
Annex B - Technical and Organizational Measures (TOMs)

(Art. 32 GDPR – Security of Processing)

1. Governance and Policies

  • Internal data-protection policy, employee confidentiality agreements.
  • Security training and access-control awareness for staff.
  • Designated privacy contact: [email protected].

2. Access Control

  • Role-Based Access Control (RBAC) with roles (owner, admin, member, viewer).
  • Authentication via bcrypt-hashed passwords + JWT tokens (HS256, signing secret ≥ 32 chars).
  • API keys with scoped permissions.
  • Principle of least privilege; access reviews quarterly.

3. Physical and Hosting Security

  • Hosting in ISO 27001/27017/27018-certified data centers (e.g., DigitalOcean EU).
  • 24/7 facility monitoring, controlled entry, redundant power and networking.
  • Backups encrypted and stored separately.

4. Encryption and Data Transmission

  • In transit: TLS 1.2+ for all web, API, and DB connections.
  • At rest: Provider-level database encryption; optional volume encryption for self-managed DBs.
  • Secrets stored in environment variables; rotation recommended every 6 months.

5. Application Security

  • Secure SDLC; code review and dependency scanning (npm audit, Dependabot).
  • CSRF and XSS protection via framework defaults (Nuxt 3).
  • Rate limiting (100 req/min default).
  • Input validation and output escaping for chat/user data.

6. Network Security

  • Firewalls and VPC segmentation between web, app, and DB layers.
  • SSH access restricted to authorized personnel via key-based auth.
  • No inbound DB access from public internet.
  • Optional IP allowlists for admin areas.

7. Logging and Monitoring

  • Audit logs of admin actions (login, config change, DSAR, API key use).
  • LLM usage logs (token counts, model IDs) → retained 90 days.
  • Security alerts for failed logins and abnormal export activity.
  • Logs stored separately, immutable, and time-stamped.

8. Data Retention and Deletion

  • Automated jobs enforce configured retention (default 90 days inactivity).
  • Cascade deletion across related entities; embeddings removed with source data.
  • Anonymization pipeline for historic records.
  • Backup retention 30–90 days, overwritten on rotation.

9. Incident Response and Breach Notification

  • Incident-response playbook aligned with Art. 33 GDPR.
  • Detection triggers: failed-auth spikes, export anomalies, error rates.
  • 72-hour notification SLA to Controllers upon confirmed breach.
  • Breach register maintained for 5 years.

10. Vendor and Subprocessor Management

  • Due-diligence review before onboarding any subprocessor.
  • Written DPA and SCC/DPF verification for non-EEA vendors.
  • Annual reassessment and update of Subprocessors List.

11. Testing and Audits

  • Regular vulnerability scanning and dependency updates.
  • Optional annual pen test by independent provider.
  • Internal review of TOMs and policies at least once per year.

12. Business Continuity and Disaster Recovery

  • Daily encrypted backups with restore tests.
  • Recovery Time Objective ≤ 24 h; Recovery Point Objective ≤ 1 day.
  • Redundant hosting regions available (EU preferred).

13. Privacy by Design / Default

  • Multi-tenant isolation by organization_id enforced in all queries.
  • Minimal telemetry (no 3rd-party analytics by default).
  • Opt-in anonymization features.
  • Configurable data-retention settings exposed in admin UI.

14. Employee and Contractor Management

  • Access granted only on documented business need.
  • Off-boarding procedure removes access within 24 h.
  • Background checks per Portuguese employment law.