The English version is the legally binding original. Convenience translations may be provided for information only.
Technical and Organizational Measures (TOM) Reference
Effective Date: May 19, 2026
Document Version: May 2026
Legally Binding Original Language: English
This TOM Reference describes how PaperOffice documents technical and organizational measures under Article 32 GDPR as part of the Compliance Package. It is incorporated into the legal framework alongside the Master Service Agreement and the Data Processing Agreement Reference.
1. Purpose
1.1 Article 32 GDPR
PaperOffice implements and documents measures appropriate to the risk, including confidentiality, integrity, availability, and resilience of processing systems and services.
1.2 Authoritative Source
The customer-specific TOM is generated on demand through the in-platform Compliance Package generator (Trust Center). The generated PDF is the authoritative version for Customer's records and audits.
This public page provides a live summary of measure categories and titles. Detailed descriptions appear in the generated Compliance Package.
2. TOM Categories
PaperOffice structures TOM documentation using standard GDPR control categories, including:
- Access control (physical and logical)
- Separation control (tenant isolation per Customer account)
- Transfer control (encryption in transit)
- Input control (logging and traceability)
- Availability and resilience
- Order control (processor instructions and sub-processor management)
The live table below is synchronized from the Compliance generator source.
3. Relationship to Other Documents
| Document | Role |
| --- | --- |
| Compliance Package PDF | Authoritative customer-specific TOM |
| DPA Reference | How to generate the Compliance Package |
| Sub-Processor List | Sub-processors engaged by PaperOffice |
| Device Fingerprint Compliance Guide | Integrator obligations for Fingerprint AI API |
4. Updates
TOM measures are continuously improved. Updates are reflected in newly generated Compliance Packages. Material changes follow the modification and notification rules in the MSA and DPA.
PaperOffice Enterprise Operations, S.L.U.
Privacy: privacy@paperoffice.ai
Legal: legal@paperoffice.ai
Last updated: May 19, 2026
© 2002–2026 PaperOffice Enterprise Operations, S.L.U. All rights reserved.
Live TOM Summary
Measure titles below reflect the current Compliance generator catalog (English). Full descriptions are included in the generated Compliance Package PDF.
Generated at: 2026-06-03T18:04:24Z
Entry Control (Art. 32 (1) lit. b GDPR)
Measures for protection against unauthorized entry to data processing facilities
- Secured access to the data center — Access only for authorized personnel; multi-stage authentication at all locations.
- Video surveillance of all access areas — Continuous video surveillance with legally compliant recording.
- Air-conditioned and monitored server rooms — Controlled environmental conditions (temperature, humidity) to ensure stable operation.
- Logging of all entries — Entries are documented; visitors are only admitted when accompanied.
- Fire and intrusion alarm systems — Permanent monitoring of all operating rooms including 24/7 alerting.
Access Control (System) (Art. 32 (1) lit. b GDPR)
Measures for protection against unauthorized system use
- Token-based API authentication — Programmatic access exclusively with individual access tokens via TLS.
- Strong password policies — Minimum length, complexity requirements, and server-side checks for compromised passwords.
- Optional two-factor authentication (TOTP) — An additional security layer for end-users and administrators that can be activated upon request.
- Automatic session logout — Sessions expire after inactivity and can be revoked server-side at any time.
- Optional IP access restriction — Customers can restrict access to their own account to defined IP ranges.
Access Control (Data) (Art. 32 (1) lit. b GDPR)
Measures to ensure authorized data access
- Multi-tenancy separation — Data of different customer accounts is strictly logically separated; no cross-account access possible.
- Role and rights concept — User rights are managed via roles and fine-grained permissions (need-to-know principle).
- Workspace-based permissions — Documents, workflows, and data are isolated per Workspace and individually authorized.
- Comprehensive access logging — All API and application accesses are logged in an audit-proof manner.
- Minimal permissions for internal staff — Employees have access only to what is necessary for their task; regular reviews.
Separation Control (Art. 32 (1) lit. b GDPR)
Measures for separate processing of data from different controllers
- Logical separation of customer data — Data of each customer is processed and stored using unique identifiers.
- Separate data areas per customer — Documents and indices are isolated in separate data areas per customer.
- Separated processing environments — Production, test, and development environments are completely separated from each other.
- Purpose-bound processing — Customer data is processed exclusively for the commissioned purpose — no misuse, no AI training.
Transmission Control (Art. 32 (1) lit. b GDPR)
Measures for protection during data transmission
- Transport encryption TLS 1.3 — All data transmissions between client, API, and infrastructure are encrypted.
- Storage encryption AES-256 — Documents and databases are stored encrypted at rest using AES-256.
- Processing within the EU — Core processing takes place exclusively on own infrastructure in the EU; no third-country transfer of document content.
- Metadata edge with safeguards — To defend against attacks, only metadata (e.g., IP, TLS headers) passes through an edge provider under EU Standard Contractual Clauses.
- No disclosure to third parties — No disclosure of customer data to third parties outside the documented sub-processors.
Input Control (Art. 32 (1) lit. b GDPR)
Measures for traceability of data input
- Audit-proof logs — All inputs, changes, and deletions are logged with a timestamp and user reference.
- Immutable event trail — Audit entries cannot be changed after being written (WORM principle).
- Traceability of processing — Every processing operation is uniquely assignable to a Controller, a source, and a time.
Instruction Control (Art. 28 GDPR)
Measures for processing according to instructions
- Instruction-based processing — Data processing is carried out exclusively on the basis of documented instructions from the Controller.
- Data Processing Agreement (DPA) — Legal basis pursuant to Art. 28 GDPR — can be concluded directly via the Trust Center.
- Transparent sub-processor list — All sub-processors are viewable in the Trust Center, including service, location, and transfer basis.
- Confidentiality obligation of all employees — All personnel entrusted with processing are contractually bound to confidentiality in writing.
- Assistance with data subject rights — The Processor assists the Controller in fulfilling requests for information, rectification, and erasure.
Availability Control (Art. 32 (1) lit. c GDPR)
Measures for protection against accidental destruction or loss
- High-availability system architecture — Redundant systems to ensure the availability of commissioned services.
- Uninterruptible power supply — UPS-supported supply and emergency power concept ensure operation during power outages.
- Redundant internet connection — Multiple redundant connections to prevent failures of individual lines.
- Load balancing and auto-scaling — Automated load distribution across available systems to absorb peaks.
- Geo-redundant EU failover — Encrypted mirroring to a second EU location for failover.
Resilience (Art. 32 (1) lit. b GDPR)
Measures to ensure system resilience
- DDoS protection at the edge level — Active protection against overload attacks before requests reach the internal infrastructure.
- Self-healing workflows — Failed processing steps are automatically retried or redirected to redundant resources.
- Controlled overload defense — Automatic throttling and shutdown of individual components under critical load to maintain overall availability.
- Continuous monitoring — 24/7 monitoring of all relevant services with alerting in case of incidents.
Recoverability (Art. 32 (1) lit. c GDPR)
Measures for recovery after incidents
- Automatic deletion of temporary processing data — Intermediate files are automatically deleted after a short, purpose-bound retention period.
- Timely cleanup of job data — Order-related processing states are automatically removed after completion.
- Redundant data storage — Productive data is kept redundantly to exclude loss due to single-point failures.
- Defined recovery processes — Documented processes for restoring normal operation after incidents.
- Final deletion after contract end — After termination of the contract, customer data is demonstrably deleted within the agreed period.