Technical and Organizational Measures (TOMs)

Version: 1.0
Last Updated: 2026-05-29

This document describes the technical and organizational measures implemented by Mobile Worker Systems Sweden AB (the “Company”) to protect Personal Data Processed in connection with the Line Inspector Service, as referenced in the Data Processing Agreement.

These measures are designed to provide a level of security appropriate to the risk under GDPR Article 32. They are organized into two parts:

Part A — Committed Baseline Measures. Measures the Company commits to maintain as the minimum security baseline for the Service. These are contractual commitments.
Part B — Additional Measures. Measures the Company implements as good practice and may enhance, change, or extend over time. These are examples, not contractual minimums.

Part A — Committed Baseline Measures

The Company commits to maintain at least the following measures for the Service. The Company may strengthen these measures at any time. The Company will not materially reduce the measures in this Part A during a Subscription Term without notice to Customer in accordance with the ToS notice provisions.

A.1 Confidentiality and Access

Measure	Commitment
Personnel confidentiality	Personnel with access to Customer Data are subject to written confidentiality obligations under their employment contracts or equivalent agreements.
Need-to-know access	Access to production systems containing Customer Data is restricted to personnel with a documented business need.
Multi-factor authentication	Multi-factor authentication is required for all administrative access to production systems.
Access geography	Administrative and support access to Customer Data is restricted as described in DPA Section 7.2.
Access control	Access to Personal Data is controlled through authentication, authorization, and logging mechanisms designed to ensure that only authorized personnel can access Customer Data.

A.2 Integrity

Measure	Commitment
Encryption in transit	Customer Data transmitted over public networks is encrypted using industry-standard transport encryption (TLS).
Encryption at rest	Customer Data stored within the Service is encrypted at rest using encryption controls provided by the underlying cloud infrastructure, including industry-standard algorithms (for example AES-256).
Role-based access	Application-level role-based access controls restrict access to Customer Data based on Customer-configured permissions.
Audit logging	Security-relevant events such as authentication and administrative activity are logged.
Processing limitation	Processing of Personal Data is limited to what is necessary to provide and secure the Service, in accordance with Customer instructions and system configuration.

A.3 Availability

Measure	Commitment
Backups	Automated backups and durability features for Customer Data (including structured data, files, and objects) are maintained using the recovery and durability features provided by the cloud infrastructure providers identified in the Sub-Processor List.
Monitoring and alerting	Production systems are monitored for operational and security events, with alerting to personnel responsible for response.
Incident detection	Monitoring includes detection of potential security incidents affecting Customer Data, with escalation to personnel responsible for response.
Resilience	Reasonable measures are implemented to support service availability and resilience, appropriate to the Service and underlying infrastructure.

A.4 Tenant Separation

Measure	Commitment
Logical separation	Customer Data is logically segregated between customers via application-level controls.
Environment separation	Production and non-production environments are separated.

A.5 Sub-processor Assurance

Measure	Commitment
Written agreements	Sub-processors are engaged under written agreements with security and data protection obligations no less protective than those in the DPA, as described in DPA Section 8.4.
Selection	Sub-processors are selected based on their ability to provide appropriate technical and organizational measures.

A.6 Lifecycle and Deletion

Measure	Commitment
Termination handling	Customer Data is deleted or anonymized following termination in accordance with the retention periods in the ToS and DPA, subject to backup rotation.
Anonymization	Where anonymization is used, it is implemented in a manner intended to be irreversible so that the resulting data is not reasonably capable of being used to identify Customer, any end user, or any data subject.

Part B — Additional Measures

In addition to the Committed Baseline above, the Company implements measures as good practice. These are described here for transparency; they are not minimum contractual commitments and may be enhanced, modified, or extended over time without notice.

B.1 Access and System Controls

Session timeouts and other controls to reduce unauthorized use.
Password complexity and management practices appropriate to system risk.
Access rights are reviewed periodically and adjusted as needed.
Beyond the Part A baseline, the Service may log additional security-relevant access events affecting Customer Data, including administrative access and security-monitoring events, as appropriate to the Service and risk profile.

B.2 Security Testing and Vulnerability Management

Periodic vulnerability scanning of production systems.
Monitoring of vendor and platform security advisories.
Application of security updates in accordance with risk and operational practicability.
Periodic security reviews appropriate to the Service and risk profile.

B.3 Incident Response

For security incidents affecting Customer Data, the Company assesses the incident, notifies affected Customers in accordance with DPA Section 10, notifies the relevant Supervisory Authority where applicable, and conducts a post-incident review.

B.4 Personnel and Organizational

Personnel with access to Customer Data are made aware of relevant security responsibilities as part of their role.
Security responsibilities and procedures are documented and reviewed periodically.

B.5 Backups and Retention Beyond Baseline

Backup retention beyond the cloud-provider baseline is maintained according to operational practices and recovery objectives.
Logging retention is configured according to operational and security needs and applicable legal requirements.

B.6 Operational Practices

Input validation is implemented to reduce malformed or unsafe inputs.
Business continuity and disaster recovery planning is undertaken appropriate to the Service and the cloud-provider features in use.

Updates

The Company may update these TOMs from time to time to reflect changes in technology, risk, and operational practices.

The Committed Baseline Measures (Part A) will not be materially reduced during a Subscription Term without notice to Customer in accordance with the ToS notice provisions.
Additional Measures (Part B) may be enhanced, modified, extended, or replaced without notice, provided that the resulting overall security posture remains at least equivalent to the Committed Baseline.