Archlet for Strategic Procurement
Introduction
This document describes the technical and organizational measures (TOMs) implemented by Archlet AG ("Archlet") to protect personal data and customer data processed as part of our Software-as-a-Service (SaaS) offerings. These measures are designed to ensure the confidentiality, integrity, availability, and resilience of our systems and services, and to comply with applicable data protection regulations, including the European Union's General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP).
Archlet reviews and updates these TOMs on a regular basis to reflect changes in technology, threats, regulations, and business requirements.
Measures
Governance and Security Management
- Archlet maintains an information security and privacy governance framework with clearly defined responsibilities, policies, and procedures.
- Security and privacy responsibilities are assigned to appropriate roles within the organization, with executive accountability for the information security management system (ISMS).
- Security and privacy risks are assessed on a regular basis and whenever material changes to systems, processes, or vendors occur.
- Exceptions to security requirements are documented, reviewed, approved by authorized personnel, and tracked to resolution.
- The ISMS, supporting policies, and these Technical and Organizational Measures are reviewed at least annually and updated as required.
Access Control
- Access to personal data and customer data is granted on a need-to-know basis and following the principle of least privilege. Personnel are only granted the access required to perform their designated duties.
- User accounts are individual and attributable; shared accounts are prohibited.
- Strong authentication is enforced for all user accounts. Password requirements follow current NIST SP 800-63B guidance, including minimum length, complexity, and screening against known breached passwords.
- Multi-factor authentication (MFA) is mandatory for all employee access to production systems, administrative interfaces, and any system containing personal or customer data.
- Privileged access (e.g., administrator rights) is limited to a minimal number of authorized personnel, granted only for the duration required, and subject to additional controls and monitoring.
- Access rights are reviewed at least annually and are revoked immediately upon termination of employment or change of role.
- All access to personal data is logged and monitored to detect and prevent unauthorized access or misuse.
Physical Access Control
- Archlet offices are protected by physical access controls and are accessible only to authorized personnel and escorted visitors.
- Production systems are hosted in Microsoft Azure data centers, which operate under internationally recognized certifications (including ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, and SOC 3). Physical security at these data centers is managed by Microsoft and includes 24/7 on-site security personnel, video surveillance, biometric access controls, and strict visitor management.
- Archlet personnel do not have physical access to the underlying hosting infrastructure.
- Physical media containing personal or customer data are protected against unauthorized access and securely disposed of when no longer needed.
Asset Management and Endpoint Security
- Archlet maintains an inventory of company-managed devices and systems used to access business data.
- Company-managed endpoints are configured according to defined security baselines and are protected through full-disk encryption, screen lock, access controls, and endpoint protection (anti-malware and threat detection).
- Security updates and patches are applied to user devices and internally managed systems in a timely, risk-based manner.
- Company-managed devices are centrally managed, enabling configuration enforcement and remote wipe in the event of loss or theft.
- Use of removable media is restricted and, where permitted, subject to encryption and other appropriate safeguards.
Network Security
- Production networks are protected through firewalls, network segmentation, and managed security services provided by Microsoft Azure.
- Public endpoints are protected against common threats, including Distributed Denial-of-Service (DDoS) attacks and web application attacks (e.g., via a Web Application Firewall).
- All data transmitted between clients and Archlet services, and between internal components where applicable, is encrypted using industry-standard protocols (TLS 1.2 or higher).
- Administrative access to infrastructure is restricted to authorized personnel, requires MFA, and is performed through secured channels.
Data Encryption
- Personal data and customer data are encrypted at rest using industry-standard algorithms (AES-256 or equivalent).
- Personal data and customer data are encrypted in transit using TLS 1.2 or higher.
- Encryption keys are managed through Microsoft Azure's key management services, with access to keys restricted and logged.
Data Segregation
- Archlet operates a multi-tenant SaaS environment. Customer data is logically segregated so that each customer can only access their own data.
- Access controls, authentication, and application-level logic enforce this segregation at all layers of the platform.
- Non-production environments are logically separated from production environments.
- Production data is not used in non-production environments; where test data derived from production is required, it is anonymized or pseudonymized before use.
Pseudonymization and Anonymization
- Pseudonymization and anonymization techniques are applied to personal data where appropriate to reduce the risk to data subjects.
- In non-production environments, data used for testing, development, or analytics is anonymized or pseudonymized wherever feasible.
Logging and Monitoring
- Security-relevant events across applications, infrastructure, and access management systems are logged centrally to support operational security, incident detection, and forensic analysis.
- Logs are protected against unauthorized access and tampering, and are retained for a defined period in accordance with our retention policy and applicable legal requirements.
- Logs are monitored to detect suspicious activity, security incidents, and operational issues. Alerts are generated for defined security events and reviewed by authorized personnel.
Vulnerability Management
- Systems and dependencies are scanned regularly for known vulnerabilities. Identified vulnerabilities are prioritized based on severity and remediated within defined timeframes.
- Security patches are applied to infrastructure and applications on a regular basis, with critical patches expedited.
- Independent security providers perform penetration tests on the Archlet platform at least annually. Findings are tracked to remediation.
- Automated security tools (including static analysis, dependency scanning, and secret scanning) are integrated into the Software Development Life Cycle (SDLC).
Secure Software Development
- Archlet follows a secure SDLC that incorporates security at each stage, from design through deployment.
- All code changes are subject to peer review before being merged into production branches.
- Changes to production are deployed through automated, auditable CI/CD pipelines. Access to deploy to production is restricted to authorized personnel.
- Security requirements and threat considerations are addressed during the design of new features and significant architectural changes.
Change Management
- Changes to applications, infrastructure, and configuration are subject to defined change management processes appropriate to their risk and impact.
- Material changes are reviewed, tested, and approved before release to production.
- Changes with potential security or privacy impact are evaluated for risk before implementation.
- Emergency changes follow an expedited process and are reviewed retrospectively to confirm appropriateness and to capture any follow-up actions.
- All changes to production are logged and auditable.
Recoverability, Business Continuity, and Disaster Recovery
- Personal data and customer data are backed up on a regular basis. Backups are stored redundantly and in geographically distributed locations within the European Union.
- Backups are encrypted using the same standards applied to production data.
- Backup and restore procedures are tested periodically to verify their effectiveness.
- Archlet maintains a business continuity and disaster recovery plan with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). The plan is reviewed and tested on a regular basis.
Data Retention and Deletion
- Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law or contractual obligations.
- Data retention policies are reviewed regularly and updated to remain appropriate and compliant.
- Upon expiry of the retention period, or upon customer request in accordance with the applicable contract, personal data is securely deleted or anonymized.
Incident Response Management
- Archlet maintains a documented incident response plan that covers the identification, containment, investigation, remediation, and post-incident review of security incidents and personal data breaches.
- Roles and responsibilities for incident response are clearly defined.
- Personnel receive regular training on incident response procedures.
- In the event of a personal data breach, Archlet notifies affected customers without undue delay and in accordance with GDPR and applicable data processing agreements.
- Post-incident reviews (lessons-learned) are conducted for significant incidents to identify root causes and corrective actions, and to drive continuous improvement of security controls.
Employee Security and Awareness
- All employees are subject to confidentiality obligations as part of their employment contract, which remain in effect after termination.
- Background checks are conducted for new hires where legally permissible.
- All employees complete security and data protection awareness training upon onboarding and at regular intervals thereafter.
- Role-specific training is provided to personnel with elevated responsibilities (e.g., engineering, operations, customer support).
Third-Party and Subprocessor Management
- Third parties with access to personal or customer data are assessed prior to engagement to verify that they implement appropriate technical and organizational measures.
- Data Processing Agreements (DPAs), including EU Standard Contractual Clauses where applicable, are concluded with all subprocessors.
- An up-to-date list of subprocessors is made available to customers at archlet.io/subprocessors and is updated when changes occur.
- Access granted to third parties is limited to what is required, documented, and removed without undue delay when no longer needed.
- The security posture of subprocessors is reviewed on a regular basis.
Privacy Management
- Archlet considers data protection and privacy requirements in the design and operation of its services and internal processes (privacy by design and by default).
- Archlet has appointed a Data Protection Officer (DPO) who oversees data protection matters, monitors compliance with applicable regulations, and serves as the point of contact for data subjects and supervisory authorities.
- The DPO reviews these Technical and Organizational Measures on a regular basis and advises on necessary changes.
- Privacy-related inquiries, data subject requests, and privacy incidents are handled through defined processes within established timelines.
- Records of processing activities are maintained in accordance with GDPR Article 30.
Security Policies and Governance
- Archlet maintains a comprehensive set of information security policies covering, among others, access management, acceptable use, data classification, change management, incident response, and business continuity.
- Security policies are approved by management, communicated to all personnel, and binding on employees, contractors, and temporary staff.
- Policies are reviewed at least annually and updated as required.
Audits and Certifications
- Archlet is ISO/IEC 27001 certified. The certification covers our information security management system (ISMS), which governs the design, development, operation, and support of the Archlet SaaS platform. The ISMS is subject to regular internal audits as well as external surveillance and recertification audits by an accredited certification body.
- Archlet's production infrastructure is hosted on Microsoft Azure, which maintains ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, and SOC 3 certifications.
- Archlet undergoes independent penetration testing at least annually. Summary reports are available to customers upon request and subject to a non-disclosure agreement.
- A copy of the ISO/IEC 27001 certificate is available to customers and prospects upon request.
Conclusion
Archlet is committed to the protection of personal and customer data processed as part of our SaaS offerings. The technical and organizational measures described above are designed to ensure the confidentiality, integrity, availability, and resilience of our systems and services, and to comply with applicable data protection regulations. These measures are reviewed and updated on a regular basis to reflect evolving technology, threats, and regulatory requirements.