Passa al contenuto

TOM

Overview of Technical and Organisational Measures (TOM)


This document provides an overview of the technical and organisational measures (TOM) that ixicare has implemented to protect personal data in accordance with the GDPR.


Domain

Measures

Purpose

1. Data transfer
  • Encryption during transfer (TLS 1.2/1.3)
  • Internal: Devices → Gateway → EU cloud
  • Outside: ixi Pro (SIM+GPS) → Mobile network → EU cloud
  • Secure push notifications

Confidentiality and integrity of data during transfer

2. Data storage
  • Encryption at rest (AES-256)
  • EU-hosted cloud (AWS, with protection against DDoS, SOC2/ISO certifications)
  • Audit logging with timestamps and tamper resistance
  • Separation of access to systems and backups

Protection of stored data and full traceability

3. Access management & authentication
  • Role-based access control (RBAC, need-to-know, in line with least privilege)
  • Availability of multi-factor authentication (MFA) for ixicare administrators
  • Controlled support access only after formal request from the Controller

Access restriction, abuse prevention and accountability

4. Data deletion & retention
  • Manual deletion by authorised administrators
  • Limited backup retention, then overwriting
  • Secure wipe & reset at end of device life (including stop transmit/reset upon deprovisioning)

Compliance with retention policy and secure deletion of personal data

5. Network & Device Security
  • Secure firmware and configuration updates (OTA)
  • Firewalls and segmentation of cloud and application environments
  • Protection via AWS high availability and DDoS mitigation

Protection against unauthorised access and cyber threats

6. Availability & Continuity
  • Redundant servers and failover for 24/7 operation
  • Hosting in EU data centres (AWS, high availability)
  • Monitoring of platform and devices with incident notifications
  • Backup and restore procedures

Uninterrupted service and recovery in the event of incidents

7. Security monitoring & Change Management
  • External penetration testing
  • Regular vulnerability scans
  • Intrusion detection on cloud platform
  • Peer review and logging of manual actions (code, server access)
  • Controlled development and release process

Early detection and mitigation of security risks

8. Legal & Compliance
  • Privacy and security policy
  • Data Processing Agreements (DPAs) with customers and subcontractors
  • Privacy risk assessments with re-evaluation cycle
  • Supplier management with audit rights and due diligence (ISO 27001, SOC 2)
  • Terms of Use and privacy notice

Governance, compliance and chain responsibility

9. Employees & Awareness
  • Periodic GDPR and security training
  • Confidentiality clauses (NDAs) for staff and contractors

Promotion of awareness and compliance by employees

10. Incident & Data breach management
  • Procedure in accordance with the 72-hour GDPR reporting obligation
  • Crisis and escalation protocol with communication to customers
  • Evaluation and follow-up of incidents

Rapid response, transparency and recovery in the event of data breaches

11. Rights of data subjects
  • Procedure for access, correction, data portability and deletion of personal data
  • Contact point for GDPR requests from customers and data subjects
  • Transparency via privacy notice

Strengthening the rights of data subjects and GDPR compliance

12. Data minimisation & R&D
  • Location data only during active alarms or necessary monitoring (no continuous tracking as standard)
  • Use for R&D only with appropriate safeguards (notice, anonymisation)

Minimising data processing and secure use for innovation