Technical and Organisational Security Measures (TOMs)

These are the measures Mighty Workflow takes to protect personal data, aligned with GDPR Article 32 and the security safeguards in POPIA section 19.

Technical Measures

  • Encryption
    • All traffic is encrypted in transit using HTTPS/TLS 1.2+
    • All backups and storage volumes are encrypted at rest
    • Passwords and authentication credentials are stored only as salted hashes produced by a purpose-built password hashing algorithm (e.g., bcrypt), never in plain text
    • Sensitive configuration values (API keys, secrets) are stored securely in encrypted vaults
  • Access Controls
    • Role-based access controls (RBAC) limit internal team access strictly to what is necessary (“least privilege”)
    • Multi-factor authentication (MFA/2FA) is enforced for all administrative and engineering accounts
    • Session management enforces automatic timeouts
    • Access rights are reviewed on a regular basis
  • Monitoring & Logging
    • Access logs, system activity, and security events are collected and monitored
    • Failed login attempts, suspicious activity, and anomalies are automatically flagged
    • Logs are protected from tampering and retained in accordance with security policy
  • Infrastructure Security
    • Services are hosted on ISO 27001–certified cloud infrastructure (currently AWS)
    • Patching and vulnerability management of the underlying hosts and managed services is performed by AWS under its shared responsibility model
    • Container images and application dependencies are regularly patched and scanned for known vulnerabilities
    • Firewalls, intrusion detection systems, and DDoS protection are in place to protect against attacks
  • Data Segregation & Isolation
    • User access to Customer Data is scoped to authorised roles and enforced by application logic
    • Production and test environments are segregated
  • Backup & Recovery
    • Encrypted backups are taken regularly and stored securely
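As an added example, not Mighty Workflow's own tooling, the Python script below shows one way the "failed login attempts and anomalies are automatically flagged" control under Monitoring & Logging can be implemented: it parses constructed, synthetic authentication log lines and raises an alert when one source IP exceeds a threshold of failures inside a sliding time window, and a second alert when a successful login follows a run of failures for the same account (a common sign of a credential-stuffing hit). The log format, field names, thresholds and window size are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample auth log (synthetic; not from any real system).
# Format and field names are assumptions for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth event=login_failed user=alice src=203.0.113.7
2024-05-01T10:00:09Z auth event=login_failed user=alice src=203.0.113.7
2024-05-01T10:00:20Z auth event=login_failed user=bob src=198.51.100.9
2024-05-01T10:00:31Z auth event=login_failed user=alice src=203.0.113.7
2024-05-01T10:00:44Z auth event=login_failed user=alice src=203.0.113.7
2024-05-01T10:01:02Z auth event=login_failed user=alice src=203.0.113.7
2024-05-01T10:01:30Z auth event=login_success user=alice src=203.0.113.7
2024-05-01T10:30:00Z auth event=login_failed user=bob src=198.51.100.9
2024-05-01T10:30:05Z auth event=login_success user=bob src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth event=(?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match.

    Unparseable lines are skipped rather than treated as fatal so that a single
    malformed entry cannot stop the detector.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": m["event"], "user": m["user"], "src": m["src"]}


def _evict(timestamps, now, window):
    """Drop timestamps older than the sliding window from the left of the deque."""
    while timestamps and now - timestamps[0] > window:
        timestamps.popleft()


def flag_failed_logins(lines, burst_threshold=5, success_after=3,
                       window=timedelta(minutes=10)):
    """Return a list of (alert_type, subject, count) tuples in log order.

    - "burst_failures": a source IP reached burst_threshold failures within
      the window (fires once per crossing, so a sustained attack re-alerts
      only after the window has drained and refilled).
    - "success_after_failures": an account logged in successfully after at
      least success_after failures within the window.
    """
    failures_by_src = defaultdict(deque)
    failures_by_user = defaultdict(deque)
    alerts = []

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        now = ev["ts"]
        src_hist = failures_by_src[ev["src"]]
        user_hist = failures_by_user[ev["user"]]
        _evict(src_hist, now, window)
        _evict(user_hist, now, window)

        if ev["event"] == "login_failed":
            src_hist.append(now)
            user_hist.append(now)
            if len(src_hist) == burst_threshold:
                alerts.append(("burst_failures", ev["src"], len(src_hist)))
        elif ev["event"] == "login_success":
            prior = len(user_hist)
            if prior >= success_after:
                alerts.append(("success_after_failures", ev["user"], prior))
            # A successful login ends the account's failure streak.
            user_hist.clear()

    return alerts


if __name__ == "__main__":
    for alert in flag_failed_logins(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the defaults, alice's five failures from 203.0.113.7 inside two minutes trigger a burst alert, and her subsequent success triggers the second alert; bob's two failures are half an hour apart, so the window evicts the first and nothing fires. Widening the window to an hour makes bob's source cross a lower threshold, which is the tuning trade-off a real detector has to make between catching slow attacks and drowning analysts in noise.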

Organisational Measures

  • Privacy by Design & Default
    • Features are designed with data minimisation in mind (only data strictly necessary for the workflow is collected)
    • Privacy Impact Assessments (PIAs/DPIAs) are conducted for significant new features or processing activities
  • Policies & Governance
    • A documented Data Protection Policy and Incident Response Plan are in place
    • Data flows and processing activities are reviewed regularly
    • Employees and contractors complete mandatory GDPR/POPIA training and sign confidentiality agreements
  • Third-Party Vendor Management
    • Sub-processors and vendors are reviewed for security compliance before onboarding
    • All sub-processors are contractually bound to data protection requirements equivalent to this DPA
    • A current list of sub-processors is maintained and available to Controllers upon request
  • Data Breach Protocol
    • Any Personal Data breach is documented and notified to the Controller without undue delay after we become aware of it, so that the Controller can meet its own 72-hour notification deadline under GDPR Article 33 where that applies
    • Root cause analysis and remedial measures are documented and tracked
  • Data Subject Support
    • Self-service tools allow Controllers (Subscribers) to respond to data subject rights requests (access, correction, deletion, export)
    • We provide reasonable assistance to Controllers in fulfilling their obligations under GDPR/POPIA
  • Confidentiality & HR Measures
    • All staff with access to Personal Data are bound by confidentiality agreements
    • Access to systems is revoked immediately when an employee or contractor leaves
    • Staff are provided with ongoing training on secure data handling