Security and TOMs Overview
This page is provided for convenience and may be updated over time.
This document summarizes the technical and organizational measures (TOMs) used by Lingonberry Island Ltd. (Business ID: FI2912630-1, Finland) to protect personal data in the Callers CRM service.
1. Access control
- Firebase Authentication, with workspace isolation enforced through custom tenant claims carried in the user's ID token.
- Role-based access control distinguishing workspace admins from standard users.
- Administrative access is restricted to superadmins; workspace ID 1 is reserved for system operations.
2. Encryption
- TLS for data in transit.
- Database encryption at rest provided by the hosting provider.
- Gmail OAuth tokens are encrypted at rest in production using the TOKEN_ENCRYPTION_KEY.
3. Application security
- Rate limiting on sensitive endpoints.
- Input validation on API endpoints.
- Session revocation checks (rejecting tokens whose session has been revoked) can be enabled in production.
4. Logging and monitoring
- Error monitoring via Sentry.
- Prometheus metrics for performance and security events, where enabled.
- Audit logging for administrative and security-relevant actions.
5. Operational security
- Principle of least privilege for staff access.
- Separation of dev/test and production environments.
- Change controls and documented deployment procedures.
6. Incident response
- Security incidents are tracked and escalated internally.
- Customers are notified of personal data breaches without undue delay after becoming aware of them, as required by GDPR (Art. 33(2)).