DPA: Annex 2
Technical and Organisational Measures (TOMs)
Last updated October 22, 2025
The Processor implements the following technical and organisational measures, taking into account the state of the art, implementation costs and the processing risks, to ensure an appropriate level of security pursuant to Art. 32 GDPR.
1. Encryption (Art. 32(1)(a) GDPR)
- Personal data is encrypted in transit (TLS 1.2 or higher) and at rest where applicable (AES-256 or equivalent).
- Encrypted backups with restricted access.
- Encryption keys are subject to secure key management and limited access.
2. Confidentiality, Integrity, Availability and Resilience (Art. 32(1)(b) GDPR)
- Access control: Access to the IT and cloud infrastructure is restricted through individual user accounts, role-based access control (principle of least privilege), monitoring for unauthorized access attempts, enforced password policies, and multi-factor authentication for all accounts. These measures apply to the management of the infrastructure itself; end users are responsible for implementing and managing their own authentication methods (e.g., passwords, two-factor authentication) for access to their accounts.
- Separation and environment control: Separate production, test and development environments.
- Physical & infrastructure security: Use of certified data centres (ISO 27001 / equivalent), physical access controls, fire protection and environmental monitoring.
3. Availability & Restorability (Art. 32(1)(c) GDPR)
- Availability: Defined SLAs; continuous availability monitoring and alerting; automated recovery where applicable.
- Backups: Regular automated backups of customer data and critical systems; retention and secure storage policies.
- Recovery testing: Periodic restoration tests; documented disaster recovery and incident response plans with defined recovery time objectives (RTO) and recovery point objectives (RPO).
- Resilience: Redundant infrastructure, firewalls, intrusion detection/prevention systems.
4. Regular Review, Evaluation and Continuous Improvement (Art. 32(1)(d) GDPR)
- Continuous monitoring and vulnerability scanning; regular patch management.
- Regular internal audits and review of access permissions.
- Periodic staff training on data protection and security.
- External audits or certifications are used as evidence of compliance where available.
5. Organisational Measures & Sub-processor Governance
- Confidentiality obligations for staff and contractors; contractual obligations for sub-processors mirroring contractual TOM obligations.
- Written procedures for onboarding new sub-processors, including pre-selection review of their TOMs and contractual DPA.
- Vendor management: Due diligence and risk assessments are conducted prior to onboarding vendors to ensure appropriate security and data protection measures are in place.
- Incident response: An established incident response team monitors, investigates, and manages security incidents to ensure timely mitigation and communication.