Technical and organizational measures (TOMs) to protect your data. All controls are regularly reviewed and updated.
GDPR compliant
Full alignment with EU General Data Protection Regulation. Data processing agreement, technical/organizational measures and subprocessor list available on request.
§43e BRAO compliant
Contractual commitment to attorney-client privilege under §43e BRAO and §203 StGB — covers every employee and subprocessor.
Native beA integration
Direct integration with the German Federal Bar's secure messaging system (beA). Send, receive and archive — all in one system.
§203 StGB compliant
Personnel are explicitly bound to professional secrecy under §203 StGB. Separate confidentiality declaration available on request.
On-premise available
Optimaite Law can run in your own infrastructure on request — with full feature scope and no cloud requirement.
Cloud in Germany
Secure cloud operation in German data centers, with encryption, tenant separation and clearly documented data flows.
Solo to large firms
Scales linearly from solo practitioner to 200-attorney partnership. Same platform, same data, same workflows.
Encryption in Transit
TLS 1.3 for all external and internal connections. HSTS enabled.
Encryption at Rest
AES-256 encryption for all stored data (database, object storage, backups).
Network Segmentation
Kubernetes cluster with dedicated namespaces and network policies. Workloads are isolated from each other.
Firewall & Network Protection
Restricted network access. Only required ports are open. Regular review of firewall rules.
Automatic Backups
Daily automatic database backups with point-in-time recovery. Object storage with versioning.
Intrusion Detection
Monitoring of suspicious activities at infrastructure level. Automatic alerts on anomalies.
Patch Management
Regular updates of infrastructure components. Automated container image updates.
Logging & Monitoring
Centralized logging of all system events. Real-time monitoring with alerting.
DDoS Protection
Protection against distributed denial-of-service attacks at network and application level.
Container Security
Minimal base images. No root containers. Security contexts in Kubernetes pods.
Secrets Management
Encrypted storage of all credentials and API keys. SOPS-encrypted secrets in version control.
High Availability
Multi-node Kubernetes cluster. Automatic pod recovery on failures. Target availability 99.5%.
Multi-Tenant Isolation
Strict data separation at database level. Every query is automatically filtered to the respective tenant.
JWT Authentication
Token-based authentication with tenant scoping. Tokens have limited validity periods.
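The two controls above, tenant-scoped tokens with a limited validity period and queries that are always filtered to the caller's tenant, fit together in one request path. The following Python example is added here to show that path end to end; it is not Optimaite Law's code, and the signing key, tenant names, document rows and the in-memory "table" are all constructed for the demonstration. It uses only the standard library (an HS256-style token built with `hmac`), and the point it makes that the one-liners do not is where the tenant comes from: the repository reads it from the verified claims, never from a request parameter, so a client cannot widen its own scope.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. A deployment would load this from its secrets store
# (the page mentions SOPS-encrypted secrets); never hardcode a real key.
SIGNING_KEY = b"demo-signing-key-not-for-production"
TOKEN_TTL_SECONDS = 900  # short validity period: 15 minutes


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, tenant_id: str, now=None) -> str:
    """Mint an HS256-style JWT whose payload carries the tenant scope and expiry."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "tenant_id": tenant_id,
               "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_token(token: str, now=None) -> dict:
    """Return the claims only if the signature checks out, the token is unexpired
    and it carries a tenant scope. Anything else is rejected, never 'repaired'."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("malformed token")
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")  # pin the algorithm; do not trust the header
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        raise TokenError("token expired")
    if not claims.get("tenant_id"):
        raise TokenError("missing tenant scope")
    return claims


# Constructed in-memory rows standing in for a table with a tenant_id column.
DOCUMENTS = [
    {"id": 1, "tenant_id": "kanzlei-a", "title": "Mandat 0815"},
    {"id": 2, "tenant_id": "kanzlei-b", "title": "Mandat 4711"},
    {"id": 3, "tenant_id": "kanzlei-a", "title": "Schriftsatz"},
]


class TenantScopedRepository:
    """Every accessor derives the tenant from verified claims, never from a
    request parameter, so the tenant filter can neither be omitted nor overridden."""

    def __init__(self, rows):
        self._rows = rows

    def list_documents(self, claims: dict) -> list:
        tenant = claims["tenant_id"]
        return [row for row in self._rows if row["tenant_id"] == tenant]

    def get_document(self, claims: dict, doc_id: int):
        tenant = claims["tenant_id"]
        for row in self._rows:
            if row["id"] == doc_id and row["tenant_id"] == tenant:
                return row
        # A foreign tenant's document is reported exactly like a nonexistent one.
        return None


def documents_for_request(token: str, doc_id=None, now=None):
    """Request handler shape: verify the token first, then query inside its tenant scope."""
    claims = verify_token(token, now)
    repo = TenantScopedRepository(DOCUMENTS)
    if doc_id is None:
        return repo.list_documents(claims)
    return repo.get_document(claims, doc_id)


if __name__ == "__main__":
    token = issue_token("anwalt-1", "kanzlei-a")
    print([d["id"] for d in documents_for_request(token)])  # [1, 3]
```

The `get_document` path returns `None` for another tenant's record rather than a distinct "forbidden" result, so a caller cannot enumerate which ids exist elsewhere. In a real service the same rule is usually enforced a second time in the database (row-level security or a mandatory `WHERE tenant_id = ?` in the data layer) so that a handler which forgets to call the repository still cannot cross tenants.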
Role-Based Access Control
RBAC system with configurable roles and permissions. Principle of Least Privilege.
SSH Key-Based Infrastructure Access
No password login on servers. Exclusively SSH key authentication for administrators.
Access Revocation on Offboarding
Immediate revocation of all access rights upon termination of employment. Documented offboarding process.
API Key Management
Secure generation and rotation of API keys. No hardcoded credentials.
Session Management
Automatic session timeout. Secure session tokens with HttpOnly and Secure flags.
BFF Proxy Architecture
Tokens are never exposed to the browser. Backend-for-Frontend proxy injects authentication server-side.
EU Data Residency
All application data is exclusively processed and stored in the EU (Germany).
Data Minimization
Only data required for the respective processing purpose is collected and processed.
Data Deletion at Contract End
30-day export period, then complete deletion of all customer data. Backups cleaned within 90 days.
Data Classification
Documented policies for classification of personal and confidential data.
Retention Policies
Defined retention periods for different data categories. Automatic cleanup.
AI Zero-Retention
Contractual agreements with AI providers: No storage, no training with customer data.
Pseudonymization in Logs
Technical IDs instead of real names in logs. No directly identifying data in error reports.
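To make "technical IDs instead of real names" concrete, here is an added Python example of a logging filter that rewrites records before they reach any handler. It is not Optimaite Law's code, and the page does not say how its IDs are derived; the keyed HMAC-SHA256 pseudonym used here is an assumption, chosen because it is stable (the same person maps to the same ID, so incidents can still be correlated) but not reversible without the key. The key, the logger name `optimaite.demo` and the sample e-mail address are constructed for the demonstration.

```python
import hashlib
import hmac
import logging
import re

# Constructed per-environment secret. A different key per environment means
# pseudonyms from staging cannot be linked to production and vice versa.
PSEUDONYM_KEY = b"demo-pseudonym-key-not-for-production"

# Catches e-mail addresses embedded in free-text messages and exception strings.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def technical_id(identifier: str) -> str:
    """Stable, non-reversible pseudonym: keyed hash of the normalized identifier."""
    normalized = identifier.strip().lower().encode()
    digest = hmac.new(PSEUDONYM_KEY, normalized, hashlib.sha256).hexdigest()
    return "usr_" + digest[:16]


def scrub_message(message: str) -> str:
    """Replace every e-mail address in a message with its technical ID."""
    return EMAIL_RE.sub(lambda match: technical_id(match.group(0)), message)


class PseudonymizingFilter(logging.Filter):
    """Rewrites the rendered message and the structured 'user' attribute, if present."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render first, then clear args, so the scrubbed text is not re-formatted.
        record.msg = scrub_message(record.getMessage())
        record.args = ()
        if hasattr(record, "user"):
            record.user = technical_id(record.user)
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def build_logger():
    logger = logging.getLogger("optimaite.demo")  # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s user=%(user)s %(message)s"))
    handler.addFilter(PseudonymizingFilter())  # runs before the line is formatted
    logger.addHandler(handler)
    return logger, handler


def log_login(email: str) -> str:
    """Log a login event the way application code would, and return the stored line."""
    logger, handler = build_logger()
    logger.info("login succeeded for %s", email, extra={"user": email})
    return handler.lines[-1]


if __name__ == "__main__":
    print(log_login("max.mustermann@example.com"))
```

Attaching the filter to the handler rather than to individual loggers is the important choice: it also covers libraries that log through their own logger names, and it keeps the raw address out of the record by the time any formatter, file or shipping agent sees it.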
Right to Data Portability
Export of all customer data in common, machine-readable formats available at any time.
Data Processing Agreement
Standardized DPA pursuant to Art. 28 GDPR, automatically part of the terms of service.
Subprocessor Transparency
Publicly accessible list of all subprocessors with advance notification of changes.
Confidentiality Agreements
All employees and contractors sign confidentiality agreements (NDAs).
Security Training
Regular data protection and security training for all employees.
Incident Response Plan
Documented plan with defined escalation levels. Customer notification within 24 hours.
Disaster Recovery
Documented recovery plans. Regular testing of backup-restore processes.
Change Management
Code reviews, automated tests, and staged deployment (staging → production).
Secure Development (SDLC)
Security by Design. Dependency scanning. Automated security tests in the CI/CD pipeline.
Vendor Management
Careful selection and regular review of all third-party providers. Contractual data protection obligations.
Documentation
Complete documentation of all processing activities, policies, and procedures.
Physical Security
Data centers with ISO 27001 certification. Access controls, video surveillance, fire protection.