Annex II – Technical and Organizational Measures (TOMs)

This Annex describes the technical and organizational measures implemented by the Processor in accordance with Articles 28 and 32 of the GDPR.

A high-level description is available at https://trust.excalidraw.com/.

1. Information Security Program

The Processor maintains a documented information security program designed to protect Customer Personal Data against unauthorized access, loss, or disclosure.

The program is regularly reviewed, updated, and aligned with recognized industry practices and SOC 2 requirements.

2. Access Controls

• Access to production systems is restricted to authorized personnel based in the EU, using role-based access controls.
• Authentication includes strong password requirements and multi-factor authentication where applicable.
• Least-privilege principles are applied, and access is periodically reviewed.

3. Data Encryption

• Customer Personal Data is encrypted in transit using industry-standard TLS.
• Customer Personal Data is encrypted at rest using encryption provided by the hosting provider.
• Secrets, credentials, and keys are managed securely.

4. Physical Security

• The Processor uses secure cloud infrastructure provided by reputable third-party vendors with industry-standard physical security controls (e.g., access control, surveillance, protection against fire or environmental damage).

5. Application and Development Security

• The Processor follows secure development practices, including code review, testing, and vulnerability remediation.
• Dependencies are monitored for known vulnerabilities.
• Changes to production systems follow a controlled deployment process.

6. Monitoring and Logging

• Systems are monitored for anomalous behavior, performance issues, and security-related events.
• Logging is implemented for relevant system activities to support incident detection and investigation.

7. Backup and Recovery

• Customer Personal Data is backed up according to internal schedules to support service continuity and recovery.
• Backups are stored securely and encrypted.

8. Incident Response

• The Processor maintains an incident response process to detect, respond to, and mitigate security incidents.
• In the event of a Personal Data Breach, the Processor will notify the Controller in accordance with the DPA.

9. Vendor and Subprocessor Management

• Subprocessors are assessed for security practices before engagement and monitored thereafter.
• A current list of subprocessors is available at https://trust.excalidraw.com/subprocessors.