ANNEX 4 – Technical and Organisational Measures (TOMs)

Version v1.0

Overview: Security based on risk management, least privilege and EU/EEA data residency.

Organisational measures

- Security governance and annual reviews; DPO processes; DPIA when required.

- Employee NDA, onboarding and role-based access; periodic training.

- Vendor & subprocessor management (DPAs, audit rights).

Technical measures

- Encryption: TLS 1.2+ in transit; AES-256 at rest.

- Access control: SSO/IdP (Clerk), MFA, least privilege; periodic access reviews.

- Logging & monitoring: application and audit logs with alerts; retention ≥ 180 days.

- Vulnerability management: regular scans and risk-based remediation; dependency scanning.

- Backups: daily encrypted backups; restoration tests.

- DR/BCP: RPO ≤ 24 h, RTO ≤ 24 h.

- Network & edge: WAF/DDoS, firewalls, segmentation.

- Secure development: code reviews, CI/CD checks, separated dev/test/prod.

Maintenance & testing

- Annual penetration test or equivalent third-party assessment.

Maintenance windows

- Planned maintenance announced at least 3 business days in advance.

More info: https://lyyli.ai/fi/security