Technical and organizational measures (TOMs) to protect your data. All controls are regularly reviewed and updated.
Encryption in Transit
TLS 1.3 for all external and internal connections. HSTS enabled.
Encryption at Rest
AES-256 encryption for all stored data (database, object storage, backups).
Network Segmentation
Kubernetes cluster with dedicated namespaces and network policies. Workloads are isolated from each other.
Firewall & Network Protection
Restricted network access. Only required ports are open. Regular review of firewall rules.
Automatic Backups
Daily automatic database backups with point-in-time recovery. Object storage with versioning.
Intrusion Detection
Monitoring of suspicious activities at infrastructure level. Automatic alerts on anomalies.
Patch Management
Regular updates of infrastructure components. Automated container image updates.
Logging & Monitoring
Centralized logging of all system events. Real-time monitoring with alerting.
DDoS Protection
Protection against distributed denial-of-service attacks at network and application level.
Container Security
Minimal base images. No root containers. Security contexts in Kubernetes pods.
Secrets Management
Encrypted storage of all credentials and API keys. SOPS-encrypted secrets in version control.
High Availability
Multi-node Kubernetes cluster. Automatic pod recovery on failures. Target availability 99.5%.
Multi-Tenant Isolation
Strict data separation at database level. Every query is automatically filtered to the respective tenant.
JWT Authentication
Token-based authentication with tenant scoping. Tokens have limited validity periods.
Role-Based Access Control
RBAC system with configurable roles and permissions. Principle of Least Privilege.
SSH Key-Based Infrastructure Access
No password login on servers. Exclusively SSH key authentication for administrators.
Access Revocation on Offboarding
Immediate revocation of all access rights upon termination of employment. Documented offboarding process.
API Key Management
Secure generation and rotation of API keys. No hardcoded credentials.
Session Management
Automatic session timeout. Secure session tokens with HttpOnly and Secure flags.
BFF Proxy Architecture
Tokens are never exposed to the browser. Backend-for-Frontend proxy injects authentication server-side.
EU Data Residency
All application data is exclusively processed and stored in the EU (Germany).
Data Minimization
Only data required for the respective processing purpose is collected and processed.
Data Deletion at Contract End
30-day export period, then complete deletion of all customer data. Backups cleaned within 90 days.
Data Classification
Documented policies for classification of personal and confidential data.
Retention Policies
Defined retention periods for different data categories. Automatic cleanup.
AI Zero-Retention
Contractual agreements with AI providers: no storage of and no training on customer data.
Pseudonymization in Logs
Technical IDs instead of real names in logs. No directly identifying data in error reports.
Right to Data Portability
All customer data can be exported at any time in common, machine-readable formats.
Data Processing Agreement
Standardized DPA pursuant to Art. 28 GDPR, automatically part of the terms of service.
Subprocessor Transparency
Publicly accessible list of all subprocessors with advance notification of changes.
Confidentiality Agreements
All employees and contractors sign confidentiality agreements (NDAs).
Security Training
Regular data protection and security training for all employees.
Incident Response Plan
Documented plan with defined escalation levels. Customer notification within 24 hours.
Disaster Recovery
Documented recovery plans. Regular testing of backup-restore processes.
Change Management
Code reviews, automated tests, and staged deployment (staging → production).
Secure Development (SDLC)
Security by Design. Dependency scanning. Automated security tests in the CI/CD pipeline.
Vendor Management
Careful selection and regular review of all third-party providers. Contractual data protection obligations.
Documentation
Complete documentation of all processing activities, policies, and procedures.
Physical Security
Data centers with ISO 27001 certification. Access controls, video surveillance, fire protection.