Our Security Measures (Technical and Organisational Measures – TOMs)

Security is not just a feature — it is the foundation of everything we build. Our technical and organisational measures are designed to protect your data at every level.


Encryption & Access Controls

  • TLS/SSL for all data in transit; AES-256 for all data at rest
  • Strict role-based access following the principle of least privilege
  • Multi-factor authentication (MFA) for all internal systems
  • Tenant-level data separation and isolated runtime environments

SOC 2 & ISO 27001 Alignment

  • We are committed to SOC 2 compliance, continuously aligning our security controls with SOC 2 standards for security, availability, and confidentiality
  • Hosted in ISO 27001-certified EU data centers (e.g., Azure, Hetzner)
  • Security management aligned with ISO 27001 principles — regular reviews, risk analysis, and control assessments

Logging, Monitoring & Alerting

  • Comprehensive audit logs tracking all access and changes
  • Continuous monitoring with automated alerts for anomalies
  • DDoS protection and rate limiting
  • Incident detection through Microsoft Sentinel / Azure Security Center

Employee Training & Access Principles

  • Confidentiality commitments for all employees
  • Recurring privacy and security training
  • Need-to-know and dual-control principles in sensitive areas
  • Regular security awareness programs

Data Masking for AI Processing

  • All personal data is masked before it reaches any LLM — names, email addresses, and other identifiers are replaced with anonymized placeholders
  • The AI processes only masked content; original data is restored within our secure infrastructure
  • This ensures no personally identifiable information ever enters the language model
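The masking flow described above, as an added illustration that is not the company's own code: identifiers are swapped for numbered placeholders before text leaves for the model, a gate refuses any prompt that still carries an identifier, and the placeholder map never leaves the caller. It assumes the values to mask come from the customer record (here a constructed sample name) plus an e-mail pattern; `fake_llm` is a hypothetical stand-in for the model call.

```python
import re
from dataclasses import dataclass, field
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

@dataclass
class Masker:
    # known: identifier values taken from the customer record, e.g. {"NAME": ["Alice Example"]}
    # (constructed sample shape); mapping: placeholder -> original, kept inside our infrastructure.
    known: dict
    mapping: dict = field(default_factory=dict)
    counters: dict = field(default_factory=dict)

    def _placeholder(self, kind, original):
        # One placeholder per distinct value, so repeated mentions stay consistent for the model.
        for ph, orig in self.mapping.items():
            if orig == original:
                return ph
        self.counters[kind] = self.counters.get(kind, 0) + 1
        self.mapping[f"[{kind}_{self.counters[kind]}]"] = original
        return f"[{kind}_{self.counters[kind]}]"

    def mask(self, text):
        # Known record values first (longest first, so "Alice Example" wins over "Alice"),
        # then pattern-based identifiers that may not appear in the record at all.
        for kind, values in self.known.items():
            for value in sorted(values, key=len, reverse=True):
                text = text.replace(value, self._placeholder(kind, value))
        return EMAIL_RE.sub(lambda m: self._placeholder("EMAIL", m.group(0)), text)

    def unmask(self, text):
        for ph, original in self.mapping.items():
            text = text.replace(ph, original)
        return text

def check_masked(text, known):
    # Gate before the model call: refuse to send anything that still carries an identifier.
    leaked = [v for values in known.values() for v in values if v in text]
    if EMAIL_RE.search(text) or leaked:
        raise ValueError(f"identifier would reach the LLM: {leaked or 'email'}")

def fake_llm(prompt):
    # Hypothetical stand-in for the external model: echoes placeholders back, as a summariser would.
    return "Summary: " + prompt

def process(text, known):
    # Mask -> check -> model -> restore. Returns (what the model saw, what the user gets back).
    m = Masker(known)
    masked = m.mask(text)
    check_masked(masked, known)
    return masked, m.unmask(fake_llm(masked))
```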

Data Protection by Design & by Default

  • Data minimisation — we collect only what is necessary
  • Pseudonymisation and encryption as standard
  • Data masking before all AI/LLM processing
  • EU-only processing with customer-controlled retention and deletion
  • No AI training on customer data; no processing for our own business purposes

Full details are provided in Appendix 1 (TOMs) of the DPA.