Technical and organizational measures (TOM)

Version: 01.11.2022

This documentation contains the technical and organizational measures according to Art. 24, 32 (1) GDPR. The categories of measures are subordinated to the protection requirement goals of confidentiality, availability, integrity and resilience, whereby resilience is considered a subcategory of availability.

1. Confidentiality

1.1 Physical access control

Measures for office space:

  • Video surveillance
  • Automatic access control system
  • Electronic locking system with authorization management
  • Doors with knob on the outside
  • Bell system with camera
  • Visitor regulation
  • Visitor escort by employees
  • Contractual protection of service personnel (cleaning)

Measures for data centers:

  • Video surveillance
  • Automatic access control system
  • Electronic locking system with authorization management
  • Biometric access barriers
  • Restrictive access policies
  • Security guards
  • Visitor escort exclusively by authorized employees
  • Alarm system at entrances
  • Contractual safeguarding with service providers (maintenance)
  • Security locks

1.2 System access control

  • Strict remote access policies
  • Two-factor authentication where possible
  • Firewall
  • Regular verification of authorizations
  • Mandatory encryption of data connections
  • Conduct guidelines for employees in dealing with sensitive data
  • Password policy
  • Central password management
  • Restrictive authorization rules for data requiring special protection
  • Mobile and Telework Policy

1.3 Data access control

  • Professional, external destruction of data media
  • Logging of accesses to applications, specifically when entering, changing and deleting data
  • Use of authorization concepts
  • Minimum number of administrators
  • Conduct guidelines for administrators
  • Management of user policies by administrators

1.4 Separation control

  • Separation of productive and test environment
  • Physical separation (systems / databases / data carriers)
  • Multi-client capability of relevant applications
  • Control via authorization concept
  • Setting database rights
  • Restrictive authorization concept

1.5 Pseudonymization

  • Internal instruction to anonymize / pseudonymize personal data as far as possible in the event of disclosure or even after expiry of the statutory deletion period.
  • Pseudonymization of personal data for analytical purposes in cooperation with third parties

2. Integrity

2.1 Transfer control

  • Use of VPN
  • Logging of accesses and retrievals
  • Encrypted transmission of data
  • Documentation of the data recipients and the duration of the planned transfer or deletion periods.
  • Disclosure in anonymized or pseudonymized form
  • Supplier management according to ISO 27001

2.2 Input control

  • Technical logging of data entry, modification and deletion
  • Traceability of input, modification and deletion of data through individual user names (not user groups)
  • Assignment of rights to enter, change and delete data on the basis of an authorization concept
  • Clear responsibilities for deletions

3. Availability and resilience

3.1 Availability control

  • Additional security standard through ISO 27001 certification
  • Fire and smoke detection system
  • Automatic fire extinguishing system
  • Climate monitoring in server rooms
  • UPS
  • Emergency generator
  • Redundant power supply
  • RAID systems
  • Video surveillance
  • Alarm system
  • Backup and recovery concept (business continuity policy)
  • Monitoring systems
  • Offsite backups
  • Existence of an emergency plan
  • Redundant power supply line
  • Regular review and testing of emergency plans
  • Incident Management Policy

4. Procedures for regular review, assessment and evaluation

4.1 Data protection measures

  • Central documentation of all procedures and regulations on data protection with access for employees according to need / authorization
  • ISO 27001 security certification
  • Regular review of the effectiveness of technical protection measures
  • Internal data protection officer
  • Data privacy policy for employees and awareness training
  • Sensitization of employees
  • CISO / internal information security officer
  • External audits
  • The organization complies with the information obligations according to Art. 13 and 14 GDPR

4.2 Incident response management

  • Firewall use
  • Regular update
  • Regular check for security vulnerabilities
  • Risk Management
  • Spam filter
  • Virus scanner
  • Documented process for detecting and reporting security incidents / data breaches (also with regard to reporting obligation to supervisory authority)
  • Documented procedure for handling security incidents
  • Incident Management Policy

4.3 Privacy-friendly default settings

  • No more personal data is collected than is necessary for the respective purpose

4.4 Order control

  • Prior review of the security measures taken by the contractor and their documentation.
  • Selection of the contractor under due diligence aspects (especially with regard to data protection and data security)
  • In the case of longer cooperation: Ongoing review of the contractor and its level of protection.
  • Care in the selection of suppliers
Learn more about your options with Netstream Cloud. Leave your contact details and we'll get back to you.

Or call us at:
058 058 40 00