Annex II: Technical and organisational measures

Strife maintains the following technical and organisational measures.

Access control

• Role-based access control on the principle of least privilege

• Passwordless authentication to the Strife Service. Strife does not store passwords.

• Multi-factor authentication for Strife personnel accessing production systems

• Centralised identity management and access logging

Encryption

• TLS encryption of all data in transit

• Encryption at rest for sensitive data categories

• Managed key rotation

Infrastructure security

• Hosting on infrastructure with industry-recognised certifications (Microsoft Azure, Hetzner)

• Primary database storage in EU regions

• Network segmentation and firewall controls

• Continuous monitoring and logging

Operational security

• Regular security reviews

• Vulnerability management and patch management processes

• Incident response procedures

• Background checks for Strife personnel with access to production systems

• Confidentiality obligations for all personnel

Organisational measures

• Internal data protection policies

• Personnel training on data protection and information security

• Business continuity and backup procedures

• Sub-processor management and oversight

• Personal data breach response procedures

Data subject rights support

• Tools within the Strife Service for the Customer to retrieve, rectify, or delete Personal Data of Data Subjects

• Export of data in machine-readable formats (JSON, CSV)