Technical and Organisational Measures (TOMs)

Measures under Art. 32 GDPR ensuring the security of personal data processing on the NISD2.eu platform.

Last updated: April 2026.

Overview

This document describes the technical and organisational measures actually implemented by Kardashev Catalyst UG (haftungsbeschränkt) as operator of the NISD2.eu platform. It is an honest inventory, not a wish list - we list only what is already in place.

The measures are aligned with IT-Grundschutz (BSI) and will be extended as the platform grows.

Hosting in the EU

Production processing of personal data takes place exclusively within the EU:

  • Application servers and PostgreSQL database: Hetzner Online GmbH, data centre Falkenstein/Nuremberg, Germany
  • Storage of uploaded evidence documents: AWS S3, EU region
  • No production data processing outside the EU. US sub-services (Resend for transactional email, xAI for optional AI prefill) only process the data necessary for their function.

Encryption (Art. 32(1)(a) GDPR)
  • Transport encryption: TLS for all connections to the platform (HTTPS)
  • Encryption at rest: AWS S3 server-side encryption (AES256, set explicitly on every upload via PutObject); PostgreSQL data on Hetzner infrastructure
  • Credentials and API keys are managed via server environment variables, not stored in source or databases

Confidentiality (Art. 32(1)(b) GDPR)

Measures ensuring confidentiality:

  • Physical access control: data centres of the hosting providers (Hetzner, AWS) hold ISO 27001 certifications
  • Authentication: exclusively via Google OAuth 2.0; no passwords stored on the platform. MFA for users is provided through their Google account
  • Role-based permissions: admin, reviewer, member; enforced in the application layer via tRPC middleware
  • Multi-tenant isolation: every data-bearing query filters at the database layer on the company ID of the authenticated user; no shared data pools between customers
  • No plaintext passwords on the platform - authentication is exclusively OAuth-based

Integrity (Art. 32(1)(b) GDPR)
  • Input control: audit trail of all mutations capturing user ID, action, entity type, timestamp, IP address, user agent, and before/after values
  • Audit trail tamper detection: every audit row carries a SHA-256 checksum over its contents so changes to a row are detectable
  • Transfer control: data transmission only via TLS; all authenticated endpoints require a valid session
  • Evidence documents: storage location and metadata are written on upload; an optional client-supplied SHA-256 hash can be stored alongside the file
  • Sign-off mechanism: at the moment of approval, the requirement state is snapshotted into a sign-off history table whose entries form a SHA-256 chain (each entry's checksum covers the previous one) - tampering with the history is detectable end-to-end
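
The SHA-256 chain over the sign-off history described above, as an added TypeScript example that is not the platform's own code: the row field names, the canonical serialisation and the sample history are assumptions. It shows why each entry's checksum must cover its predecessor's checksum: editing a row, re-hashing an edited row, or deleting a row each break the chain at a position the verifier can report.

```typescript
import { createHash } from "crypto";
interface SignOffEntry { // field names are assumptions for this example
  id: number; requirementId: string;
  approvedBy: string; approvedAt: string;
  snapshot: Record<string, unknown>; // requirement state at approval time
  prevChecksum: string; // checksum of the preceding entry (GENESIS for the first)
  checksum: string; // SHA-256 over every field above
}
const GENESIS = "0".repeat(64);
const SIGNED_FIELDS = ["id", "requirementId", "approvedBy", "approvedAt", "snapshot", "prevChecksum"] as const;
// Canonical JSON with sorted keys, so equal content always yields the same hash.
function canonical(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    return "{" + Object.keys(obj).sort().map((k) => JSON.stringify(k) + ":" + canonical(obj[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}
// Hash the signed fields only; a stored checksum field is deliberately ignored.
function computeChecksum(entry: Omit<SignOffEntry, "checksum">): string {
  const body: Record<string, unknown> = {};
  for (const f of SIGNED_FIELDS) body[f] = entry[f];
  return createHash("sha256").update(canonical(body)).digest("hex");
}
// Append an approval; its checksum covers the previous entry's checksum, forming the chain.
function appendSignOff(history: SignOffEntry[], draft: Omit<SignOffEntry, "prevChecksum" | "checksum">): SignOffEntry[] {
  const prevChecksum = history.length > 0 ? history[history.length - 1].checksum : GENESIS;
  const unsigned = { ...draft, prevChecksum };
  return [...history, { ...unsigned, checksum: computeChecksum(unsigned) }];
}
// Walk from the start; return the index of the first entry whose own checksum or predecessor link is wrong, or -1 if intact.
function verifyChain(history: SignOffEntry[]): number {
  let expectedPrev = GENESIS;
  for (let i = 0; i < history.length; i++) {
    const e = history[i];
    if (e.prevChecksum !== expectedPrev || computeChecksum(e) !== e.checksum) return i;
    expectedPrev = e.checksum;
  }
  return -1;
}
// Constructed sample: three approvals of one requirement by two reviewers.
function buildSampleHistory(): SignOffEntry[] {
  const steps: [string, string][] = [["user-42", "partial"], ["user-42", "fulfilled"], ["user-17", "fulfilled"]];
  return steps.reduce<SignOffEntry[]>((h, [approvedBy, status], i) => appendSignOff(h, {
    id: i + 1, requirementId: "REQ-7", approvedBy, approvedAt: `2026-04-0${i + 1}T09:00:00Z`, snapshot: { status },
  }), []);
}
```

Because verification starts from the genesis value and checks every link, a checker run over the stored table (for example in a scheduled job) can locate the earliest inconsistent row rather than only report that something changed.
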
Availability (Art. 32(1)(b) GDPR)
  • Database backups according to the Hetzner Cloud service defaults; details on the current backup configuration are available on request
  • Storage of evidence documents in AWS S3 with the object durability guarantees provided by AWS
  • Rate limiting on login attempts, public endpoints (applicability check, supplier portal), and resource-heavy authenticated endpoints (PDF exports, certificate generation)
  • Uploaded files are limited to 50 MB per file

Procedure for regular review (Art. 32(1)(d) GDPR)
  • These TOMs are reviewed on an event-driven basis (e.g. after a security-relevant change or incident) and at least once per year
  • Updates of dependencies and security-relevant libraries: Dependabot is enabled to surface security patches and version updates as pull requests on a weekly cadence
  • Reporting obligations: personal data breaches will be reported to the competent supervisory authority within 72 hours per Art. 33 GDPR
  • Development practice: code changes go through pull requests; TypeScript strict-mode type checks are enforced; targeted automated tests cover security-critical logic (e.g. applicability classification)
Sub-processors

All sub-processors are bound by Art. 28 GDPR contracts. The full list is in the DPA document.

See full sub-processor list (DPA)

Data protection contact

Questions about these TOMs or our data processing should be sent to:

contact@nisd2.eu