Technical and organisational measures
How we protect data technically and organisationally.
Translation notice — The German version of this document ("Technisch-organisatorische Maßnahmen") is the legally binding original and forms part of our DPA. This English translation is provided for informational purposes only. In case of any conflict between this translation and the German version, the German text shall govern.
Technical and organisational measures (TOMs)
Description of the technical and organisational measures pursuant to Art. 32 GDPR. The TOMs are part of our DPA.
Confidentiality
- Physical access control: Servers in a Hetzner data centre (Germany) with physical access control, multi-factor authentication for staff
- System access control: SSH access only via certificate-based authentication (ED25519), no passwords; staff database access logged
- Separation control: Tenant separation at database level via team IDs, automatic scoping in all queries
- Pseudonymisation: applied wherever possible (e.g. for analytics data)
Integrity
- Input control: All data modifications are audited (Laravel auditing trail)
- Transfer control: TLS 1.3 for all connections, public-key pinning for API endpoints
Availability and resilience
- Availability control: Daily automated database backups with 30-day retention, documented disaster-recovery plan
- Recoverability: RTO < 4 hours, RPO < 24 hours
- Load tolerance: Queue workers (Supervisor) with auto-restart, OPcache reload on deploys
Procedure for regular review
- Monthly automated security audits via a publicly documented skill — results published at /en/trust/security-audits
- Ad-hoc audits before every major deploy involving auth-touching code
- Patch management: Critical-severity CVEs are patched within 72 hours, high-severity within 7 days
- Penetration tests: External pen-tests annually (planned from Q3 2026; results aggregated on /trust/security-audits)
Encryption
- TLS 1.3 (HSTS, max-age ≥ 1 year)
- Database encryption in transit
- Backups encrypted (AES-256)
- Password hashing: bcrypt (cost ≥ 10), API tokens via Laravel Sanctum (SHA-256-hashed)
Order control (sub-processors)
Selection of sub-processors is preceded by due-diligence review (DPA available, EU region or valid third-country safeguards). Full list at /en/trust/sub-processors. Changes are communicated with 14 days advance notice.
Staff awareness
- Commitment to data secrecy at onboarding
- Annual AI-literacy and data-protection training (see /en/trust/ai-literacy)
- Documented incident-response plan; defined escalation chain
This document forms part of the DPA in Annex 2. As of 2026-05-03. Material changes will be communicated to business customers.
Last update: 2026-05-03