Back to list
Annexes

ANNEX 4 – Technical and Organizational Measures (TOMs)

Version v1.2Last updated June 9, 2026

ANNEX 4 – Technical and Organizational Measures (TOMs)

General

Risk-based management, principle of least privilege; primary placement of data in the EU/EEA where technically feasible; for international transfers and subprocessors, GDPR Chapter V safeguards (e.g., SCCs, EU–US DPF where applicable).

Organizational Measures

• Security management model and annual review; DPO processes; DPIA when needed.

• Personnel NDA, onboarding, role-based access; training.

• Vendor and subcontractor management (DPAs, audit rights).

Technical Measures

Encryption

TLS 1.3 in transit; AES-256 at rest.

Access Control

SSO/IdP (Clerk), MFA, principle of least privilege; reviews.

Organizational Isolation

Workspaces and customer data are isolated at the organizational level.

Logging & Monitoring

Application and audit logs; all content actions are traceable; alerts; retention ≥ 180 days.

Vulnerabilities

Regular scans; risk-based remediation; dependency scans.

Backups

Daily encrypted; restore tests.

DR/BCP

RPO ≤ 24 h, RTO ≤ 24 h.

Network

WAF/DDoS, firewalls, segmentation.

Development

Code reviews, CI/CD checks, dev/test/prod separation.

Data Location and Transfers

Application data is stored in the EU and data routing occurs within European borders in compliance with GDPR. Any international transfers (e.g., for AI or cloud services) are carried out using GDPR Chapter V safeguards, such as SCCs and/or the EU–US DPF where applicable.

AI Data Processing (Zero Data Retention)

Lyyli uses exclusively AI model providers operating under Zero Data Retention policies. Customer content is not stored by AI providers and is not used for model training; data is processed in memory in real time and destroyed immediately after the API response is returned. AI requests are anonymized, and individual users cannot be linked to specific AI requests.

Maintenance and Testing

Annual penetration testing or equivalent third-party assessment.

Maintenance Windows

Notification at least 3 business days in advance.