Technical and Organisational Measures (TOMs)

At Friendly, we take data protection and information security seriously. We are committed to complying with the new Swiss Federal Act on Data Protection (nFADP) and the EU General Data Protection Regulation (GDPR). Through carefully implemented technical and organizational measures, we ensure that the data you entrust to us is stored securely and protected against unauthorized access.

We specifically protect the confidentiality, availability, and integrity of all processed data according to its level of sensitivity. You can learn more about how we do this below.

1. Responsibility

Responsibility for data processing lies with Friendly LLC, Werkhofstrasse 5, 6052 Hergiswil, Switzerland.

You can reach us by email at .

2. Confidentiality

Confidentiality means that unauthorized persons cannot access personal data.

2.1 Access Control

Friendly protects sensitive areas from unauthorized physical access through:

  • Secure data centers: Our data is processed in ISO 27001-certified data centers. These facilities are equipped with strict access controls such as biometric scanners, security personnel, and video surveillance.
  • Office security: Access to our office is regulated by key and restricted to authorized individuals. Visitors must register and are accompanied by an authorized employee.
  • Remote work security: Security in home office settings is ensured through a comprehensive employee policy.

2.2 System Access Control

Friendly protects personal and sensitive business data from unauthorized system access through:

  • User authorization: Only authorized employees have access to our systems. They use strong authentication methods such as complex passwords and multi-factor authentication (MFA). Access to the systems and applications is logged.
  • Secure private devices: Employees may use personal devices for work purposes. These must meet the same security standards as company devices, including up-to-date operating systems, encrypted drives, and active firewalls.
  • Role and permissions concept: Data and system access is granted strictly on a need-to-know basis according to our role-based access control model, ensuring that employees only access the data necessary for their work.
  • Network encryption: Access to our systems and applications is only possible via encrypted connections.
  • Secure server configuration: Our servers are protected by firewalls and intrusion prevention systems and receive regular security updates and checks.

2.3 Separation Control

Friendly ensures that customer data is processed in a strictly segregated manner and cannot be accessed by unauthorized third parties through:

  • Multi-tenant system architecture: Our applications are designed to process the data of different customers in a tenant-specific manner. Mixing of data or cross-access between tenants is technically prevented.
  • Clear data assignment: Every piece of processed information is clearly assigned to a specific customer. This separation is enforced across all relevant databases and applications.
  • Tenant-specific access logic: Access to data is strictly limited to the respective tenant context. Access controls ensure that employees or systems cannot unintentionally access data belonging to other customers. All access to systems and applications is logged.

2.4 Privacy by Design and Privacy by Default

Friendly applies the principles of Privacy by Design and Privacy by Default when selecting, configuring, and operating the software in use:

  • Privacy by Design: We use software solutions that incorporate data protection and information security as part of their technical foundation. During configuration, we focus on privacy-oriented system design.
  • Privacy by Default: Our configurations follow the principle of data minimisation, ensuring that only the personal data strictly necessary for operation is processed and displayed.

3. Availability

Availability means that personal data is accessible when needed.

3.1 Availability Control and Resilience

Friendly protects personal data from accidental loss or intentional destruction through:

  • Protection against external factors and outages: Our data centers feature smoke detection and extinguishing systems, temperature and humidity monitoring, air conditioning, backup power systems, and emergency plans.
  • Protection against attacks: We have implemented defenses against known attacks such as Distributed Denial of Service (DDoS).
  • Secure IT infrastructure: Our systems are designed with redundancy and protected through measures such as load balancing and automatic failover mechanisms.
  • Early warning systems: Automated tools continuously monitor the availability and security of our systems and trigger alerts in case of anomalies.
  • Ongoing monitoring: Our IT specialists continuously monitor system availability, functionality, security, and load.

3.2 Rapid Recoverability

Friendly ensures fast data recovery in the event of loss through:

  • Regular backups: All business-critical data is backed up daily and stored in encrypted form at secure, separate locations.
  • Emergency management: A written emergency plan for rapid recovery in the event of data loss or system failure is in place and regularly tested.
  • Recovery tests: Regular testing of backup recovery procedures ensures that all data can be successfully restored when needed.

4. Integrity

Integrity means that personal data is not altered without authorization or unintentionally.

4.1 Data Transfer Control

Friendly ensures that data is transmitted securely through:

  • Secure communication channels: Internal communication takes place over encrypted channels.
  • Secure data exchange: Sensitive data is not sent via email but transferred using encrypted cloud services.
  • Secure supplier relationships (processing control): We only use third-party software from trusted providers and require contractual guarantees regarding compliance with data security standards.

4.2 Input Control

Friendly ensures traceability of data input through:

  • Documentation and traceability: All data processing activities are logged to ensure transparency and data integrity.
  • Database and application security: Databases and applications are configured with access controls that allow only authorized users to make changes.
  • Authorization framework: Permissions for data entry, modification, and deletion are clearly defined.

4.3 Data Deletion and Data Lifecycle Management

Friendly ensures that personal data is only stored for as long as necessary for the respective processing purpose:

  • Automated deletion: Personal data is deleted after the end of the contract, the discontinuation of the processing purpose, or the expiration of legal retention periods.
  • Archiving obligations: Data that must be retained for legal reasons is stored separately, excluded from regular processing, and deleted once the retention period has expired.
  • Self-service deletion functions: Customers can delete or modify their data at any time within the scope of their administrative permissions.

5. Management

5.1 Policies, Training, and Documentation

Friendly ensures that all employees protect the confidentiality and integrity of information through:

  • Employee policies: All employees are bound by an internal information security policy.
  • Confidentiality agreements: Employees are required to maintain the confidentiality of sensitive information both during and after their employment.
  • Documentation: All measures and processes to ensure compliance are thoroughly documented to minimize the risk of human error.
  • Regular training: Employees receive regular training on data protection and information security to stay informed about best practices and emerging threats.
  • Fostering a security culture: We promote a culture of security awareness and open communication around data protection and security topics.

5.2 Management of Information Security Threats

Friendly ensures efficient handling of information security incidents through:

  • Incident management: Security incidents and suspicious activities are reported immediately and handled in accordance with our incident response plan.
  • Timely customer communication: Affected customers are informed without delay in the event of a security incident.

5.3 Review and Updating of Measures

Friendly ensures the ongoing relevance of our security standards through:

  • Continuous improvement: We continuously monitor emerging threats and regulatory developments, applying a management system aimed at ongoing improvement of our security standards.
  • Regular penetration tests: We regularly conduct external penetration tests to evaluate the effectiveness of our technical security measures. The results are directly incorporated into the ongoing development of our security architecture.
  • Regular audits: Internal and external audits, especially for ISO 27001 (Information Security) and ISO 9001 (Quality Management) certifications, ensure compliance with our security policies.

Updated on: May 5, 2025