Technical and Organisational Measures (TOMs)

demi Technologies GmbH | Annex to Co-Development Agreement | As of: 3 May 2026

1. Processing Activities

Processing Activity | Purpose

Platform Operations & High Availability
  - Hosting & storage (DB, files, back-ups)
  - Execution of application/backend logic (incl. AI inference, API requests)
  - Email, calendar & other API integrations
  - Transactional messaging services (system emails, webhooks, push notifications)
  - Data replication & regional failover
  Purpose: Ensuring platform functionality, performance, high availability, and debugging

Security, Authentication & Compliance
  - User auth / SSO / token handling
  - Logging & monitoring (logs, metrics)
  - Encryption & key management (KMS, TLS, key rotation)
  - Content/malware scanning, abuse/rate-limiting logs
  - Consent/email preferences management
  Purpose: Access control, IT security, fraud prevention, evidence of technical/organisational measures & marketing compliance

Support & Data Subject Rights
  - Support/ticket system
  - DSAR workflow logging
  - Data export & API provision (JSON/CSV, webhooks)
  Purpose: Troubleshooting, user support, data portability, fulfilment/documentation of data subject rights (Art. 15–20 GDPR)

Billing & Contract Performance
  - Invoice & usage data aggregation (API metering, session counters)
  - Licence & role management
  Purpose: Consumption-based billing, audit trails, contract performance

Product Development & Analytics
  - Usage & telemetry analysis (aggregated/anonymised)
  - Usability tests, benchmarking, AI model training
  Purpose: Product improvement, capacity planning, quality assurance

Incident Response & Legal Evidence
  - Incident/forensic snapshots, log copies
  - Passively encrypted back-ups
  Purpose: Investigation of security incidents, legal defence, evidence provision (Art. 33/34 GDPR)

Database, File & Backup Hosting and Storage
  Purpose: Operation of platform services, data security, debugging

Research & Analysis Functions (Customer Search, Channel Search)
  - Querying publicly available sources
  - AI-assisted aggregation and preparation
  - Temporary storage within the platform instance
  Purpose: Market and company research; support of the co-development partner's sales activities

Data Enrichment
  - Transmission of contact and company data uploaded by the co-development partner to specialised third-party services (sub-processors)
  - Supplementation with contact details, job titles, company affiliations, and validation results
  - Return of enriched data to the platform instance
  Purpose: Qualification and enrichment of business contacts; support of the co-development partner's sales and marketing activities; email validation to prevent failed deliveries

2. TOMs pursuant to Art. 32 GDPR

Measure Category | Description

Physical Access Control: Measures to prevent unauthorised physical access to data processing facilities (data centres, server rooms)
System Access Control: Measures to prevent unauthorised use of data processing systems (authentication, password policies, MFA, SSO)
Data Access Control: Measures to ensure that authorised users can only access the data assigned to them (RBAC, least privilege, audit logs)
Transfer Control: Measures to prevent unauthorised reading, copying, altering, or deletion during electronic transmission (TLS 1.2+, VPN, encryption)
Input Control: Measures to ensure traceability of who entered, modified, or deleted which data and when (audit trails, versioning)
Job Control: Measures to ensure that personal data is only processed in accordance with the controller's instructions (DPA, sub-processor controls)
Availability Control: Measures to protect personal data against destruction or loss (backups, redundancy, disaster recovery, regional failover)
Separability: Measures for the separate processing of data collected for different purposes (tenant separation, logical data separation per tenant)
Pseudonymisation: Where possible, processing of personal data in such a way that it can no longer be attributed to a specific person without the use of additional information
Encryption: Encryption of personal data at rest (AES-256) and in transit (TLS 1.2+); key management via KMS
System Resilience: The ability of systems to promptly restore availability of and access to personal data in the event of a technical incident
Regular Review: Procedures for the regular review, assessment, and evaluation of the effectiveness of technical and organisational measures (penetration tests, security audits)