22 février 2025
Annex 2 to the Data Processing Agreement
List of Technical and Organizational Measures (TOM)
Place of Data Processing
Besides the registered office of Threema in 8808 Pfäffikon SZ (municipality of Freienbach), the IT systems of Threema, on which personal data is processed and, if necessary, stored, are located in two data centers of an ISO 27001-certified colocation partner in Zurich.
1. Confidentiality
1.1. Admission Control Measures
Appropriate measures to prevent unauthorized persons from gaining physical access to the IT systems of Threema on which personal data is processed:
| Technical Measures | Organizational Measures |
|---|---|
| Alarm system | Key management |
| Personnel separation system | Reception |
| Biometric admission control | Visitor log |
| Manual locking system | Visitor badges |
| Video surveillance | Visitors accompanied by employees |
| Lockable server racks | Employed facility management staff |
| Security personnel at the data center |
1.2. Access Control Measures
Appropriate measures to prevent unauthorized persons from using the IT systems of Threema on which personal data is processed:
| Technical Measures | Organizational Measures |
|---|---|
| Use of own server hardware | Permission management |
| No cloud solutions or shared hosting | Centrally created and managed user profiles |
| Logins with username, strong password and two-factor or multi-factor authentication | Password-protected user accounts |
| Access with Secure Shell (SSH) | State of the art security measures for home office |
| Use of security tokens for one-time password (OTP) authentication | Restricted group of people for the use of administrative user accounts |
| Firewalls | |
| Access only via Virtual Private Network (VPN) | |
| Encryption of data carriers, hard disks, smartphones and work computers | |
| Automatic desktop lock |
1.3. Permission Control Measures
Appropriate measures to ensure that, when using the IT systems, authorized employees of Threema can only access the personal data that is subject to their access authorization and that personal data cannot be read, copied, changed or deleted without authorization:
| Technical Measures | Organizational Measures |
|---|---|
| Access logging | Restricted group of people for the use of administrative user accounts |
| Access to IT systems via SSH | Limited number of administrators |
| Transport Layer Security (TLS) encryption | Management of permissions by administrators |
| Use of security tokens | Regular checks of permissions (permission audits) |
| Virtual Private Network (VPN) for remote access | |
| State of the art cryptographic procedures |
1.4. Separation Control Measures
Appropriate measures to ensure that personal data collected for different purposes can be processed logically and physically separated on the IT systems of Threema:
| Technical Measures | Organizational Measures |
|---|---|
| Separation of production, staging and test environments | Permission management for databases |
| Logical separation of systems and databases | Defined requirements for development environments |
| Multi-tenant capability for relevant applications | Defined requirements for the execution of tests in software development |
| Virtual Local Area Network (VLAN) segmentation of networks | Continuous Integration for automated testing |
| Logical separation of customer systems |
2. Integrity
Appropriate measures to ensure that personal data cannot be read, copied, changed or deleted without authorization during its transport (“data in transit”) or storage (“data at rest”) and that it is possible to determine where personal data is transmitted to:
| Technical Measures | Organizational Measures |
|---|---|
| Access only via VPN | Need-to-know principle |
| Logging of accesses and retrievals | |
| Use of security tokens | |
| Transport Layer Security (TLS) encryption | |
| Encryption for storage (“data at rest”) and transport (“data in transit”) | |
| Encrypted backups |
3. Availability
3.1. Availability Control Measures
Appropriate measures to ensure that personal data on the IT systems of Threema is protected against loss or destruction:
| Technical Measures | Organizational Measures |
|---|---|
| Fire and smoke detectors | Concept for business continuity |
| Fire extinguishing installations | Concept for defense against Distributed Denial of Service (DDoS) attacks |
| Temperature and humidity monitoring at the data center | Use of two data centers for redundancy |
| Air-conditioned server room | |
| Measures for uninterrupted power supply in an emergency | |
| Redundant Array of Independent Disks (RAID) system | |
| Video surveillance | |
| Redundant internet connection |
3.2. Recovery Measures
Appropriate measures that enable Threema to quickly restore the availability of and access to personal data on its IT systems following an incident:
| Technical Measures | Organizational Measures |
|---|---|
| Backup monitoring | Concept for data recovery |
| Manual data recovery | Control of the backup procedure |
| Backups according to criticality | Regular data recovery tests |
| Storage of encrypted backups in both data centers (redundancy) | |
| Additional encrypted backups of certain critical data outside the data centers |
4. Procedures for Reviewing, Assessing and Evaluating Effectiveness
| Technical Measures | Organizational Measures |
|---|---|
| Technical access for employees to compliance documents on data protection and information security | Data security concept with internal rules of conduct |
| Regular updates of software, firewall and spam filters | Defined requirements for “Privacy by Design” and “Privacy by Default” |
| Application of data protection-friendly default settings | Defined requirements for secure software development |
| Monitoring remote access | Avoidance of sub-processing for the processing of personal data as far as possible |
| Sub-processing for the processing of personal data only for non-essential functions of Threema products | |
| Documentation of the implemented encryption in cryptography whitepaper | |
| Regular external audits on the security of the implemented encryption | |
| Regular internal and external audits of procedures and software |