This document describes the Technical and Organizational Measures (TOMs) that Gneis Agency implements to protect customer data and ensure the security, integrity, and availability of our services.
This document supplements our Data Processing Agreement (DPA) and provides technical details relevant for enterprise procurement and compliance assessments.
1. Encryption
1.1 Encryption at Rest
All customer data stored in our systems is encrypted using AES-256 encryption. This includes:
- Database records
- File storage and backups
- Log files containing customer data
- Cached data
1.2 Encryption in Transit
All data transmitted to and from Gneis Agency services is encrypted using TLS 1.2 or higher. This includes:
- All API communications
- Web application traffic
- Internal service-to-service communication
- Data transfers to sub-processors
1.3 Key Management
- Encryption keys are managed through cloud provider key management services (AWS KMS, Google Cloud KMS)
- Keys are rotated regularly in accordance with industry best practices
- Access to encryption keys is strictly limited and audited
2. Access Control
2.1 Multi-Factor Authentication (MFA)
- Customer accounts: MFA is available and recommended for all customer accounts
- Internal staff: MFA is mandatory for all Gneis Agency employees accessing production systems
- Administrative access: Hardware security keys required for privileged access
2.2 Role-Based Access Control (RBAC)
- Access to systems and data is granted based on job function and necessity
- Roles are regularly reviewed and updated
- Separation of duties for critical operations
2.3 Principle of Least Privilege
- Employees are granted only the minimum access necessary for their role
- Elevated privileges require additional approval and are time-limited
- Access is revoked immediately upon role change or termination
2.4 Access Logging
- All access to customer data is logged
- Logs include user identity, timestamp, action performed, and data accessed
- Logs are retained for a minimum of 12 months
3. Backup and Recovery
3.1 Backup Frequency
- Database backups: Daily encrypted backups
- Point-in-time recovery: Available for the last 7 days
- Configuration backups: Daily
3.2 Backup Retention
- Daily backups retained for 30 days
- Monthly backups retained for 12 months
- Backups stored in geographically separate locations
3.3 Backup Security
- All backups are encrypted using AES-256
- Backup access is restricted and audited
- Regular backup restoration tests are performed
3.4 Disaster Recovery
- Recovery Point Objective (RPO): 24 hours
- Recovery Time Objective (RTO): 4 hours for critical systems
- Documented disaster recovery procedures tested annually
4. Security Testing
4.1 Penetration Testing
- Third-party penetration testing conducted annually
- Testing scope includes external infrastructure, web applications, and APIs
- Critical and high findings remediated within 30 days
- Summary reports available to Enterprise customers upon request
4.2 Vulnerability Scanning
- Automated vulnerability scanning performed weekly
- Continuous dependency scanning for known vulnerabilities
- Patch management SLA: Critical vulnerabilities within 7 days
4.3 Code Security
- Security-focused code reviews for all changes
- Static Application Security Testing (SAST) in CI/CD pipeline
- Dependency vulnerability scanning before deployment
5. Infrastructure Security
5.1 Cloud Infrastructure
- Hosted on enterprise-grade cloud platforms (AWS, Google Cloud)
- Infrastructure-as-Code for consistent, auditable configurations
- Network segmentation and isolation between environments
5.2 Network Security
- Web Application Firewall (WAF) protecting all public endpoints
- DDoS protection and mitigation
- Intrusion detection and prevention systems
- Private networks for internal service communication
5.3 Monitoring and Alerting
- 24/7 infrastructure monitoring
- Real-time alerting for security events
- Centralized logging and security information management
6. Service Level and Availability
6.1 Uptime Commitment
Gneis Agency targets 99.9% uptime for our services, measured monthly.
6.2 Third-Party AI Provider Exclusion
Important: Uptime calculations exclude downtime caused by Third-Party AI Model Providers (e.g., OpenAI, Anthropic, Google AI). These providers operate independently, and their availability is outside Gneis Agency's direct control.
When third-party AI providers experience outages:
- Gneis Agency will communicate status promptly
- Failover to alternative providers may be implemented where possible
- Such incidents are documented separately from Gneis Agency's uptime metrics
6.3 Scheduled Maintenance
- Scheduled maintenance windows are communicated at least 72 hours in advance
- Maintenance is performed during low-traffic periods when possible
- Emergency maintenance for security issues may occur with shorter notice
7. Incident Response
7.1 Security Incident Process
- Documented incident response procedures
- Dedicated security incident response team
- Maximum 72-hour notification for data breaches (per GDPR)
7.2 Incident Classification
- Critical: Active data breach or system compromise
- High: Vulnerability with potential for exploitation
- Medium: Security issue requiring attention
- Low: Minor security improvement
7.3 Post-Incident Review
- Root cause analysis for all significant incidents
- Lessons learned documented and shared
- Preventive measures implemented
8. Vulnerability Disclosure Program
8.1 Reporting Security Issues
We welcome responsible disclosure of security vulnerabilities.
Report security issues to: security@gneis.ai
8.2 What to Include
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Your contact information (optional, for follow-up)
8.3 Our Commitment
- Acknowledge receipt within 2 business days
- Provide status updates during investigation
- Credit researchers (if desired) upon resolution
- No legal action for good-faith security research
9. Compliance and Certifications
9.1 Current Standards
- GDPR compliant
- EU AI Act compliant
- Standard Contractual Clauses (SCC) for international transfers
9.2 Security Practices
- Based on the ISO 27001 framework
- SOC 2 Type II principles followed
- Regular third-party security assessments
9.3 Vendor Security
- All sub-processors assessed for security posture
- Data Processing Agreements with all sub-processors
- Regular vendor security reviews
10. Employee Security
10.1 Background Checks
- Background verification for employees with data access
- Reference checks for all positions
10.2 Security Training
- Security awareness training for all employees
- Role-specific security training for technical staff
- Annual refresher training and phishing simulations
10.3 Confidentiality
- All employees sign confidentiality agreements
- Non-disclosure agreements for sensitive information
- Clear acceptable use policies
11. Physical Security
11.1 Data Center Security
Our cloud providers maintain:
- 24/7 physical security and surveillance
- Biometric and multi-factor access controls
- Environmental controls (fire suppression, climate control)
- SOC 2 Type II and ISO 27001 certified facilities
11.2 Office Security
- Access control to Gneis Agency offices
- Clean desk policy
- Secure disposal of sensitive documents
12. Contact
For security-related inquiries:
Gneis Agency
Pilestræde 52A
DK-1112 Copenhagen K
Denmark
Security team: security@gneis.ai
Privacy team: privacy@gneis.ai
General inquiries: info@gneis.ai
Related Documents:
- Data Processing Agreement: https://trust.gneis.io/dpa
- Privacy Policy: https://trust.gneis.io/privacy
- AI Transparency Policy: https://trust.gneis.io/ai
- Sub-processors: https://trust.gneis.io/subprocessors
*This Security Posture document is reviewed and updated at least annually. Last review: January 2026.*