Note: This is a courtesy translation of the German original. The German version is legally binding.
Technical and Organizational Measures (TOM) – TRACE.App
As of: June 2026 | Version 1.0
These Technical and Organizational Measures (TOM) describe the security measures that TRACE Electricity GmbH, as Controller pursuant to Art. 32 GDPR, implements for the TRACE.App service. The measures serve to protect the personal data of TRACE.App users and reflect the current state of the art.
Annex B to the Data Processing Agreement TRACE.App: This document describes the Technical and Organizational Measures (TOM) pursuant to Art. 32 GDPR that TRACE Electricity GmbH, as Data Processor, implements for the TRACE.App service. It forms part of the Data Processing Agreement (DPA-App).
Infrastructure: TRACE.App is operated as a cloud SaaS on Cloudflare Pages (frontend) and Amazon Web Services / AWS (backend, database, API hosting, data storage) in the region eu-central-1 (Frankfurt, Germany). Auth0 (Okta EMEA Limited, EU tenant eu.auth0.com, eu-west-1 Ireland) is used for user authentication. AWS holds ISO 27001, SOC 2 Type II and BSI-C5 certifications. TRACE Electricity GmbH has no direct physical access to the server locations.
Principle: Privacy by Design and Privacy by Default (Art. 25 GDPR)
The processing of personal data is designed from the outset to comply with data protection requirements (Privacy by Design). By default, only the personal data necessary for the respective processing purpose is processed (Privacy by Default). This principle guides all Technical and Organizational Measures described below.
Measure 1
Physical Access Control
Prevention of unauthorised physical access to data processing equipment · Art. 32(1)(b) GDPR · Annex II No. 1 SCCs
- Server infrastructure is operated exclusively in AWS data centers (ISO 27001, SOC 2 Type II certified). AWS ensures comprehensive physical access control including multi-factor authentication, video surveillance and security personnel.
- No physical server access by TRACE employees. TRACE Electricity GmbH manages the infrastructure exclusively via encrypted remote API access.
- Cloudflare CDN and edge infrastructure with globally ISO-certified Points of Presence (PoPs); physical security rests entirely with Cloudflare.
- Office access to TRACE premises in Hamburg is secured by an electronic locking system with personal access credentials and an access log.
Measure 2
System Access Control
Prevention of unauthorised use of data processing systems · Art. 32(1)(b) GDPR · Annex II No. 2 SCCs
- Two-factor authentication (2FA/MFA) is mandatory for all internal systems, cloud consoles (AWS Management Console) and development platforms (GitHub).
- Multi-factor authentication (MFA): MFA is enforced for all administrator accounts (B2B corporate administrators). For regular end-user accounts, MFA is strongly recommended and can be made mandatory by the administrator.
- Password manager (1Password or Bitwarden) for all employees; minimum requirements: 16 characters, complexity rules (upper/lowercase, special characters, digits). No password reuse.
- Role-based access control (RBAC) following the Least Privilege Principle. Access rights are revoked immediately upon role change or departure.
- Automatic session timeout after 30 minutes of inactivity in all internal administration interfaces.
- All credentials are stored exclusively in encrypted form; plaintext passwords are not persisted anywhere.
Measure 3
Data Access Control
Prevention of unauthorised processing of data · Art. 32(1)(b) GDPR · Annex II No. 3 SCCs
- Database access occurs exclusively via authenticated and authorised API endpoints. No direct database connections from the frontend.
- All employee access to production systems and customer data is logged and auditable (audit trails).
- The production database is configured without direct developer access. Database access in production environments requires a separate, documented approval process.
- Staging and production environments are strictly separated. Production data is not used in test environments.
- Database passwords and API keys are stored exclusively in AWS Secrets Manager and rotated automatically. Database access rights are enforced via AWS IAM Policies and resource-based policies following the Least Privilege Principle.
Measure 4
Transfer Control
Securing personal data during transmission and transport · Art. 32(1)(a) GDPR · Annex II No. 4 SCCs
- All data transmissions between the end user and TRACE.App are encrypted exclusively via TLS 1.2 or TLS 1.3. Older protocol versions (SSL, TLS 1.0, TLS 1.1) are disabled.
- HTTPS is enforced (HTTP Strict Transport Security, HSTS with long max-age). HTTP requests are automatically redirected to HTTPS.
- All internal API communications (backend-to-backend, microservice communication) use exclusively encrypted HTTPS connections.
- Push notifications to user devices are delivered via encrypted connections (AWS SNS or comparable service). Transactional emails are sent with DKIM, SPF and DMARC protection.
- Customer data is not transmitted via unencrypted communication channels (e.g. unencrypted email, FTP).
Measure 5
Processing Control
Logging of data inputs and modifications · Art. 32(1)(b) GDPR · Annex II No. 5 SCCs
- All security-relevant actions — in particular changes to user data, configurations and permissions — are recorded in audit logs. Each log entry contains a timestamp, the acting person (user ID), the affected object and the type of change.
- Audit logs are stored in AWS CloudWatch Logs (retention period: at least 12 months). Authentication events (login, logout, token refresh) are logged by Auth0 (EU tenant) and retained for 30 days. No transfer to third countries.
- Retention of audit logs: at least 12 months on a rolling basis (legal basis: Art. 6(1)(c) GDPR in conjunction with statutory record-keeping obligations under §§ 147 AO, 257 HGB; system logs without statutory retention obligation are deleted after 90 days).
Measure 6
Availability Control
Data processing exclusively in accordance with the Controller's instructions · Art. 28(3) GDPR · Annex II No. 6 SCCs
- Role clarification: TRACE Electricity GmbH acts as Data Processor pursuant to Art. 4 No. 8 GDPR within the scope of the Data Processing Agreement (DPA). The processing of personal data takes place exclusively on the documented instructions of the client (Controller pursuant to Art. 4 No. 7 GDPR). For end users (B2C) of TRACE.App, TRACE Electricity GmbH acts as Controller pursuant to Art. 4 No. 7 GDPR on the basis of the TRACE.App Privacy Policy. For B2B corporate accounts (DPA scope), this TOM applies as Annex B to the DPA within the scope of data processing pursuant to Art. 4 No. 8 GDPR.
- Data Processing Agreements (DPA) pursuant to Art. 28 GDPR have been concluded with all sub-processors engaged. Current sub-processors: Amazon Web Services EMEA SARL (primary infrastructure, backend, database, hosting), Okta EMEA Limited / Auth0 (user authentication, EU tenant), Cloudflare Germany GmbH (CDN, DDoS protection).
- Sub-processors are carefully selected and only engaged where they provide sufficient guarantees of compliance with GDPR requirements (Art. 28(1) GDPR).
- Employees with access to personal data are bound by a confidentiality obligation and have been instructed on data protection requirements.
Measure 7
Availability Control
Protection against data loss and ensuring availability · Art. 32(1)(b),(c) GDPR · Annex II No. 7 SCCs
- Daily automated backups to AWS S3 (encrypted, versioning enabled). Backup retention period: 35 days.
- Point-in-Time Recovery (PITR) for the production database is enabled. Restoration to any point in time within the retention window is possible.
- AWS database services are operated as fully managed, highly available services with automatic Multi-AZ replication. Individual zone failures are compensated without manual intervention.
- Cloudflare as DDoS protection (Layer 3/4/7) and high-availability CDN. Failures of individual edge locations are automatically compensated by the global network.
- Continuous system health monitoring via AWS CloudWatch with automatic alarms and SNS notifications. Critical alerts are escalated to the on-call team.
- Backups are stored encrypted and tested regularly for recoverability.
Measure 7b
System Resilience
Ongoing assurance of the resilience of systems and services · Art. 32(1)(b) GDPR
- Multi-AZ Deployment: TRACE.App is distributed across multiple AWS Availability Zones. Failure of one zone results in automatic failover without data loss.
- Automatic Failover: Load balancers and health checks detect failures and automatically route requests to available instances (Recovery Time Objective: < 5 minutes).
- Circuit Breaker: Faulty downstream services are automatically isolated to prevent cascading failures.
- Horizontal Scaling: Auto-scaling groups automatically adjust capacity to load peaks to prevent overloads.
- Recovery Point Objective (RPO): Through continuous database replication, the maximum tolerable data loss is < 1 hour.
- Resilience Tests: Regular tests of recovery procedures (at least annually) ensure the effectiveness of the measures.
Measure 8
Separation
Purpose-bound separation of data from different clients · Art. 5(1)(b), Art. 32(1)(b) GDPR · Annex II No. 8 SCCs
- User data is logically isolated by user-specific IDs. Access to other users' data is technically precluded by AWS IAM Policies and resource-based access rules at database level.
- Production and test data are strictly separated. Production data is not used for development or testing purposes.
- Marketing data (Google Analytics 4, LinkedIn Insight Tag) is collected on the TRACE marketing website and is kept completely separate from the data processed on behalf of clients under the DPA. No merging takes place.
Measure 9
Pseudonymisation and Encryption
Encryption and pseudonymisation of personal data · Art. 32(1)(a) GDPR · Annex II No. 9 SCCs
- Database fields containing particularly sensitive personal data are additionally encrypted at application level with AES-256 (encryption at rest at field level).
- Database data is automatically encrypted at rest with AES-256. Key management is handled via AWS Key Management Service (AWS KMS).
- Database backups on AWS S3 are stored encrypted (AES-256, AWS KMS).
- User passwords are stored exclusively as bcrypt hashes with an appropriate work factor. Plaintext passwords are never persisted or output in logs at any point.
Measure 10
Incident Management and Data Breach Notification
Response to security incidents and notification of data breaches · Art. 33, 34 GDPR · Annex II No. 10 SCCs
- An internal incident response procedure is documented and known to all relevant employees. It governs the detection, escalation, containment, remediation and follow-up of security incidents.
- In the event of a personal data breach, the Controller (client) will be informed without delay, at the latest within 24 hours of becoming aware of it (Art. 33(2) GDPR). Notification to the competent supervisory authority is the responsibility of the Controller.
- Contact for data breaches and privacy-relevant security incidents: privacy@trace-electricity.com (primary) and contact@trace-electricity.com (technical escalation). Notifications to the Controller (client) are always sent via privacy@trace-electricity.com in accordance with DPA-App § 10.
- Security incidents are documented and their root causes analysed as part of the follow-up. Findings feed into the ongoing development of security measures.
Measure 11
Network Security
Network and perimeter protection · ISO 27001:2022 Control 8.20–8.22 · BSI IT-Grundschutz NET modules
- Use of Virtual Private Cloud (VPC) with strict security group configuration on AWS
- Web Application Firewall (WAF) for protection against OWASP Top 10 attacks
- DDoS protection via AWS Shield Standard
- Encryption of all database connections (TLS 1.2/1.3)
- Regular review of network configurations (at least quarterly)
- Network segmentation: production, test and development environments are strictly separated
Measure 12
Vulnerability Management and Patch Management
Vulnerability management · ISO 27001:2022 Control 8.8 · BSI OPS.1.1.3
- Regular security scans (automated, at least weekly via AWS Inspector / dependency scanner)
- Patching of critical vulnerabilities within 72 hours of publication
- Patching of important vulnerabilities within 14 days
- Dependency scanning of all libraries in use (Software Composition Analysis, SCA)
- Penetration tests at least once a year by external auditors
Penetration Tests and Vulnerability Analyses
Scope: All production systems of the TRACE.App infrastructure (AWS eu-central-1), including web APIs, authentication layers (Auth0, EU tenant), database access and network configurations.
Methodology: Based on the OWASP Testing Guide (v4.2) and BSI IT-Grundschutz Compendium. Tests cover: OWASP Top 10, API security tests (OWASP API Security Top 10), authentication and authorisation tests.
Interval: At least once a year and after significant infrastructure changes (major releases, infrastructure migration).
Execution: External, qualified security service provider (OSCP-certified or equivalent) or internal security review with equivalent qualification.
Remediation: Critical vulnerabilities (CVSS ≥ 7.0): remediation within 72 hours. High vulnerabilities (CVSS 4.0–6.9): remediation within 30 days.
Documentation: Audit reports are retained internally for 3 years and must be made available to supervisory authorities on request (Art. 5(2) GDPR accountability obligation).
Measure 13
Employee Training and Security Awareness
Training and security awareness · Art. 32(4) GDPR · ISO 27001:2022 Annex A 6.3 · BSI ORP.3
- Mandatory training in data protection and information security for all employees (at least annually)
- Phishing awareness and regular phishing simulations (at least semi-annually)
- Confidentiality obligation (in writing) for all employees with access to data
- Briefing on incident response procedures
- Documentation of all training sessions conducted
Measure 14
Business Continuity and Disaster Recovery
Availability and recoverability · Art. 32(1)(c) GDPR · ISO 27001:2022 Annex A 5.30
- Recovery Time Objective (RTO): max. 4 hours for critical system components
- Recovery Point Objective (RPO): max. 1 hour (maximum data loss)
- Automated daily backups to geographically separate AWS regions
- Annual DR test with documented result
- Incident response plan with defined escalation levels
Data Usage and AI Training
TRACE.App does not use AI services or third-party machine learning models. User data is not used for training AI or machine learning models. All processing is based on deterministic algorithms and rule-based evaluations.
DPIA Threshold Assessment (Art. 35 GDPR)
TRACE Electricity GmbH has conducted a threshold assessment pursuant to Art. 35(1) GDPR and the DSK positive list (Data Protection Conference, October 2019) for processing within the TRACE.App service. The processing of energy consumption data in the B2B context (companies as data subjects) does not, based on current knowledge, exceed the threshold triggering a Data Protection Impact Assessment (DPIA) obligation, as no special categories of data pursuant to Art. 9 GDPR are processed and the data subjects are legal persons. The assessment will be repeated upon material changes to the processing activity.
Validity and Updates
These TOM document the Technical and Organizational Measures of TRACE Electricity GmbH pursuant to Art. 32 GDPR for the TRACE.App service (as Controller for B2C users and as Data Processor pursuant to Art. 4 No. 8 GDPR for B2B corporate accounts within the scope of the DPA-App). TRACE Electricity GmbH reviews and updates the TOM regularly and upon material changes to the infrastructure or the threat landscape.
The measures described here reflect the state of the art at the time of preparation and are continuously reviewed and adapted as required.