Technical Organizational Measures
This document lists the technical-organizational measures (TOMS) that we employ to protect personal information (as well as any non-personal sensitive data) in accordance with the GDPR.
General Remarks
We develop our software with privacy by design & default and employ security & privacy engineering best practices, which include:
- Data Minimisation: We minimize collection and logging of unnecessary information and employ the shortest possible log retention periods.
- Zero Trust Approach: We secure and authenticate all communication in our network using end-to-end encryption and do not assign special privileges or trust based on network segments.
- Defense In Depth: We aim to authenticate and secure access to individual system components with at least two independent security mechanisms to ensure that failure of a single security mechanism will not lead to data loss or system compromise.
- Infrastructure, Privacy & Security As Code: We systematize and automate all possible aspects of our systems. This includes defining infrastructure declaratively as software code and reducing manual administration and intervention to a minimum.
- Minimal External Dependencies: Whenever possible we host and manage our own infrastructure services in order to minimize third-party vendor risk.
- Open-Source: Whenever possible we rely on auditable, proven open-source software solutions to build our infrastructure and services. We also publish our own software as open-source wherever possible.
- Simplicity: We strive to minimize complexity and build simple software systems that are easy to understand, optimize and analyze.
Common best practices and requirements that are directly implied by the GDPR are not explicitly listed here.
Data Confidentiality
The following measures aim to ensure confidentiality of personal and non-personal data that we process for our customers and users.
Generic Measures
The following measures apply to both our internal and public IT services.
- Log Centralization & Audit Logging: We employ log collection and centralization to create auditable logs of all relevant activities happening in our IT infrastructure.
- Automated Alerting: We employ automated alerting (via e-mail, SMS, app) based on manually defined triggers in order to ensure timely reaction to server issues and potential incidents.
- Functional Minimisation: We systematically strip non-essential functionality from our software systems in order to reduce complexity and potential attack surface.
Internal IT Services
The following measures aim to secure our internal IT services, which include e.g. our e-mail infrastructure, our version control systems, logging and auditing services as well as personal computing devices.
- Access To IT Services: Internal IT services are accessible only through a separate end-to-end encrypted network channel and are secured by at least two independent authentication mechanisms (e.g. a VPN based on a personal certificate, and a password-protected SSH key or a password & second-factor protected user account).
- Personal Computing Devices: Storage on all personal computing devices is encrypted at rest. Users need to enable password-based authentication and automated locking. Credentials that provide elevated access to our IT infrastructure (e.g. SSH keys) need to be protected by auto-generated passwords, which are in turn protected by a password manager with an encrypted database (e.g. KeePassXC). All services processing personal data are protected using at least one second factor (e.g. a YubiKey and/or TOTP-based one-time codes).
Public IT Services
The following measures aim to secure our public IT services, which include customer-facing web services and associated infrastructure services such as databases, message queues and server infrastructure.
- Physical Access To Server Infrastructure: No one in our organization has any form of physical access to our server infrastructure.
- Automated Software Updates: We automatically apply security patches to all servers at least once per day. Additional measures such as log centralization and alerting are taken to ensure automatic updates cause only minimal breakage.
- Automated Deployment: We automate all regular deployment tasks and minimize manual access to server infrastructure in order to reduce the risk of data exposure.
Data Integrity
The following measures aim to ensure the integrity of personal and non-personal data that we process in our infrastructure.
- Regular Backups: We perform at least daily backups of all relevant databases and other storage artefacts in order to ensure our ability to restore data upon loss. We regularly test data recovery from backups to ensure their correctness.
- Extensive Data Validation: All user-submitted data gets passed through a strict, form-based data validation pipeline to ensure it is well-formed.
- Audit Logging: We keep logs of all data accesses and modification operations.
- Data Retention: We automate data retention and delete data that is no longer necessary.
Availability
The following measures aim to ensure availability of services and data to our customers and users.
- Redundancy: We strive to operate all stateless services (e.g. web APIs or workers) with at least simple redundancy to ensure service continuity in the event of a single server failure. We also strive to maintain geographic redundancy by hosting individual replicas in different data centers.
- Failover: We employ master-slave or master-master replication with automated failover for our databases to ensure service continuity in the event of a server failure.
- Graceful Degradation: Our services are designed to gracefully handle the failure of individual infrastructure components. For example, Klaro can fall back to a local backup configuration when the server-hosted configuration is not available. It is also possible to self-host the Klaro script for such cases.
Evaluation of Measures
- Regular Self-Audits: We regularly self-audit our security and privacy measures and set aside development capacity for maintenance, refactoring and improvement of system components and software.
- External Audits Of High-Risk Components: We work with external parties to audit high-risk components of our software infrastructure for security and privacy issues.
- Privacy & Security Triage: Every new process that has implications for data security or privacy goes through an internal triage process that identifies and minimizes possible risks right at the start.
- Evaluation Against Best Practices: We regularly self-evaluate our measures and practices against relevant industry standards and best practices such as the "BSI IT Grundschutz" catalogue.
- Open-Sourcing Of Software: We publish our software as open-source to ensure auditability and allow the general public to inspect and audit the software. Furthermore, we employ reproducible build mechanisms to ensure binary artefacts match source code input of our open-source software.