Technical & Organisational Measures (TOMS)

We implement a wide range of Technical and Organisational Measures (TOMS) to protect the data you entrust to us, in line with our responsibilities under Article 32 of the GDPR. These measures ensure the ongoing confidentiality, integrity, availability, and resilience of our processing systems and services.

Confidentiality

  • Physical Access Control: We prevent unauthorized access to our data processing facilities by hosting our infrastructure in secure, certified data centres with multi-layered physical security controls.

  • Logical Access Control: Access to our systems is strictly controlled. We enforce strong password policies, mandate the use of Two-Factor Authentication (2FA) for our employees, and operate on the principle of least privilege, ensuring users have access only to the data necessary for their roles.

  • Data Separation: Customer data is logically separated within our multi-tenant architecture to prevent any unauthorized access or disclosure between different accounts.

  • Encryption: We protect data in transit using strong Transport Layer Security (TLS) encryption. Data at rest, including databases and backups, is also encrypted using industry-standard algorithms.

Integrity

  • Data Entry Control: The integrity of data within the platform is protected through a granular permissions system. Account administrators can define user roles to control who can view, add, modify, or delete data, maintaining a clear separation of duties.

  • Data Transmission Control: All data transmitted between you and the MessageFlow platform, as well as between our internal systems, is protected by TLS encryption and our Web Application Firewall (WAF) to prevent unauthorized interception or alteration.

Availability and Resilience

  • Backup and Recovery: We maintain a robust backup strategy, including regular, encrypted backups stored in geographically separate locations with our cloud partners. Our documented Business Continuity Plan ensures that we can restore service availability and access to data in a timely manner in the event of a physical or technical incident.

  • System Resilience: Our infrastructure is designed for high availability, utilizing redundant hardware, load balancing, and failover mechanisms to ensure continuous service operation.

Procedures for Regular Testing and Evaluation

  • Regular Assessments: We regularly test, assess, and evaluate the effectiveness of our technical and organisational measures. This includes conducting periodic internal reviews and engaging independent third-party firms to perform penetration tests. You can find more information in our Security & Penetration Testing section. View our full list of procedures for more details.
