Technical and Organizational Measures (TOMs)
Effective Date: 1.06.2026
These Technical and Organizational Measures ("TOMs") describe the administrative, technical, physical, and organizational safeguards implemented by Live Engage sp. z o.o. ("TrueEngage", "Company", "we", "our", or "us") to protect Personal Data and Customer Data processed through the TrueEngage Service.
These TOMs form part of the Data Processing Addendum ("DPA") and describe security measures implemented to support compliance with applicable Data Protection Laws.
TrueEngage maintains:
- ISO/IEC 27001 certification;
- SOC 2 Type II attestation;
or equivalent successor certifications.
Additional information regarding security controls, certifications, compliance documentation, business continuity, disaster recovery, subprocessors, and security practices may be made available through the TrueEngage Trust Center.
Related Documents:
1. SCOPE
These TOMs apply to Personal Data and Customer Data processed through the TrueEngage Service.
Processing activities may include:
- Collection;
- Recording;
- Organization;
- Structuring;
- Storage;
- Retrieval;
- Consultation;
- Use;
- Disclosure by transmission;
- Alignment or combination;
- Restriction;
- Erasure;
- Destruction;
as required to provide the Service.
The categories of Personal Data processed through the Service are described in the Privacy Policy and applicable DPA.
2. GOVERNANCE AND INFORMATION SECURITY MANAGEMENT
2.1 Information Security Program
TrueEngage maintains a formal Information Security Management System (ISMS) designed to identify, assess, manage, monitor, and continually improve information security risks.
2.2 Policies and Procedures
Documented policies and procedures govern:
- Information security;
- Access management;
- Asset management;
- Cryptography;
- Vendor management;
- Incident response;
- Business continuity;
- Disaster recovery;
- Change management;
- Secure development;
- Risk management.
2.3 Security Governance
Information security responsibilities are assigned to designated personnel who oversee security, privacy, compliance, and risk management activities.
2.4 Security Awareness
Personnel receive security and privacy awareness training during onboarding and periodically thereafter.
2.5 Risk Management
Information security risks are periodically assessed and managed through documented risk treatment processes.
3. ACCESS CONTROL AND IDENTITY MANAGEMENT
3.1 Least Privilege
Access to systems and data is granted according to business need and the principle of least privilege.
3.2 Authentication Controls
Administrative and privileged access accounts are protected using multi-factor authentication (MFA).
3.3 Access Provisioning
Access rights are subject to approval processes and are reviewed periodically.
3.4 Access Revocation
Access rights are removed or modified when personnel change roles or leave the organization.
3.5 Session Security
Authentication controls, session management controls, account lockout mechanisms, and password policies are implemented where appropriate.
4. INFRASTRUCTURE SECURITY
4.1 Hosting Environment
The Service is hosted using commercially recognized cloud infrastructure providers, including Microsoft Azure and supporting cloud services.
4.2 Regional Deployments
Customer Data is processed in the region selected for the applicable Customer deployment. Available regions may include:
- European Union;
- United States;
- Other supported regions.
4.3 Infrastructure Hardening
Systems are configured using security baselines and hardening standards appropriate to their function.
4.4 Vulnerability Management
Security vulnerabilities are identified, assessed, prioritized, and remediated through documented processes.
5. ENCRYPTION AND DATA PROTECTION
5.1 Encryption in Transit
Data transmitted over public networks is protected using industry-standard encryption protocols, including TLS.
5.2 Encryption at Rest
Customer Data stored by the Service is protected using encryption at rest where appropriate.
5.3 Key Management
Cryptographic keys are managed through controlled processes designed to protect confidentiality and integrity.
6. APPLICATION SECURITY
6.1 Secure Development
Software is developed using secure development practices designed to reduce security risks throughout the software development lifecycle.
6.2 Code Review
Changes to production systems are subject to review and approval processes.
6.3 Security Testing
Security testing activities may include:
- Static analysis;
- Dynamic analysis;
- Dependency scanning;
- Vulnerability scanning;
- Penetration testing.
6.4 Change Management
Changes to systems and applications are managed through documented change management procedures.
7. LOGGING AND MONITORING
7.1 Logging
Security-relevant events are logged where appropriate.
7.2 Monitoring
Systems are monitored to identify potential security, operational, and availability issues.
7.3 Alerting
Alerts may be generated for suspicious activity, security events, system failures, and operational anomalies.
7.4 Log Protection
Access to logs is restricted to authorized personnel.
8. INCIDENT RESPONSE
8.1 Incident Management Program
TrueEngage maintains documented incident response procedures designed to identify, investigate, contain, remediate, and recover from Security Incidents.
8.2 Escalation Procedures
Incident response processes include defined escalation paths and communication procedures.
8.3 Security Incident Notifications
Where required by law or contract, TrueEngage will notify affected Customers of confirmed Security Incidents affecting Customer Data without undue delay.
8.4 Post-Incident Activities
Material incidents may be subject to root cause analysis and corrective action review.
9. BUSINESS CONTINUITY AND DISASTER RECOVERY
9.1 Continuity Planning
TrueEngage maintains documented business continuity and disaster recovery procedures.
9.2 Backup Controls
Appropriate backup procedures are implemented for critical systems and data.
9.3 Testing
Business continuity and disaster recovery procedures are periodically tested.
9.4 Recovery Objectives
TrueEngage maintains defined recovery objectives for critical services and systems.
Additional information regarding recovery objectives may be made available through the Trust Center or upon reasonable request.
10. PHYSICAL SECURITY
10.1 Corporate Facilities
Physical access to corporate facilities is restricted to authorized personnel.
10.2 Cloud Infrastructure
Physical security controls for cloud infrastructure are managed by the applicable cloud service providers.
10.3 Media Protection
Where physical media is used, appropriate controls are implemented for storage, transport, and disposal.
11. SUBPROCESSOR AND VENDOR MANAGEMENT
11.1 Due Diligence
Subprocessors and critical vendors are subject to risk-based evaluation prior to engagement.
11.2 Contractual Controls
Subprocessors processing Personal Data are subject to contractual data protection obligations.
11.3 Ongoing Review
Material subprocessors and critical vendors are periodically reviewed.
11.4 Subprocessor List
A current list of approved subprocessors is available in the Trust Center.
12. DATA RETENTION AND DELETION
12.1 Retention
Personal Data is retained only as long as necessary to:
- Provide the Service;
- Fulfill contractual obligations;
- Comply with legal obligations;
- Resolve disputes;
- Enforce legal rights.
12.2 Deletion
Upon expiration of applicable retention periods, Personal Data may be deleted, anonymized, or aggregated in accordance with documented procedures.
12.3 Customer Instructions
Customer-specific retention requirements may be implemented where supported by the Service.
13. CONTINUAL IMPROVEMENT
TrueEngage maintains processes designed to continually improve its security and privacy programs.
Security controls may be reviewed and updated in response to:
- Risk assessments;
- Security Incidents;
- Audit findings;
- Regulatory developments;
- Business changes;
- Technology changes.
14. CUSTOMER RESPONSIBILITIES
Customers remain responsible for:
- Configuring the Service appropriately;
- Managing authorized users;
- Protecting credentials;
- Providing required privacy notices;
- Obtaining required consents;
- Complying with applicable Data Protection Laws.
15. DOCUMENTATION AND CONTACT INFORMATION
Additional information regarding security controls, certifications, compliance documentation, subprocessors, business continuity, and disaster recovery may be available through:
Trust Center:
Security Contact:
Compliance documentation may be made available subject to confidentiality restrictions and reasonable access controls.