Note: This is a courtesy translation of the German original. The German version is legally binding.

Technical and Organizational Measures (TOM) – TRACE.Parser

As of: June 2026  |  Version 1.0  |  Annex to the Data Processing Agreement (DPA) – TRACE.Parser

These Technical and Organizational Measures (TOM) describe the security measures that TRACE Electricity GmbH, acting as Data Processor pursuant to Art. 28(3)(c) GDPR and Annex II of the EU Standard Contractual Clauses (SCCs, Decision 2021/914), implements for the TRACE.Parser service (parser.trace-electricity.com). The measures apply to all personal data processed in the context of data processing by TRACE.Parser.

AI Security Measures

Measure | Description
Data Minimisation for AI Requests | Before transmission to AI APIs, electricity production profile data is reduced to the minimum necessary for analysis. Company-identifying attributes are removed or pseudonymised prior to the AI request (Minimum Necessary Data Principle, Art. 5(1)(c) GDPR).
Prompt Injection Protection | All user-provided inputs processed as part of an AI request undergo input validation (special character escaping, system prompt isolation). AI outputs are checked for injection patterns before being rendered in the application (Output Sandboxing). System prompts are technically isolated from user prompts.
API Key Management | API keys for OpenAI, Anthropic and AWS AI services are stored separately in AWS Secrets Manager and rotated regularly. Each AI provider receives its own API key with minimal scope (Least Privilege). All accesses are logged in CloudWatch.
AI Request Logging | Significant AI requests (excluding personal raw values) and associated metadata (timestamp, provider, request length) are logged for 30 days and can be made available for review upon request by the Controller.
Anonymisation for AI Improvement | Production profiles used to improve the quality of TRACE.Parser analysis are irreversibly anonymised in advance: (1) removal of all company-identifying attributes (name, ID, location, connection identifier), (2) aggregation to time-interval level, (3) k-anonymity (k≥5): each data point is indistinguishable from at least 4 others, (4) Differential Privacy: statistical noise techniques. Customers may object to the use of their data: privacy@trace-electricity.com.

Annex B to the Data Processing Agreement (DPA) – TRACE.Parser: This document describes the Technical and Organizational Measures (TOM) pursuant to Art. 32 GDPR that TRACE Electricity GmbH, as Data Processor, implements for the TRACE.Parser service. It forms an integral part of the Data Processing Agreement (DPA – Parser).

Infrastructure: TRACE.Parser is operated as a Cloud SaaS on Cloudflare Pages (frontend) and Amazon Web Services (AWS) (backend, database, storage, email). Both providers hold ISO 27001 and SOC 2 certifications. TRACE Electricity GmbH has no direct physical access to server locations.

Principle: Privacy by Design and Privacy by Default (Art. 25 GDPR)

The processing of personal data is designed from the outset to comply with data protection requirements (Privacy by Design). By default, only the personal data necessary for each specific processing purpose is processed (Privacy by Default). This principle governs all technical and organizational measures described below.

Measure 1

Physical Access Control

Prevention of unauthorised physical access to data processing facilities · Art. 32(1)(b) GDPR · Annex II No. 1 SCCs
  • Server infrastructure is operated exclusively in AWS data centres (ISO 27001, SOC 2 Type II certified). AWS ensures comprehensive physical access control including multi-factor authentication, video surveillance and security personnel.
  • No physical server access by TRACE employees. TRACE Electricity GmbH manages the infrastructure exclusively via encrypted remote API access.
  • Cloudflare CDN and edge infrastructure with globally ISO-certified Points of Presence (PoPs); physical security is the sole responsibility of Cloudflare.
  • Access to TRACE office premises in Hamburg is secured by an electronic locking system with personalised access credentials and an access log.

Measure 2

Access Control

Prevention of unauthorised use of data processing systems · Art. 32(1)(b) GDPR · Annex II No. 2 SCCs
  • Two-factor authentication (2FA/MFA) is mandatory for all internal systems, cloud consoles (AWS, Cloudflare) and development platforms (GitHub, Vercel).
  • Password manager (1Password or Bitwarden) for all employees; minimum requirements: 16 characters, complexity rules (uppercase/lowercase, special characters, digits). No password reuse.
  • Role-based access control (RBAC) following the principle of least privilege. Access rights are revoked immediately upon change of role or departure.
  • Automatic session timeout after 30 minutes of inactivity in all internal administration interfaces.
  • All credentials are stored exclusively in encrypted form; plaintext passwords are not persisted at any point.

Measure 3

Data Access Control

Prevention of unauthorised processing of data · Art. 32(1)(b) GDPR · Annex II No. 3 SCCs
  • Database accesses are made exclusively via authenticated and authorised API endpoints. No direct database connections from the frontend.
  • All employee accesses to production systems and customer data are logged and auditable (audit trails).
  • The production database is configured without direct developer access. Database access in production environments requires a separate, documented authorisation process.
  • Staging and production environments are strictly separated. Production data is not used in test environments.
  • Database passwords and API keys are stored exclusively in AWS Secrets Manager and rotated automatically.
  • Specific data access control measures: Multi-factor authentication (MFA) for all administrator access to AWS infrastructure; role-based access control (RBAC) via AWS Identity and Access Management (IAM); Least Privilege principle (minimum permissions per role); regular IAM policy reviews (quarterly); logging of all administrator access via AWS CloudTrail.

Measure 4

Transfer Control

Protection of personal data during transmission and transport · Art. 32(1)(a) GDPR · Annex II No. 4 SCCs
  • All data transmissions between end users and TRACE.Parser are encrypted exclusively via TLS 1.2 or TLS 1.3. Older protocol versions (SSL, TLS 1.0, TLS 1.1) are disabled.
  • HTTPS is enforced (HTTP Strict Transport Security, HSTS with long max-age). HTTP requests are automatically redirected to HTTPS.
  • All internal API communications (backend-to-backend, microservice communication) are conducted exclusively over encrypted HTTPS connections.
  • Email delivery of system notifications and transactional emails is handled via AWS SES with DKIM, SPF and DMARC signatures to ensure integrity and authenticity.
  • Customer data is not transmitted via unencrypted communication channels (e.g. unencrypted email, FTP).

Measure 5

Input Control

Logging of data inputs and modifications · Art. 32(1)(b) GDPR · Annex II No. 5 SCCs
  • All security-relevant actions — in particular changes to user data, configurations and permissions — are recorded in audit logs. Each log entry contains a timestamp, the performing party (user ID), the affected object and the type of change.
  • Log data is stored in AWS CloudWatch. For elevated protection needs, logs can be secured against subsequent manipulation using S3 Object Lock (COMPLIANCE mode).
  • Retention of audit logs: at least 12 months on a rolling basis (legal basis: Art. 6(1)(c) GDPR in conjunction with statutory record-keeping obligations under §§ 147 AO, 257 HGB; system logs without statutory retention obligations are deleted after 90 days).

Measure 6

Processing Control

Data processing exclusively in accordance with the Controller's instructions · Art. 28(3) GDPR · Annex II No. 6 SCCs
  • A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR has been concluded with the Controller. Personal data is processed exclusively on the basis of and within the scope of this DPA.
  • Sub-processors are engaged only with the prior written approval of the Controller (in accordance with DPA § 8 — Engagement of sub-processors). Current sub-processors: Amazon Web Services EMEA SARL (hosting, database, email via SES), Cloudflare Germany GmbH (CDN, DDoS protection), Okta EMEA Limited (Auth0) (1 Beckett Way, Dublin 12, Ireland; user authentication, EU tenant eu.auth0.com, AWS eu-west-1; no third-country transfer).
  • Instructions from the Controller are documented and executed in full. TRACE Electricity GmbH informs the Controller without undue delay if, in TRACE's assessment, an instruction would violate data protection law.
  • Employees with access to personal data are bound to confidentiality and have been instructed on data protection requirements.

Measure 7

Availability Control

Protection against data loss and ensuring availability · Art. 32(1)(b)(c) GDPR · Annex II No. 7 SCCs
  • Daily automated database backups via AWS RDS Automated Backups. Backup retention period: 35 days.
  • Point-in-Time Recovery (PITR) for the production database is enabled. Recovery to any point in time within the retention window is possible.
  • Upload file retention and data deletion: Temporary upload files (CSV electricity production profiles): automatically deleted from processing servers after completion of analysis (max. 24 hours after upload). Persistent analysis results: deleted within 30 days after end of contract. Technical implementation: automated deletion routines via AWS Lambda with logging.
  • Multi-AZ database deployment (AWS RDS Multi-AZ): automatic failover to the standby instance in the event of failure of the primary database instance. Failover target: under 60 seconds.
  • Cloudflare as DDoS protection (Layer 3/4/7) and high-availability CDN. Failures of individual edge locations are automatically compensated by the global network.
  • Continuous system health monitoring via AWS CloudWatch with automatic alarms. Critical alerts are escalated to the on-call service via PagerDuty.
  • Backups are stored encrypted and regularly tested for restorability.

Measure 7b

Resilience / System Resilience (Art. 32(1)(b) GDPR)

Ongoing assurance of resilience of systems and services · Art. 32(1)(b) GDPR
  • Multi-AZ Deployment: TRACE.Parser is distributed across multiple AWS Availability Zones. Failure of one zone results in automatic failover without data loss.
  • Automatic Failover: Load balancers and health checks detect failures and automatically redirect requests to available instances (Recovery Time Objective: < 5 minutes).
  • Circuit Breaker: Faulty downstream services are automatically isolated to prevent cascading failures.
  • Horizontal Scaling: Upload processing queue (AWS SQS) decouples CSV uploads from analysis processing and prevents system overload at high upload volumes.
  • Recovery Point Objective (RPO): Through continuous database replication, the maximum tolerable data loss is < 1 hour for analysis results.
  • Resilience Testing: Regular tests of recovery procedures (at least annually) ensure the effectiveness of the measures.

Measure 8

Separation

Purpose-bound separation of data from different Controllers · Art. 5(1)(b), Art. 32(1)(b) GDPR · Annex II No. 8 SCCs
  • Customer data from different Controllers is stored and processed in logically separate environments (tenant ID-based isolation at database level). Cross-Controller data access is technically precluded.
  • Production and test data are strictly separated. Production data is not used for development or testing purposes.
  • Marketing data (Google Analytics 4, LinkedIn Insight Tag) is collected on the TRACE marketing website and is fully separated from data processed in the context of data processing activities. No merging takes place.

Measure 9

Pseudonymisation and Encryption

Encryption and pseudonymisation of personal data · Art. 32(1)(a) GDPR · Annex II No. 9 SCCs
  • Database fields containing particularly sensitive personal data are additionally encrypted at application level using AES-256 (encryption at rest at field level).
  • AWS EBS volumes (virtual hard drives of application servers) are fully encrypted with AES-256. Key management via AWS Key Management Service (KMS).
  • Database backups are stored encrypted (AES-256, AWS KMS).
  • S3 Bucket Encryption: AWS S3 buckets for stored electricity production profiles are server-side encrypted (SSE-KMS / AES-256 via AWS Key Management Service). Access only via encrypted HTTPS connections. Bucket policies prevent public access (S3 Block Public Access enabled for all buckets). S3 Object Lock is enabled for audit log buckets in COMPLIANCE mode to prevent subsequent manipulation.
  • User passwords are stored exclusively as bcrypt hashes with an appropriate work factor. Plaintext passwords are neither persisted nor output in logs at any time.

Measure 11

Network Security

Network and perimeter protection · ISO 27001:2022 Control 8.20–8.22 · BSI NET modules
  • All administrative access to the AWS console and resources is via AWS VPN or AWS SSO with MFA (Region eu-central-1, Frankfurt)
  • AWS Security Groups and Network ACLs restrict network access to production systems on an allowlist basis (Least-Privilege Network)
  • RDS database instances are located in a private subnet with no direct internet access
  • AWS WAF (Web Application Firewall) is active in front of API endpoints (protection against OWASP Top 10)
  • DDoS protection via AWS Shield Standard
  • Encryption of all database connections (TLS 1.2/1.3)
  • Regular review of network configurations (at least quarterly)
  • Network segmentation: production, test and development environments are strictly separated

Measure 12

Vulnerability Management and Patch Management

Vulnerability management · ISO 27001:2022 Control 8.8 · BSI OPS.1.1.3
  • Regular security scans (automated, at least weekly via AWS Inspector / dependency scanner)
  • Patching of critical vulnerabilities within 72 hours of publication
  • Patching of significant vulnerabilities within 14 days
  • Dependency scanning of all deployed libraries (Software Composition Analysis, SCA)
  • Penetration tests at least once annually by external auditors

Penetration Tests and Vulnerability Analyses

Scope: All production systems of TRACE.Parser (AWS eu-central-1), including Parser web APIs, upload endpoints, analysis engine and database access.

Methodology: Based on the OWASP Testing Guide (v4.2). Tests cover: OWASP Top 10, API security tests (OWASP API Security Top 10), input validation (CSV upload security), authentication tests.

Interval: At least once annually and after significant infrastructure changes (Art. 32(1)(d) GDPR: regular review).

Remediation: Critical vulnerabilities (CVSS ≥ 7.0): remediation within 72 hours. High vulnerabilities (CVSS 4.0–6.9): remediation within 30 days.

Documentation: Audit reports are retained internally for 3 years (Art. 5(2) GDPR accountability principle).

Measure 13

Employee Training and Security Awareness

Training and awareness · Art. 32(4) GDPR · ISO 27001:2022 Annex A 6.3 · BSI ORP.3
  • Mandatory training on data protection and information security for all employees (at least annually)
  • Phishing awareness and regular phishing simulations (at least semi-annually)
  • Confidentiality obligation (in writing) for all employees with data access
  • Briefing on incident response procedures
  • Documentation of all completed training sessions

Measure 14

Business Continuity and Disaster Recovery

Availability and restorability · Art. 32(1)(c) GDPR · ISO 27001:2022 Annex A 5.30
  • Recovery Time Objective (RTO): max. 4 hours for critical system components
  • Recovery Point Objective (RPO): max. 1 hour (maximum data loss)
  • Automated daily backups to geographically separate AWS regions (eu-central-1 Frankfurt, replication to additional EU region)
  • AWS RDS Multi-AZ deployment for automatic failover (< 60 seconds)
  • Annual DR test with documented result
  • Incident response plan with defined escalation levels

Measure 10

Incident Management and Data Breach Notification

Response to security incidents and data breach notification · Art. 33, 34 GDPR · Annex II No. 10 SCCs
  • An internal incident response procedure is documented and known to all relevant employees. It governs detection, escalation, containment, remediation and post-incident review of security incidents.
  • In the event of a personal data breach, the Controller will be notified without undue delay, and at the latest within 24 hours of becoming aware of the incident (Art. 33(2) GDPR). Notification to the competent supervisory authority is the responsibility of the Controller.
  • Contact for data breaches and security incidents with data protection relevance: privacy@trace-electricity.com (primary) and contact@trace-electricity.com (technical escalation). Notifications to the Controller are always sent via privacy@trace-electricity.com in accordance with DPA-Parser § 12.
  • Security incidents are documented and analysed for root causes during post-incident review. Findings feed into the ongoing improvement of security measures.

AI-Assisted Analysis and Model Training

TRACE Electricity GmbH processes uploaded production data (CSV files) within the scope of the TRACE.Parser service exclusively for the purposes agreed under contract. The following providers are engaged as sub-processors for AI-assisted analysis: OpenAI, LLC (San Francisco, USA), Anthropic PBC (San Francisco, USA) and AWS AI services via Amazon Web Services EMEA SARL (Luxembourg). Use of this data for training AI or machine learning models only takes place on the basis of a separate, freely revocable consent from the Controller pursuant to Art. 6(1)(a) GDPR. This consent is voluntary and has no bearing on the provision of the analysis service. The Controller may revoke consent at any time by email to privacy@trace-electricity.com.

Scope and Updates

These TOM constitute a binding annex to the Data Processing Agreement (DPA) between TRACE Electricity GmbH and the respective Controller for the TRACE.Parser service. TRACE Electricity GmbH is entitled to update the TOM provided that the security level is not thereby reduced. Material changes will be communicated to the Controller in advance.

The measures described here reflect the state of the art at the time of preparation and are continuously reviewed and updated as required.
