ANNEX 4 – Technical and Organizational Measures (TOMs)
ANNEX 4 – Technical and Organizational Measures (TOMs)
General
Risk-based management, principle of least privilege; primary placement of data in the EU/EEA where technically feasible; for international transfers and subprocessors, GDPR Chapter V safeguards (e.g., SCCs, EU–US DPF where applicable).
Organizational Measures
• Security management model and annual review; DPO processes; DPIA when needed.
• Personnel NDA, onboarding, role-based access; training.
• Vendor and subcontractor management (DPAs, audit rights).
Technical Measures
Encryption
TLS 1.3 in transit; AES-256 at rest.
Access Control
SSO/IdP (Clerk), MFA, principle of least privilege; reviews.
Organizational Isolation
Workspaces and customer data are isolated at the organizational level.
Logging & Monitoring
Application and audit logs; all content actions are traceable; alerts; retention ≥ 180 days.
Vulnerabilities
Regular scans; risk-based remediation; dependency scans.
Backups
Daily encrypted; restore tests.
DR/BCP
RPO ≤ 24 h, RTO ≤ 24 h.
Network
WAF/DDoS, firewalls, segmentation.
Development
Code reviews, CI/CD checks, dev/test/prod separation.
Data Location and Transfers
Application data is stored in the EU and data routing occurs within European borders in compliance with GDPR. Any international transfers (e.g., for AI or cloud services) are carried out using GDPR Chapter V safeguards, such as SCCs and/or the EU–US DPF where applicable.
AI Data Processing (Zero Data Retention)
Lyyli uses exclusively AI model providers operating under Zero Data Retention policies. Customer content is not stored by AI providers and is not used for model training; data is processed in memory in real time and destroyed immediately after the API response is returned. AI requests are anonymized, and individual users cannot be linked to specific AI requests.
Maintenance and Testing
Annual penetration testing or equivalent third-party assessment.
Maintenance Windows
Notification at least 3 business days in advance.