Technical and organisational measures (TOMs)
As of 6 July 2026. Description of the technical and organisational measures under Art. 32 GDPR. This overview is an annex to the Data Processing Agreement (DPA) and describes the measures of Tippel — Lukas Friedrich (sole proprietorship), Kampweg 4, 34369 Hofgeismar, Germany (“Tippel”) as processor within the meaning of Art. 28 GDPR. The service runs on IONOS SE infrastructure with data centres in Germany.
0. Scope and allocation of roles
For the account and usage data of the registered businesses (name, email, password hash, usage and billing data), Tippel is itself the controller. For the content of the analysis — the documents (PDF/TXT/MD) and source code/ZIP repositories uploaded by customers, which may contain personal data — Tippel acts as processor for the respective customer (Art. 28 GDPR); the customer is the controller in that respect. The measures below apply to both processing situations.
1. Confidentiality (Art. 32(1)(b))
- Physical access control: Processing and storage exclusively in IONOS SE data centres in Germany. Physical security (building, access and perimeter protection, fire/climate/power supply) is provided by the data-centre operator IONOS SE; Tippel does not operate its own server locations (see the sub-processor list). Specific operator certifications: [to be confirmed: e.g. ISO 27001 of the IONOS data centres].
- System access control: Login to the application only with email and
password. Passwords are stored solely as a bcrypt hash (never in plaintext, no reversible
method). Sessions are maintained via random tokens stored in the database and a
technically necessary cookie (
komplai_session); the cookie is httpOnly, SameSite=Lax and “Secure” in production, with a limited lifetime. After several failed login attempts, an automatic login lockout applies. Access to the application is only possible over TLS/HTTPS. - Data access control: Access to cases, analyses (jobs), uploaded
files and result documents is role- and owner-bound: users can only view and download
data associated with their own account, and every state-changing action checks account
ownership. State-changing forms are protected by CSRF tokens. To reduce cross-site
scripting and third-party code execution, a strict Content Security Policy with
script-src 'self'applies (no external scripts, no inline JavaScript from untrusted sources). - Separation control: Logical tenant/account separation: payload data
is stored separately per account/case and checked against account ownership on every
access. Application data resides in dedicated database tables prefixed
kc_, separated from any other application on the same database. Production and test environment: [to be confirmed: separate environments/data sets]. - Pseudonymisation/encryption: Passwords are stored solely as a hash; all transmission between client, server and sub-processors is transport-encrypted (TLS). For traceability, checksums (SHA-256) are kept per analysed document. Encryption at rest at storage/database level: [to be confirmed whether enabled by IONOS or at application level].
2. Integrity (Art. 32(1)(b))
- Transfer control: Transmission to sub-processors occurs only
transport-encrypted (TLS) and on the basis of data processing agreements. For transfers
to the USA (OpenRouter Inc. as API gateway and the model provider, currently Anthropic),
EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) are relied upon; as an additional
measure, provider routing is set to “no retention, no training”
(
data_collection: deny). Whether the US providers are additionally certified under the EU-US Data Privacy Framework is [to be checked]. No sharing for advertising or training purposes; no tracking, no analytics/marketing cookies. - Input control / traceability: Standard server/reverse-proxy access logs (IP address, time, requested URL) serve operational security and are retained only for a short period (legal basis Art. 6(1)(f) GDPR). Every generated report carries a basis of assessment with document hashes, model id and legal version, so it remains traceable which inputs led to which result. Specific retention period of the server logs: [to be added: exact period].
3. Availability and resilience (Art. 32(1)(b) and (c))
- Availability / operational security: Operated on managed IONOS infrastructure in Germany. Rate limiting and security headers (including the strict CSP above) protect against overload and common attacks. Server logs support the detection of operational disruptions and security anomalies.
- Resilience / restore: Interrupted analyses are detected automatically on restart; failed analyses trigger an automatic refund of the credits used. Regular backups of the database and payload data, and the restore procedure, are established and documented before go-live. Specific backup frequency, backup retention period and recovery objectives (RPO/RTO): [to be added].
4. Procedures for regular review, assessment and evaluation (Art. 32(1)(d))
- Processor and sub-processor control: Sub-processors are engaged only under a data processing agreement or — where a third country is involved — on the basis of the EU Standard Contractual Clauses. The sub-processors used (IONOS SE, DE; OpenRouter Inc., USA; Anthropic, USA via OpenRouter; Stripe Payments Europe Ltd., Ireland) are disclosed and dated in the sub-processor list.
- Data protection management / data minimisation: Only the data required for account, analysis and payment is processed; only Stripe Payments Europe Ltd. receives full payment data. Responsibility for data protection matters lies with management; a data protection officer has not been appointed, as the obligation to appoint one under Art. 37 GDPR / § 38 BDSG regularly does not apply to this sole proprietorship. Enquiries: info@tippel.ai.
- Incident / data breach response: Personal-data breaches are documented and reported to the controller without undue delay (Art. 33(2) GDPR). Where Tippel is itself the controller, a notification is made to the competent supervisory authority — the Hessian Commissioner for Data Protection and Freedom of Information (HBDI), Wiesbaden — in accordance with Art. 33 GDPR. Contact for reports: info@tippel.ai.
- Updating and review: The technical and organisational measures are reviewed, assessed and, where necessary, adjusted regularly and on specific occasions (e.g. changes to the application, new sub-processors or security incidents). Cadence of scheduled review: [to be added: e.g. annually].
This description documents the measures taken or to be established by go-live and does not constitute legal advice. For specific engagements the DPA governs.
The German version is authoritative.