All legal docs
Compliance
TOMs / Technische und organisatorische Maßnahmen
Security measures under GDPR/DSGVO Article 32 — full internal document
- Brand
- Nidai
- Owner / Inhaber
- Mohamed Essam Mohamed Shafey
- Address / Anschrift
- Frankfurter Allee 281, 10317 Berlin, Germany
- Website
- https://nidai.eu
- Email / E-Mail
- hallo@nidai.eu
- Phone / Telefon
- +49 157 51456670
- Legal form / Rechtsform
- Einzelunternehmen (sole proprietorship, not registered in the commercial register)
- VAT / USt.
- VAT is not charged pursuant to § 19 UStG (Kleinunternehmerregelung).
- Tax / Steuer
- Steuernummer pending; USt-IdNr. pending.
Scope
These TOMs describe the baseline security measures Nidai applies when processing personal data for its own purposes and as processor for B2B customers. Project-specific annexes may add stronger measures for sensitive services.
Baseline Security Measures
| Area | Measure | Implementation baseline |
|---|---|---|
| Access control | Unique user accounts; no shared admin accounts | Provider-managed auth/SSO where available; role-based access; least privilege |
| Admin access | Restricted to authorized Nidai personnel | 2FA mandatory for admin accounts; access granted only for operational need |
| Authentication | Strong passwords and MFA | MFA for internal tools, hosting, code repositories, database, payment and AI model-provider accounts |
| Authorization | Role-based access control | Customer data segregated by organization/workspace; row-level security policies in the database; tenant checks in API routes |
| Encryption in transit | HTTPS/TLS only | TLS for web apps, APIs, webhooks, database connections where supported |
| Encryption at rest | Provider-managed encryption | Provider-managed database/hosting/storage encryption; stronger customer-specific encryption for sensitive projects |
| Logging | Security and audit logs | Login events, document processing, AI extraction, invoice review, exports, admin actions |
| Backups | Regular backups for production data | Provider-managed backups per plan; export strategy for critical customer data |
| Data minimization | Only process data needed for agreed service | Payload minimization before AI model calls; redact unnecessary data where feasible |
| AI provider controls | No unnecessary model training on customer data | Use business/API plans with training disabled where possible; avoid consumer AI accounts for customer data |
| Sub-processor management | Approved list and DPA checks | Maintain public sub-processor list; notify customers of material changes where required |
| Incident response | Data breach procedure | Triage, contain, document, notify controller/customer without undue delay |
| Deletion | Customer-driven and policy-based deletion | Deletion workflows for workspaces, files, logs and backups according to retention policy |
| Development security | Separate dev/prod environments | No production data in local/dev unless anonymized; secrets stored in environment managers |
| Vendor security | Review security posture | Prefer ISO 27001/SOC 2 providers; EU hosting for sensitive services |
Service-Specific TOMs
| Service | Additional safeguards |
|---|---|
| AI Document Processing (Nidai DocuFlow) | GoBD-style audit log for edits/exports; document access restricted by organization; duplicate/export logs; customer review before accounting export. |
| Company Knowledge Assistant (Nidai Brain) | Permission-scoped collections; citation-based answers; retrieval logs; source deletion/re-indexing; optional EU/German hosting for sensitive customers. |
| Business Portals & Dashboards / Web Apps & SaaS Development (Nidai Portal Studio / Nidai Studio) | Project-specific security review; separate environments; customer-owned roles; secure file upload; input validation and rate limiting. |
| AI Receptionist | Caller AI disclosure; short retention for audio/transcripts by default; separate handling for phone/SMS metadata; emergency/medical escalation disclaimers where relevant. |
Internal Operational Rules
- Do not paste live customer personal data into consumer AI tools.
- Use test/anonymized data in development.
- Review RLS and access policies before production release.
- Keep a secrets inventory and rotate compromised credentials immediately.
- Review TOMs every 6 months or after a material architecture change.