Technical and Organizational Measures

Annex 2 to the Data Processing Agreement
Minimist FlexCo
Last updated: April 2026

This document describes the technical and organizational measures implemented by Minimist FlexCo ("Processor") to ensure the security of personal data processed on behalf of its customers ("Controllers") in accordance with Article 32 of the General Data Protection Regulation (GDPR).

1. Access Control (Physical)

Physical access to data processing infrastructure is controlled through the following measures:

Hetzner Data Centers (Primary Infrastructure)

  • ISO 27001 certified data center facilities located in the European Union
  • Biometric access control systems for entry to all server areas
  • 24/7 on-site security personnel and CCTV surveillance
  • Multi-factor physical access authentication for authorized personnel
  • Access logging and audit trails for all data center entry points
  • Environmental controls including fire suppression, climate control, and redundant power supply

Google Cloud Platform (Managed Services)

  • SOC 2 Type II and ISO 27001 certified facilities
  • Multi-layered physical security controls including biometric identification and vehicle access barriers
  • Custom-designed electronic access cards with security zones
  • Laser-based intrusion detection systems in data center floors
  • Environmental controls meeting or exceeding industry standards
  • Regular third-party audits of physical security controls

Minimist personnel do not have physical access to any data center facility. All infrastructure management is performed remotely through authenticated and encrypted administrative channels.

2. Access Control (Logical)

Access to systems and personal data is restricted through the following logical controls:

Authentication

  • End-user authentication via Firebase Authentication with multi-provider support (email/password, Google OAuth 2.0, Apple OAuth)
  • Role-based access control (RBAC) enforced per tenant with distinct roles: owner, admin, and member, each with defined permission boundaries
  • API authentication via JSON Web Tokens (JWT) with short-lived access tokens and separate refresh token lifecycle
  • Machine-to-machine authentication via OAuth 2.0 client credentials flow for inter-service communication
  • Service-to-service authentication via mutually authenticated gRPC connections with token validation against the central authentication service

System Administration

  • Least-privilege access principle applied to all production systems
  • Administrative access to Kubernetes clusters restricted to authorized personnel with named credentials
  • Separate staging and production environments with independent access controls
  • Infrastructure secrets encrypted at rest using SOPS with age-based key management; never stored in plain text in source control
  • Regular review of access permissions and removal of access upon role change or departure

3. Data Separation

Personal data of different Controllers is logically separated through the following measures:

  • Multi-tenant architecture with mandatory tenant ID isolation enforced at the application layer for all data operations
  • Firestore security rules enforcing per-tenant data access boundaries at the database level
  • Per-marketplace publishable API keys ensuring storefront-level isolation of customer-facing data
  • Logical separation of customer data across all storage systems (Firestore, PostgreSQL, Cloud Storage, BigQuery)
  • Namespace isolation in Kubernetes for workload separation between environments
  • Query-level enforcement ensuring all database queries include tenant context, preventing cross-tenant data access
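As an added illustration of the per-tenant boundaries this section describes (example rules, not Minimist's own; the tenants/{tenantId}/members/{uid} layout and the role field are assumed), a Firestore security rules fragment that permits access only when the tenant in the document path matches a membership record of the caller, using the owner/admin/member roles from Section 2:

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumed layout: tenants/{tenantId}/members/{uid} holds { role: 'owner' | 'admin' | 'member' }
    function signedIn() {
      return request.auth != null;
    }
    function memberPath(tenantId) {
      return /databases/$(database)/documents/tenants/$(tenantId)/members/$(request.auth.uid);
    }
    // Tenant context comes from the path; the caller must hold a membership in that exact tenant.
    function isMember(tenantId) {
      return signedIn() && exists(memberPath(tenantId));
    }
    function hasRole(tenantId, roles) {
      return isMember(tenantId) && get(memberPath(tenantId)).data.role in roles;
    }
    // Tenant-scoped business objects (listings shown; orders, transactions follow the same pattern).
    match /tenants/{tenantId}/listings/{listingId} {
      allow read: if isMember(tenantId);
      // The stored tenantId must equal the path tenant, so a document cannot be written into another tenant's subtree.
      allow create, update: if isMember(tenantId)
                            && request.resource.data.tenantId == tenantId;
      allow delete: if hasRole(tenantId, ['owner', 'admin']);
    }
    // Membership records: visible to members, changeable only by the tenant owner.
    match /tenants/{tenantId}/members/{uid} {
      allow read: if isMember(tenantId);
      allow write: if hasRole(tenantId, ['owner']);
    }
    // No catch-all match: any path outside a tenant subtree is denied by default.
  }
}
```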

4. Pseudonymization

The following pseudonymization measures are applied to reduce the identifiability of data subjects:

  • Firebase UIDs used as primary user identifiers throughout the system rather than directly identifying information such as email addresses or names
  • Internal reference IDs (KSUIDs) used for orders, listings, transactions, and other business objects, providing non-sequential, non-guessable identifiers
  • Telemetry data sanitization applied before transmission to observability platforms, removing email addresses and other directly identifying information from traces, logs, and metrics
  • Analytics events collected via Server-Side Google Tag Manager, enabling server-side sanitization of any personally identifiable information before data reaches third-party analytics providers

5. Encryption

In Transit

  • TLS 1.2 or higher enforced for all external API communications, including client-to-server and server-to-third-party connections
  • gRPC with TLS for all inter-service communication within the platform
  • HTTPS enforced on all web-facing endpoints with HTTP Strict Transport Security (HSTS) headers
  • Database connections encrypted via TLS for all PostgreSQL and managed database services

At Rest

  • Google Cloud default encryption (AES-256) applied to all data stored in Firestore, Cloud Storage, and BigQuery
  • PostgreSQL database encryption at rest for all relational data stores
  • Kubernetes secrets encrypted using SOPS/KSOPS with age-based key pairs, ensuring secrets are encrypted in source control and decrypted only at deployment time within the cluster
  • Backup encryption for all database backups using provider-managed encryption keys

6. Availability and Resilience

The following measures ensure the availability and resilience of data processing systems:

  • High-availability Kubernetes cluster on Hetzner consisting of three control plane nodes (HA k3s) with workload distribution across nodes
  • Google Cloud managed services (Firestore, Cloud Storage, BigQuery) with built-in redundancy, automatic failover, and provider-guaranteed SLAs
  • Progressive deployment via Argo Rollouts, enabling zero-downtime deployments with automatic rollback on health check failure
  • Database backups with defined recovery procedures and regular restoration testing
  • Container orchestration with automatic pod rescheduling on node failure
  • Resource limits and autoscaling configured for all production workloads to handle traffic spikes
  • Multi-zone storage replication for critical data through Google Cloud managed services

7. Monitoring and Logging

Comprehensive monitoring and logging are implemented across all services:

  • OpenTelemetry instrumentation across all services providing correlated distributed traces, metrics, and structured logs
  • Grafana dashboards with Prometheus metrics collection and Loki log aggregation for centralized operational visibility
  • Firebase Crashlytics for mobile application crash reporting and stability monitoring
  • Alerting rules configured for anomalous access patterns, elevated error rates, and service degradation
  • Structured logging with consistent correlation IDs enabling end-to-end request tracing
  • Audit-relevant events logged including authentication attempts, authorization failures, and administrative actions
  • Log retention policies configured in accordance with data minimization principles

8. Incident Response

The following incident response procedures are in place:

  • Defined incident classification framework with severity levels and corresponding escalation procedures
  • Breach notification to affected Controllers within 48 hours of a confirmed personal data breach, including the nature of the breach, categories of data affected, approximate number of data subjects, and measures taken or proposed to address the breach
  • Post-incident review conducted for all security incidents, with findings documented and remediation actions tracked to completion
  • Regular incident response testing to ensure procedures remain effective and personnel are prepared
  • Contact channels established for Controllers to report suspected data breaches or security concerns

9. Development Practices

Security is integrated into the software development lifecycle through the following measures:

  • Code review requirements enforced for all changes to production code, with mandatory peer review before merge
  • Dependency management and vulnerability scanning for both application dependencies and container base images
  • Separate environments for development, staging, and production with promotion-based deployment pipelines
  • Infrastructure as code using Kustomize with full change history and auditability in version control
  • Secrets management via SOPS encryption ensuring no secrets are stored in plain text in source code repositories
  • Automated testing including unit tests, integration tests, and security-relevant test cases
  • Container image scanning for known vulnerabilities before deployment to production
  • Non-root container execution enforced across all production workloads under Kubernetes restricted PodSecurity policy

10. Data Minimization

The following measures ensure that only the minimum necessary personal data is processed:

  • AI processing sends only product images and necessary metadata (category, condition) to AI models for listing predictions and categorization; no user PII is intentionally transmitted to AI providers
  • Configurable image variants used for AI processing (resized, optimized variants rather than full-resolution originals) to limit data exposure
  • Analytics telemetry sanitization removes directly identifiable information before data is transmitted to observability and analytics platforms
  • Server-Side Google Tag Manager enables server-side filtering and redaction of event data before forwarding to third-party analytics services
  • Data retention policies configured for transient data stores, logs, and analytics to avoid indefinite retention of personal data

11. Sub-Processor Security

The Processor maintains the following controls over sub-processors:

  • Data Processing Agreements (DPAs) in place with all sub-processors that process personal data on behalf of Controllers
  • Flow-down of obligations ensuring equivalent security, confidentiality, and data protection requirements are contractually imposed on all sub-processors
  • Periodic review of sub-processor security posture, including verification of compliance certifications (SOC 2, ISO 27001) and adherence to contractual obligations
  • Preference for EU-based processing with sub-processors located in the European Union or European Economic Area where feasible
  • Supplementary measures implemented for any sub-processor transfers to countries outside the EU/EEA, including Standard Contractual Clauses and transfer impact assessments where required
  • Notification to Controllers before engaging new sub-processors or making changes to existing sub-processor arrangements, with an opportunity to object

12. Personnel

The following personnel-related measures are in place:

  • Confidentiality obligations binding all employees and contractors with access to personal data, including written non-disclosure agreements
  • Regular privacy and security awareness training covering GDPR requirements, data handling procedures, phishing awareness, and incident reporting
  • Background checks conducted for personnel with access to production systems and personal data, in accordance with applicable law
  • Access revocation procedures ensuring prompt removal of system access upon termination of employment or change of role
  • Principle of need-to-know applied to limit personnel access to personal data to only those individuals who require it for their specific role