Skip to content
All legal docs

Compliance

TOMs / Technische und organisatorische Maßnahmen

Security measures under GDPR/DSGVO Article 32 — full internal document

Brand
Nidai
Owner / Inhaber
Mohamed Essam Mohamed Shafey
Address / Anschrift
Frankfurter Allee 281, 10317 Berlin, Germany
Website
https://nidai.eu
Email / E-Mail
hallo@nidai.eu
Phone / Telefon
+49 157 51456670
Legal form / Rechtsform
Einzelunternehmen (sole proprietorship, not registered in the commercial register)
VAT / USt.
VAT is not charged pursuant to § 19 UStG (Kleinunternehmerregelung).
Tax / Steuer
Steuernummer pending; USt-IdNr. pending.

Scope

These TOMs describe the baseline security measures Nidai applies when processing personal data for its own purposes and as processor for B2B customers. Project-specific annexes may add stronger measures for sensitive services.

Baseline Security Measures

AreaMeasureImplementation baseline
Access controlUnique user accounts; no shared admin accountsProvider-managed auth/SSO where available; role-based access; least privilege
Admin accessRestricted to authorized Nidai personnel2FA mandatory for admin accounts; access granted only for operational need
AuthenticationStrong passwords and MFAMFA for internal tools, hosting, code repositories, database, payment and AI model-provider accounts
AuthorizationRole-based access controlCustomer data segregated by organization/workspace; row-level security policies in the database; tenant checks in API routes
Encryption in transitHTTPS/TLS onlyTLS for web apps, APIs, webhooks, database connections where supported
Encryption at restProvider-managed encryptionProvider-managed database/hosting/storage encryption; stronger customer-specific encryption for sensitive projects
LoggingSecurity and audit logsLogin events, document processing, AI extraction, invoice review, exports, admin actions
BackupsRegular backups for production dataProvider-managed backups per plan; export strategy for critical customer data
Data minimizationOnly process data needed for agreed servicePayload minimization before AI model calls; redact unnecessary data where feasible
AI provider controlsNo unnecessary model training on customer dataUse business/API plans with training disabled where possible; avoid consumer AI accounts for customer data
Sub-processor managementApproved list and DPA checksMaintain public sub-processor list; notify customers of material changes where required
Incident responseData breach procedureTriage, contain, document, notify controller/customer without undue delay
DeletionCustomer-driven and policy-based deletionDeletion workflows for workspaces, files, logs and backups according to retention policy
Development securitySeparate dev/prod environmentsNo production data in local/dev unless anonymized; secrets stored in environment managers
Vendor securityReview security posturePrefer ISO 27001/SOC 2 providers; EU hosting for sensitive services

Service-Specific TOMs

ServiceAdditional safeguards
AI Document Processing (Nidai DocuFlow)GoBD-style audit log for edits/exports; document access restricted by organization; duplicate/export logs; customer review before accounting export.
Company Knowledge Assistant (Nidai Brain)Permission-scoped collections; citation-based answers; retrieval logs; source deletion/re-indexing; optional EU/German hosting for sensitive customers.
Business Portals & Dashboards / Web Apps & SaaS Development (Nidai Portal Studio / Nidai Studio)Project-specific security review; separate environments; customer-owned roles; secure file upload; input validation and rate limiting.
AI ReceptionistCaller AI disclosure; short retention for audio/transcripts by default; separate handling for phone/SMS metadata; emergency/medical escalation disclaimers where relevant.

Internal Operational Rules

  • Do not paste live customer personal data into consumer AI tools.
  • Use test/anonymized data in development.
  • Review RLS and access policies before production release.
  • Keep a secrets inventory and rotate compromised credentials immediately.
  • Review TOMs every 6 months or after a material architecture change.