logologo
HomeProductPackagesAboutContactBlogLog-in
Language Icon
German-LanguageGerman
English
Book a demo
Speisekarte
Ikone
  • Home
  • Product
  • Packages
  • About us
  • Contact us
  • Blog
  • Einloggen
  • About us
  • Language Icon
    German-LanguageGerman
    English
  • Book a demo
Legal Information
Technical and organizational measures (TOMs) of Infinitas Security GmbH

Technical and organizational measures (TOMs) of Infinitas Security GmbH

Table of content

  • Heading 2
    Heading 3

Gültig ab: 07.07.2026

‍

Note: This is a non-binding English translation of the German version of this document, including its annexes. Only the German version is legally binding and authoritative. This translation is provided for information purposes only and does not form part of the agreement.

The German version is available here.

Introduction

Security is an essential part of the services provided by Infinitas Security GmbH ("Infinitas"). This overview describes selected technical and organizational measures used by Infinitas to protect customer data and, where applicable, customer-provided content against unauthorized access, unauthorized use, alteration, disclosure or destruction.

Infinitas' security measures are aligned with recognized industry standards and with the requirements of ISO/IEC 27001:2022 and ISO/IEC 27002:2022. Infinitas maintains an information security management system certified to ISO/IEC 27001:2022. This overview does not constitute a complete disclosure of the internal control framework. Infinitas provides further details on its security architecture and relevant controls upon request as part of sales, due diligence or security review processes.

Planning

Infinitas maintains policies, controls and procedures to include security and compliance requirements early in the planning of business activities, systems and changes. These include, in particular:

  • Regulatory requirements: Infinitas monitors relevant legal, regulatory and contractual requirements as part of the ISMS and considers changes when developing policies, procedures and controls.
  • System documentation: Infinitas documents relevant systems, scopes, responsibilities, assets and security requirements to an extent appropriate for the company.
  • Change communication: Infinitas informs internal users and, where relevant, customers about material changes to important products and services through suitable communication channels.
  • Program review: Infinitas reviews and updates its security management program and related policies and procedures at least annually and when triggered by relevant events.

Risk management

Infinitas maintains policies, controls and procedures for risk-based information security management. These include, in particular:

  • Risk process: Infinitas identifies, assesses, treats and monitors information security risks to support appropriate and traceable risk management decisions.
  • Policy framework: Infinitas operates a central ISMS policy framework aligned with ISO/IEC 27001:2022 and other relevant requirements, supporting systematic risk treatment.
  • Reviews: Infinitas performs regular internal reviews and management reviews and also subjects the ISMS to external assessments as part of the ongoing certification and assurance program.

Supply chain risk management

Infinitas maintains policies, controls and procedures to appropriately assess, manage and continuously monitor risks arising from supplier and service provider relationships. These include, in particular:

  • Supplier framework: Infinitas operates a structured approach for selecting, assessing, managing and regularly reviewing suppliers throughout their lifecycle.
  • Review process: New and existing third parties are subject to a risk-based security and compliance review, including due diligence, contract review and ongoing monitoring to an appropriate extent.
  • Role model: Third-party review and management are performed by clearly assigned roles, including executive management, the InfoSec function and the relevant functional owners; external legal support is involved where required.
  • Risk assessment: Suppliers are reassessed before onboarding, when triggered by relevant events and at appropriate intervals based on their risk profile, especially in case of material changes to services, contracts or risks.
  • Supplier register: Infinitas maintains a central register of relevant suppliers and records, among other information, ownership, service relationship and risk classification.
  • Evidence review: Where relevant and available, Infinitas regularly reviews suitable assurance evidence, certifications, security documentation and other information on the service providers used.

Awareness and training

Infinitas maintains a formal set of policies, controls and procedures for appropriate training and security awareness measures. These include, in particular:

  • Basic training: During onboarding, employees are familiarized with the security requirements relevant to their work and complete security awareness training at least annually; this covers information security topics relevant to Infinitas as well as applicable data protection and compliance requirements.
  • Role-specific guidance: For roles with elevated privileges or specific security responsibilities, Infinitas provides role-specific policies, procedures and work instructions and supplements them, where needed, with targeted briefings tailored to the respective role.
  • Ongoing awareness: Security awareness at Infinitas is strengthened not only through point-in-time activities, but also regularly and when triggered by relevant events through training, onboarding materials, policy communications and recurring guidance on current risks and good security practices; this also applies to relevant external contributors within the ISMS scope.
  • Mandatory training: Security principles are reinforced through mandatory annual security awareness training; Infinitas emphasizes that information security is a shared responsibility of all employees and involved persons.

Personnel security

Infinitas maintains policies, controls and procedures to appropriately manage the security of employees and involved external persons with access to company or customer data throughout the full activity lifecycle. These include, in particular:

  • Pre-access review: Before access is granted, Infinitas verifies the identity, qualification and authorization of the relevant person and may require additional checks for particularly security-critical roles.
  • Onboarding: Onboarding at Infinitas includes the conclusion of employment or service agreements, confidentiality commitments, security training and confirmation of applicable security requirements and role-specific obligations.
  • Policy framework: Personnel-related security requirements at Infinitas are governed by relevant policies and procedures and are reviewed as part of the ISMS at least annually and when triggered by relevant events.
  • Role changes: Role changes and departures are subject to documented joiner, mover and leaver processes, including reassessment of access rights, timely removal of access that is no longer required, offboarding checklists and renewed approval before access is granted again at a later stage.
  • Disciplinary process: Infinitas maintains a documented disciplinary process to assess and handle violations of security requirements appropriately, traceably and proportionately.

Assessment, authorization and monitoring

Infinitas maintains formal policies, controls and procedures to regularly assess the effectiveness of its ISMS, security measures, development environments and cloud environments, to systematically track deviations and to identify risks at an early stage. These include, in particular:

  • Audit framework: Infinitas defines binding requirements for audits, reviews and effectiveness assessments as part of its ISMS and reviews them at least annually and when triggered by material changes.
  • Policy framework: Infinitas operates a central ISMS policy framework with thematically structured policies and procedures; these are version-controlled, reviewed regularly and approved by the responsible Infinitas leadership.
  • Audit management: Audits and comparable reviews are planned, prioritized based on risk, performed against defined control objectives, documented, assessed and followed up with specific actions, deadlines and responsibilities; previous audit, review and incident results are taken into account.
  • External audits: Infinitas performs internal audits, management reviews and other effectiveness assessments, considers external assurance evidence from relevant service providers and maintains an ISMS certified to ISO/IEC 27001:2022. The ISMS and the adequacy and effectiveness of relevant controls and processes are independently assessed as part of external certification and surveillance audits.
  • Compliance review: Infinitas continuously reviews conformity with relevant legal, regulatory and contractual requirements and with the requirements of ISO/IEC 27001:2022 as part of the certified ISMS and the ongoing audit and improvement program.
  • Deviation management: Identified deviations and nonconformities are systematically recorded, assessed for root cause, assigned corrective actions, allocated to responsible persons and tracked through closure.
  • Vulnerability scans: Infinitas uses recurring and largely automated security tests in the SSDLC and in ongoing operations, in particular secrets scans, SAST, SCA and DAST checks; identified vulnerabilities are prioritized by severity and criticality and are remediated within defined processes or formally treated based on risk.
  • Security assessments: Security and vulnerability assessments for relevant cloud products and processes are embedded in project initiation, the SSDLC, recurring operational activities and annual reviews; privacy-related risks are assessed and documented in particular for new or changed processing activities and GDPR-relevant projects.

Identification and authentication

Infinitas maintains policies, controls and procedures to uniquely assign identities and appropriately authenticate access. These include, in particular:

  • Identity system: Identities are centrally managed and access is uniquely assigned to an authorized person.
  • SSO: Single sign-on is used for suitable applications on a risk-based basis and is further expanded where technically and economically appropriate.
  • MFA protection: Infinitas uses multifactor authentication as the standard for relevant access to company and cloud services; additional access conditions are centrally managed.
  • Password requirements: Infinitas defines binding requirements for the secure handling of passwords and login credentials, in particular regarding confidentiality, use and storage.
  • Secrets protection: Access credentials, tokens, keys and other secrets are protected through suitable technical and organizational measures and are not stored in an uncontrolled manner in code or unsecured storage locations.
  • Approvals and reviews: User accounts and access rights are subject to documented approvals, regular reviews and event-driven adjustments as part of the joiner, mover and leaver process.

Access control

Infinitas maintains an appropriate set of documented policies, controls and procedures for appropriate access control when processing customer data and customer materials. These include, in particular:

  • Access policy: Infinitas operates a formal policy and related procedures for access management, covering access standards, responsibilities, approvals and the principles for creating, changing and removing user access.
  • Protection needs: Infinitas classifies systems, data and access types on a risk-based basis according to protection needs and criticality and defines enhanced requirements for privileged or particularly sensitive access, in particular mandatory use of multifactor authentication.
  • Role-based access: Access to Infinitas systems, applications and infrastructure is assigned based on roles and the least privilege principle, so that only authorized persons have access to development, build and product-related source code environments.
  • Need-to-know: Infinitas applies strict role-based access rights for employees, freelancers and other authorized persons, so that access to customer data is granted only on a need-to-know basis and only to the extent required for the respective task.
  • Support access: Access to customer data by Infinitas takes place only where required for operations, support, security or contractually agreed services. Such access is restricted to authorized roles.
  • Segregation of duties: Infinitas implements segregation of duties with a particular focus on the development process and SSDLC, in particular through documented approval and workflow controls, role-based permissions in development and source code environments and four-eye principles for code-related changes.
  • Approval process: User accounts and access rights are approved before access is enabled to data, applications, infrastructure or network components, taking into account role, protection needs and system responsibility; existing access is reviewed regularly and when triggered by relevant events.
  • Protection mechanisms: Infinitas uses technical access protection measures depending on protection needs and use case, in particular multifactor authentication and Conditional Access.
  • Device control: Infinitas operates centrally managed endpoint and mobile security controls, including defined automatic lock periods for company devices, compliance checks for managed endpoints and MAM protection mechanisms for approved BYOD scenarios.
  • Account maintenance: Infinitas identifies and removes no longer required, outdated or inactive access as part of joiner, mover and leaver processes, event-driven reviews and regular reviews, including timely removal of access and automated revocation or selective wipe where supported by the platforms used.

Configuration management

Infinitas maintains formal policies, controls and procedures to manage configurations, changes and technical baselines in a controlled manner, to make unauthorized changes more difficult and to ensure traceability throughout the lifecycle of systems, applications, endpoints and cloud resources. These include, in particular:

  • Change control: Infinitas manages changes to production-relevant software, build and deployment processes and security-relevant configurations through documented procedures. Security requirements and risks are captured during planning and design, and production changes are documented, reviewed and approved.
  • Policy framework: Infinitas operates a central ISMS policy framework with thematically structured policies and procedures that are version-controlled, reviewed at least annually and approved by the responsible leadership.
  • Approval standards: Infinitas defines baselines and approval standards for changes. Depending on the change, documented security and test requirements must be met before implementation.
  • Peer review: Production-relevant code and infrastructure changes are subject to the four-eye principle. Pull requests require at least one independent peer review approval and successful security gates and tests, where applicable to the respective change type, before promotion to higher environments or production deployment can take place.
  • Emergency changes: Infinitas allows break-glass changes only to protect service availability or to remediate critical security or operational risks. Such changes are retrospectively reviewed, documented and approved in a timely manner.
  • Asset inventory: Infinitas centrally records and tracks physical and logical assets, including owner, classification, dependencies, status and unique identifiers; completeness and ownership are reviewed regularly.
  • Operational monitoring: Infinitas monitors health, utilization, capacity and availability of relevant assets and cloud products using native monitoring and alerting functions of the platforms used; capacity reviews are performed regularly using available autoscaling and telemetry functions.

System and service acquisition

Infinitas maintains policies, controls and procedures for the secure development, change and provision of systems and services. These include, in particular:

  • SSDLC: Infinitas uses a documented secure software development life cycle in which security-relevant requirements, checks and evidence are embedded from planning through operation.
  • Provisioning: Infinitas uses standardized and largely automated processes for application and configuration changes; production changes are subject to additional approvals.
  • Reviews and tests: Infinitas requires a defined development process for relevant changes, including peer review and mandatory automated checks before merge and deployment.
  • Segregation of duties: Infinitas uses defined roles, approvals and four-eye principles for changes. Where complete organizational separation is not appropriate or not possible, compensating controls such as peer reviews, technical approvals, logging and subsequent review are applied.
  • Emergency changes: Infinitas maintains a documented procedure for emergency changes, including break-glass scenarios, with subsequent review and approval.
  • Change protection: Infinitas protects source code and deployment systems through technical and organizational controls to prevent or make unauthorized changes more difficult.
  • Change evidence: Relevant code, infrastructure and configuration changes are documented in a traceable manner; defined review and approval steps are technically enforced.
  • Documentation: Infinitas maintains appropriate technical and operational documentation for relevant cloud and software services, including security-relevant requirements for use and configuration.
  • Dependency management: Infinitas regularly reviews the codebase as well as third-party and open-source dependencies using suitable security checks and manages required updates on a risk-based basis.

System and communications protection

Infinitas maintains policies, controls and procedures to protect systems, networks, endpoints and data transfers. These include, in particular:

  • Cryptography: Infinitas protects sensitive data at rest and in transit through suitable cryptographic mechanisms reflecting the state of the art.
  • Encryption: Infinitas uses encryption for relevant cloud and application components for data at rest and in transit, in particular TLS 1.2+ and strong industry-standard mechanisms.
  • Secure information transfer: Infinitas uses approved communication and transfer channels with appropriate protection measures, in particular encryption in transit, access restrictions and risk-based approvals for external disclosures.
  • Classification and DLP: Infinitas classifies information according to protection needs and, where technically available and appropriate, uses supplementary data loss prevention and protection mechanisms for relevant cloud and communication services.
  • Environment separation: Infinitas logically separates development, test and production environments and limits connections between these environments to what is required.
  • Endpoint protection: Infinitas centrally manages company devices and enforces binding baselines for patches, password or re-authentication protection, screen locks and disk encryption.
  • Device trust: Access to company resources is restricted on a risk-based basis using device, identity and app protection controls; defined safeguards apply to approved BYOD and external access scenarios.
  • Firewall protection: Infinitas uses firewalls, network rules and upstream protection mechanisms in its cloud environments to limit access to what is required.
  • Network hardening: Infinitas uses measures such as system hardening, network segmentation, endpoint protection and other suitable controls to protect against unauthorized access and security events.
  • Data separation: Infinitas uses suitable logical separation, tenant isolation and access controls to keep customer data separated by tenant and from other data sets.

Media protection

Infinitas maintains policies, controls and procedures to protect data carriers, endpoints and other media containing company and customer data. These include, in particular:

  • Physical security and provider operations: Infinitas does not operate its own data centers for the SaaS platform, but uses selected cloud and SaaS providers, in particular Microsoft Azure. Physical security measures for the underlying data center infrastructure are provided by the respective providers under the shared responsibility model and are considered on a risk-based basis through available assurance evidence.
  • Media disposal: Infinitas requires secure erasure or cryptographic sanitization of its own data carriers and endpoints before reuse, repair or disposal; for outsourced cloud resources, Infinitas relies on the documented erasure and disposal processes of the respective provider.
  • Encryption: Infinitas protects relevant data and endpoints through appropriate encryption measures reflecting the state of the art, in particular for data at rest and in transit and for managed company devices.
  • BYOD protection: Infinitas allows approved BYOD scenarios only under defined security requirements, in particular with an approval process, app protection, access restrictions and protective measures for non-compliant or unprotected access scenarios.
  • Clear desk: Infinitas requires clear desk and clear screen measures for unattended workplaces so that confidential information and devices are not visible or accessible without protection.

System and information integrity

Infinitas maintains policies, controls and procedures to protect the integrity of systems and information, detect unauthorized changes and handle data appropriately throughout its lifecycle.

  • Test data: Infinitas generally uses synthetic or anonymized test data in non-production environments.
  • Data protection and data minimization: Infinitas processes personal data based on the principles of purpose limitation and data minimization. New or materially changed processing activities are reviewed on a risk-based basis for data protection and information security requirements.
  • Data deletion and retention: Infinitas defines appropriate retention and deletion processes for company and customer data. Deletions are performed in accordance with contractual, legal and technical requirements and based on the capabilities of the platforms used.
  • Log protection: Infinitas logs security-relevant events through the intended platform functions, protects logs against unauthorized access and unauthorized alteration and retains them for an appropriate period.
  • Access logging: Where technically available, Infinitas logs relevant user, administrative and access activities in product-relevant systems to support traceability, investigation and auditability.
  • Malware protection: Infinitas uses suitable malware protection measures on managed systems and considers relevant security alerts from the platforms used.
  • Identity binding: Infinitas uses uniquely assigned identities for user and service accounts and restricts access to what is required through role-based and identity-bound controls.
  • Environment separation: Infinitas logically and organizationally separates production and non-production environments to reduce unintended mixing, unauthorized access and integrity risks.
  • Sandbox protection: Defined protection requirements apply to development, test and troubleshooting environments, in particular regarding data minimization, access restriction and secure handling of artifacts and sensitive content.

Auditability and traceability

Infinitas maintains formal policies, controls and procedures to log security-relevant activities in a traceable manner, detect anomalies and ensure reliable traceability for investigations, reviews and audit purposes. These include, in particular:

  • Logging standard: Infinitas defines binding requirements for logging and monitoring as part of its ISMS policy framework, including requirements for relevant event types, protection of log data, retention, review and escalation.
  • Log storage: Relevant system, security, identity and application logs are, where technically available, automatically transmitted to the intended managed logging functions of the cloud and SaaS platforms used and stored there securely; access to raw logs is restricted to narrowly defined authorized roles.
  • Anomaly detection: Infinitas monitors security-relevant logs, alerts and audit events to detect unusual activities; defined review and escalation processes are in place for the review, assessment and handling of anomalies.
  • Scope maintenance: The scope of logging is reviewed and adjusted where needed when new functions, system changes, new critical assets or changed risk situations arise, so that new event types and security-relevant changes are appropriately captured.
  • Time synchronization: Infinitas ensures that systems use automatic time synchronization with trusted time sources, in particular through operating system or cloud time services such as the mechanisms provided by Microsoft Azure, so that timestamps remain consistent and forensically reliable.

Contingency planning

Infinitas maintains formal policies, controls and procedures to prepare for disruptions, security incidents and outages, make recovery plannable and ensure the continuation of critical processes within an appropriate framework. These include, in particular:

  • Operational foundation: Infinitas bases service delivery on qualified employees, defined responsibilities and suitable cloud-based operational and communication platforms.
  • Recovery planning: Infinitas maintains documented requirements and playbooks for incident response, business continuity, backup and recovery; recovery time and recovery point expectations are considered for relevant assets.
  • Continuity: Infinitas implements measures to restore access to critical data and systems in an orderly manner during disruptions and to continue their use where required.
  • Cloud-based resilience: Infinitas uses a cloud-based architecture with suitable resilience and recovery functions where required for the respective service, protection need and recovery purpose.
  • Resilience controls: Infinitas strengthens operational resilience in particular through regular backups, recovery procedures and other technical and organizational protection measures.
  • Incident response: Infinitas operates documented procedures for responding to cybersecurity events to limit impact, support recovery and maintain business operations as far as possible.
  • Capacity management: Infinitas monitors availability, health and capacity of relevant systems and services and takes suitable adjustment and protection measures where needed.
  • Backup protection: Infinitas protects backups through appropriate technical and organizational measures, in particular regarding confidentiality, integrity, availability and recoverability.
  • Recovery testing: Infinitas verifies recovery capabilities on a risk-based basis through suitable tests, reviews or technical evidence to confirm the practical usability of relevant backup and recovery measures.

Handling of security incidents

Infinitas maintains policies, controls and procedures to handle security incidents in a prepared, structured and traceable manner. These include, in particular:

  • Incident planning: Infinitas operates documented incident response requirements and playbooks for preparation, detection, assessment, containment, eradication, recovery, evidence preservation and post-incident review, taking into account data protection and other applicable requirements.
  • Role model: Security incidents at Infinitas are handled by clearly named roles and escalation paths. In particular, the InfoSec responsibility, executive management and affected system owners work together in a coordinated manner; triage and escalation follow a defined approach.
  • Exercises and tests: Infinitas regularly reviews its response capability through selected tests and exercises to continuously improve the effectiveness of incident management.
  • Plan maintenance: Incident response policies and related playbooks are reviewed and updated regularly and when triggered by material changes or incidents.
  • Lessons learned: For relevant, severe or recurring security incidents, Infinitas performs structured post-incident reviews with root cause analysis, action definition and follow-up to implement systematic improvements.
  • Process integration: Procedures for handling security incidents are embedded into relevant operational, recovery and communication processes to limit downtime and security risks.
  • Customer information: Infinitas informs affected customers about relevant security incidents without undue delay in accordance with contractual and legal requirements and supports them, where required, with the necessary information.
  • External support: Infinitas may involve external technical, legal, forensic or insurance-related support for relevant security incidents where required for assessment, containment, recovery or communication.

‍

‍

logo
Mail
Infinitas Security GmbH
Adalbertstraße 20,
80799 München
Deutschland
info@infinitas-security.com

Imprint

Cookie Consent Settings

Privacy Policy

Legal