TOM

Technical and Organisational Measures of secjur GmbH  

Version: December 19, 2025

The following measures provide an overview of the technical and organisational measures implemented in accordance with Art. 32 GDPR to protect the integrity, confidentiality, and availability of personal data at SECJUR GmbH. The measures are selected according to the existing risk of unauthorized disclosure, unauthorized alteration, or loss of personal data, and their effectiveness is reviewed regularly. The current state of the art is taken into account in each review so that no outdated protection mechanisms remain in place.

Physical Access Control

- Electronic locking system  
- Security locks  
- Lockable server cabinets  
- Visitor badge  
- Key control  
- Access concept  
- Alarm system  
- Reception  
- Accompanying guests    

System Access Control  

- End-device encryption  
- Data carrier encryption  
- Password policy  
- Blocking of unused accounts  
- At least 8 characters length  
- Minimum complexity  
- Regular change periods  
- Single passwords  
- Antivirus software  
- Regular updating of antivirus software  
- Firewall  
- Regular updating of the firewall  
- Automatic screen lock  
- Intrusion detection system  
- Locking external interfaces    


Data Access Control  

- Authorization concept  
- Review of the granting and withdrawal of authorizations  
- Differentiated assignment of rights  
- Definition of user groups  
- Deletion of personal data after the purpose has been achieved or the legal retention period has expired  
- Secure overwriting of disks after hard disk formatting  
- Regular evaluation of the protocols  
- Logging accesses  
- Minimum number of administrator accesses    

Separation Control  

- Client separation  
- Various databases  
- Development, test, and production system  
- System-side separation  
- Logical separation    

Transfer Control  

- Documentation of data transfers  
- Anonymization  
- TLS 1.2 Encryption  
- Regulation during physical transport    

Input Control

- Logging of inputs  
- Protection of log data against manipulation  
- Protection of log data against unauthorized viewing    


Availability Control  

- Data backup concept  
- Recovery concept  
- Testing the recovery  
- Emergency plan/emergency concept  
- Encryption of the data backups   
- Backup intervals: Daily  
- UPS  
- Air conditioners  
- Fire alarm system  
- Smoke detection system  
- RAID system  
- Backup strategy  
- Hard disk mirroring  
- Moisture detector  
- Twin system  
- Spam filter    


Data Protection Management

- Employees: Confidentiality obligation  
- Employee training on data protection  
- Data breach notification process  
- Data processing in EU or EEA  
- Compliance with Art. 28 and Art. 44 et seq. GDPR  
- Designated Data Protection Officer  
- Processes for exercising data subject rights    

Data Processing on Behalf Control  

- Procedure for the selection of subprocessors  
- Written Agreements (DPAs)  
- Checks and controls    

Further  

- Pseudonymization: Measures are implemented that enable the pseudonymization of personal data where necessary. This is done, for example, by using hash values or client numbers and by restricting access to the allocation table.  
- Incident-Response Management: Incident response management is implemented on the process side.  
- Privacy-Friendly Default Settings: SECJUR GmbH systems are selected and developed in such a way that the default settings comply with the principles of Article 5 of the GDPR, in particular purpose limitation.  
- Regular execution of updates  
- Deletion concept  
- Remote maintenance