Dermalia

Technical and Organisational Measures

Version 1.0.0 · Published 2026-05-28

pursuant to Art. 32 GDPR · Annex 1 to the Data Processing Agreement

Processor: Mosaic Medical UG (haftungsbeschränkt), Stubbenhof 16, 21147 Hamburg, Germany, operating under the brand "Dermalia"

This document describes the technical and organisational measures Dermalia has implemented to protect personal data. As an annex it forms part of the Data Processing Agreement under Art. 28 GDPR.


1. Confidentiality (Art. 32(1)(b) GDPR)

Physical access control

Dermalia operates no servers of its own. All data processing takes place in certified data centres of the cloud providers used (Vercel, Neon) in the EU region Frankfurt am Main. Physical access to these data centres is controlled by the respective operators (incl. AWS infrastructure, ISO-27001-certified locations). Dermalia staff have no physical access to the servers.

System access control

(1) Access to all administrative systems is exclusively via personal accounts with strong authentication.

(2) Internal administration surfaces use Better Auth with magic link, passkey (WebAuthn) or Google OAuth; classic passwords are not used for administrative access.

(3) Access to the database and hosting is via the cloud providers' account management with two-factor authentication.

Data access control

(1) Patient reports are not publicly discoverable. Access is exclusively via a non-guessable report ID that acts as an access token. There is no patient login.

(2) For practice users a role-based permission model applies (Owner, Admin, Member) with tenant-separated data storage via the organisation concept. A practice sees only its own reports.

(3) Super-admin access is limited to a small, named group of people and is logged.

Separation control

Data of different practices is logically separated via tenant identifiers (organisation ID). Every database query is scoped to the tenant of the requesting user.

Pseudonymisation and data minimisation

(1) No date of birth, medical records, insurance or billing data is processed.

(2) Patients are known in the system only via report ID and optionally first name and email address. No link to other systems takes place.


2. Integrity (Art. 32(1)(b) GDPR)

Transfer control

(1) All data transmission takes place exclusively over TLS-encrypted connections (HTTPS).

(2) Data at rest is stored encrypted by the cloud providers used (encryption at rest at database and file-storage level).

(3) Retrieval of scan raw data from the Isemeco source system uses a dedicated technical access, separate from the practice's own credentials.

Input control

Security- and data-protection-relevant operations (report deletion, data export, practice creation, role changes, impersonation by super-admins) are recorded in an audit log with timestamp and triggering account.


3. Availability and resilience (Art. 32(1)(b) and (c) GDPR)

Availability control

(1) The infrastructure runs on highly available, multiply redundant cloud platforms.

(2) The PostgreSQL database runs as a managed service; backups and point-in-time recovery are provided by the database vendor.

Rapid recoverability

Through the managed-service operation of the database and the declarative, versioned infrastructure, the service can be restored promptly after an outage.


4. Procedures for regular review (Art. 32(1)(d) GDPR)

Data protection management

(1) Processing activities are documented pursuant to Art. 30 GDPR.

(2) Sub-processors used are named transparently in the Data Processing Agreement and reviewed for GDPR compliance.

Incident response

Data breaches are reported to the Controller without undue delay, at the latest within 24 hours of becoming aware (Art. 33 GDPR).

Sub-processing control

(1) Sub-processing outside the EU/EEA takes place exclusively under the EU Standard Contractual Clauses (Implementing Decision 2021/914).

(2) Upon request, Dermalia provides the Controller with the current version of these TOM.


5. Data erasure

(1) Patient reports are automatically deleted by default 24 months after creation.

(2) The Controller can at any time request immediate erasure of individual reports or the entire dataset via the practice dashboard or by request.

(3) Upon termination of the contract, all data is erased or returned within 30 days.
