Technical and Organisational Measures (TOM)
Annex 2 to the Data Processing Agreement (DPA) pursuant to Art. 32 GDPR
ProofShare implements the following technical and organisational measures to ensure a level of security appropriate to the risk of processing, in accordance with Art. 32 GDPR and the BSI IT-Grundschutz framework. These measures are reviewed and updated on a regular basis.
1. Confidentiality (Art. 32(1)(b) GDPR)
1.1 Access Control and Authentication
| Measure | Description |
|---|---|
| User authentication | Password-based authentication with one-way cryptographic hashing using a memory-hard algorithm compliant with current BSI TR-02102 recommendations. Plaintext credentials are never stored or logged. |
| Two-factor authentication | Time-based one-time password (TOTP) two-factor authentication is available for all photographer accounts and recommended for accounts with elevated data volumes. |
| Session security | Session tokens are cryptographically random, bound to the authenticated session, and issued with industry-standard security attributes to prevent interception and reuse. Sessions are invalidated immediately upon logout. |
| Persistent login | Extended login sessions are opt-in only, implemented via a separate cryptographically random token distinct from the session credential, and are time-limited. |
| API authentication | Machine-to-machine access uses cryptographically random bearer tokens with sufficient entropy. Tokens are stored in hashed or constrained form; they cannot be reconstructed from stored values alone. |
| Client access | End customers access content via individual, non-guessable access codes. Access is strictly scoped to the content explicitly shared with that access code. |
| Privilege management | Administrative privileges are managed through a role-based access control model. Privilege escalation through the application layer is not possible; roles are enforced at the data layer. |
1.2 Logical Data Separation (Multi-Tenancy)
| Measure | Description |
|---|---|
| Database isolation | All data access is scoped to the authenticated account. Parameterised queries with mandatory account-scope checks are used throughout; cross-account data access is architecturally excluded. |
| File storage isolation | Each account's files are stored under a unique, randomly generated storage prefix that is not derivable from account metadata. Files are not directly publicly accessible; access is mediated by application-layer authorisation controls. |
| Client data scoping | End customers can only access content that has been explicitly shared with them. No lateral access to other photographers' content or other customers' data is possible. |
1.3 Encryption
| Measure | Description |
|---|---|
| Encryption in transit | All data transmissions between clients and the platform are encrypted using TLS in a version and configuration compliant with current BSI TR-02102-2 recommendations. Unencrypted connections are rejected. |
| Encryption at rest – file storage | Files stored in the cloud object storage (Cloudflare R2) are encrypted at rest using industry-standard symmetric encryption as provided and managed by the storage provider. |
| Encryption at rest – sensitive configuration | Credentials and secret keys stored in the database (e.g. third-party service credentials, cryptographic keys) are encrypted at rest using symmetric encryption with a key that is stored separately from the database. |
| Password storage | User passwords are stored exclusively as irreversible cryptographic hashes using a memory-hard algorithm. No plaintext or reversibly encoded passwords are retained anywhere in the system. |
2. Integrity (Art. 32(1)(b) GDPR)
| Measure | Description |
|---|---|
| Injection prevention | All database interactions use parameterised queries. Dynamic query construction from user-supplied input is prohibited by coding policy and enforced in code review. |
| Output encoding | All user-supplied content is subject to context-aware output encoding before rendering in web pages, preventing cross-site scripting (XSS) attacks. |
| Cross-site request forgery (CSRF) protection | All state-changing operations require a synchronised token that is validated server-side before any action is taken. Requests lacking a valid token are rejected. |
| Input validation | All inputs are validated server-side for type, length, format and permitted value ranges. Validation is performed independently of any client-side checks. |
| File upload security | Uploaded files are validated for type and content. Upload destinations are determined entirely by server-side logic; user-supplied path components are not used in file storage operations. |
| Automated abuse prevention | Automated rate limiting is applied to sensitive endpoints (e.g. contact form, authentication) to mitigate brute-force and automated abuse attacks. |
3. Availability and Resilience (Art. 32(1)(b) and (c) GDPR)
| Measure | Description |
|---|---|
| Redundant file storage | Uploaded files are stored in a georedundant cloud object storage service (Cloudflare R2) with a contractually guaranteed high-availability SLA. |
| Database backups | The database is backed up regularly. Backup frequency and retention are determined by the hosting provider's standard schedule. Controllers are additionally advised to use the platform's built-in export functions to maintain independent copies of their data. |
| Software maintenance | Server software and third-party dependencies are kept up to date. Security patches are prioritised and applied without undue delay upon release. |
| Anomaly monitoring | System logs are reviewed on a regular basis. Anomalies indicating potential security incidents or service degradation are investigated promptly. |
4. Recoverability (Art. 32(1)(c) GDPR)
| Measure | Description |
|---|---|
| Controller data export | Photographers can export their content (albums, photos, moodboards, call sheets) at any time using built-in download and PDF export functions, independently of the platform's operational status. |
| Backup restoration capability | Database backups and file storage can be restored from provider-managed snapshots. Restoration procedures are documented and tested. |
| Incident response process | A documented incident response process covers detection, containment, notification of affected controllers (within 36 hours of awareness), remediation, and a written post-incident report to affected controllers within 30 days of containment. |
5. Testing and Evaluation (Art. 32(1)(d) GDPR)
| Measure | Description |
|---|---|
| Security review process | Code changes are reviewed against a security checklist aligned with the OWASP Top 10 before deployment. Security considerations are a mandatory part of the development workflow. |
| Dependency vulnerability management | Third-party software dependencies are scanned for known vulnerabilities as part of the deployment process. Identified vulnerabilities are remediated based on their severity. |
| Periodic security assessment | Authentication flows, access control logic, file handling and external-facing interfaces are subject to periodic manual security review. Findings are remediated in order of risk. |
6. Pseudonymisation and Data Minimisation (Art. 32(1)(a) GDPR)
| Measure | Description |
|---|---|
| Client access codes | End customers can access shared galleries without providing a personal identifier. Authentication relies on non-guessable access codes; the platform does not require personal registration by clients. |
| Storage path obfuscation | Files are stored under paths that are not predictable from publicly visible information. Enumeration of other accounts' storage is not possible through the application or storage layer. |
| Data minimisation | Only the personal data necessary for the provision of the contracted service is collected and processed. No behavioural tracking or advertising profiling is performed. |
7. Sub-processor Controls
| Sub-processor | Role | Contractual safeguards |
|---|---|---|
| Cloudflare, Inc. (R2 Storage) | Cloud object storage for uploaded files | Data Processing Addendum; EU-US Data Privacy Framework (DPF) certification; SOC 2 Type II |
| Stripe Payments Europe, Ltd. | Payment processing and subscription billing | Data Processing Agreement; PCI-DSS Level 1 Service Provider; EU-based entity |
| Sendinblue SAS (Brevo) | Transactional email delivery | Data Processing Agreement (Art. 28 GDPR); ISO 27001 certified; EU-based processing |
Last updated: June 2026