Technical and Organisational Measures

ToM (Art. 32 of the General Data Protection Regulation - GDPR): OpenSanctions Datenbanken GmbH


As per Art. 32 §1 b GDPR

Building access

  • Offices: Campus and building secured via PIN entry, office secured via an electronic door system with access logs.
  • Data centers: All data is stored in secure data centers (see Subprocessors list). All data is stored in European data centers (where applicable and available: Google, ChargeBee, HubSpot).

System access

  • Authentication using username and password
  • Multi-Factor Authentication (MFA)
  • Firewall
  • Use of a team password management software
  • Technical workstation locking upon not active
  • Encrypted notebook hard disks

Data access

  • Central staff user account management (Google Workspaces)
    • Role-based access control, need-to-know to access to storage mechanisms which contain customer information (CRM, Billing, Payments, Contracts).
  • Use of Infrastructure-as-Code (Terraform) and version control for configuration management of information processing systems; use of ephemeral service accounts.

Data separation

  • Separation of test and production systems where customer data is being stored
  • Storage of payment information in separate, PCI-certified systems (


  • Pseudonymisation is not used within the company


As per Art. 32 (1) lit. b GDPR

Confidentiality - Data Transmission / Storage / Destruction

  • Comprehensive use of transport layer security (TLS)
  • Use of at-rest encryption of staff computers (LUKS, FileVault)
  • Destruction of all printed matter not needed for legal compliance (GoBD)
  • Use of audit logs for systems which retain sensitive information

Integrity - Data Entry Controls

  • Data quality assurance via monitoring systems and programmatic verification of data
  • Regular and automated execution of integration tests against development and production environments
  • Data processing code used for products is open source and subject to public scrutiny
  • Ability to revert to previous data product releases

Availability and Resilience

As per Art. 32 (1) lit. b GDPR


  • Use of Firewalls
  • Backup concept including offline backups and cross-provider data mirroring
  • Data stored in two certified data centres with Uninterrupted Power Supply (USP)
  • Automated patch management
  • Monitoring system (Google GKE, Monitoring, Error Reporting, BetterStack Uptime)

Rapid Recovery & Restore

  • Tested ability to restore files from backup
  • Tested ability to programmatically re-generate data used in products

Procedure for regular testing, assessing and evaluating

As per Art. 32 (1) lit. d GDPR; Art. 25 (1) GDPR

Organisational Control

  • Records of processing activities (Art. 30 GDPR)
  • Security of Processing (Organisational and Technical Measures) (Art. 32 GDPR)
  • Risk Analysis (Art. 32 GDPR) / Business continuity planning
  • Employees and contractors are required to sign and comply with confidentiality agreements
  • Structured and documented process for the handling, processing and response to information and deletion requests.
  • Structured and documented process in response to security incidents or data loss.
  • OpenSanctions is working to acquire ISO 27001 certification by year-end 2024

Data Protection by Design and Default

  • Use of transport and at-rest encryption
  • Use of Infrastructure as Code (IaC) techniques for environment management
  • Customer information is only collected and processed as needed for specific business purposes.

Last updated: October 18, 2023