Annexes
ANNEX 4 – Technical and Organizational Measures (TOMs)
Version v1.0 – Last updated November 23, 2025
General
Risk-based management, principle of least privilege, EU/EEA data location.
Organizational Measures
• Security management model and annual review; DPO processes; DPIA when needed.
• Personnel NDA, onboarding, role-based access; training.
• Vendor and subcontractor management (DPAs, audit rights).
Technical Measures
Encryption
TLS 1.2+ in transit; AES-256 at rest.
Access Control
SSO/IdP (Clerk), MFA, principle of least privilege; reviews.
Logging & Monitoring
Application and audit logs; alerts; retention ≥ 180 days.
Vulnerabilities
Regular scans; risk-based remediation; dependency scans.
Backups
Daily encrypted; restore tests.
DR/BCP
RPO ≤ 24 h, RTO ≤ 24 h.
Network
WAF/DDoS, firewalls, segmentation.
Development
Code reviews, CI/CD checks, dev/test/prod separation.
Maintenance and Testing
Annual penetration testing or equivalent third-party assessment.
Maintenance Windows
Notification at least 3 business days in advance.