PhotoRobot Technical and Organizational Measures (TOMs)
This document defines PhotoRobot’s Technical and Organizational Measures (TOMs) pursuant to Article 32 GDPR (Version 1.0, PhotoRobot Edition, uni-Robot Ltd., Czech Republic). The document was last updated on 31 December 2025 and supports compliance with PhotoRobot’s contractual obligations under the DPA and SLA.
1. Introduction - PhotoRobot TOMs
This document describes the Technical and Organizational Measures (TOMs) implemented by uni-Robot Ltd. (PhotoRobot) to ensure an appropriate level of security for the processing of personal data in accordance with Article 32 of the General Data Protection Regulation (GDPR).
These measures apply to the operation of PhotoRobot services, including but not limited to:
- PhotoRobot Controls Cloud
- PhotoRobot Cloud 2.0
- PhotoRobot Controls Local (when connected to cloud services)
- APIs and related online services
- Supporting infrastructure and internal systems
This document serves as the authoritative description of PhotoRobot’s TOMs and may be referenced in Data Processing Agreements (DPAs), audits, and enterprise security reviews.
2. Scope and Applicability
The TOMs described herein apply to:
- Personal data processed on behalf of customers as part of PhotoRobot services
- Internal operational data necessary to provide, maintain, and secure the services
The measures are designed taking into account:
- the state of the art
- implementation costs
- the nature, scope, context, and purposes of processing
- the risks to the rights and freedoms of natural persons
3. Organizational Security Measures
3.1. Information Security Governance
PhotoRobot maintains internal policies and procedures governing information security, data protection, and acceptable use of systems.
Responsibilities for security and data protection are clearly defined within the organization, including designated contacts for privacy and legal matters.
3.2. Employee Confidentiality and Awareness
- Employees and contractors are bound by confidentiality obligations
- Access to systems is granted on a need-to-know basis
- Security and data protection awareness is promoted as part of onboarding and ongoing operations
4. Access Control and Authorization
4.1. Role-Based Access Control (RBAC)
Access to systems and customer data is controlled using role-based access control (RBAC) principles.
- Users are granted the minimum privileges necessary to perform their tasks
- Administrative access is restricted to authorized personnel
4.2. Authentication
- Strong authentication mechanisms are used for internal and external systems
- Password policies and access credentials are managed securely
- Access credentials must not be shared
5. Infrastructure and Network Security
5.1. Hosting and Cloud Infrastructure
PhotoRobot services are hosted on professional cloud infrastructure providers (e.g., Google Cloud Platform), which implement industry-standard physical and environmental security controls.
5.2. Network Protection
- Network traffic is protected using firewalls and access controls
- Public-facing services are isolated from internal systems
- Infrastructure components are monitored for availability and security events
6. Encryption and Data Protection
6.1. Data in Transit
- Data transmitted between clients and PhotoRobot services is encrypted using TLS/HTTPS
- Secure communication channels are enforced for APIs and cloud interfaces
6.2. Data at Rest
- Data stored within cloud infrastructure is protected using encryption mechanisms provided by the hosting provider
- Access to stored data is restricted to authorized systems and personnel
7. Logging, Monitoring, and Incident Detection
7.1. Logging
- System logs are generated for operational and security-relevant events
- Logs are used for troubleshooting, monitoring, and incident analysis
7.2. Monitoring
- Services are monitored for availability, performance, and anomalies
- Alerts are triggered in case of abnormal behavior or service disruption
8. Incident Response and Breach Management
PhotoRobot maintains procedures for handling security incidents, including personal data breaches.
These procedures include:
- identification and assessment of incidents
- mitigation and containment measures
- internal escalation
- communication with customers where required
- compliance with GDPR breach notification obligations (Articles 33 and 34 GDPR)
9. Backup, Availability, and Business Continuity
9.1. Backups
- Data backups are performed as part of standard cloud operations
- Backups are used for disaster recovery and service continuity purposes
9.2. Availability
- Reasonable efforts are made to maintain high availability of services
- Planned maintenance activities may cause temporary service interruptions
Details regarding availability targets and response times are described separately in the applicable Service Level Agreements (SLAs).
10. Secure Development and Change Management
10.1. Secure Development Practices
PhotoRobot follows structured development and deployment processes, including:
- separation of development, testing, and production environments where appropriate
- controlled deployment procedures
- version control and change tracking
10.2. Updates and Patching
- Software components are updated to address security vulnerabilities
- Critical updates are prioritized based on risk assessment
11. Sub-Processors and Third Parties
PhotoRobot may engage sub-processors to support service delivery (e.g., hosting, email services).
- Sub-processors are selected based on their security and data protection practices
- A current list of sub-processors is maintained separately and made publicly available
12. Physical Security
Physical access to servers and data centers is managed by the cloud infrastructure provider and includes:
- access controls
- surveillance and monitoring
- environmental protections
PhotoRobot does not operate its own data centers.
13. Data Minimization and Retention
- Only data necessary for service provision is processed
- Personal data is retained only as long as required for contractual, legal, or operational purposes
- Data deletion and retention periods are defined in relevant policies and agreements
14. Review and Updates
These Technical and Organizational Measures are reviewed periodically and updated as necessary to reflect:
- changes in technology
- changes in services
- evolving security and regulatory requirements
Material changes may be communicated to customers as appropriate.
15. Contact Information
For questions regarding these Technical and Organizational Measures:
uni-Robot Ltd.
Vodičkova 710/31
110 00 Prague 1
Czech Republic
Email: legal@photorobot.com
Final Note
These TOMs describe PhotoRobot’s current technical and organizational measures and are intended to provide transparency and assurance to customers. They do not constitute a guarantee of uninterrupted service or absolute security, but reflect a risk-based and proportionate approach to data protection and information security.