Technical & Organisational Measures (TOM)
Reference document
This is niil's default description of the technical and organisational measures (Art. 32 GDPR). It reflects the controls implemented in the platform. Items marked operator-confirmed are deployment/operational commitments your niil operator confirms for your instance. For the hosted niil service (niil.ai / app.niil.ai) the operator is Gradient Zero Deutschland GmbH (gzero.ai); for a self-hosted deployment it is the organisation running the instance.
Art. 32 GDPR · Version 1.0
These measures protect the confidentiality, integrity, availability, and resilience of processing.
1. Confidentiality
- Encryption at rest — chat messages, uploaded documents, and conversation titles are encrypted with AES-256-GCM before persistence; connector credentials are sealed with a separate AES-256-GCM key. Keys are supplied as deployment secrets (KMS-managed in production). See Encryption.
- Encryption in transit — TLS terminated at the ingress; secure, HTTP-only session cookies.
- Access control — role-based access control (tenant-admin / builder / viewer); least-privilege command authorisation; per-tenant isolation enforced at the command/query layer and, in production, by PostgreSQL Row-Level Security.
- Tenant separation — every record is tenant-scoped; cross-tenant access is denied by the authorisation layer.
- Data-loss prevention — PII detection and redaction on chat input/output, with findings recorded in the audit trail. See Data protection & GDPR.
- Physical access (operator-confirmed) — controlled by the EU IaaS provider (ISO 27001-certified data centres).
2. Integrity
- Input/transmission control — an event-sourced, append-only command/event log; immutable audit entries.
- Audit logging — every significant action is recorded with actor, action, resource, and compliance control tags (GDPR / SOC 2 / HIPAA).
3. Availability & resilience
- Backups (operator-confirmed) — daily encrypted backups of the datastore with at least 7-day retention; periodic restore tests.
- Disaster recovery (operator-confirmed) — a documented restore runbook with defined RPO/RTO targets.
- Availability target (operator-confirmed) — per the main agreement.
4. Zero data retention & no training
Prompts and outputs are not used to train models. ZDR is contracted with AI sub-processors and signalled technically where supported — see Zero Data Retention.
5. Procedures for regular review
- Data-protection management (operator-confirmed) — periodic review of measures; data-protection officer where required.
- Incident response — a documented detection → notification → analysis → remediation process; breach notification to the Customer without undue delay.
- Testing & vulnerability management (operator-confirmed) — regular external testing and continuous dependency scanning.
6. Data-subject rights & deletion
- Self-service data export (Art. 15) and erasure (Art. 17) per data subject.
- Deletion crypto-erases encrypted content; statutory retention is respected.