Technical and Organizational Measures (TOMs)
Infrastructure and Data Flows According to Art. 32 GDPR
Version: 2.3
Date: July 15, 2025
Responsible: Nils Weiser
1. General Information
Company:
Memoro GmbH
Reichenaustraße 11a
78467 Konstanz
Email: [email protected]
Phone: +49 176 444 343 85
Data Protection Officer:
Nils Weiser
Email: [email protected]
Phone: +49 176 444 343 85
Introduction: Infrastructure and Data Flows
This document transparently describes our technical infrastructure and the processing of your data. Our top priority is protecting your privacy: We will never view or sell your data. We specifically rely on solutions that meet the highest European data protection standards and are steadily reducing our dependence on non-European providers.
The Path of Your Data at Memoro
- Recording and Storage: The audio file is stored securely on your device, then encrypted and uploaded to Supabase (Frankfurt, Germany).
- Transcription: Processing by Microsoft Azure (Sweden, EU) with state-of-the-art transcription models.
- File Conversion (if needed): Google Cloud (Frankfurt) for non-standardized formats.
- Analysis and "Memories":
  - Google Gemini (Belgium, EU)
  - Azure OpenAI (Sweden, EU)
  - No use for model training; automatic deletion after a maximum of 30 days
- Final Storage: Supabase database (Frankfurt, Germany)
2. Purpose of this Document
This document describes the technical and organizational measures (TOMs) of Memoro GmbH according to Art. 32 GDPR to ensure an appropriate level of protection for personal data.
3. Technical Measures
3.1 Access Control and Authentication
Cloud Services
- Individual user accounts (no shared logins)
- Multi-factor authentication (MFA) for critical systems
- Password manager (1Password) with security monitoring
- Watchtower function for compromised passwords
Device Security
- Mandatory use of 1Password
- Current security updates
- Activated firewall and antivirus
3.2 Data Encryption
- Transport: TLS 1.2/1.3 for all cloud communications
- Storage: AES-256 for stored data
- End-to-End: For particularly sensitive data
3.3 Backup and Emergency Management
3-2-1 Backup Strategy
- 3 copies in different storage locations
- 2 different media types
- 1 backup at separate location
- Daily encrypted backups
- Point-in-time recovery available
3.4 Logging and Monitoring
- Automatic logging of all accesses
- Tamper-proof (audit-proof) storage of audit logs
- Automatic notification for critical events
- Regular review by data protection officer
4. Organizational Measures
4.1 Data Protection Policies and Training
- Binding internal data protection policies
- Confidentiality agreements (Art. 5 and 32 GDPR)
- Regular data protection training
- Data protection in onboarding of new employees
4.2 Permission Management
- Need-to-know principle
- Documented rights allocation
- Regular review of access rights
- Logging of all accesses
4.3 Deletion Concept
Regular Deletion Periods
| Data Category | Storage Period & Deletion |
|---|---|
| Content Data (Audio, Transcripts, Memories) | As long as the account exists; immediate deletion upon user request |
| Account Data | Deletion within 30 days after a deletion request |
| Technical Logs | Maximum 90 days |
| Analytics Data (PostHog) | Maximum 12 months |
| Backups | Maximum 30 days retention |
Special Regulations for Organizations
- Individual automatic deletion periods according to DPA
- Automated deletion processes with monitoring
- Monthly compliance reports
5. Sub-processors
Main Service Providers
| Service Provider | Purpose | Location | Compliance |
|---|---|---|---|
| Supabase | Backend & Database | Frankfurt, DE | SOC 2 Type II, GDPR |
| Microsoft Azure | Transcription & AI | Sweden, EU | ISO 27001, SOC 1/2/3, GDPR |
| Google Cloud | Conversion & AI | Frankfurt/Belgium, EU | ISO 27001, SOC 1/2/3, GDPR |
| PostHog | Product Analytics* | Frankfurt, DE (EU hosting) | SOC 2 Type II, GDPR |

*Can be deactivated for organizational customers
6. Risk Analysis and Countermeasures
Technical Risks
| Risk | Countermeasures |
|---|---|
| Data Loss | 3-2-1 backup strategy, emergency plans |
| Unauthorized Access | AES-256, Zero-Trust model |
| Hacker Attacks | DDoS protection, IDS, rate limiting |
| API Abuse | OAuth 2.0, rate limits |
Organizational Risks
| Risk | Countermeasures |
|---|---|
| Missing Training | Regular training, certifications |
| External Service Providers | DPA, compliance checks |
7. Certifications and Compliance
Microsoft Azure
- ISO/IEC 27001, 27017, 27018, 27701
- SOC 1, 2, 3
- EU GDPR compliant
- EU Data Boundary
Google Cloud
- ISO/IEC 27001, 27017, 27018, 27701
- SOC 1, 2, 3
- EU Cloud Code of Conduct
- C5:2020 (BSI, Germany)
Supabase
- SOC 2 Type II
- HIPAA compliant
- DPA with SCCs
PostHog
- SOC 2 Type II
- EU-U.S. Data Privacy Framework
- GDPR compliant
8. Regular Review
- Annual review of TOMs
- Immediate adjustment for:
  - Infrastructure changes
  - New legal requirements
  - Security incidents
- Internal audits at least annually
- Documentation of all changes with versioning
9. Data Processing Agreement (DPA)
For organizational customers, we offer a standardized DPA according to Art. 28 GDPR with:
- Specific processing activities
- Special configurations
- Additional TOMs
- Sub-processor regulations
Contact: [email protected]
10. Contact
For questions about our technical and organizational measures, please contact:
Data Protection Officer
Nils Weiser
Memoro GmbH
Reichenaustraße 11a
78467 Konstanz
Email: [email protected]
Phone: +49 176 444 343 85
This document is regularly reviewed and updated as needed. The current version can be found in our Privacy Center.