly personal data. However, offers functionalities in the import process to delete or make data unrecognizable before processing and storage.


Office access control

Measures suitable for preventing unauthorized persons from gaining access to office in which data processing systems with which personal data are processed or used.

Technical measures Organizational measures
Manual locking system Key regulation and list
Security locks Visitors only accompanied by employees
Doors with knob outside Care in selection cleaning services
Video surveillance of entrances

System access control

Measures suitable for preventing data processing systems (computers) from being used by unauthorized persons.

Technical measures Organizational measures
Login with username and password or SSL certificate Guideline for secure passwords
Anti virus software desktop Guideline clean desk
Firewall office network Guideline privacy policies and security
Usage of virtual privat network (VPN) Guideline manuel desktop lock
Automatic desktop lock Minimal number of administrators
Password safe usage

Disconnection control

Measures to ensure that data collected for different purposes can be processed separately. can be processed separately. This can be ensured, for example, by logical and physical separation of the data.

Technical measures Organizational measures
Separation of productive and test environment Control via authorization concept
Physical separation (systems, databases, data carriers) Database separated users
Multi-client capability of applications


Forwarding control

Measures to ensure that personal data is protected from unauthorized access during electronic transmission or during transport or storage on data media, and that personal data cannot be read, copied, altered, or removed without authorization, and that and that it is possible to verify and identify the entities to which personal data is personal data is intended to be transmitted by data transmission equipment.

Technical measures Organizational measures
Virtual privat networks usage (VPN, Wireguard) No data transfer to third parties
Monitoring of backup activities and times No production copies for test systems

Input control

Measures that ensure that it is possible to check and establish retrospectively whether and by whom personal data has been entered into, modified or removed from data processing systems. Input control is achieved through logging, which can take place at various levels (e.g., operating system, network, firewall, database, application).

Technical measures Organizational measures
Audit log for entry, modification and deletion of configurations Assignment of rights to enter, change and delete data on the basis of an authorization concept
Manual or automated control of the logs (unsuccessful logins, unvalid API token, request at unknown environments) Clear responsibilities for deletions
Information security policy
Work instruction for IT user regulations

Availability and resilience

Measures to ensure that the SaaS application is available without interruption and can be restored in the event of a total failure.

Technical measures Organizational measures
Execution load tests Operation guideline concept
Full-stack application performance monitoring Bi-annual recovery tests
IT monitoring enrichment (configurations, database schema, ssl certificates etc.) Backup concept
Daily automated multi-client backup Pure database backup is performed at a separate physical location. Strict organizational separation from server hard disk backup.
USV for backup storage system and router
RAID system for storage system (RAID level 5)

Procedures for periodic review, assessment and evaluation

Data protection measures

Technical measures Organizational measures
Central documentation of all data protection regulations with access for employees Staff trained and obliged to confidentiality/data
A review of the effectiveness of the TOMs is carried out at least annually and TOMs are updated Regular awareness trainings at least annually
Data protection checkpoints consistently implemented in tool-supported risk assessment
Data protection aspects established as part of
corporate risk managemen

Incident response management

Measures that ensure security issues are prevented or identified and communicated to users.

Technical measures Organizational measures
User option for notification of identified security issues Security oriented product release strategy
Use of firewalls Time-limited token for resetting the user password
Use of API token Security issue notification guideline
Storage of hashed user passwords Defaults for setting strong user passwords
Technology version detection events for creating and deleting users and environments
Product release strategy verification
Application performance monitoring

Data protection-friendly default settings based on privacy by design and privacy by default.

Technical measures Organizational measures
No more personal data is collected than is necessary for the respective purpose are
Data sovereignty and easy access for the data subjects through technical measures

Job control (outsourcing to third parties) use for the SaaS instance virtual machines, firewalls and network ressources of Hetzner Cloud datacenter. All resources used are located in the European Union.

A data processing agreement (DPA) for Art. 28 of the GDPR is available. The technical and organizational measures of Hetzner itself you find here: