Technical and Organizational Measures

Last Modified: November 5, 2025

Technical and Organisational Measures (TOMs)

Scope: These measures apply to all processing of Customer Personal Data by Event Temple in connection with providing its services.

  1. Confidentiality (Article 32(1)(b) GDPR)

  • Access Control: Role-based access to systems and data based on least privilege. Strong authentication (minimum 8-character passwords, MFA for admin and privileged accounts). Regular review and removal of access for departing or role-changed personnel.

  • User Training: Mandatory security awareness and GDPR training for all employees at onboarding and annually thereafter.

  • Physical Security: Data centers (AWS, Heroku) have 24/7 monitored access, biometric controls, and visitor logs. Office locations protected by access control systems and alarm monitoring.

  2. Integrity (Article 32(1)(b) GDPR)

  • Data Transmission Protection: TLS 1.2+ encryption for all data in transit. Encrypted VPN tunnels for system administration.

  • Data Storage Protection: AES-256 encryption for all data at rest. Encrypted backups stored separately.

  • Change Management: Code changes require peer review and automated CI/CD testing before deployment.

  3. Availability and Resilience (Article 32(1)(b) GDPR)

  • System Redundancy: Cloud-hosted infrastructure with automated failover. Load balancing across multiple availability zones.

  • Backups: Daily encrypted backups of all customer data. Regular restoration testing to ensure backup integrity.

  • Disaster Recovery: Documented disaster recovery plan with defined RTO and RPO targets. Annual DR testing.

  4. Regular Testing and Evaluation (Article 32(1)(d) GDPR)

  • Security Testing: Annual third-party penetration tests. Regular vulnerability scans with documented remediation processes.

  • Audit Logging: Logging of administrative and sensitive data access. Log retention for at least 90 days in a tamper-evident format.

  • Policy Review: Annual review of security policies, procedures, and TOMs.

  5. Incident Response

  • Security Incident Management: 24/7 monitoring for potential incidents. Incident response plan with defined escalation and notification procedures. Customer notification without undue delay, in compliance with GDPR.

  6. Data Minimisation & Purpose Limitation

  • Only collect and process data necessary for providing the agreed services. Automatic deletion of personal data after subscription termination unless legally required to retain.