Technical and Organizational Security Measures
Last updated: February 26, 2026
Partium implements and maintains the following technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR, as well as the Data Act, as defined in Exhibit "EU Data Regulations".
1. INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS)
Partium maintains an ISMS certified to ISO/IEC 27001, which is regularly audited by an independent third party. Policies and procedures are reviewed at least annually as part of the ISMS continuous improvement process.
2. ACCESS CONTROL
Access to personal data is restricted to authorized personnel only, following the principle of least privilege.
Microsoft SSO (Single Sign-On) is used for all employee access to internal systems, enforcing strong authentication and centralized access management.
Multi-factor authentication (MFA) is enabled for all accounts with access to personal data.
Access rights are reviewed at least quarterly and promptly revoked upon role change or termination.
3. DATA ENCRYPTION
All personal data is encrypted in transit using TLS 1.2 or higher.
Personal data stored in Amazon Web Services (AWS) is encrypted at rest with keys managed in AWS Key Management Service (KMS), using industry-standard algorithms (e.g., AES-256).
4. PHYSICAL SECURITY
All production systems are hosted in AWS data centers, which hold ISO 27001 certification and SOC 1 and SOC 2 attestation reports, among other relevant standards. AWS data centers employ robust physical security controls, including 24/7 monitoring, access logs, and biometric access restrictions.
5. NETWORK SECURITY
AWS security groups and firewalls are configured to restrict network access to production systems. Regular vulnerability scanning and annual penetration testing are conducted by independent third parties. Intrusion detection and prevention systems are in place to monitor for unauthorized access.
6. DATA BACKUP AND RECOVERY
Automated daily backups of production databases are performed and stored in encrypted form within AWS. Backup and disaster recovery procedures are tested at least annually to ensure data integrity and availability.
7. SYSTEM MONITORING AND LOGGING
Security events and access to personal data are logged and monitored using centralized logging solutions. Logs are retained for a minimum of 12 months and reviewed regularly for suspicious activity.
8. EMPLOYEE AWARENESS AND TRAINING
All employees receive annual training on data protection, information security, and privacy obligations, in line with ISO 27001 requirements.
Confidentiality agreements are signed by all personnel with access to personal data.
9. DATA MINIMIZATION AND PSEUDONYMIZATION
Personal data is only collected and processed as necessary for the specified purposes.
Where feasible, personal data is pseudonymized or anonymized to reduce risk.
10. INCIDENT RESPONSE
A documented incident response plan is maintained and tested annually as part of the ISMS.
Data breaches are reported to the Customer (as Controller) in accordance with the Data Processing Agreement.
11. SUB-PROCESSOR MANAGEMENT
Sub-processors are required to implement equivalent security measures and are regularly assessed for compliance. A current list of sub-processors is maintained and made available to the Customer (as Controller) in accordance with the Data Processing Agreement.
12. REGULAR REVIEW AND IMPROVEMENT
Security measures are reviewed at least annually and updated to address emerging risks and technological developments.
Partium maintains a process for continuous improvement of its security posture, as required by ISO 27001.