Technical and Organizational Measures (TOMs)

To protect personal data, we implement a variety of technical and organizational measures (TOMs) in accordance with Art. 32 GDPR (DSGVO). These measures ensure the confidentiality, integrity, availability, and resilience of systems and services that process personal data. This page provides an overview of the security measures implemented by Lumi Education UG (haftungsbeschränkt).

Responsible Entity

The responsible entity according to Art. 4 No. 7 GDPR is:

Lumi Education UG (haftungsbeschränkt)

Brückenstraße 8

38312 Ohrum

Germany

Email: [email protected]

The company is legally represented by Jan Philip Schellenberg.

Data Protection Officer

We have appointed an external Data Protection Officer (DPO):

heyData GmbH

Schützenstraße 5

10117 Berlin

Germany

Website: https://www.heydata.eu

Email: [email protected]

Confidentiality

Confidentiality ensures that personal data is protected from unauthorized access.

Physical Access Control

Measures prevent unauthorized persons from accessing systems that process personal data.

Examples include:

  • Employees are instructed not to work in public environments (e.g. cafés)

  • Work is primarily performed in home office environments

  • Employees are instructed to work in separate workspaces whenever possible

These measures reduce the risk of unauthorized physical access to devices and data.

System Access Control

Measures ensure that only authorized users can access systems.

Implemented safeguards include:

  • authentication using username and password

  • firewalls protecting infrastructure

  • disk encryption on devices

  • encrypted laptops and tablets

  • user role and permission management

  • two-factor authentication

  • visitor logging where applicable

  • requirement to lock devices when leaving workstations

Data Access Control

Access to personal data is restricted according to user roles.

Measures include:

  • logging of data access and system activities

  • limiting the number of system administrators

  • central user permission management

  • use of screen privacy filters where appropriate

  • internal policies limiting printing of personal data

  • controlled deletion procedures for personal data

Separation of Data

Measures ensure that data collected for different purposes is processed separately.

Examples include:

  • separation of production and testing environments

  • separate storage of pseudonymization mapping files

  • implementation of a permission and authorization concept

  • database-level access control

  • internal procedures to anonymize or pseudonymize data whenever possible

Integrity

Integrity ensures that personal data cannot be altered or manipulated without authorization.

Secure Data Transfer

To prevent unauthorized access during transmission or storage, the following safeguards are implemented:

  • encrypted Wi-Fi connections (WPA2)

  • logging of data access and transfers

  • secure transmission via encrypted protocols such as HTTPS or SFTP

  • use of cryptographic signing procedures where applicable

Input Control

Input control ensures traceability of who entered, modified, or deleted data.

Measures include:

  • logging of data entry, modification, and deletion

  • traceability through individual user accounts

  • permission-based control of data editing

  • clearly defined responsibilities for data deletion

  • internal procedures for controlled data removal

Availability and Resilience

To ensure the availability of services and protect against data loss, the following safeguards are implemented:

  • regular automated backups

  • documented backup and recovery procedures

  • hosting with professional infrastructure providers

These measures ensure that personal data remains available and protected against accidental loss or destruction.

Security Management and Review Processes

We regularly review and improve our data protection measures.

Data Protection Management

Organizational safeguards include:

  • use of the heyData platform for privacy management

  • appointment of an external Data Protection Officer

  • confidentiality agreements for employees

  • regular employee training on data protection

  • maintenance of a record of processing activities (Art. 30 GDPR)

Incident Response Management

Procedures are in place for responding to potential data protection incidents.

These include:

  • procedures for reporting data breaches to authorities (Art. 33 GDPR)

  • procedures for notifying affected individuals (Art. 34 GDPR)

  • involvement of the Data Protection Officer in incidents

  • use of security tools such as firewalls

Privacy by Design and Privacy by Default

Our platform is developed according to the principles of Art. 25 GDPR.

This includes:

  • internal training on privacy by design and privacy by default

  • collection of only the personal data necessary for the service provided

Processor Control

When subprocessors are used, we ensure that data processing follows strict requirements.

Measures include:

  • written data processing agreements (DPAs)

  • secure deletion of data after the end of processing

  • confirmation that subcontractors also commit employees to confidentiality

  • careful selection of subprocessors

  • continuous monitoring of subcontractors and their activities

Questions

If you have questions regarding our technical and organizational measures, data protection practices, or our Data Processing Agreement (AAV), please contact:

[email protected]