Technical and Organizational Measures (TOM)

Last Updated: February 20, 2026

Art of X UG (haftungsbeschränkt) ("Minds AI") implements the following technical and organizational measures pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk involved in the processing of personal data.


1. Access Control

Physical Access Control

Minds AI infrastructure is hosted exclusively with certified cloud providers:

  • DigitalOcean – Frankfurt, Germany data center (EU). Certifications: SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018.
  • Supabase – Stockholm, Sweden data center (EU), hosted on AWS. Certifications: SOC 2 Type II.

Physical security (biometric access controls, 24/7 surveillance, access logging) is fully managed by the cloud providers.

Logical Access Control

  • Role-based access control (RBAC) for all internal systems and administration interfaces.
  • Multi-factor authentication (MFA) required for all employee access to production systems.
  • Individual user accounts – no shared credentials.
  • Regular review and revocation of access rights following the principle of least privilege.
  • API keys and credentials are managed in encrypted secrets managers.

2. Encryption

Encryption in Transit

  • All data transmissions are secured via TLS 1.2 or higher.
  • HSTS (HTTP Strict Transport Security) is enabled for all public endpoints.
  • Internal service-to-service communication is also encrypted.

Encryption at Rest

  • Databases (Supabase/PostgreSQL) use AES-256 encryption for data at rest.
  • File storage (DigitalOcean Spaces / Supabase Storage) uses server-side AES-256 encryption.
  • Backups are stored in encrypted form.

3. Data Separation (Tenant Isolation)

  • Strict logical separation of customer data at the database level: every customer-owned row carries its tenant identifier, and PostgreSQL Row-Level Security policies restrict each database session to the rows of its own tenant.
  • Each customer can only access their own data. This is enforced at the database level (RLS) and additionally at the API level.
  • Automated tests ensure no cross-tenant data leakage occurs.
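As an illustration of the mechanism named above, the following is an added example of a PostgreSQL Row-Level Security setup for one tenant-scoped table, together with the kind of cross-tenant smoke test the last bullet refers to. It is example code, not Minds AI's own schema or test suite. The table, column, role and setting names (documents, tenant_id, app_user, app.current_tenant) are assumptions.

```sql
-- Added illustrative example, not the operator's schema. Names are assumptions.
CREATE TABLE documents (
    id         uuid        PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id  uuid        NOT NULL,
    title      text        NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- RLS must be switched on per table. Superusers always bypass RLS, and the
-- table owner bypasses it unless FORCE is set, so both statements matter and
-- the application must connect as a role that is neither.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- The tenant of the current connection is carried in a session setting that
-- the API layer sets from the authenticated identity, never from client input
-- (assumption). nullif(...) turns an unset or reset setting into NULL, so a
-- session with no tenant context matches no rows instead of raising an error.
CREATE POLICY tenant_isolation ON documents
    USING      (tenant_id = nullif(current_setting('app.current_tenant', true), '')::uuid)
    WITH CHECK (tenant_id = nullif(current_setting('app.current_tenant', true), '')::uuid);

CREATE ROLE app_user NOLOGIN;  -- hypothetical application role, not the table owner
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;

-- Cross-tenant leakage check, runnable in psql as a smoke test.
SET ROLE app_user;
SELECT set_config('app.current_tenant', '11111111-1111-1111-1111-111111111111', false);
INSERT INTO documents (tenant_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'tenant A document');
SELECT count(*) FROM documents;   -- 1: tenant A sees its own row

-- Writing a row for another tenant is rejected by the WITH CHECK clause:
-- INSERT INTO documents (tenant_id, title)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'smuggled');
-- ERROR:  new row violates row-level security policy for table "documents"

SELECT set_config('app.current_tenant', '22222222-2222-2222-2222-222222222222', false);
SELECT count(*) FROM documents;   -- 0: tenant B sees none of tenant A's rows

SELECT set_config('app.current_tenant', '', false);
SELECT count(*) FROM documents;   -- 0: no tenant context, no rows
RESET ROLE;
```

Two caveats a reviewer of such a setup would check: PostgreSQL policies are permissive by default and are combined with OR, so a later policy such as USING (true) added for a reporting job silently opens the table to every tenant; and on Supabase the tenant identity is usually taken from the request's JWT claims rather than from a session setting, but the ENABLE/FORCE and non-owner-role points apply unchanged.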

4. Availability and Resilience

Hosting Architecture

  • Application runs on DigitalOcean App Platform with automatic scaling and health checks.
  • Database on Supabase with high-availability configuration.

Backup and Recovery

  • Daily automatic database backups with a retention period of at least 7 days.
  • Point-in-Time Recovery (PITR) for the PostgreSQL database.
  • Regular testing of recovery procedures.
  • Recovery Time Objective (RTO): as defined in SLA.
  • Recovery Point Objective (RPO): maximum 24 hours.

5. Incident Response

  • Documented incident response process for security incidents.
  • Notification of the Controller (customer) within 48 hours of becoming aware of a personal data breach, in accordance with the Data Processing Agreement (DPA).
  • Logging and tracking of all security-relevant incidents.
  • Regular review and update of the incident response plan.

6. Confidentiality and Employee Obligations

  • All employees and contractors are bound by confidentiality agreements (NDAs).
  • Regular data protection training for all employees.
  • Obligation to maintain data secrecy in accordance with GDPR.
  • Access to personal data is granted only on a need-to-know basis.

7. Subprocessor Management

  • Careful selection of sub-processors based on data protection and security criteria.
  • Contractual obligation of all sub-processors to GDPR-compliant data processing.
  • Regular review of sub-processors.
  • The current list of sub-processors is published on the Subprocessors page.
  • Advance notice to customers of any changes as per the DPA.

8. Logging and Monitoring

  • Centralized logging of system events and access.
  • Langfuse for monitoring and tracing AI model interactions (hosted in the EU).
  • PostHog for product analytics, used only with the explicit consent of the user.
  • Monitoring of critical system metrics with automated alerts.
  • Regular review of logs for anomalies.

9. Data Minimization and Pseudonymization

Data Minimization

  • Collection and processing of only those personal data that are necessary for the respective processing purpose.
  • Regular review of processed data categories for necessity.
  • Automatic deletion of data no longer needed in accordance with defined retention periods.

Pseudonymization

  • Where technically feasible and appropriate, personal data is processed in pseudonymized form.
  • Internal processing primarily uses UUIDs rather than real names.
  • Analytical evaluations are performed on an aggregated or pseudonymized basis.

10. Regular Review and Assessment

  • Regular security assessments of infrastructure and applications.
  • Dependencies are regularly checked for known vulnerabilities (dependency scanning).
  • Review and update of these TOMs at least annually or upon significant changes to processing activities.
  • Continuous improvement of security measures based on the current threat landscape.

11. Additional Measures

Input Control

  • Logging of changes to personal data (audit trail).
  • Traceability of who entered, modified, or deleted which data and when.
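To show what such an audit trail looks like at the database level, here is an added example of a PostgreSQL trigger that records who inserted, modified or deleted which row and when. It is example code, not Minds AI's own implementation. The table and setting names (customers, audit_log, app.current_user) and the application role app_user are assumptions.

```sql
-- Added illustrative example, not the operator's schema. Names are assumptions.
CREATE TABLE audit_log (
    id         bigserial   PRIMARY KEY,
    table_name text        NOT NULL,
    row_id     text        NOT NULL,
    operation  text        NOT NULL CHECK (operation IN ('INSERT', 'UPDATE', 'DELETE')),
    actor      text        NOT NULL,   -- application user id if known, else the DB session user
    changed_at timestamptz NOT NULL DEFAULT now(),
    old_row    jsonb,                  -- state before UPDATE/DELETE
    new_row    jsonb                   -- state after INSERT/UPDATE
);

-- SECURITY DEFINER lets the trigger append to audit_log without granting the
-- application role any direct privilege on it; search_path is pinned because
-- definer functions must not resolve names through a caller-controlled path.
CREATE OR REPLACE FUNCTION audit_row_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, public AS $$
DECLARE
    -- The API layer sets app.current_user from the authenticated identity (assumption);
    -- fall back to the database session user for administrative changes.
    actor_id text := coalesce(nullif(current_setting('app.current_user', true), ''),
                              session_user::text);
BEGIN
    INSERT INTO audit_log (table_name, row_id, operation, actor, old_row, new_row)
    VALUES (
        TG_TABLE_NAME,
        (CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END)::text,
        TG_OP,
        actor_id,
        CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
        CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END
    );
    RETURN NULL;  -- AFTER trigger: the return value is ignored
END $$;

CREATE TABLE customers (
    id    uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    email text NOT NULL
);

CREATE TRIGGER customers_audit
AFTER INSERT OR UPDATE OR DELETE ON customers
FOR EACH ROW EXECUTE FUNCTION audit_row_change();

-- The application role may change customers but must not read, alter or
-- truncate the trail; only the trigger (running as its definer) writes to it.
CREATE ROLE app_user NOLOGIN;  -- hypothetical application role
GRANT SELECT, INSERT, UPDATE, DELETE ON customers TO app_user;
REVOKE ALL ON audit_log FROM app_user;

-- Example: one insert, one update and one delete produce three audit rows
-- attributed to the same actor.
SELECT set_config('app.current_user', 'user-42', false);
INSERT INTO customers (email) VALUES ('alice@example.com');
UPDATE customers SET email = 'alice@example.org';
DELETE FROM customers;
SELECT operation, actor, old_row ->> 'email' AS before, new_row ->> 'email' AS after
FROM audit_log ORDER BY id;
```

Because old_row and new_row copy the full record, the audit log itself contains personal data and is subject to the retention periods described under section 9; it should not be exempted from deletion schedules simply because it is "just logging".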

Transfer Control

  • All data transfers are encrypted (see section 2, Encryption in Transit).
  • No transfer of personal data to third countries without an adequate level of protection (adequacy decision or Standard Contractual Clauses).

Processing Control

  • Processing of personal data exclusively in accordance with the Controller's instructions.
  • Contractual regulation of commissioned processing in the DPA.

These technical and organizational measures are reviewed regularly and updated as necessary to ensure a level of protection consistent with the current state of the art.

Art of X UG (haftungsbeschränkt) Managing Directors: Friedrich von Borries and Alexander Doudkin
