Netstream Logo White

Technical and organizational measures (TOM)

Version: 01.08.2023

This documentation contains the technical and organizational measures in accordance with Art. 8 revDSG and Art. 24, 32 (1) DSGVO. The categories of measures are subordinated to the protection requirement objectives of confidentiality, availability, integrity and resilience, whereby resilience is considered a subcategory of availability.

1. confidentiality

1.1 Access control

Measures office space:

  • Video surveillance
  • Automatic access control system
  • Electronic locking system with authorization management
  • Doors with knob outside
  • Bell system with camera
  • Visitor regulation
  • Visitor escort by employees
  • Contractual protection of service personnel (cleaning)

Measures Data Centers:

  • Video surveillance
  • Automatic access control system
  • Electronic locking system with authorization management
  • Biometric access barriers
  • Restrictive access policies
  • Security guards
  • Visitor escort exclusively by authorized employees
  • Alarm system inputs
  • Contractual safeguarding with service providers (maintenance)
  • Security locks

1.2 Access control


  • strict remote access policies
  • Two-factor authentication where possible
  • Firewall
  • Regular verification of authorizations
  • Mandatory encryption of data connections
  • Conduct guidelines for employees in dealing with sensitive data
  • Password policy
  • Central password management
  • Restrictive authorization rules for data requiring special protection
  • Mobile and Telework Policy

1.3 Access control


  • professional, external destruction of data media
  • Logging of accesses to applications, specifically when entering, changing and deleting data
  • Deployment authorization concepts
  • Minimum number of administrators
  • Behavioral Guidelines Administrators
  • Management of user policies by administrators

1.4 Separation control


  • Separation of productive and test environment
  • Physical separation (systems / databases / data carriers)
  • Multi-client capability of relevant applications
  • Control via authorization concept
  • Setting database rights
  • restrictive authorization concept

1.5 Pseudonymization


  • Internal instruction to anonymize / pseudonymize personal data as far as possible in the event of disclosure or even after expiry of the statutory deletion period.
  • Pseudonymization of personal data for analytical purposes in cooperation with third parties

2. integrity

2.1 Transfer control


  • Deployment VPN
  • Logging of accesses and retrievals
  • Encrypted transmission of data
  • Documentation of the data recipients and the duration of the planned transfer or deletion periods.
  • Disclosure in anonymized or pseudonymized form
  • Supplier management according to ISO 27001

2.2 Input conrole


  • Technical logging of data entry, modification and deletion
  • Traceability of input, modification and deletion of data through individual user names (not user groups)
  • Assignment of rights to enter, change and delete data on the basis of an authorization concept
  • Clear responsibilities for deletions

3. availability and resilience

3.1 Availability control


  • Additional security standard through ISO 27001 certification
  • Fire and smoke detection system
  • Automatic fire extinguishing system
  • Climate monitoring server rooms
  • UPS
  • Emergency generator
  • Redundant power supply
  • RAID systems
  • Video surveillance
  • Alarm system
  • Backup and recovery concept (business continuity policy)
  • Monitoring systems
  • Offsite backups
  • Existence of an emergency plan
  • Redundant power supply line
  • Regular review and testing of emergency plans
  • Incident Management Policy

4. procedures for regular review, assessment and evaluation.

4.1 Data protection measures


  • Central documentation of all procedures and regulations on data protection with access for employees according to need / authorization
  • ISO 27001 security certification
  • Regular review of the effectiveness of technical protection measures
  • Internal data protection officer
  • Data privacy policy for employees and awareness training
  • Sensitization of employees
  • CISO / internal information security officer
  • External audits
  • The organization complies with the information obligations according to Art. 13 and 14 DSGVO

4.2 Incident response management


  • Firewall use
  • Regular update
  • Regular check for security vulnerabilities
  • Risk Management
  • Spam filter
  • Virus scanner
  • Documented process for detecting and reporting security incidents / data breaches (also with regard to reporting obligation to supervisory authority)
  • Documented procedure for handling security incidents
  • Incident Management Policy

4.3 Privacy-friendly default settings


  • No more personal data is collected than is necessary for the respective purpose

4.4 Order control


  • Prior review of the safety measures taken by the contractor and their documentation.
  • Selection of the contractor under due diligence aspects (especially with regard to data protection and data security)
  • In the case of longer cooperation: Ongoing review of the contractor and its level of protection.
  • Care in the selection of suppliers
Netstream Logo White
Search this page...
Netstream Logo White



New products are being created in this section. Be patient for a moment or contact us for more information.

Netstream Logo White


Netstream Logo White