Technical and Organizational Measures (TOMs)
This page lists all technical and organizational measures ("TOMs") we adopt for the secure operation of our service.
1. Data Protection Management, Data Subject Rights, Privacy by Design, and Employee Data Protection
Fundamental measures aimed at safeguarding data subject rights, immediate reaction in emergencies, privacy by design requirements, and data protection with regard to employees:
- An **internal data protection management system** is in place; compliance with it is monitored continuously and evaluated on a case-by-case basis and at least every six months.
- A **security procedure** is in place that ensures the protection of data subjects' rights (information, rectification, erasure, restriction of processing, data portability, withdrawal of consent, and objection) within statutory deadlines.
- A **security procedure** is in place that ensures an **immediate reaction to data breaches** (assessment, documentation, notification) in accordance with legal requirements.
- The protection of personal data is already incorporated into the development or selection of hardware, software, and processes, taking into account the state of the art and the principles of **Data Protection by Design and by Default (Art. 25 GDPR)**.
- The software used, including **antivirus and firewalls**, is kept **permanently up-to-date**.
- Cleaning staff, security guards, and other service providers involved in performing auxiliary business tasks are carefully selected, and their compliance with personal data protection is ensured.
2. Physical Access Control
Measures to prevent unauthorized persons from gaining access to the data processing facilities with which personal data is processed:
- A **"paper-free office"** is maintained: documents are stored digitally and only in exceptional cases on paper.
- Apart from workstations and mobile devices, no data processing systems are operated on the company's own premises. Controller data is stored with **external hosting providers** in compliance with the requirements for processing on behalf of a Controller.
- **Server Location:** Electronic access control system (personal transponder, zoning, boarding process, electric door opener on the entrance door and self-closing exterior doors; in the data center, additionally, separation lock and alarm for unclosed doors).
- **Server Location:** Group-specific access rules (visitor registration at reception, escorting of visitors by internal employees, access to the data center only after prior personal registration, and locked server rooms with access rights limited to authorized personnel).
- **Server Location:** Surveillance and alarm system (an alarm system with notification of security guards; in case of alarm, on-site surveillance is carried out by security guards; in the data center, additionally, video surveillance of the corridors by its operator).
3. System Access Control
Measures to prevent unauthorized persons from using the data processing systems:
- A **rights management procedure** is in place to define and limit the access authorizations of employees and other persons to what is required for the specified purpose.
- All data processing systems are **password-protected**.
- A **password policy** is in place that stipulates length and complexity corresponding to the state of the art and security requirements.
- Log-ins to the processing systems are **recorded**.
- Antivirus software and hardware/software firewalls are implemented.
- Access to the website and online software services is protected by up-to-date **TLS encryption**.
- Internal systems are protected against unauthorized access by firewalls, username and password, and/or client certificates.
- There is a **limitation of failed login attempts** on internal systems (e.g., by blocking logins or IP addresses).
- Server systems and services equipped with **intrusion detection systems** are used.
- **Two-factor authentication** is used wherever it is technically supported.
- **Server Location:** Access to internal systems is restricted by firewall or VPN systems.
- **Server Location:** Encryption techniques are used to secure user authentication and administration processes via the internet.
- **Server Location:** Remote access to production device data requires a VPN-protected connection to the company network.
4. Data Access and Data Entry Control
Measures to ensure that authorized persons using a data processing system can only access the data covered by their access authorization, and that personal data cannot be entered, inserted, read, copied, modified, or deleted without authorization during processing, use, and subsequent storage; and measures that allow the processing operations to be reconstructed subsequently:
- An **access rights management concept** defines and limits access authorizations to what is necessary for the specified use.
- **Every step of data processing is logged**, in particular access to applications and the entry, modification, and deletion of data.
- Data containers are **securely stored**.
- A **deletion and destruction concept** (according to DIN 66399, the standard for the destruction of data carriers, or an equivalent level of erasure) is in place with defined responsibilities and reporting obligations. Employees are informed about the legal requirements, deletion periods, and specifications for the disposal of data and equipment.
- The processing of Data that is not deleted (e.g., because of statutory archiving obligations) is **restricted** by restriction flags and segregation.
- **Server Location:** Access via personalized accounts based on a rights management concept and **logging of access**.
- **Server Location:** System and application log files are stored, and administrative activities are recorded for access control (logging).
5. Transfer Control
Measures to ensure that personal data cannot be read, copied, altered, or deleted without authorization during electronic transmission or during transport or storage on data media, and that it is possible to check and establish to which points personal data are to be transmitted by means of data transmission facilities:
- **Authorized persons** for handing over and receiving data media are determined.
- For **physical transport**, secure transport containers or packaging are chosen, and data security is ensured by personal supervision, provided this is sufficient considering the risks to the data.
- In the case of **remote data access**, logging measures ensure that transmissions and disclosures are traceable and accountable.
- If necessary, possible, and reasonable, data is transmitted **anonymously or in pseudonymized form**.
- **Email encryption** is used if possible, reasonable, and desired by the communication partner, or if considered necessary and/or appropriate.
6. Order and Assignment Control
Measures to ensure that personal data processed on behalf of the Controller can only be processed in accordance with the Controller's instructions:
- Obligation for employees and representatives to **comply with the Controller's instructions**.
- **Written and documented specification** of instructions.
- Contractual and legal requirements for engaging sub-processors are met by concluding **Data Processing Agreements (DPAs)** and obtaining and monitoring necessary safeguards.
- It is ensured that data is **returned or deleted** after the completion of the assignment.
7. Availability and Integrity Control
Measures to ensure that personal data is protected against accidental destruction or loss:
- **Fault-tolerant server systems** and services are used: they are designed as redundant or multiple instances (e.g., RAID storage, redundant power supplies), are subjected to load and hardware tests, have DDoS protection, and are backed by an uninterruptible power supply.
- Server systems and services with a **backup system in other locations** (or at least in other fire compartments) are used, where current data is stored so that an operational system is available even in the event of a disaster.
- Server systems and services are used that have **humidity detectors, fire and smoke detection systems**, and corresponding fire extinguishing equipment in the data processing room.
- Server systems and services are used that offer a reliable and controlled **backup and recovery procedure**. Backups are performed **daily and are encrypted**.
- The availability of data processing systems is **permanently monitored**.
8. Guarantee of the Principle of Purpose / Data Segregation
Measures to ensure that data collected for different purposes can be processed separately:
- Data is separated **physically** (e.g., on different servers) or **logically** (e.g., in different databases or by tagging records with suitable purpose attributes).
- Unauthorized access to Data is prevented by an **access rights management concept**.
- In the case of pseudonymized storage, the **identification keys are stored separately** from the Data and protected against unauthorized or involuntary linking during processing.
- **Production and test systems are separated**.
9. Authorized Persons
- Only **administrators established by the Controller** are authorized to access all systems.
- **Customers** using kartha.com.mx have non-administrative access to their customer area and to the data processed for them, within the scope of their user authorization. Graduated authorizations may also exist for customers in accordance with the DPA.