SendStreak logo

Technical and Organisational Measures

Last updated: April 11, 2026

This document describes the technical and organisational measures (“TOMs”) implemented by SendStreak (Baryonix Kft) in accordance with Art. 32 of the General Data Protection Regulation (GDPR) to ensure the security of personal data processed on behalf of our customers.

These measures are referenced in our Data Processing Addendum and serve as Annex II of the Standard Contractual Clauses where applicable.

SendStreak may update these measures from time to time to reflect technological advances, changes in our infrastructure, or evolving security best practices. Any updates will maintain or improve the level of security described herein.

1. Confidentiality

1.1 Physical access control

Measures to prevent unauthorised persons from gaining physical access to data processing systems:

  • All infrastructure is hosted on DigitalOcean’s managed cloud platform in the EU (Frankfurt, Germany). SendStreak does not operate its own physical data centres.
  • DigitalOcean’s data centres are SOC 2 Type II audited and ISO 27001 certified, with physical security measures including 24/7 on-site security personnel, biometric access controls, video surveillance, and environmental controls.
  • SendStreak employees do not have physical access to the data centre facilities. All infrastructure management is performed remotely through authenticated and encrypted connections.

1.2 Logical access control

Measures to prevent unauthorised use of data processing systems:

  • Access to production systems is restricted to authorised personnel only, based on the principle of least privilege.
  • Multi-factor authentication (MFA) is required for all access to infrastructure management consoles and critical systems.
  • Strong password policies are enforced for all internal accounts.
  • Administrative access is logged and regularly reviewed.
  • API keys and authentication tokens are used to authenticate customer access to the service. Customers are responsible for securing their own API credentials.
  • Access rights are promptly revoked when personnel leave the organisation or change roles.

1.3 Separation control

Measures to ensure that personal data collected for different purposes is processed separately:

  • Customer data is logically separated at the application level. Each customer’s data is associated with their unique account identifier.
  • Production, staging, and development environments are strictly separated.
  • Customer data is never used in development or testing environments.

2. Integrity

2.1 Transmission control

Measures to ensure that personal data cannot be read, copied, altered, or removed by unauthorised parties during electronic transmission:

  • All data transmitted between customers and SendStreak is encrypted in transit using TLS 1.2 or higher.
  • HTTPS is enforced for all web traffic and API communications. HTTP connections are automatically redirected to HTTPS.
  • Email transmissions support STARTTLS for opportunistic encryption between mail servers.
  • SendStreak supports and encourages the use of DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) for email authentication.
  • Internal service-to-service communication within our infrastructure uses encrypted connections.

2.2 Input control

Measures to ensure it is possible to verify and establish whether and by whom personal data has been entered into, modified, or removed from data processing systems:

  • Application-level audit logging records significant actions including data creation, modification, and deletion events.
  • Logs capture the identity of the user or system performing each action, along with timestamps.
  • Audit logs are retained in accordance with our Data Retention Policy and are protected against unauthorised modification.

3. Availability and resilience

3.1 Availability control

Measures to ensure that personal data is protected against accidental destruction or loss:

  • Services are hosted on DigitalOcean’s managed infrastructure, which provides built-in redundancy and high availability.
  • Automated backups are performed regularly. Backup integrity is periodically verified through restoration testing.
  • Infrastructure is managed through code (Infrastructure as Code), enabling rapid and reliable rebuilds if necessary.
  • Monitoring and alerting systems are in place to detect and respond to service disruptions promptly.

3.2 Rapid recoverability

Measures to ensure the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident:

  • Disaster recovery procedures are documented and tested.
  • Backups are stored in geographically separated locations to protect against site-level failures.
  • Recovery objectives are defined and regularly reviewed to ensure they meet business and regulatory requirements.

4. Procedures for regular review

4.1 Data processing monitoring

  • Processing activities are monitored to ensure ongoing compliance with the GDPR and our Data Processing Addendum.
  • A record of processing activities is maintained in accordance with Art. 30(2) GDPR.

4.2 Incident response

  • A documented incident response procedure is in place for handling security breaches and data protection incidents.
  • Security incidents are reported to affected customers within 24 hours of discovery, as specified in our Data Processing Addendum.
  • Post-incident reviews are conducted to identify root causes and implement preventive measures.

4.3 Security assessments

  • Regular security reviews are conducted to identify and address potential vulnerabilities.
  • Dependencies and third-party libraries are monitored for known security vulnerabilities and patched promptly.
  • Security measures are reviewed and updated as needed to address evolving threats and technological changes.

5. Pseudonymisation and encryption

5.1 Encryption at rest

  • Data stored on DigitalOcean infrastructure is encrypted at rest using AES-256 encryption.
  • Encryption keys are managed by DigitalOcean’s key management infrastructure and are not accessible to SendStreak personnel.

5.2 Encryption in transit

  • All external communications are encrypted using TLS 1.2 or higher, as described in section 2.1.
  • TLS certificates are managed and renewed automatically.

5.3 Pseudonymisation

  • Where technically feasible and appropriate, personal data is pseudonymised for analytics and logging purposes.
  • Analytics data collected via Google Analytics uses pseudonymous identifiers and IP anonymisation.

6. Order control (processor supervision)

6.1 Sub-processor management

  • Sub-processors are carefully selected based on their ability to provide adequate security guarantees.
  • Data processing agreements are in place with all sub-processors, imposing obligations equivalent to those in our Data Processing Addendum.
  • A current list of sub-processors is maintained and published on our Sub-processor List page.

6.2 Employee obligations

  • All SendStreak personnel with access to personal data are bound by confidentiality obligations that survive the termination of their employment or engagement.
  • Personnel receive guidance on data protection responsibilities and secure data handling practices.

Contact

If you have questions about our technical and organisational measures, please contact us:

Baryonix Kft (SendStreak)
Kokut utca 0835/16
Eger, Hungary 3300

E: [email protected]
W: www.sendstreak.com