Technical and Organizational Measures

This document adds to the Standard Contractual Clauses (SCC) and Data Processing Addendum (DPA) between the Parties under Article 28 of the GDPR.

Annex II
Technical & Organizational Measures (TOM)

As of: May 2024

At MODX Systems, LLC (MODX), we have put in place technical and organizational measures (TOMs) as required by Article 32 GDPR. We continuously monitor, review, and improve these measures to maintain a level of security appropriate to the risk of the processing.

1. Confidentiality

1.1 Physical Access Control

Physical access to the servers holding data is wholly under the control of our hardware infrastructure partners. Our primary hosting and infrastructure provider is IBM Cloud (formerly SoftLayer). Our secondary infrastructure partners are Amazon Web Services (legacy storage), DigitalOcean and Vultr. Each provider was selected, in part, for its commitment to high standards of security and integrity, and physical access controls at their data centers are governed by each provider's own policies and procedures.

1.2 Logical Access Control

These are the measures to prevent data processing systems from being accessed or used by unauthorized persons.

Technical Measures

  • Login with username + strong password
  • Anti-Virus Software Clients
  • Firewall
  • Intrusion Detection Systems
  • Use of VPN for remote access
  • Two-factor authentication for critical systems

Organizational Measures

  • User permission management
  • Creating user profiles
  • Information Security Policy
  • Work instruction IT user regulations
  • Work instruction operation security
  • Work instruction access control

1.3 Authorization Control

We ensure that only authorized users can access specific data based on their permissions. We also ensure that personal data can’t be read, copied, modified, or removed without proper authorization during processing, use, and storage.

Technical Measures

  • SSH-encrypted access
  • TLS encryption

Organizational Measures

  • Use of authorization concepts
  • Minimum number of administrators
  • Management of user rights by administrators
  • Information Security Policy
  • Work instruction communication security
  • Work instruction on the handling of information

1.4 Separation Control

We ensure that we separately retain and handle data collected for different reasons where applicable.

Technical Measures

  • Separation of production and test environments

Organizational Measures

  • Determination of database rights
  • Information Security Policy
  • Data Protection Policy
  • Work instruction operational security
  • Work instruction security in software development

1.5 Pseudonymization

We implement measures for pseudonymizing or anonymizing personal data as needed. In development environments, we anonymize or pseudonymize the data used for testing whenever possible.

Technical Measures

  • Log files are pseudonymized upon request

Organizational Measures

  • Internal instructions to anonymize/pseudonymize personal data as far as possible in the event of a disclosure.
  • Information Security Policy
  • Data Protection Policy

2. Integrity

2.1 Transfer Control

We have procedures to ensure your personal data stays safe from unauthorized access during electronic transmission, transport, or storage. We also ensure that we can verify and track who we send your data to.

Technical Measures

  • Use of VPN
  • Logging of access and retrievals
  • Provision via encrypted connections such as SFTP, HTTPS, SSH and similar.

Organizational Measures

  • Review of regular retrieval and transmission processes
  • Information Security Policy
  • Data Protection Policy

2.2 Input Control

We use measures to review and verify who entered, changed, or removed personal data in our systems to the extent necessary. We manage this input control through logging at different levels: operating system, network, database, and application.

Technical Measures

  • Manual or automated control of the logs

Organizational Measures

  • Survey of which programs or applications are used to enter, change or delete data
  • Assignment of rights to enter, change and delete data based on an authorization concept
  • Clear responsibilities for deletions
  • Information Security Policy
  • Work instruction IT user regulations

3. Availability and Resilience

3.1 Availability Control

We implement measures to protect personal data from accidental destruction or loss. These include UPS, air conditioning, fire protection, data backups, secure storage, virus protection, RAID systems, disk mirroring and separate, encrypted object storage. Physical equipment and data centers are protected according to the respective policies and procedures of each infrastructure vendor described in section 1.1.

Technical Measures

  • RAID Systems
  • Vendor Measures

Organizational Measures

  • Backup concept
  • Storage of backups in Cloud Object Storage in cross-regional or regional zones as available.
  • Separate partitions of systems and data
  • Information Security Policy

3.2 Recoverability Control

We have measures to quickly restore access to personal data after a physical or technical incident. Backups of databases and operating system images are taken to the extent required, with the intent of preventing the loss of personal data in the event of a technical malfunction or human error. Network drives and servers in production are backed up, and each backup run is logged and monitored. We test the recovery of our internal application and system backups.

It is the responsibility of customers to use backup features and other tools to protect their data and test to verify they can recover it.

Technical Measures

  • Backup monitoring
  • Backup concept according to criticality and customer specifications

Organizational Measures

  • Recovery concept
  • Control of the backup process
  • Testing of internal systems data recovery
  • Storage of backups on Cloud Object Storage in cross-regional or regional locations as applicable.
  • Information Security Policy
  • Work instruction operational security

4. Procedures for Regular Review, Assessment and Evaluation

4.1 Data Protection Management

We regularly evaluate potential technical vulnerabilities or errors in our IT systems and take action as needed. We deploy critical patches for operating systems and software applications. We also check our IT systems regularly and after any changes to make sure they work properly. Our internal audit program includes regular system audits, process audits, IT security audits, and data protection audits and controls.

Technical Measures

  • A review of the effectiveness of the TOMs is carried out at least annually and TOMs are updated.

Organizational Measures

  • Internal Data Protection Officer (DPO) appointed
  • Staff trained and obliged to confidentiality/data protection
  • Regular awareness trainings—at least annually
  • Formalized process for requests for information from data subjects is in place
  • Regular review of technical advancements in accordance with Article 32 GDPR

4.2 Incident Response Management

We have the following measures and response procedures in place for the event of a security incident and/or personal data breach.

Technical Measures

  • Use of application firewall
  • Use of VPN
  • Use of spam filtering on email

Organizational Measures

  • Documented process for detecting and reporting security incidents and/or data breaches (and any required reporting to an authority)
  • Formalized procedure for handling security incidents
  • Involvement of DPO and ISO in security incidents and data breaches
  • Documentation of security incidents and data breaches
  • A formal process for follow-up on security incidents and/or data breaches
  • Information Security Policy
  • Data Protection Policy
  • Work instruction operational security
  • Work instruction IT user regulations

4.3 Data Protection by Design and by Default

We follow measures under Article 25 GDPR to ensure data protection by design and by default.

Technical Measures

  • No more personal data is collected than is necessary for the respective purpose
  • Use of data protection-friendly default settings

Organizational Measures

  • Data Protection Policy incorporates “privacy by design/by default”
  • Perimeter analysis for web applications

4.4 Order Control (Outsourcing, Subcontractors and Order Processing)

We select subcontractors carefully to ensure they meet our data protection standards. Depending on their role and data access, subcontractors must comply with confidentiality and data protection regulations, such as signing a non-disclosure agreement and following our information security policy for suppliers. For security-critical subcontractors, we implement reporting and audit requirements, including reviewing security reports, availability statistics, and conducting supplier audits with self-assessment questionnaires and on-site inspections as needed.

Technical Measures

  • Monitoring of subcontractors according to the principles, and using the technologies, described in sections 1 and 2 above

Organizational Measures

  • Work instruction supplier management and supplier evaluation
  • Prior review of the security measures taken by the contractor and their documentation
  • Selection of the contractor under due diligence aspects (especially with regard to data protection and data security)
  • Conclusion of the necessary data processing agreement on commissioned processing or EU standard contractual clauses
  • Framework agreement on contractual data processing within the group of companies
  • Written instructions to the contractor
  • An obligation of the contractor's employees to maintain data secrecy
  • Agreement on effective control rights over the contractor
  • Regulation on the use of further subcontractors
  • Ensuring the destruction of data after termination of the contract
  • In the case of longer collaboration: an ongoing review of the contractor and its level of protection
