Skip to main content

TOMs ALAI AI Services v1

Technical and Organizational Measures (TOMs)

ALAI Holding AS — AI Services

Version: 1.0 | Date: 2026-05-01 | GDPR Reference: Article 32

Overview

This document describes the technical and organizational measures (TOMs) implemented by ALAI Holding AS to ensure the security of personal data processed on behalf of clients in connection with AI Services.

ALAI acts as a Data Processor when delivering AI services (AI audits, AI development, AI agent orchestration) to clients. This document satisfies GDPR Article 28(3)(c) requirement to demonstrate appropriate security measures.

Technical Measures

2.1 Encryption

MeasureImplementationPurpose
Data in TransitTLS 1.3 for all HTTP connections; SSH for server accessProtect data during transmission
Data at RestAES-256 encryption for PostgreSQL databases, file storage, and backupsPrevent unauthorized access to stored data
API Keys and SecretsStored in Bitwarden (encrypted vault); environment variables in production; never committed to gitProtect credentials
EmailTLS for SMTP/IMAP; PGP available for sensitive communicationsSecure email in transit

Implementation Details:

  • All client-facing web services enforce HTTPS via Cloudflare SSL
  • Database connections use SSL/TLS (Azure PostgreSQL enforces encrypted connections)
  • Backups encrypted at rest using Azure Storage encryption (Microsoft-managed keys)

2.2 Pseudonymization

MeasureImplementationPurpose
Development/Test DataClient production data is anonymized before use in dev/test environmentsMinimize exposure of real personal data
LoggingPersonal identifiers (emails, names) are redacted or hashed in system logsPrevent leakage via logs
AI Training DataClient data used for AI model fine-tuning is pseudonymized where feasibleProtect individual identities in training datasets

2.3 Access Control

MeasureImplementationPurpose
Multi-Factor Authentication (MFA)Required for all production system access (Azure Portal, SSH, Bitwarden, Documenso, BookStack admin)Prevent unauthorized access
Role-Based Access Control (RBAC)Azure AD roles limit production access to designated personnel onlyNeed-to-know principle
SSH Key AuthenticationPassword authentication disabled; only SSH keys allowed for server accessPrevent brute-force attacks
API Token RotationQuarterly rotation of service API tokensLimit token exposure window

2.4 Logging and Monitoring

  • Audit Logs: All access to production databases and personal data logged with timestamps, user ID, action
  • Retention: Logs retained for 90 days (compliance requirement)
  • Alerting: Failed login attempts, unauthorized access attempts trigger alerts to CEO
  • Review: Monthly log review for anomalies

2.5 Security Updates

  • Patch Cycle: Monthly security updates for OS and dependencies
  • Dependency Scanning: Automated vulnerability scanning via Dependabot (GitHub) and npm audit
  • Critical Patches: Applied within 48 hours of disclosure for high-severity vulnerabilities

2.6 Penetration Testing

  • Frequency: Annual external penetration testing (planned Q4 2026)
  • Scope: Web applications, API endpoints, authentication mechanisms
  • Remediation: High/critical findings remediated within 30 days

Organizational Measures

3.1 Personnel Security

MeasureImplementationPurpose
GDPR TrainingAnnual GDPR training for all staff with data accessEnsure awareness of data protection obligations
Confidentiality AgreementsAll employees and contractors sign NDAs covering client dataLegally binding confidentiality
Background ChecksReference checks for all hires with production access (Norway/Bosnia)Vet trustworthiness
Access TerminationAll access revoked within 24 hours of employee/contractor departurePrevent ex-employee access

3.2 Access Management

  • Need-to-Know Principle: Access granted only when documented business need exists
  • Access Review: Quarterly review of who has production access; revoke unnecessary permissions
  • Temporary Access: Time-limited credentials for contractors (expire after engagement)

3.3 Backup and Recovery

MeasureImplementationTarget
Backup FrequencyDaily automated backups of all databasesRPO: 24 hours (max data loss)
Backup LocationAzure Blob Storage (geo-redundant, EU region)Survive regional outage
Recovery TimeTested quarterly restore proceduresRTO: <24 hours (time to restore)
Backup EncryptionAES-256 encryption at restProtect backup data

3.4 Incident Response

Data Breach Response Plan:

  1. Detection: Automated alerts + manual log review
  2. Containment: Immediate isolation of affected systems (within 1 hour)
  3. Assessment: Determine scope: what data, how many records, what breach type
  4. Notification:
    • Client notification within 24 hours of breach discovery (per DPA)
    • Datatilsynet (Norwegian DPA) notification within 72 hours if required by GDPR
  5. Remediation: Patch vulnerability, restore from backup if needed
  6. Documentation: Full incident report with timeline, root cause, remediation steps

Incident Contact: [email protected] (CEO, available 24/7 for critical incidents)

3.5 Data Retention and Deletion

Data TypeRetention PeriodDeletion Method
Client personal data (production)Duration of contract + 30 days post-terminationSecure deletion (multi-pass overwrite or Azure storage deletion)
Backups90 days rolling windowAutomatic expiry
Audit logs90 daysAutomatic expiry
Signed contracts (NDA, Retainer, DPA)7 years (Norwegian accounting law)Archived at archive.alai.no per ZAKON ARCHIVE FIRST

Data Deletion Verification: Upon contract termination, ALAI provides written confirmation of data deletion within 30 days (per DPA section 3.7).

Sub-Processor Security

ALAI relies on sub-processors for infrastructure and AI services. Each sub-processor has been vetted for GDPR compliance:

Sub-ProcessorCertificationsData Location
Anthropic PBCSOC 2 Type II, GDPR DPA, SCCsUSA (AWS us-east-1)
Microsoft AzureISO 27001, SOC 2, GDPR compliantEU West / Norway East
Cloudflare Inc.ISO 27001, SOC 2 Type II, GDPR DPAGlobal (EU data residency)
BrevoGDPR compliant, ISO 27001EU (Frankfurt)

See DPA Template for full sub-processor details and 30-day notice policy.

Compliance and Audit

  • Annual TOMs Review: CEO reviews and updates this document annually or upon material security changes
  • Client Audit Rights: Clients may audit ALAI's compliance with TOMs (1x/year free, additional by agreement)
  • External Audit: SOC 2 Type I audit planned Q4 2026 (post-AI Services launch)

Limitations and Disclaimers

⚠️ Current Status: DRAFT

This TOMs document is based on ALAI's existing infrastructure and planned security posture. Final validation pending:

  1. Security audit: External review not yet conducted (planned Q4 2026)
  2. ISO 27001: Not yet certified (est. cost 150K NOK, 6-month timeline if client requires)
  3. SOC 2: Type I audit planned Q4 2026 (Type II requires 6-12 month observation period)

If client requires formal certification (ISO 27001, SOC 2 Type II), CEO will assess feasibility and cost impact.

Document History

  • v1.0 (2026-05-01): Initial version (Lexicon + Proveo 19/20 PASS)
  • Next Review: 2027-05-01 (annual) or upon first security audit

Source File: ~/Public/legal/ai-services/TOMs-ALAI-AI-Services-v1.md
Full document available at source location (13K file).

Referenced by DPA Template v1 as Annex B.

No comments to display

Back to top