Technical and organizational measures (TOMs) pursuant to Art. 32 GDPR

Note

This document contains information available to business partners, customers, and other external parties with legal or other access rights. The text might have chosen the masculine form for readability reasons, but the information nevertheless refers to members of all genders.

Preamble

The responsible party has implemented suitable measures for confidentiality, integrity, availability, and resilience and procedures for regular review, assessment, and evaluation. The general section (Basic Measures) describes technical and organizational measures that apply regardless of the respective services, locations, and customers. The following sections describe measures beyond those documented in the general part.

Certificates

Lumiform has the following official certifications in the area of information security:

CertificateComment
ISO27001via AWS
ISO27017via AWS
ISO27018via AWS
Other / NotesOur data security standards are designed to align with recommended best practices in recognized standards such as ISO 27001. Our objective is to continually expand our security program and pursue formal certification.

Basic measures

Fundamental measures that serve to safeguard the rights of data subjects, respond immediately in emergencies, meet the requirements of technology design, and protect data at the employee level:

  • There is an internal data protection management system, compliance with which is systematically monitored and evaluated on an ad hoc basis and at least semi-annually.
  • A concept in place ensures an immediate response to personal data breaches following legal requirements (review, documentation, reporting). It includes forms, instructions, and all necessary implementation procedures.
  • A concept is in place to ensure that the rights of data subjects (access, rectification, erasure or restriction of processing, data transfer, revocation, and objection) are safeguarded within the statutory time limits. It includes forms, instructions, and established implementation procedures.
  • Authorizations issued to employees concerning the processing of personal data, as well as issued keys, access cards, or codes of any kind, will be withdrawn or revoked after they depart from the company or change responsibilities following an authorization concept.
  • All service providers used to perform ancillary business tasks (e.g., cleaning staff, security guards, etc.) are carefully selected, ensuring they comply with personal data protection. In the case of service providers who are not engaged in ancillary business activities, the protection of personal data and the safeguarding of the rights and obligations of clients/contractors of Data Processing are ensured. This also applies to comparable situations with a data transfer to so-called third countries.
  • Employees are trained, instructed, and briefed concerning data privacy, must maintain confidentiality, and are made aware of possible liability consequences. Special regulations exist or are planned for employees working outside the company’s premises or using private devices for business activities. Data protection in these constellations is guaranteed.
  • The protection of personal data shall be taken into account, taking into account state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons associated with the processing, already during the development or selection of hardware, software as well as procedures, following the principle of data protection by design of technology and by data protection-friendly default settings (Art. 25 GDPR).
  • The software used is constantly updated, as are virus scanners and firewalls.

Access control

All measures are suitable for preventing unauthorized persons from accessing the data processing facilities.

Measures implemented:

  • Alarm system
  • Automatic access control system
  • Manual closing system
  • Security locks
  • Protection of the building shafts
  • Doors with knob outside
  • Window lock
  • Permanent staff present
  • Bell system with camera
  • Regulation of key issuance
  • Visitors’ book / Visitors’ log
  • Access regulations for visitors
  • Visitors accompanied by employees
  • Care in the selection of cleaning services

System access control

All suitable measures prevent the use of data processing systems by unauthorized persons and ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified, or removed without authorization during processing, use, and storage.

Measures implemented:

  • Login with username + password
  • Login with biometric data
  • Always up-to-date virus protection
  • Always current software versions
  • Encrypted data transfer via https/TLS or comparable protection systems
  • Network firewall
  • Mobile Device Management
  • Encryption of data carriers
  • Encryption smartphones
  • Locking external interfaces (USB etc.)
  • Use of intrusion detection systems
  • Automatic desktop lock
  • Encryption of notebooks/tablet
  • Manage user permissions
  • Create user profiles
  • Directory and regulations for mobile data carriers
  • Secure Password Policy
  • Delete / Destroy Policy
  • Clean desk policy
  • Screen lock policy
  • General policy data protection and/or security
  • Mobile Device Policy
  • Manual desktop lock” instructions
  • Shredder
  • Physical deletion of data carriers
  • Logging of accesses to applications, specifically when entering, changing, and deleting data
  • Deployment authorization concepts
  • Minimum number of administrators
  • Management of user rights by administrators
  • Personal firewall
  • Guideline for the use of USB sticks

Transfer control

All measures to ensure that personal data cannot be read, copied, altered, or removed by unauthorized persons during electronic transmission or their transport or storage on data media and that it is possible to verify and determine to which entities personal data are intended to be transmitted by data transmission equipment.

Measures implemented:

  • Email encryption (S/MIME, PGP, TLS, comparable)
  • Logging of accesses and retrievals
  • Data is only passed on to authorized third parties
  • Pseudonymization
  • Encryption of data carriers and connections
  • Dedicated sharing permissions
  • Provisioning over encrypted connections such as sftp, https
  • Use of signature methods

Input control

All measures ensure that it is possible to check and determine retrospectively whether and by whom personal data has been entered into, modified, or removed from data processing systems.

Measures implemented:

  • Logging of data entries, changes, and deletions
  • Manual or automated control of the logs
  • Overview of which programs can be used to enter, change, or delete which data
  • Traceability of input, modification, and deletion of data through individual user names (not user groups)
  • Assignment of rights to enter, change, and delete data based on an authorization concept
  • Retention of forms from which data have been transferred to automated processing operations
  • Clear responsibilities for deletions
  • Administrator and deputy concept

Order control

All measures ensure that personal data processed on behalf of the client can only be processed by the client’s instructions.

Measures implemented:

  • Prior review of the safety measures taken by the contractor and their documentation
  • Selection of the contractor from the point of view of due diligence (especially concerning data protection and data security).
  • Conclusion of the necessary Data Processing Agreement or EU Standard Contractual Clauses.
  • Written instructions to the contractor
  • Obligation of the contractor’s employees to maintain data secrecy
  • Obligation to appoint a data protection officer by the contractor if the obligation to appoint exists
  • Agreement on effective control rights vis-à-vis the contractor
  • Regulation on the use of further subcontractors
  • Ensuring the destruction of data after the completion of the order

Availability control/integrity

All measures are taken to protect personal data against accidental destruction or loss.

Measures implemented:

  • Fire and smoke detection systems
  • UPS (uninterruptible power supply)
  • Data protection safe (S60DIS, S120DIS, other suitable standards with swell seal, etc.)
  • RAID system / hard disk mirroring
  • Backup & recovery concept (formulated)
  • Constantly controlled backup and recovery concept
  • Emergency concept through own IT and external service provider
  • Carrying out resilience tests
  • Technical protection against data loss and unauthorized access through virus protection, anti-spyware, and spam filters
  • Separate overvoltage protection
  • Additional backup copies with storage in specially protected locations
  • Differential and full/complete backup, cloud-based and through NAS system
  • Regular data recovery tests and logging of results
  • Existence of an emergency plan (e.g., BSI IT Grundschutz 100-4)
  • Separate partitions for operating systems and data

Guarantee of the earmarking/separation requirement

All measures that ensure data collection for different purposes can be processed separately.

Measures implemented:

  • Separation of productive and test environment
  • Physical separation (systems/databases/data carriers)
  • Control via authorization concept
  • Setting database rights
  • Data sets are provided with purpose attributes
  • Installation of a multitenant system