Annex 2 - Technical and Organizational Measures (TOMs)
pursuant to Art. 32 GDPR for the use of the B2B software Lambus for Business
Version: 2026-03-30
1. Introduction and Purpose
This document describes the technical and organizational measures (TOMs) implemented by Lambus GmbH as a processor pursuant to Art. 28 and Art. 32 GDPR to protect personal data processed in the context of using the software Lambus for Business.
The aim of the measures is to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability, and resilience of the processing systems.
2. Type of Data Processed
In the context of using the software, the following personal data may be processed in particular:
- Master data (e.g. last name, first name)
- Contact data (e.g. email address, phone number)
- Travel data (travel dates, locations, accommodations, means of transport)
- Booking and reference numbers
- Usage and access data of B2B customers
3. Risk Assessment
Processing generally does not include special categories of personal data within the meaning of Art. 9 GDPR.
Only travel and booking-related data is required for the contractually owed service. Processing of complete identity documents (e.g. identity cards or driving licenses) is neither intended nor required.
If such documents are transmitted by the Controller in individual cases, they are stored exclusively in the context of data processing, without separate analysis or change of purpose.
The risk to the rights and freedoms of data subjects is assessed overall as appropriate and manageable. The following measures take account of this risk profile.
4. Measures for Access Control
Purpose: Prevention of unauthorized access to data processing systems.
- User accounts with individual login
- Password-protected access
- Automatic session timeout
- Protection against brute-force attacks
5. Measures for Data Access Control
Purpose: Ensuring that authorized users can only access the data intended for them.
- Role and rights management
- Client (tenant) separation between customers
- Access to production systems only for authorized employees
- Review of access rights at least every six months
6. Measures for Transfer Control
Purpose: Prevention of unauthorized transmission or disclosure of data.
- Encrypted data transfer (TLS/HTTPS)
- No disclosure of data to third parties without a contractual basis
- Engagement of processors only with a DPA
- Logging of administrative and system-side access to personal data to ensure traceability and prevent abuse
7. Measures for Input Control
Purpose: Traceability of whether and by whom personal data was entered, modified, or deleted.
- Logging of system access
- Traceable change processes
- Separation of development, test, and production systems
8. Measures for Availability Control
Purpose: Protection against accidental destruction or loss of data.
- Regular data backups (daily backups, retained for the last seven days)
- Recovery processes (disaster recovery)
- Monitoring of system availability
9. Measures for Integrity Control
Purpose: Protection against unauthorized or unintentional modification of data.
- Access restrictions to databases
- Version control for software changes
- Use of verified software components
10. Measures for Data Separation
Purpose: Ensuring that data of different customers is processed separately.
- Logical client (tenant) separation at application and database level
- Strict separation of test and production data
11. Measures for Order Control
Purpose: Ensuring processing exclusively in accordance with the Controller's instructions.
- Processing of personal data only pursuant to the DPA
- Documented internal data protection policies
- Regular training offered to employees
12. Measures for Employee Control
Purpose: Ensuring confidentiality through internal organization.
- Commitment of employees to confidentiality
- Access to customer data only when necessary (need-to-know)
- Awareness training on data protection and IT security at least every six months
13. Measures for Handling Security Incidents
- Documented processes for the detection and reporting of security incidents
- Internal escalation procedures and responsibilities
- Immediate notification of the Controller of personal data breaches, at the latest within 24 hours of becoming aware of the breach
- Support for the Controller with reporting obligations pursuant to Art. 33, 34 GDPR
14. Sub-processors
- Engagement only after careful selection
- Contractual obligation pursuant to Art. 28 GDPR
- Documentation of the sub-processors engaged. A current list of sub-processors can be provided upon request. Sub-processors currently engaged are in particular hosting and infrastructure service providers within the EU.
15. Deletion and Return of Data
- After termination of the contractual relationship, the Processor deletes all personal data at the Controller's option or returns it, unless a statutory retention obligation exists
- Productive personal customer data is generally not used in test or development environments. If this is exceptionally required, it is done exclusively applying the same technical and organizational measures as in the production system
16. Update of TOMs
These TOMs are reviewed regularly and updated as necessary, in particular in the event of technical changes or new legal requirements.
This document forms part of the Data Processing Agreement pursuant to Art. 28 GDPR.