Art. 32 GDPR · Last updated: May 2026 · Forms part of the DPA / AVV.
Physical access control. Production systems are hosted at Hetzner Online GmbH data centres in Germany (Falkenstein / Nürnberg). Hetzner's physical-access controls (24/7 access logging, multi-factor entry, ISO 27001 certified facilities) apply.
Logical access control. Production access requires SSH key authentication; password-based login is disabled. Database access is restricted to authenticated dashboard sessions or role-restricted admin operations. API endpoints require session cookies or scoped API keys.
Authorisation control. Role-based access (RBAC) separates customer-facing operations from administrative functions. Admin operations (account deletion, billing override, sub-processor configuration) are logged for audit.
Transport encryption. All customer-facing endpoints and inter-service traffic use TLS 1.2+ (HTTPS) with TLS 1.3 preferred. HSTS is enabled on compliancelint.dev / compliancelint.com.
Encryption at rest. The application database (SQLite) is stored on a LUKS2-encrypted ext4 volume on the production server. The master passphrase is held under a documented key-management procedure on the Processor side and is not auto-loaded at boot.
Input control. All state-changing operations are logged in the audit_logs table with user ID, timestamp, request route, and event type. Logs are tamper-evident through append-only access patterns.
Backups. Application data is backed up daily to a separate Hetzner storage volume. Backups are encrypted at rest and rotate on a 30-day window. Restore tests are run quarterly.
Disaster recovery. Recovery procedures are documented internally. Recovery time objective: 24 hours. Recovery point objective: 24 hours (matching backup cadence).
Restore-from-backup procedures are tested quarterly. Production deploys use rolling restarts with health checks to prevent service disruption.
The Processor reviews these technical and organisational measures at least annually and after any material change to the architecture, sub-processor list, or applicable legal framework. Reviews are documented internally.
Pseudonymisation. Operational logs use IP-prefix truncation (final octet zeroed) and salted SHA-256 hashes for consent records. Full IP addresses are not stored in operational logs.
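Added example, not the Processor's own code: one way to apply the two pseudonymisation steps named above (final octet zeroed, salted SHA-256) before a log line or identifier is written. The function names, the /48 rule for native IPv6, the 16-byte minimum salt, the choice of identifier being hashed and the sample log lines are assumptions made for illustration.

```python
import hashlib
import ipaddress
import re

# Candidate IPv4 literals in free-text log lines; validated by ipaddress below.
_IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE_LOG = [
    '203.0.113.77 - - "GET /dashboard HTTP/1.1" 200',
    "upstream 198.51.100.9:443 timeout for client 192.0.2.254",
]


def truncate_ip(raw: str) -> str:
    """Zero the final octet of an IPv4 address, keeping only the /24 prefix."""
    addr = ipaddress.ip_address(raw)
    if addr.version == 6:
        if addr.ipv4_mapped is not None:
            # ::ffff:a.b.c.d carries an IPv4 client; apply the IPv4 rule to it.
            addr = addr.ipv4_mapped
        else:
            # Assumption: the page defines only the IPv4 rule; keep a /48 here.
            net = ipaddress.ip_network(f"{addr}/48", strict=False)
            return str(net.network_address)
    return str(ipaddress.ip_network(f"{addr}/24", strict=False).network_address)


def scrub_line(line: str) -> str:
    """Replace every valid IPv4 literal in a log line with its truncated form."""
    def _sub(match: re.Match) -> str:
        try:
            return truncate_ip(match.group(0))
        except ValueError:
            # Not a valid address (e.g. 999.1.1.1); leave the text untouched.
            return match.group(0)
    return _IPV4_RE.sub(_sub, line)


def pseudonymise(value: str, salt: bytes) -> str:
    """Salted SHA-256 of an identifier (hypothetical: a consent visitor ID).

    The salt must stay secret and be stored apart from the records: inputs
    such as IPv4 addresses are few enough to enumerate once the salt is known.
    """
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()
```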
Data minimisation. Customer source code is not transmitted to or stored on ComplianceLint infrastructure (scanner runs locally in the customer's IDE). Browser-side error tracking transmits only stack traces with email addresses and IPs scrubbed.
Environment separation. Production and development environments are network-isolated and run from separate Hetzner servers.
The Processor engages a limited number of sub-processors under Art. 28 GDPR contracts; the current list is maintained at /legal/sub-processors.
A documented incident-response procedure aligned to Art. 33 GDPR covers detection, triage, notification to the Controller without undue delay, remediation, and post-incident review. Customers are notified via the email address on the account.
This page is the current statement of TOMs as required by the DPA/AVV § 7. Material changes will be reflected here. Questions regarding TOMs may be sent to info@compliancelint.com with subject line “TOM inquiry”.