Technical and Organizational Measures (TOMs)
Version: 1.0
Effective Date: October 1, 2025
This document describes the technical and organizational measures implemented by HR Online Consulting LLC ("Processor") to ensure the security of Personal Data processed on behalf of customers ("Controllers") in accordance with Article 32 GDPR.
1. Information Security Governance
1.1 Responsibility
- Overall responsibility for data protection and information security lies with the Processor.
- Access to Personal Data is restricted to authorized personnel on a need-to-know basis.
1.2 Policies and Training
- Internal policies define secure data handling, access control, and incident response.
- Personnel with access to Personal Data are subject to confidentiality obligations.
2. Access Control
2.1 User Authentication
- Secure authentication mechanisms are enforced for all users.
- Authentication is handled via trusted identity providers.
- Session management prevents unauthorized reuse of credentials.
2.2 Role-Based Access Control (RBAC)
- Access rights are granted based on predefined roles.
- Users can only access data required for their assigned role.
- Administrative privileges are restricted and logged.
3. Data Access and Authorization
3.1 Logical Data Separation
- Customer data is logically isolated by organization.
- Sensitive patient identifiers are processed in isolated system components.
3.2 Least Privilege Principle
- Database and application access follow the principle of least privilege.
- Runtime systems operate with restricted permissions.
4. Encryption and Data Security
4.1 Encryption in Transit
- All data transmitted between clients and servers is encrypted using industry-standard transport encryption (TLS).
4.2 Encryption at Rest
- Stored data is protected using encryption mechanisms provided by the hosting infrastructure.
5. Logging and Auditability
5.1 Audit Logs
- Access to sensitive data and critical system actions are logged.
- Audit logs include timestamp, user reference, and action type.
5.2 Integrity
- Audit logs are protected against unauthorized modification.
- Logs are retained in accordance with operational and legal requirements.
6. Data Integrity and Availability
6.1 Data Integrity
- System constraints and validation mechanisms prevent unauthorized data modification.
- Critical relationships are enforced at the database level.
6.2 Backup and Recovery
- Regular backups are performed to prevent data loss.
- Recovery procedures are tested to ensure data availability.
7. Incident Management
7.1 Incident Detection
- Monitoring mechanisms detect unauthorized access and system anomalies.
7.2 Incident Response
- Documented procedures define actions in the event of a security incident.
- Incidents involving Personal Data are assessed without undue delay.
7.3 Breach Notification
- Personal Data breaches are reported to the Controller without undue delay in accordance with GDPR requirements.
8. Physical Security
8.1 Data Centers
- Data is hosted in secure data centers operated by reputable cloud service providers.
- Physical access controls are managed by the hosting provider.
9. Subprocessors
9.1 Use of Subprocessors
- Subprocessors are engaged only where necessary for service provision.
- All subprocessors are contractually bound to appropriate data protection obligations.
9.2 Oversight
- Subprocessor compliance is reviewed as part of vendor management.
10. Data Minimization and Retention
10.1 Data Minimization
- Only Personal Data necessary for the provision of the Services is processed.
10.2 Data Retention
- Personal Data is retained only for the duration required to fulfill contractual and legal obligations.
- Upon termination, data is deleted or returned as instructed by the Controller.
11. Data Subject Rights Support
- Processes are in place to assist Controllers in responding to requests for access, rectification, or deletion of Personal Data.
- The Processor does not act independently on such requests.
12. Continuous Improvement
- Security measures are reviewed periodically.
- TOMs may be updated to reflect changes in technology, risk, or regulatory requirements.
13. Applicability
These TOMs apply to all non-US customers and form an integral part of the Data Processing Agreement (DPA).