Zensai’s Technical and Organizational Measures (TOMs)

Introduction

The technical and organizational measures (TOMs) described here supplement Annex III (Technical and Organisational Measures including Measures to Ensure the Security of the Data) of Zensai’s Data Processing Addendum. They apply to Zensai’s Learn365, Perform365, Engage365, Integrate365, and Flow365 environments (collectively, the “Services”) and are designed to meet the requirements of Article 32 GDPR as well as the high common level of cybersecurity for protecting network and information systems. Specifically, Zensai’s program addresses requirements for:

  • Ensuring the availability, integrity, confidentiality, and resilience of processing systems and services.
  • Implementing measures for risk assessment, incident detection and management, business continuity, and crisis response.
  • Supporting timely and accurate notification to customers in the event of significant incidents affecting critical systems or services.

Zensai maintains a robust security and data protection program externally audited against leading international standards, including ISO/IEC 27001, ISO/IEC 27701 and Microsoft 365 App Certification. Documentation, reports, and additional assurance materials are available to customers upon request through the Trust Center.

Further information about Zensai’s security, privacy, and compliance program can be found in the Zensai Trust Center.

The Zensai Privacy Policy is available from the Zensai website.

Measures of pseudonymization and encryption of personal data

Zensai has implemented the following measures to protect personal data during transport, transmission, communication, and storage:

(a) Encryption in transit and at rest: All communications are encrypted using TLS 1.2 or higher, and all customer databases and storage systems apply AES-256 encryption.

(b) Encryption key management: Encryption keys are managed through Azure Key Vault and:

  • are secured with access controls independent of the host operating system;
  • are rotated, stored, and destroyed in accordance with Azure security standards;
  • are replaced or retired if compromised.

(c) Segregation and pseudonymization: Each customer is provisioned a dedicated database and logically separated storage environment, reducing the risk of re-identification in the event of unauthorized access.

For more information, see the Zensai Trust Center.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of systems

Zensai maintains a comprehensive Information Security and Privacy Management System aligned with ISO/IEC 27001 and ISO/IEC 27701. The program includes:

(a) Objectives: Safeguards to ensure the confidentiality, integrity, availability, and resilience of personal data and to protect against unauthorized access, disclosure, destruction, or loss.

(b) Governance: Security and privacy oversight is embedded across Zensai through a dedicated compliance function.

(c) Monitoring: Continuous (24/7) monitoring using Microsoft Sentinel SIEM, anomaly detection, and Microsoft Defender for SQL.

(d) Operational resilience: Services are hosted on Microsoft Azure infrastructure with paired region deployment to ensure high availability and disaster recovery capacity.

(e) Reviews: Security controls and risk assessments are reviewed at least annually or upon material changes in Services.

For more information, see the Application and Operational Security section of the Zensai Trust Center.

Measures for restoring availability and access in case of incident

Zensai has implemented the following measures to ensure continuity of processing:

(a) Backups: Automated, encrypted backups of customer databases with retention up to 35 days.

(b) Replication: Backups are geo-replicated across paired Azure regions to ensure restoration capacity in case of a regional outage.

(c) Business continuity and disaster recovery: Azure paired region design ensures geographic separation and redundancy.

(d) Restoration testing: Procedures are in place to validate that backups and failover systems can be restored as intended.

For more information, see Data Backup, Retention & Media Sanitation.

Processes for testing, assessing, and evaluating security

Zensai operates a secure development lifecycle program that includes:

(a) Secure coding standards: All engineers receive annual OWASP Top 10 training.

(b) Vulnerability management: Static (SAST) and dynamic (DAST) application testing is conducted, supported by automated tooling.

(c) Independent penetration testing: At least annually, external experts conduct penetration tests.

(d) Verification: Zensai applications are validated through Veracode Certification.

(e) Audits and certifications: ISO/IEC 27001, ISO/IEC 27701, and CSA STAR Level 1 provide independent assurance.

Measures for user identification and authorization

Zensai has implemented technical and organizational controls for secure authentication and authorization:

(a) Identity management: Authentication is handled through Microsoft Entra ID (formerly Azure Active Directory).

(b) Multi-factor authentication: MFA is fully supported and enforced for privileged access.

(c) Role-based access control: Privileged roles are provisioned using least-privilege principles.

(d) Consent management: Administrators can grant tenant-wide consent for delegated permissions.

For more information, see the Permissions and Authentication section of the Zensai Trust Center.

Measures for protection of data during transmission

Zensai enforces encryption of data in motion:

(a) TLS 1.2 or higher is applied to all communications.

(b) Session cookies are flagged HttpOnly and Secure.

(c) Domains are included in the global HSTS preload list to enforce encrypted connections.

For more information, see Data Security and Encryption.

Measures for protection of data during storage

Zensai ensures that:

(a) Each customer has a dedicated Azure SQL database.

(b) Storage of files and metadata uses AES-256 encryption.

(c) Logical separation ensures strict segregation of personal data.

For more information, see Personal data and data storage.

Measures for ensuring physical security of processing locations

Zensai ensures that:

(a) Hosting infrastructure: Zensai does not operate physical data centers. All hosting is on Microsoft Azure, with physical and environmental controls managed by Microsoft.

(b) Azure physical security: Includes badge access, CCTV, guards, and secure destruction of media.

(c) Corporate offices: Zensai premises are protected by badge access and visitor registration.

For more information, see Data Center Locations and Physical Security.

Measures for ensuring events logging, monitoring configuration and change management

Zensai ensures that:

(a) Centralised logging: Authentication, infrastructure, and application events are logged.

(b) SIEM monitoring: Logs feed into Azure Sentinel SIEM, where anomalies trigger alerts.

(c) Tamper protection: Logs are retained securely and protected from unauthorised modification.

(d) Change control: Formal change management procedures are followed before deployment.

(e) Segregation of duties: Roles are separated to reduce risk of fraud or error.

(f) Environment separation: Production and non-production environments are strictly isolated; no personal data is used in test environments.

For more information, see the Zensai Trust Center.

Measures for internal IT governance and incident response

Zensai ensures that:

(a) Incident Response Policy: Zensai maintains a documented incident response workflow, with defined roles and escalation criteria.

(b) Security Incident Response Team: Dedicated staff respond to and remediate incidents.

(c) Breach notification: Customers are notified without undue delay and no later than 48 hours after detection, in line with DPA Annex III.

For more information, see Data Breach Detection & Notification.

Measures for certification and assurance

Zensai maintains and publishes independent assurance programs:

(a) ISO/IEC 27001 (ISMS)

(b) ISO/IEC 27701 (PIMS)

(c) Microsoft 365 App Certification

(d) CSA STAR Level 1

(e) Veracode Verified Continuous

(f) TX-RAMP certification

For more information, see the Application and Operational Security section of the Zensai Trust Center.

Measures for ensuring data minimisation, quality and limited retention

Zensai has implemented the following measures to minimize the amount of personal data processed, ensure data quality, and securely delete data when no longer required:

(a) Data minimization:

  • Each customer is provisioned a dedicated Azure SQL database, ensuring strict segregation of data.
  • Generative AI features in Learn365, Perform365, and Engage365 are designed so that personal data is not used for model training, ensuring purpose limitation.
  • Data Loss Prevention (DLP) controls in Microsoft 365 and Azure prevent unauthorized transfer or accidental leakage of data.

(b) Data quality:

  • Zensai enforces secure coding standards and quality assurance practices as part of its Secure Development Lifecycle (SDLC).
  • Code is subject to peer review, static and dynamic testing, and regular vulnerability scans.
  • Regular patch cycles and hotfixes address newly discovered issues to maintain integrity and accuracy of data processing.

(c) Data retention and erasure:

  • Personal data is retained only for the duration of the subscription and deleted 90 days after termination.
  • Encrypted backups are retained solely as required for legal/regulatory compliance.
  • Media sanitization follows NIST SP 800-88 standards via Azure-certified destruction procedures.
  • Certified deletion confirmations are available to Customers on request.

For more information, see the Zensai Trust Center.

Measures for ensuring accountability

Zensai embeds accountability through a central Data Governance framework and regular independent audits:

(a) Audits: Annual independent audits (ISO, Microsoft 365 App Cert).

(b) Training: Employees complete mandatory annual privacy and security training.

(c) Transparency: Ensured via public Zensai Trust Center resources, which provide customers with up-to-date information about policies, controls, and certifications.

Measures for data portability and erasure

Zensai provides customers with the following data portability and erasure measures:

(a) Data export: Customers may export data through the Learn365 OData API.

(b) Erasure: On termination, personal data is securely deleted, with certification available upon request.

(c) Legal basis: Processes aligned with GDPR Article 17 and DPA Annex III.4.

For more information, see Data Deletion & Media Sanitation.
