ANNEX 4 – Technical and Organisational Measures (TOMs)
Overview: Security is based on risk management, least privilege and EU/EEA data residency.
Organisational measures
- Security governance and annual reviews; DPO processes; DPIA when required.
- Employee NDA, onboarding and role-based access; periodic training.
- Vendor & subprocessor management (DPAs, audit rights).
Technical measures
- Encryption: TLS 1.2 or higher for data in transit; AES-256 for data at rest.
- Access control: SSO/IdP (Clerk), MFA, least privilege; periodic access reviews.
- Logging & monitoring: application and audit logs with alerts; retention ≥ 180 days.
- Vulnerability management: regular scans and risk-based remediation; dependency scanning.
- Backups: daily encrypted backups; restoration tests.
- DR/BCP: Recovery Point Objective (RPO) ≤ 24 h, Recovery Time Objective (RTO) ≤ 24 h.
- Network & edge: WAF/DDoS, firewalls, segmentation.
- Secure development: code reviews, CI/CD checks, separated dev/test/prod.
Maintenance & testing
- Annual penetration test or equivalent third-party assessment.
Maintenance windows
- Planned maintenance announced at least 3 business days in advance.
More info: https://lyyli.ai/fi/security