Confidentiality
As per Art. 32 (1) lit. b GDPR
Building access
- Offices: The team works in a hybrid mode, combining remote working with a shared co-working space in which OpenSanctions occupies two private offices secured by key locks and additional access controls.
- Data centres: All customer data is processed and stored in third-party data centres operated by our sub-processors (see Subprocessors list). Where available, European data centres are selected (currently Google Cloud, HubSpot).
System access
- Authentication using username and password
- Multi-Factor Authentication (MFA)
- Firewall
- Use of a team password management software
- Automatic workstation locking when inactive
- Encrypted notebook hard disks
Data access
- Central staff user account management (Google Workspace)
- Role-based access control with need-to-know access to the systems that store customer information (CRM, billing, payments, contracts).
- Use of Infrastructure-as-Code (Terraform) and version control for all infrastructure configuration. Deployments are issued via short-lived OIDC-federated credentials scoped to the source repository; no long-lived service-account keys exist for the deployment pipeline. Pod-to-service authentication uses GKE Workload Identity, eliminating static credentials in workloads. Service-account permissions follow least-privilege, defined in version-controlled IAM bindings.
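The following Terraform fragment is an added illustration of the three controls in this list, not OpenSanctions' own configuration: a least-privilege IAM binding scoped to a single resource, a GKE Workload Identity binding that lets a Kubernetes service account impersonate a Google service account without any key material, and an OIDC workload identity pool so that a CI job can deploy with short-lived credentials tied to one source repository. The project id, bucket name, namespace and Kubernetes service account (`prod/api`), the CI provider (GitHub Actions) and the repository name are assumptions; the `google` provider is assumed to be configured for the project.

```hcl
# Added example, not OpenSanctions' own configuration.
# Assumed names: project id, bucket, namespace/KSA, and the CI repository.
variable "project_id" {
  type = string
}

# Runtime identity for the API pods.
resource "google_service_account" "api" {
  account_id   = "api-runtime"
  display_name = "Runtime identity for the API workload"
}

# Least privilege: one role on one bucket, rather than a project-wide role.
resource "google_storage_bucket" "datasets" {
  name     = "${var.project_id}-datasets"
  location = "EU"
}

resource "google_storage_bucket_iam_member" "api_reads_datasets" {
  bucket = google_storage_bucket.datasets.name
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${google_service_account.api.email}"
}

# GKE Workload Identity: the Kubernetes service account "api" in namespace
# "prod" may impersonate the Google service account. Pods then obtain
# short-lived tokens from the metadata server; no JSON key is mounted.
resource "google_service_account_iam_member" "api_workload_identity" {
  service_account_id = google_service_account.api.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[prod/api]"
}

# Deployment identity used only by the CI pipeline.
resource "google_service_account" "deployer" {
  account_id   = "ci-deployer"
  display_name = "Deployment pipeline identity"
}

# OIDC federation: a workload identity pool trusts tokens issued by the CI
# provider (GitHub Actions assumed here) and maps the repository claim.
resource "google_iam_workload_identity_pool" "ci" {
  workload_identity_pool_id = "ci-pool"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.ci.workload_identity_pool_id
  workload_identity_pool_provider_id = "github"
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
  }
  # Reject tokens from any other repository before they reach IAM.
  attribute_condition = "assertion.repository == \"example-org/example-repo\""
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# Only tokens carrying the expected repository claim may impersonate the
# deployer; the pipeline never holds a long-lived service-account key.
resource "google_service_account_iam_member" "ci_impersonates_deployer" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.ci.name}/attribute.repository/example-org/example-repo"
}
```

Two things the fragment relies on but does not show: the GKE cluster must have Workload Identity enabled (`workload_identity_config` on the cluster resource) and the Kubernetes service account `api` needs the `iam.gke.io/gcp-service-account` annotation pointing at the Google service account's e-mail. The `attribute_condition` on the provider is the check that matters most: without it, any repository on the same issuer could obtain a token that the pool accepts, and the restriction would rest on the IAM binding alone.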
Data separation
- Separation of test and production systems where customer data is being stored
- Storage of payment information in separate, PCI-certified systems (Stripe.com)
Production network
- Production resources run in a custom Virtual Private Cloud (VPC) with subnet segmentation per service tier; default cloud networking is disabled.
- Default-deny network egress on production services with explicit allow-listing of database and cache endpoints.
- Public ingress to production services is protected by Google Cloud Armor (web application firewall and DDoS mitigation) with rate limiting and bot-detection rules.
- VPC flow logs enabled across all production subnets.
- The production database (Cloud SQL) is reachable only via private network connectivity (no public IP); access is restricted to authorised production services and authenticated administrative use.
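As an added example of the network controls listed above (not OpenSanctions' own Terraform), the fragment below creates a custom VPC with one subnet per tier and VPC flow logs, a lowest-priority deny-all egress rule with an explicit allow-list for the database and cache endpoints, and a Cloud Armor policy with a per-client rate limit on public ingress. The project id, CIDR ranges, the private-services range used by Cloud SQL, the cache address, the network tag and the request budget are all assumptions.

```hcl
# Added example, not OpenSanctions' own configuration. Assumed: project id,
# CIDR ranges, the private-services range used by Cloud SQL, the cache
# address, the "app" network tag, and the rate-limit budget.
variable "project_id" { type = string }

# Custom VPC: no auto-created subnets, so the cloud default network and its
# permissive default firewall rules are never used.
resource "google_compute_network" "prod" {
  name                    = "prod-vpc"
  auto_create_subnetworks = false
}

# One subnet per service tier, each with VPC flow logs enabled.
locals {
  tiers = {
    web  = "10.10.0.0/24"
    app  = "10.10.1.0/24"
    data = "10.10.2.0/24"
  }
}

resource "google_compute_subnetwork" "tier" {
  for_each      = local.tiers
  name          = "prod-${each.key}"
  region        = "europe-west3"
  network       = google_compute_network.prod.id
  ip_cidr_range = each.value
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

# Default-deny egress: lowest priority, applies to every instance in the VPC.
resource "google_compute_firewall" "deny_all_egress" {
  name               = "prod-deny-all-egress"
  network            = google_compute_network.prod.name
  direction          = "EGRESS"
  priority           = 65534
  destination_ranges = ["0.0.0.0/0"]
  deny { protocol = "all" }
}

# Explicit allow-list: only the database and cache endpoints, on their ports.
resource "google_compute_firewall" "allow_egress_db_cache" {
  name      = "prod-allow-egress-db-cache"
  network   = google_compute_network.prod.name
  direction = "EGRESS"
  priority  = 1000
  # Assumed: private-services range holding Cloud SQL, and the cache's IP.
  destination_ranges = ["10.20.0.0/24", "10.30.0.5/32"]
  target_tags        = ["app"]
  allow {
    protocol = "tcp"
    ports    = ["5432", "6379"]
  }
}

# Cloud Armor policy for public ingress: per-client rate limit, then allow.
resource "google_compute_security_policy" "ingress" {
  name = "prod-ingress"

  rule {
    action   = "throttle"
    priority = 1000
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "deny(429)"
      enforce_on_key = "IP"
      rate_limit_threshold {
        count        = 600 # assumed budget: 600 requests per client per minute
        interval_sec = 60
      }
    }
  }

  # Default rule (required by Cloud Armor): allow whatever was not throttled.
  rule {
    action   = "allow"
    priority = 2147483647
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
  }
}
```

The policy takes effect only once it is attached to a backend service (`security_policy = google_compute_security_policy.ingress.id` on `google_compute_backend_service`). A deny-all egress rule also blocks traffic that workloads legitimately need, such as Google API endpoints reached through Private Google Access and the GKE control plane, so in practice the allow-list contains a few more entries than the two shown here; the point is that each one is explicit and reviewable in version control.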
Pseudonymisation (Art. 32 (1) lit. a GDPR)
- Pseudonymisation is applied where appropriate to the processing operation, as part of our data minimisation practices.
- For the public OpenSanctions dataset, source-authority identifiers are reproduced as published; pseudonymising them would be incompatible with the transparency purpose of the processing.
Large language model (LLM) services
- We use LLM services from external providers (Anthropic Claude API, Google Gemini via Vertex AI) to assist with internal processes including support request handling, customer analytics, and commercial outreach. The corresponding disclosures to data subjects are made in section 17 of our Privacy Policy.
- Use of these services is restricted to commercial API tiers under contracts that exclude the use of submitted data for model training or improvement.
- Retention at the provider is limited to the period necessary to provide the service.
- Cross-border transfers to the United States take place on the basis of EU standard contractual clauses (Art. 46 (2) lit. c GDPR).
- LLM outputs are reviewed by a staff member before any action is taken vis-à-vis a data subject; we do not use LLM-based automated decision-making within the meaning of Art. 22 GDPR.
Integrity
As per Art. 32 (1) lit. b GDPR
Data transmission, storage and destruction (Art. 32 (1) lit. a GDPR)
- Comprehensive use of transport layer security (TLS) for data in transit; load balancers configured with a minimum TLS 1.2 (MODERN profile).
- At-rest encryption of staff laptops (LUKS, FileVault) and of all cloud storage and managed-database resources under provider-managed encryption keys.
- Backup data is additionally encrypted server-side (AES-256).
- Application secrets are managed via Google Secret Manager with versioning and access auditing; no secrets are committed to source control.
- Application and access logs are centrally retained via Cloud Logging and BigQuery sinks, supporting post-incident investigation and audit.
- Secure destruction of records and printed matter not subject to legal retention obligations.
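The Terraform fragment below is an added illustration of the transport, secrets and logging measures in this list, not OpenSanctions' own configuration. It pins the load balancer to TLS 1.2 with the MODERN profile, keeps an application secret in Secret Manager with EU-only replication and a single reader, turns on Data Access audit logging for Secret Manager so every read is recorded, and routes application and access logs to a BigQuery dataset in the EU. The project id, the runtime service account e-mail, the URL map and certificate ids, and the dataset and sink names are assumptions.

```hcl
# Added example, not OpenSanctions' own configuration. Assumed: project id,
# the runtime service account e-mail, and the URL map / certificate ids.
variable "project_id" { type = string }
variable "api_service_account_email" { type = string }
variable "api_url_map_id" { type = string }
variable "api_certificate_id" { type = string }

# Load balancer TLS: refuse anything below TLS 1.2 and use the MODERN
# cipher profile (forward-secret suites only).
resource "google_compute_ssl_policy" "modern" {
  name            = "prod-tls-modern"
  profile         = "MODERN"
  min_tls_version = "TLS_1_2"
}

resource "google_compute_target_https_proxy" "api" {
  name             = "prod-api-https-proxy"
  url_map          = var.api_url_map_id
  ssl_certificates = [var.api_certificate_id]
  ssl_policy       = google_compute_ssl_policy.modern.id
}

# Application secret lives in Secret Manager, replicated only inside the EU.
# The value itself is never written here (it would land in state and source
# control); a version is added out of band, for example:
#   printf '%s' "$DB_PASSWORD" | gcloud secrets versions add db-password --data-file=-
resource "google_secret_manager_secret" "db_password" {
  secret_id = "db-password"
  replication {
    user_managed {
      replicas { location = "europe-west3" }
    }
  }
}

# Only the runtime identity may read the secret.
resource "google_secret_manager_secret_iam_member" "api_reads_db_password" {
  secret_id = google_secret_manager_secret.db_password.id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${var.api_service_account_email}"
}

# Data Access audit logs for Secret Manager, so each secret read and each
# metadata read appears in Cloud Logging with the caller's identity.
resource "google_project_iam_audit_config" "secretmanager" {
  project = var.project_id
  service = "secretmanager.googleapis.com"
  audit_log_config { log_type = "DATA_READ" }
  audit_log_config { log_type = "ADMIN_READ" }
}

# Central log retention: route container and load-balancer logs to a
# BigQuery dataset in the EU for investigation and audit.
resource "google_bigquery_dataset" "logs" {
  dataset_id = "prod_logs"
  location   = "EU"
}

resource "google_logging_project_sink" "logs_to_bigquery" {
  name                   = "prod-logs-to-bigquery"
  destination            = "bigquery.googleapis.com/projects/${var.project_id}/datasets/${google_bigquery_dataset.logs.dataset_id}"
  filter                 = "resource.type=\"k8s_container\" OR resource.type=\"http_load_balancer\""
  unique_writer_identity = true
  bigquery_options { use_partitioned_tables = true }
}

# The sink writes with its own service identity, which needs dataEditor.
resource "google_bigquery_dataset_iam_member" "sink_writer" {
  dataset_id = google_bigquery_dataset.logs.dataset_id
  role       = "roles/bigquery.dataEditor"
  member     = google_logging_project_sink.logs_to_bigquery.writer_identity
}
```

Two points worth checking against an existing deployment: `google_project_iam_audit_config` is authoritative for the named service, so any previously configured audit settings for Secret Manager are replaced by this block; and the sink's `writer_identity` is only created when `unique_writer_identity` is true, which is also what keeps the dataset grant scoped to this one sink rather than the project-wide logging identity.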
Data integrity controls
- Data quality assurance via monitoring systems and programmatic verification of data, with the ability to cancel a publication when inconsistencies are discovered.
- Regular and automated execution of integration tests against development and production environments.
- Data processing code used for products is open source and subject to public scrutiny.
- Data processing generates extensive logging output, which is available to the public.
- Ability to revert to previous data product releases.
Availability and Resilience
As per Art. 32 (1) lit. b GDPR
Availability
- Backup architecture combining provider-managed backups, object versioning, and cross-provider mirroring: Cloud SQL configured for multi-zone (REGIONAL) availability with deletion protection and daily automated backups retained for 30 days within the EU; object storage (GCS) buckets configured with versioning and lifecycle policies; secondary backup mirror on AWS S3 in eu-central-1 (Frankfurt) with public access blocked, object versioning, and a tiered cold-archive lifecycle (transition to GLACIER and DEEP_ARCHIVE).
- Production resources pinned to GCP europe-west3 (Frankfurt); both primary and secondary backup locations are within the European Union.
- Automated patch management on staff devices and on cluster nodes (auto-repair and auto-upgrade enabled).
- Comprehensive Cloud Monitoring alert coverage (more than 20 defined policies) for API latency (P95 thresholds), HTTP 5xx rates, database connection health, Kubernetes pod failures, and scheduled-job failures, routed to engineering email and to BetterStack for on-call escalation. BetterStack heartbeat monitoring on critical scheduled jobs.
- Use of security monitoring platforms (Vanta, Google Security Command Center).
- Disaster Recovery Plan in place including recovery time objectives (RTO) and recovery point objectives (RPO).
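As an added example of the alerting described in this list (not OpenSanctions' own monitoring configuration), the fragment below defines two Cloud Monitoring alert policies for a load-balanced API, one on the rate of HTTP 5xx responses and one on P95 total latency, and routes them to an engineering e-mail channel and to a webhook channel standing in for the on-call escalation. The project id, the e-mail address, the webhook URL, the thresholds and the durations are assumptions.

```hcl
# Added example, not OpenSanctions' own alerting configuration. Assumed:
# project id, e-mail address, webhook URL, thresholds and durations.
variable "project_id" { type = string }

# Notification channels: engineering e-mail plus a webhook that opens the
# on-call escalation in the external on-call tool (URL is a placeholder).
resource "google_monitoring_notification_channel" "engineering_email" {
  display_name = "Engineering"
  type         = "email"
  labels       = { email_address = "engineering@example.com" }
}

resource "google_monitoring_notification_channel" "oncall_webhook" {
  display_name = "On-call escalation"
  type         = "webhook_tokenauth"
  labels       = { url = "https://oncall.example.com/hooks/PLACEHOLDER" }
}

# 5xx rate: sum the per-second rate of 5xx responses across all backends
# and alert when it stays above 5/s for five minutes.
resource "google_monitoring_alert_policy" "api_5xx" {
  display_name = "API 5xx rate"
  combiner     = "OR"
  conditions {
    display_name = "More than 5 5xx responses/s for 5 minutes"
    condition_threshold {
      filter          = "resource.type = \"https_lb_rule\" AND metric.type = \"loadbalancing.googleapis.com/https/request_count\" AND metric.labels.response_code_class = \"500\""
      comparison      = "COMPARISON_GT"
      threshold_value = 5
      duration        = "300s"
      aggregations {
        alignment_period     = "60s"
        per_series_aligner   = "ALIGN_RATE"
        cross_series_reducer = "REDUCE_SUM"
      }
    }
  }
  notification_channels = [
    google_monitoring_notification_channel.engineering_email.id,
    google_monitoring_notification_channel.oncall_webhook.id,
  ]
  alert_strategy {
    auto_close = "1800s"
  }
}

# P95 latency: total_latencies is a distribution metric, so keep the
# distribution per series (ALIGN_DELTA) and take the 95th percentile across
# all series; alert when it exceeds 1500 ms for ten minutes.
resource "google_monitoring_alert_policy" "api_p95_latency" {
  display_name = "API P95 latency"
  combiner     = "OR"
  conditions {
    display_name = "P95 total latency above 1500 ms for 10 minutes"
    condition_threshold {
      filter          = "resource.type = \"https_lb_rule\" AND metric.type = \"loadbalancing.googleapis.com/https/total_latencies\""
      comparison      = "COMPARISON_GT"
      threshold_value = 1500
      duration        = "600s"
      aggregations {
        alignment_period     = "60s"
        per_series_aligner   = "ALIGN_DELTA"
        cross_series_reducer = "REDUCE_PERCENTILE_95"
      }
    }
  }
  notification_channels = [
    google_monitoring_notification_channel.engineering_email.id,
  ]
}
```

The aggregation choice for the latency policy is the part most often got wrong: aligning a distribution metric with a percentile aligner and then averaging across series yields a mean of per-backend percentiles, not the P95 of all requests, which is why the example keeps the distribution per series and applies the percentile as the cross-series reducer.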
Rapid recovery and restoration (Art. 32 (1) lit. c GDPR)
- Tested ability to restore files from backup.
- Tested ability to programmatically re-generate data used in products.
- Cloud SQL point-in-time recovery available via managed automated backups.
- Object versioning on production storage buckets retains prior versions for recovery.
- The AWS S3 backup mirror provides a recovery path independent of the primary cloud provider.
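The following Terraform fragment is an added illustration of the backup architecture described under Availability and of the recovery paths listed above; it is not OpenSanctions' own configuration. It declares a Cloud SQL instance with REGIONAL availability, private IP only, deletion protection, daily backups retained for 30 days in the EU and point-in-time recovery; a production bucket with object versioning and lifecycle rules bounding how many non-current versions are kept; and an S3 mirror in eu-central-1 with public access blocked, versioning, AES-256 server-side encryption and a tiered transition to GLACIER and DEEP_ARCHIVE. The project id, the private network id, the instance tier, the bucket names and the tiering thresholds are assumptions; both the `google` and `aws` providers are assumed to be configured.

```hcl
# Added example, not OpenSanctions' own configuration. Assumed: project id,
# the private VPC id, instance tier, bucket names, and tiering thresholds.
variable "project_id" { type = string }
variable "private_network_id" { type = string }

provider "aws" { region = "eu-central-1" }

# Primary database: multi-zone (REGIONAL) in Frankfurt, private IP only,
# daily backups kept for 30 days in the EU, point-in-time recovery, and
# deletion protection so a stray `terraform destroy` cannot remove it.
resource "google_sql_database_instance" "primary" {
  name                = "prod-postgres"
  database_version    = "POSTGRES_15"
  region              = "europe-west3"
  deletion_protection = true

  settings {
    tier              = "db-custom-2-8192"
    availability_type = "REGIONAL"

    ip_configuration {
      ipv4_enabled    = false
      private_network = var.private_network_id
    }

    backup_configuration {
      enabled                        = true
      start_time                     = "02:00"
      location                       = "eu"
      point_in_time_recovery_enabled = true
      transaction_log_retention_days = 7
      backup_retention_settings {
        retained_backups = 30
        retention_unit   = "COUNT"
      }
    }
  }
}

# Production object storage: versioning keeps prior object generations for
# recovery; lifecycle rules cap how many non-current versions are retained.
resource "google_storage_bucket" "data" {
  name                        = "${var.project_id}-prod-data"
  location                    = "EU"
  uniform_bucket_level_access = true
  versioning { enabled = true }

  lifecycle_rule {
    condition { num_newer_versions = 5 }
    action { type = "Delete" }
  }
  lifecycle_rule {
    condition {
      days_since_noncurrent_time = 90
      with_state                 = "ARCHIVED"
    }
    action { type = "Delete" }
  }
}

# Secondary mirror on a different provider: a recovery path that does not
# depend on the primary cloud account being intact.
resource "aws_s3_bucket" "mirror" {
  bucket = "example-backup-mirror" # assumed name
}

resource "aws_s3_bucket_public_access_block" "mirror" {
  bucket                  = aws_s3_bucket.mirror.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_versioning" "mirror" {
  bucket = aws_s3_bucket.mirror.id
  versioning_configuration { status = "Enabled" }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "mirror" {
  bucket = aws_s3_bucket.mirror.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "AES256" }
  }
}

# Tiered cold archive: recent copies stay warm, older ones move to GLACIER
# and then DEEP_ARCHIVE; superseded versions go straight to deep archive.
resource "aws_s3_bucket_lifecycle_configuration" "mirror" {
  bucket = aws_s3_bucket.mirror.id
  rule {
    id     = "tier-to-cold-archive"
    status = "Enabled"
    filter {}
    transition {
      days          = 30
      storage_class = "GLACIER"
    }
    transition {
      days          = 180
      storage_class = "DEEP_ARCHIVE"
    }
    noncurrent_version_transition {
      noncurrent_days = 30
      storage_class   = "DEEP_ARCHIVE"
    }
  }
}
```

The private IP setting on Cloud SQL requires a private services access connection on the VPC (a `google_service_networking_connection`) to exist first, and the cold-archive tiers trade retrieval time for cost, so a restore drill should include at least one object from DEEP_ARCHIVE to confirm the recovery time objective still holds.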
Procedure for regular testing, assessing and evaluating
As per Art. 32 (1) lit. d GDPR; Art. 25 (1) GDPR
- The Information Security Management (ISM) at OpenSanctions has been ISO 27001:2022 certified by independent auditors since June 2024.
- The OpenSanctions ISM board meets at regular intervals to assess and evaluate the effectiveness of the ISM policies and measures.
- Annual disaster recovery test, including a test of backup restoration processes (covering GCP storage buckets and daily SQL database backups).
- Annual penetration test conducted by independent auditors.
- Continuous vulnerability scanning of dependencies (Dependabot) and of container images (Artifact Registry container scanning) integrated into the development and deployment pipeline.
Organisational Control
- Records of processing activities (Art. 30 GDPR)
- Security of Processing (Organisational and Technical Measures) (Art. 32 GDPR)
- Risk Analysis (Art. 32 GDPR) as per ISO 27001
- Business continuity planning and disaster recovery planning
- Employees and contractors are required to sign and comply with confidentiality agreements
- Structured and documented process for the handling, processing and response to information and deletion requests.
- Structured and documented incident response process: a weekly engineering on-call rotation, defined severity classification (Critical / Major / Minor), a target first response within 30 minutes, and customer communication via status.opensanctions.org for Major and Critical incidents. Quarterly fire drills exercise the procedure.
- Regular employee training on ISM principles and asset management policy in place.
Data Protection by Design and Default
- Use of transport and at-rest encryption
- Use of Infrastructure as Code (IaC) techniques for environment management
- Customer information is only collected and processed as needed for specific business purposes.
Last updated: 7 May 2026