Technical and organizational measures to ensure the security of personal data
2Mobile doo implements the following technical and organizational measures to ensure an appropriate level of security of personal data, taking into account the nature, scope, circumstances and purposes of the processing and the risks to the rights and freedoms of individuals:
I. Measures ensuring the “confidentiality” of personal data
I./1. Access control to premises
The purpose of controlling access to premises is to prevent unauthorized persons from gaining access to premises where personal data are processed. Control of access to premises is carried out in particular by means of the following measures:
1. Controlled access to business premises:
- Each visitor must announce their arrival and may only enter the business premises accompanied by an employee.
2. Video surveillance of an office building:
- Video surveillance is implemented in the office building.
- Video surveillance is managed by the office building manager.
3. Card and key management:
- Each employee has their own access token to enter the office building and the part of the office building where the company's office is located. The office is locked with a key that each employee has.
- Cabinets are locked, with access to keys restricted to specific employees only.
- If a person's employment is terminated, the access card and key are returned.
I./2. Access control to computer systems
The purpose of controlling access to computer systems is to prevent the use of computer systems for the processing of personal data by unauthorized persons. Control of access to computer systems is carried out in particular by the following measures:
1. Firewall and intrusion detection system
- Windows workstations use Windows Defender Firewall.
- macOS workstations use the built-in macOS Firewall.
- The firewall is turned on by default and configured to prevent unauthorized connections.
2. Antivirus and security software
- Windows Defender protection is installed and active on workstations running Windows.
- macOS workstations have Apple's built-in security mechanisms active:
  - XProtect, which automatically and silently scans applications and files for known malicious code.
  - Malware Removal Tool (MRT), which automatically removes detected threats.
  - Gatekeeper, which prevents applications from unknown developers from running and verifies the integrity of downloaded applications.
  - Apple Notarization, which scans applications for malicious content and enables quick blocking of detected threats.
3. Updating the system and security components
- Automatic updating of the operating system, security engines, antivirus definitions, and browsers is enabled by default.
- On Windows systems, updates are managed by Windows Update.
- On macOS systems, XProtect security definitions, MRT, and notarization revocation lists are updated automatically and independently of system updates.
4. Each employee has their own workstation, which is protected by a password. Each employee has their own password for individual systems and applications.
5. Employees are required to lock workstations when not in use.
6. A password-protected screen saver locks the workstation automatically after 3 minutes of inactivity if the employee has not locked it manually.
7. All tools we use for our business ensure secure login with a unique username, password and second authentication factor (OTP, MFA, 2FA).
8. Minimum requirements for passwords and password management:
- Passwords must be more than 8 characters long and contain all of the following: uppercase and lowercase letters, numbers, and special characters.
- Passwords must be changed at least once every 3 months.
- Password sharing and the use of group passwords is prohibited.
9. In case of suspected security threats, the administrator sends a request to all employees to immediately change the password for a specific tool.
10. Monitoring security vulnerabilities of critical systems: The administrator is responsible for monitoring the status pages of the cloud tool providers. If a security vulnerability is identified, we act according to the tool provider's instructions (e.g. the administrator sends a password change request to all users of the affected tool).
11. In the event of termination of employment, the person's access to all systems will be terminated.
I./3. Data access control
Data access control includes measures to ensure that users of data processing systems can access data based on the granted access rights and that data are not read, copied, modified or deleted without authorisation during processing, use and storage. Data access control is implemented in particular by means of the following measures:
1. Access to systems containing personal data is based on user accounts. Employees must obtain access permission and are assigned the specific segment of the system which they may access. All access is enabled only with a username, password and MFA.
2. Employees have access only to the data they absolutely need to perform their job duties and in accordance with the need-to-know principle. General access rights apply only to the administrator and the director.
3. Data carriers (e.g. decommissioned computers) are completely erased before disposal.
I./4. Separation control
The control of separation includes measures to ensure that data collected for different purposes are processed separately. The control of separate data processing is implemented in particular by the following measures:
- By separating development, test and production environments at the customer's request.
- Cloud tools enable logical separation of customers.
II. Measures that ensure the “integrity” of personal data
II./1. Transmission control
Transmission control includes measures to ensure that personal data cannot be read, copied, modified or deleted without authorisation during electronic transmission or storage. Transmission control is ensured in particular by the following measures:
- Password protection of documents
- VPN tunnels in case of connection to a remote partner environment
- Firewall and antivirus protection as described under point I./2.
II./2. Input control
Input control includes measures to ensure that it is possible to check and determine retrospectively whether personal data have been input into data processing systems, modified or removed (input control) and by whom. Input control is ensured in particular by the following measures:
- We provide basic traceability of personal data processing (entry, deletion, modification) through the "Windows Activity History" and "Windows App History" tools, the "Event Viewer" tool, browser browsing history, the Azure Admin Portal, and review of e-mail usage or access to employee e-mail inboxes (administrator only).
- Employees have access only to the data they absolutely need to perform their work tasks and in accordance with the need-to-know principle.
- Access to systems with personal data is based on user accounts.
III. Measures ensuring the “availability” of personal data
Availability control includes measures that ensure that personal data is protected against accidental destruction or loss. Availability control is implemented in particular by the following measures:
- All documents are stored in the cloud in the tools we use daily for our work. Cloud tool providers provide secure data storage. Access to cloud tools is enabled based on user accounts that provide MFA, OTP and 2FA.
- A smoke and fire detection system is installed in the office building, which is regularly tested.
- Firewall and antivirus protection as described under point I./2.
- In the event of security threats or security violations, the administrator sends a threat notification to all employees via common chat channels and may request a reset of all employees' passwords.
IV. Organizational measures
IV./1. Employees and other collaborators
1. Recruitment procedures are designed to ensure careful selection of employees (e.g. sending a detailed CV and a job interview with additional questions).
2. Employees who process personal data or have access to them have undertaken in writing to maintain confidentiality in relation to the processing of personal data.
3. Employees know how to recognize social engineering.
4. Employees adhere to the password policy.
5. Employees adhere to a clean screen and clean desk policy.
6. Employees are trained to raise awareness about security and privacy:
- Every new employee must complete the "Varni v pisarni" ("Safe in the Office") online seminar within 7 days of employment, accessible at the following link: https://www.varnivpisarni.si/, and must save the certificate to their device.
- Through the Wizer tool (https://www.wizer-training.com/), all employees receive a call once a year to complete the "Security Annual Training", which covers all current trends in corporate security. The administrator can check whether all employees have completed the training, and employees also receive e-mails with a reminder that they must complete this training.
7. Employees are informed of the controller's instructions and are obliged to comply with them; compliance is also regularly checked. Controllers have the right to carry out inspections and audits under the contract.
8. We have processes in place to carefully select service providers and monitor contract compliance. We have concluded appropriate data processing contracts with sub-processors, which include appropriate technical and organizational security measures and the right to conduct inspections and audits.
IV./2. Audit of technical and organizational measures
1. We internally assess the effectiveness of technical and organizational measures at least once a year. If deficiencies are identified, we introduce new measures or adjust existing ones.
2. The principle of "data protection by design and default" is established in software development, so that the right to privacy is taken into account when developing and designing products, services and applications.
IV./3. Measures in the event of a personal data breach
1. In the event of becoming aware of a personal data breach, we will notify the controller in writing without undue delay, and no later than 24 hours after becoming aware of the breach. The written notification will contain:
- the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects, and the types and approximate number of personal data records;
- the likely consequences of the personal data breach;
- the measures to be taken by the controller or proposed to be taken by the controller to address the personal data breach, as well as, where appropriate, measures to mitigate the potential adverse effects of the breach.
2. The notification will be sent by e-mail to the address of the Data Protection Officer of the controller or another contact person if the controller does not have a designated Data Protection Officer.
Technical and organizational measures
Ljubljana, 27.1.2026
2Mobile d.o.o.