ProcessMind Security Measures
Effective date: April 15, 2026
This document describes the technical and organizational measures (“TOMs”) ProcessMind B.V. maintains to protect the confidentiality, integrity, and availability of Customer Data. These measures supplement the Data Processing Addendum, the Privacy Policy, and the SaaS Hosting Policy. ProcessMind reviews and updates these measures at least annually.
Customer Data is never sold to, shared with, or used by third parties for their own purposes.
1. Infrastructure Security
1.1 Cloud Platform. ProcessMind is hosted exclusively on Amazon Web Services (AWS) in the EU (Frankfurt, Germany, eu-central-1). AWS maintains ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, and PCI DSS certifications. See AWS Compliance Programs for a full list.
1.2 Serverless Architecture. All application logic runs on AWS Lambda (serverless). There are no long-lived servers to patch or harden, eliminating an entire class of infrastructure risks including unpatched operating systems, persistent compromises, and server misconfiguration.
1.3 Network Isolation. All compute and database resources operate within a Virtual Private Cloud (VPC) using private subnets with no direct internet access. Database instances are not publicly accessible; they are reachable only via the AWS RDS Data API from authorized Lambda functions.
1.4 Content Delivery. Static assets are served through Amazon CloudFront with strict Content Security Policy (CSP) response headers including frame-ancestors restrictions to prevent clickjacking.
1.5 Environment Segregation. Production and development environments use separate AWS accounts, separate databases, and separate infrastructure stacks, managed through AWS Control Tower with best-practice account segregation. Preventive and detective guardrails enforce security baselines across all accounts. Developer credentials cannot access production Customer Data.
2. Data Encryption
2.1 Encryption in Transit. All data transmitted between clients and ProcessMind services is encrypted using TLS 1.2 or higher. HTTPS is enforced on all API endpoints, S3 uploads, and the web application. Internal service-to-service communication within the VPC also uses encrypted channels.
2.2 Encryption at Rest. All databases (Amazon Aurora PostgreSQL) are encrypted at rest using AES-256 through AWS Key Management Service (KMS) with a customer-managed key and automatic annual key rotation enabled. All storage (Amazon S3) is encrypted at rest using AES-256 via server-side encryption with Amazon S3 managed keys (SSE-S3).
2.3 Key Management. Database encryption keys are managed centrally via AWS KMS. Key access is governed by IAM policies following the principle of least privilege. S3 encryption keys are managed automatically by AWS. Keys are never stored in application code or configuration files.
3. Data Isolation and Residency
3.1 Tenant Isolation. Each customer organization receives a dedicated, isolated database instance. Customer Data is never commingled with other customers’ data at the database level. Shared metadata (e.g., account records, billing) is stored in a separate multi-tenant database with strict access controls.
3.2 Data Residency. All Customer Data, including databases, file uploads, backups, and query results, is stored exclusively in the EU (Frankfurt, Germany). ProcessMind does not transfer or replicate Customer Data outside the European Economic Area.
3.3 Data Retention and Deletion. For paid subscriptions, Customer Data is automatically deleted ninety (90) days after the end of the subscription term. For trial accounts, data is automatically deleted thirteen (13) months after account creation. Customers may delete their data at any time through the application or by contacting ProcessMind. Data in automatic backups expires within an additional ninety (90) days. Full details are provided in Section 6 of the Data Processing Addendum.
4. Identity and Access Management
4.1 Authentication. ProcessMind supports Single Sign-On (SSO) via Microsoft Entra ID (Azure AD), Google OAuth 2.0/OIDC, and LinkedIn OAuth 2.0/OIDC. ProcessMind acts as a relying party and does not store user passwords. Multi-factor authentication (MFA) is supported through the customer’s identity provider.
4.2 Session Management. All sessions use signed JSON Web Tokens (JWT) transmitted over secure, HttpOnly cookies with SameSite and Secure flags. Token signatures are validated on every API request.
4.3 Authorization. All API endpoints enforce JWT-based authorization at the application layer. Access to Customer Data is scoped to the authenticated tenant, preventing cross-tenant data access.
4.4 Least Privilege. Internal systems follow the principle of least privilege. IAM roles for infrastructure components are scoped to the minimum permissions required. Employee access to production systems is restricted to named personnel with a documented business need.
4.5 Employee Access Controls. Employee access to internal systems is managed through Active Directory with SSO and mandatory MFA. Role-based access control (RBAC) ensures that access to Customer Data is limited to authorized personnel on a need-to-know basis. Access rights are reviewed periodically.
5. Logging, Monitoring, and Audit
5.1 Centralized Logging. All application events, authentication events, and system activities are logged centrally via Amazon CloudWatch using structured JSON logging. Separate log groups are maintained for application logs, audit events, and telemetry data. Audit and telemetry logs are retained indefinitely and protected against deletion.
5.2 Access Logging. WebSocket API access logging is enabled. Application-layer logging captures authentication events and API request details for forensic analysis.
5.3 Monitoring and Alerting. CloudWatch alarms and dashboards provide real-time monitoring of system health, error rates, and security-relevant events. Anomalies trigger automated alerts to the engineering team.
5.4 Log Protection. Logs are stored in dedicated, access-controlled CloudWatch log groups. Log data is encrypted at rest. Production logs are not accessible from development environments.
6. Vulnerability Management
6.1 Automated Compliance Scanning. Infrastructure-as-code is scanned at every deployment using cdk-nag, which validates configurations against multiple compliance frameworks including AWS Solutions best practices, HIPAA Security, NIST 800-53 Rev 4 and Rev 5, and PCI DSS 3.2.1. Compliance reports are generated for every stack and reviewed as part of the deployment process. Findings are tracked, triaged, and either remediated or documented with justifications.
6.2 Dependency Management. Software dependencies are monitored continuously for known vulnerabilities. Critical and high-severity vulnerabilities are patched promptly. Dependencies are updated on a regular cycle.
6.3 Secure Software Development Lifecycle (SDLC). All code changes go through peer review before merging to production. Automated test suites (unit, integration, and end-to-end) run on every change. Security considerations are part of the review checklist.
7. Backup and Disaster Recovery
7.1 Automated Backups. Amazon Aurora performs continuous, automated backups with a retention period of seven (7) days. Backups are encrypted using the same customer-managed KMS keys as the source databases.
7.2 Point-in-Time Recovery. Aurora supports point-in-time recovery to any second within the backup retention window, enabling rapid restoration in case of data corruption or accidental deletion.
7.3 S3 Data Durability. File uploads and data warehouse artifacts are stored in Amazon S3, which provides 99.999999999% (11 nines) durability. S3 versioning is enabled, retaining previous object versions for recovery purposes.
7.4 Business Continuity. Disaster recovery procedures are documented and tested periodically. The serverless architecture inherently provides high availability across multiple Availability Zones within the eu-central-1 region.
8. Incident Response
8.1 Incident Notification. In the event of a Security Incident (as defined in the DPA), ProcessMind will notify affected customers without undue delay, and where feasible, within seventy-two (72) hours of becoming aware of the incident.
8.2 Incident Handling. ProcessMind maintains documented incident response procedures covering identification, containment, eradication, recovery, and post-incident review. Lessons learned from incidents are incorporated into security controls and processes.
8.3 Communication. Incident notifications include the nature and scope of the incident, data categories affected, measures taken to contain the incident, and recommended actions for the customer.
9. Organizational Measures
9.1 Information Security Management. ProcessMind maintains an information security management system aligned with ISO 27001. ProcessMind pursues and maintains certifications in accordance with customer and regulatory requirements.
9.2 Security Awareness. All personnel with access to Customer Data receive security awareness training. Security best practices are embedded in onboarding, development workflows, and operational procedures.
9.3 Vendor and Sub-processor Management. Sub-processors are contractually bound to data protection standards equivalent to those described in this document. ProcessMind maintains a public sub-processor list and provides at least thirty (30) days’ notice before engaging a new sub-processor. Sub-processors are reviewed annually for compliance.
9.4 Confidentiality. All personnel authorized to process Customer Data are bound by written confidentiality obligations.
10. Compliance and Certifications
| Framework / Standard | Status |
|---|---|
| GDPR (EU General Data Protection Regulation) | Compliant |
| EU Data Residency (Frankfurt, Germany) | Enforced |
| AWS Infrastructure Certifications (ISO 27001, SOC 2, PCI DSS) | Inherited via AWS |
| Standard Contractual Clauses (SCCs) for international transfers | Implemented (see DPA) |
| Data Processing Addendum (DPA) | Available on request |
For questions regarding security, compliance, or to request documentation such as audit reports or completed security questionnaires, contact security@processmind.com.