---
title: "Technical and Organizational Measures (TOM) | Minds"
canonical_url: "https://getminds.ai/legal/tom"
last_updated: 2026-02-20
meta:
  description: "Last Updated: February 20, 2026"
  "og:description": "Last Updated: February 20, 2026"
  "og:title": "Technical and Organizational Measures (TOM) | Minds"
  "twitter:description": "Last Updated: February 20, 2026"
  "twitter:title": "Technical and Organizational Measures (TOM) | Minds"
---

February 20, 2026 · Minds Team

# Technical and Organizational Measures (TOM)

**Last Updated: February 20, 2026**

Art of X UG (haftungsbeschränkt) ("Minds") implements the following technical and organizational measures pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk involved in the processing of personal data.

---

## 1. Access Control

### Physical Access Control

Minds infrastructure is hosted exclusively with certified cloud providers:

- **DigitalOcean** – Frankfurt, Germany data center (EU). Certifications: SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018.
- **Supabase** – Stockholm, Sweden data center (EU), hosted on AWS. Certifications: SOC 2 Type II.

Physical security (biometric access controls, 24/7 surveillance, access logging) is fully managed by the cloud providers.

### Logical Access Control

- Role-based access control (RBAC) for all internal systems and administration interfaces.
- Multi-factor authentication (MFA) required for all employee access to production systems.
- Individual user accounts – no shared credentials.
- Regular review and revocation of access rights following the principle of least privilege.
- API keys and credentials are managed in encrypted secrets managers.

---

## 2. Encryption

### Encryption in Transit

- All data transmissions are secured via TLS 1.2 or higher.
- HSTS (HTTP Strict Transport Security) is enabled for all public endpoints.
- Internal service-to-service communication is also encrypted.

### Encryption at Rest

- Databases (Supabase/PostgreSQL) use AES-256 encryption for data at rest.
- File storage (DigitalOcean Spaces / Supabase Storage) uses server-side AES-256 encryption.
- Backups are stored in encrypted form.

---

## 3. Data Separation (Tenant Isolation)

- Strict logical separation of customer data at the database level through tenant isolation (Row-Level Security in PostgreSQL).
- Each customer can only access their own data – enforced at both the database and API level.
- Automated tests ensure no cross-tenant data leakage occurs.

---

## 4. Availability and Resilience

### Hosting Architecture

- Application runs on DigitalOcean App Platform with automatic scaling and health checks.
- Database on Supabase with high-availability configuration.

### Backup and Recovery

- Daily automatic database backups with a retention period of at least 7 days.
- Point-in-Time Recovery (PITR) for the PostgreSQL database.
- Regular testing of recovery procedures.
- Recovery Time Objective (RTO): as defined in SLA.
- Recovery Point Objective (RPO): maximum 24 hours.

---

## 5. Incident Response

- Documented incident response process for security incidents.
- Notification of the Controller (customer) within **48 hours** of becoming aware of a personal data breach, in accordance with the Data Processing Agreement (DPA).
- Logging and tracking of all security-relevant incidents.
- Regular review and update of the incident response plan.

---

## 6. Confidentiality and Employee Obligations

- All employees and contractors are bound by confidentiality agreements (NDAs).
- Regular data protection training for all employees.
- Obligation to maintain data secrecy in accordance with GDPR.
- Access to personal data is granted only on a need-to-know basis.

---

## 7. Subprocessor Management

- Careful selection of sub-processors based on data protection and security criteria.
- Contractual obligation of all sub-processors to GDPR-compliant data processing.
- Regular review of sub-processors.
- Current list of sub-processors is available at [Subprocessors](https://getminds.ai/legal/subprocessors).
- Advance notice to customers of any changes as per the DPA.

---

## 8. Logging and Monitoring

- Centralized logging of system events and access.
- **Langfuse** for monitoring and tracing AI model interactions (hosted in the EU).
- **PostHog** for product analytics – used only with explicit user consent (consent-based).
- Monitoring of critical system metrics with automated alerts.
- Regular review of logs for anomalies.

---

## 9. Data Minimization and Pseudonymization

### Data Minimization

- Collection and processing of only those personal data that are necessary for the respective processing purpose.
- Regular review of processed data categories for necessity.
- Automatic deletion of data no longer needed in accordance with defined retention periods.

### Pseudonymization

- Where technically feasible and appropriate, personal data is processed in pseudonymized form.
- Internal processing primarily uses UUIDs rather than real names.
- Analytical evaluations are performed on an aggregated or pseudonymized basis.

---

## 10. Regular Review and Assessment

- Regular security assessments of infrastructure and applications.
- Dependencies are regularly checked for known vulnerabilities (dependency scanning).
- Review and update of these TOMs at least annually or upon significant changes to processing activities.
- Continuous improvement of security measures based on the current threat landscape.

---

## 11. Additional Measures

### Input Control

- Logging of changes to personal data (audit trail).
- Traceability of who entered, modified, or deleted which data and when.

### Transfer Control

- All data transfers are encrypted.
- No transfer of personal data to third countries without an adequate level of protection (adequacy decision or Standard Contractual Clauses).

### Processing Control

- Processing of personal data exclusively in accordance with the Controller's instructions.
- Contractual regulation of commissioned processing in the DPA.

---

_These technical and organizational measures are reviewed regularly and updated as necessary to ensure a level of protection consistent with the current state of the art._

**Art of X UG (haftungsbeschränkt)**
Managing Directors: Friedrich von Borries and Alexander Doudkin
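As an illustration of the Row-Level Security mechanism named in Section 3 (an added example, not Minds' actual schema or policies): a PostgreSQL policy that binds every row to a tenant, together with the kind of cross-tenant check an automated leakage test would run. The table, column, role and setting names (`documents`, `tenant_id`, `app_user`, `app.tenant_id`) are assumptions.

```sql
-- Illustrative schema; names are assumptions, not Minds' real tables.
CREATE TABLE documents (
    id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id uuid NOT NULL,
    body      text NOT NULL
);

-- Constructed sample data for two tenants, inserted before RLS is enabled.
INSERT INTO documents (tenant_id, body) VALUES
  ('11111111-1111-1111-1111-111111111111', 'tenant A document'),
  ('22222222-2222-2222-2222-222222222222', 'tenant B document');

-- ENABLE turns RLS on; FORCE makes it apply to the table owner as well,
-- so an application connecting as the owner cannot silently bypass it.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- The API layer sets app.tenant_id for the authenticated customer.
-- current_setting(..., true) yields NULL when unset, so an unscoped
-- connection sees no rows at all instead of every tenant's rows.
CREATE POLICY tenant_isolation ON documents
    USING (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Application role without BYPASSRLS, so the policy is always evaluated.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;

-- Leakage check, run the way an automated test would: scope to tenant A
-- and assert that no tenant B row is visible, even when asked for by id.
SET ROLE app_user;
SET app.tenant_id = '11111111-1111-1111-1111-111111111111';
SELECT count(*) FROM documents;                                     -- only tenant A rows
SELECT count(*) FROM documents
 WHERE tenant_id = '22222222-2222-2222-2222-222222222222';          -- must be empty

-- Writing a row for another tenant is rejected by the WITH CHECK clause.
INSERT INTO documents (tenant_id, body)
VALUES ('22222222-2222-2222-2222-222222222222', 'mis-scoped write');
RESET ROLE;
```

The same check should be repeated with `app.tenant_id` unset, to confirm that an unscoped session sees zero rows rather than all of them.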