# TOMs ALAI AI Services v1 # Technical and Organizational Measures (TOMs) ## ALAI Holding AS — AI Services **Version:** 1.0 | **Date:** 2026-05-01 | **GDPR Reference:** Article 32 --- ## Overview This document describes the technical and organizational measures (TOMs) implemented by **ALAI Holding AS** to ensure the security of personal data processed on behalf of clients in connection with AI Services. ALAI acts as a **Data Processor** when delivering AI services (AI audits, AI development, AI agent orchestration) to clients. This document satisfies GDPR Article 28(3)(c) requirement to demonstrate appropriate security measures. ## Technical Measures ### 2.1 Encryption
MeasureImplementationPurpose
**Data in Transit**TLS 1.3 for all HTTP connections; SSH for server accessProtect data during transmission
**Data at Rest**AES-256 encryption for PostgreSQL databases, file storage, and backupsPrevent unauthorized access to stored data
**API Keys and Secrets**Stored in Bitwarden (encrypted vault); environment variables in production; never committed to gitProtect credentials
**Email**TLS for SMTP/IMAP; PGP available for sensitive communicationsSecure email in transit
**Implementation Details:** - All client-facing web services enforce HTTPS via Cloudflare SSL - Database connections use SSL/TLS (Azure PostgreSQL enforces encrypted connections) - Backups encrypted at rest using Azure Storage encryption (Microsoft-managed keys) ### 2.2 Pseudonymization
MeasureImplementationPurpose
**Development/Test Data**Client production data is anonymized before use in dev/test environmentsMinimize exposure of real personal data
**Logging**Personal identifiers (emails, names) are redacted or hashed in system logsPrevent leakage via logs
**AI Training Data**Client data used for AI model fine-tuning is pseudonymized where feasibleProtect individual identities in training datasets
### 2.3 Access Control
MeasureImplementationPurpose
**Multi-Factor Authentication (MFA)**Required for all production system access (Azure Portal, SSH, Bitwarden, Documenso, BookStack admin)Prevent unauthorized access
**Role-Based Access Control (RBAC)**Azure AD roles limit production access to designated personnel onlyNeed-to-know principle
**SSH Key Authentication**Password authentication disabled; only SSH keys allowed for server accessPrevent brute-force attacks
**API Token Rotation**Quarterly rotation of service API tokensLimit token exposure window
### 2.4 Logging and Monitoring - **Audit Logs:** All access to production databases and personal data logged with timestamps, user ID, action - **Retention:** Logs retained for 90 days (compliance requirement) - **Alerting:** Failed login attempts, unauthorized access attempts trigger alerts to CEO - **Review:** Monthly log review for anomalies ### 2.5 Security Updates - **Patch Cycle:** Monthly security updates for OS and dependencies - **Dependency Scanning:** Automated vulnerability scanning via Dependabot (GitHub) and npm audit - **Critical Patches:** Applied within 48 hours of disclosure for high-severity vulnerabilities ### 2.6 Penetration Testing - **Frequency:** Annual external penetration testing (planned Q4 2026) - **Scope:** Web applications, API endpoints, authentication mechanisms - **Remediation:** High/critical findings remediated within 30 days ## Organizational Measures ### 3.1 Personnel Security
MeasureImplementationPurpose
**GDPR Training**Annual GDPR training for all staff with data accessEnsure awareness of data protection obligations
**Confidentiality Agreements**All employees and contractors sign NDAs covering client dataLegally binding confidentiality
**Background Checks**Reference checks for all hires with production access (Norway/Bosnia)Vet trustworthiness
**Access Termination**All access revoked within 24 hours of employee/contractor departurePrevent ex-employee access
### 3.2 Access Management - **Need-to-Know Principle:** Access granted only when documented business need exists - **Access Review:** Quarterly review of who has production access; revoke unnecessary permissions - **Temporary Access:** Time-limited credentials for contractors (expire after engagement) ### 3.3 Backup and Recovery
MeasureImplementationTarget
**Backup Frequency**Daily automated backups of all databasesRPO: 24 hours (max data loss)
**Backup Location**Azure Blob Storage (geo-redundant, EU region)Survive regional outage
**Recovery Time**Tested quarterly restore proceduresRTO: <24 hours (time to restore)
**Backup Encryption**AES-256 encryption at restProtect backup data
### 3.4 Incident Response **Data Breach Response Plan:** 1. **Detection:** Automated alerts + manual log review 2. **Containment:** Immediate isolation of affected systems (within 1 hour) 3. **Assessment:** Determine scope: what data, how many records, what breach type 4. **Notification:** - Client notification within **24 hours** of breach discovery (per DPA) - Datatilsynet (Norwegian DPA) notification within 72 hours if required by GDPR 5. **Remediation:** Patch vulnerability, restore from backup if needed 6. **Documentation:** Full incident report with timeline, root cause, remediation steps **Incident Contact:** alem@alai.no (CEO, available 24/7 for critical incidents) ### 3.5 Data Retention and Deletion
Data TypeRetention PeriodDeletion Method
**Client personal data (production)**Duration of contract + 30 days post-terminationSecure deletion (multi-pass overwrite or Azure storage deletion)
**Backups**90 days rolling windowAutomatic expiry
**Audit logs**90 daysAutomatic expiry
**Signed contracts (NDA, Retainer, DPA)**7 years (Norwegian accounting law)Archived at archive.alai.no per ZAKON ARCHIVE FIRST
**Data Deletion Verification:** Upon contract termination, ALAI provides written confirmation of data deletion within 30 days (per DPA section 3.7). ## Sub-Processor Security ALAI relies on sub-processors for infrastructure and AI services. Each sub-processor has been vetted for GDPR compliance:
Sub-ProcessorCertificationsData Location
**Anthropic PBC**SOC 2 Type II, GDPR DPA, SCCsUSA (AWS us-east-1)
**Microsoft Azure**ISO 27001, SOC 2, GDPR compliantEU West / Norway East
**Cloudflare Inc.**ISO 27001, SOC 2 Type II, GDPR DPAGlobal (EU data residency)
**Brevo**GDPR compliant, ISO 27001EU (Frankfurt)
See [DPA Template](https://docs.alai.no/books/legal-templates-v1/page/dpa-template-v1-gdpr-article-28) for full sub-processor details and 30-day notice policy. ## Compliance and Audit - **Annual TOMs Review:** CEO reviews and updates this document annually or upon material security changes - **Client Audit Rights:** Clients may audit ALAI's compliance with TOMs (1x/year free, additional by agreement) - **External Audit:** SOC 2 Type I audit planned Q4 2026 (post-AI Services launch) ## Limitations and Disclaimers **⚠️ Current Status: DRAFT** This TOMs document is based on ALAI's existing infrastructure and planned security posture. Final validation pending: 1. **Security audit:** External review not yet conducted (planned Q4 2026) 2. **ISO 27001:** Not yet certified (est. cost 150K NOK, 6-month timeline if client requires) 3. **SOC 2:** Type I audit planned Q4 2026 (Type II requires 6-12 month observation period) If client requires formal certification (ISO 27001, SOC 2 Type II), CEO will assess feasibility and cost impact. ## Document History - **v1.0 (2026-05-01):** Initial version (Lexicon + Proveo 19/20 PASS) - **Next Review:** 2027-05-01 (annual) or upon first security audit --- **Source File:** `~/Public/legal/ai-services/TOMs-ALAI-AI-Services-v1.md` **Full document available at source location (13K file).** *Referenced by [DPA Template v1](https://docs.alai.no/books/legal-templates-v1/page/dpa-template-v1-gdpr-article-28) as Annex B.*