Technical and organizational measures (TOM)
MITTANBUD MARKETPLACES AS
Org. nr.: 980 178 986
Address: Hagegata 22, 0653 OSLO, Norway
Version: 1.0
Date: 2026-01-12
1 Introduction
MITTANBUD MARKETPLACES AS (“Mittanbud”) implements appropriate technical and organizational measures to protect the personal data processed under the Data Processing Agreement. The measures are adapted to the nature, scope, context and purposes of the processing, the categories of personal data, the cost of implementation, and the risks, of varying likelihood and severity, that the processing presents.
This document (the “TOM”) describes the technical and organizational measures implemented by Mittanbud to meet legal and contractual requirements. The TOM is attached to and forms part of Mittanbud’s Data Processing Agreement / Data Processing Addendum.
Platform overview (mittanbud.no):
- Mittanbud is a marketplace platform where private consumers and businesses create accounts.
- Consumers register jobs (e.g., carpenter, electrician, etc.), and jobs are matched to relevant businesses.
- Businesses submit offers; parties may communicate through the platform; a consumer chooses a provider.
- Categories of personal data: basic, content, and technical data. Mittanbud does not intend to process special category data as part of normal operations.
- Approximate scale: ~1 million consumers (over ~10 years), ~6,000 paying businesses, and ~50,000 non-paying businesses.
- Geography: Mittanbud is based in Norway; the platform is available in Scandinavian countries.
Roles: Mittanbud acts as both:
- Data controller for platform processing where Mittanbud determines purposes/means; and
- Data processor for processing performed on behalf of businesses/customers under the DPA (where applicable).
2 Document management
Mittanbud verifies that the required privacy-related documentation is in place whenever Mittanbud processes personal data. Privacy-related documentation is stored in a central repository (Google Drive) with restricted access control and version handling, so that documentation is managed in a structured manner.
Mittanbud performs a full review every January, and updates individual documents on an ongoing basis as needed.
4 Policies and risk management
Mittanbud maintains and follows data protection and IT policies and practices that are integral to Mittanbud’s operations and mandatory for employees and consultants. These policies are reviewed periodically and amended as needed to maintain protection of personal data.
- Policies in place: Password/MFA, access control, incident response.
- Training: Monthly training provided by a third-party provider.
- Confidentiality undertakings: All employees and consultants are subject to confidentiality obligations through employment/consulting agreements (signed upon engagement) and are required to follow internal security and privacy policies.
- Risk assessments: Performed at least annually (January), with mitigation actions handled and documentation updated. Issues identified during the year are addressed as they arise.
- DPIA: Performed when needed.
- Incident response: Mittanbud has a documented incident response process for detection, handling, and follow-up.
- Responsible role: CTO.
5 Malware and endpoint protection
Mittanbud has systems and methods to protect IT infrastructure against malicious code, including endpoint protection/EDR, spam filtering, and security updates, and actively monitors that protections are active and updated.
- Endpoints: Company-managed laptops.
- Endpoint protection / EDR: Implemented.
- Email anti-phishing/spam: Implemented.
- Patching: End-user operating systems, browsers and software are updated automatically to the latest versions. For platform languages and dependencies, Mittanbud keeps versions reasonably current and prioritizes upgrades when a release fixes a security issue.
6 Transfer and dissemination control
Mechanisms for securing data traffic and communication links, and for monitoring and logging network activity, have been established to the extent required. Firewalls and other protective network controls are in place as appropriate.
- Hosting: AWS, in the Dublin (Ireland, eu-west-1) and Sweden (eu-north-1) regions.
- Web application protection: WAF in place.
- Transport security: All data is transmitted over HTTPS/TLS when it leaves the secured cloud network; HTTPS is enforced for the platform.
- Encryption at rest: Databases and storage are encrypted at rest. Because Amazon RDS encryption at rest is enabled on the database instances, their automated backups and snapshots are encrypted under the same key as part of that encryption model (AWS documentation).
- AWS Backup vault encryption: Backup vaults are configured with a KMS key, which encrypts the backups placed in the vault for the resource types whose backups AWS Backup manages fully; for other resource types (such as RDS snapshots) encryption is inherited from the source service (AWS documentation).
- VPN: Used for sensitive/production access (solution name not disclosed).
- Exports/printouts: Paper printouts and exports of confidential data are avoided wherever possible. Exports are permitted only for administrative purposes and are handled with special care; when no longer required, they are deleted.
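A practitioner reviewing the encryption-at-rest statements above would want to verify them from the AWS API rather than from the document. The following script is an added example, not Mittanbud's own tooling: it audits the dict shapes returned by boto3's `rds.describe_db_instances()`, `rds.describe_db_snapshots()` and `backup.describe_backup_vaults()` and flags the two gaps that the page's encryption model does not cover by itself, namely unencrypted snapshots left over from before an instance was encrypted (RDS cannot encrypt an instance in place, so old snapshots survive) and backup vaults keyed with something other than an approved KMS key. The sample responses, resource names and key ARNs are constructed for illustration; feed in live responses to run it against a real account.

```python
"""Offline audit of RDS and AWS Backup encryption-at-rest settings.

Added example (not Mittanbud code). The SAMPLE_* inputs below are constructed
and mimic the boto3 response shapes; the account, names and key ARNs are
hypothetical. In production, pass the real describe_* responses instead.
"""
from typing import Dict, Iterable, List, Optional, Set

Finding = Dict[str, str]

# Constructed sample data: one encrypted and one unencrypted instance.
SAMPLE_DB_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "jobs-prod", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-west-1:123456789012:key/11111111-1111-1111-1111-111111111111"},
    {"DBInstanceIdentifier": "legacy-reporting", "StorageEncrypted": False},
]}
# A snapshot taken before jobs-prod was migrated to encrypted storage survives unencrypted.
SAMPLE_DB_SNAPSHOTS = {"DBSnapshots": [
    {"DBSnapshotIdentifier": "rds:jobs-prod-2026-01-12-03-00", "DBInstanceIdentifier": "jobs-prod",
     "Encrypted": True, "KmsKeyId": "arn:aws:kms:eu-west-1:123456789012:key/11111111-1111-1111-1111-111111111111"},
    {"DBSnapshotIdentifier": "jobs-prod-pre-encryption", "DBInstanceIdentifier": "jobs-prod", "Encrypted": False},
    {"DBSnapshotIdentifier": "rds:legacy-reporting-2026-01-12", "DBInstanceIdentifier": "legacy-reporting",
     "Encrypted": False},
]}
SAMPLE_VAULTS = {"BackupVaultList": [
    {"BackupVaultName": "prod-vault",
     "EncryptionKeyArn": "arn:aws:kms:eu-west-1:123456789012:key/11111111-1111-1111-1111-111111111111"},
    {"BackupVaultName": "scratch-vault",
     "EncryptionKeyArn": "arn:aws:kms:eu-west-1:123456789012:key/99999999-9999-9999-9999-999999999999"},
]}
APPROVED_KEYS: Set[str] = {"arn:aws:kms:eu-west-1:123456789012:key/11111111-1111-1111-1111-111111111111"}


def audit_rds_instances(resp: dict) -> List[Finding]:
    """Flag instances whose storage is not encrypted; their backups are not either."""
    findings = []
    for db in resp.get("DBInstances", []):
        if not db.get("StorageEncrypted", False):
            findings.append({"type": "rds-instance", "resource": db["DBInstanceIdentifier"],
                             "issue": "StorageEncrypted is false, so automated backups/snapshots are unencrypted too"})
    return findings


def audit_rds_snapshots(resp: dict, encrypted_instances: Iterable[str]) -> List[Finding]:
    """Flag unencrypted snapshots, distinguishing legacy ones of now-encrypted instances."""
    encrypted = set(encrypted_instances)
    findings = []
    for snap in resp.get("DBSnapshots", []):
        if snap.get("Encrypted", False):
            continue
        src = snap.get("DBInstanceIdentifier", "")
        why = ("legacy unencrypted snapshot of an instance that is encrypted today; delete or re-copy with a KMS key"
               if src in encrypted else "unencrypted snapshot of an unencrypted instance")
        findings.append({"type": "rds-snapshot", "resource": snap["DBSnapshotIdentifier"], "issue": why})
    return findings


def audit_backup_vaults(resp: dict, approved_keys: Optional[Set[str]] = None) -> List[Finding]:
    """Flag vaults with no key ARN or a key outside the approved set (if one is given)."""
    findings = []
    for vault in resp.get("BackupVaultList", []):
        key = vault.get("EncryptionKeyArn")
        if not key:
            findings.append({"type": "backup-vault", "resource": vault["BackupVaultName"],
                             "issue": "no EncryptionKeyArn reported"})
        elif approved_keys is not None and key not in approved_keys:
            findings.append({"type": "backup-vault", "resource": vault["BackupVaultName"],
                             "issue": f"vault key {key} is not in the approved KMS key set"})
    return findings


def audit_encryption_at_rest(instances: dict, snapshots: dict, vaults: dict,
                             approved_keys: Optional[Set[str]] = None) -> List[Finding]:
    """Run all three checks and return findings sorted by type and resource name."""
    encrypted = [db["DBInstanceIdentifier"] for db in instances.get("DBInstances", [])
                 if db.get("StorageEncrypted", False)]
    findings = (audit_rds_instances(instances)
                + audit_rds_snapshots(snapshots, encrypted)
                + audit_backup_vaults(vaults, approved_keys))
    return sorted(findings, key=lambda f: (f["type"], f["resource"]))


if __name__ == "__main__":
    for f in audit_encryption_at_rest(SAMPLE_DB_INSTANCES, SAMPLE_DB_SNAPSHOTS, SAMPLE_VAULTS, APPROVED_KEYS):
        print(f"{f['type']:14} {f['resource']:40} {f['issue']}")
```

The vault check is deliberately a key allow-list rather than a "key present" check: every AWS Backup vault reports an `EncryptionKeyArn` (the AWS-managed default if none was chosen), so the meaningful question is whether it is the organization's own key.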
7 Input control
Mittanbud takes measures to ensure that it can be established retrospectively whether and by whom personal data has been processed, including traceability for the assignment, change and removal of user authorizations.
- Logging coverage: Most relevant events are logged, including access logs and change logs for key data.
- Log storage: Logs are stored in several platforms (including Humio, VictoriaLogs and Elasticsearch).
- Retention: Depends on log type:
  - Agreement/approval logs: 5 years
  - Access logs: typically 30 days
- Alerting: Alerts exist for suspicious behavior, with detection varying by system.
8 Data segregation and retention
Mittanbud ensures that personal data collected for different purposes are not mixed in processing. Systems are physically/logically separated where needed, and access controls ensure parties can only access personal data they are authorized to access. Personal data that are no longer required are deleted.
- Tenant separation: Enforced by tenant IDs and an authorization layer in the application/ORM framework, so that a business can only access data it is authorized to see.
- Environment separation: Development, staging, testing, and production environments exist.
- Use of production data in test: Production data may be present in test environments only in masked (obscured) form.
- Retention: Tenders/jobs are retained based on user activity, for up to 5 years after the last relevant user activity/login, reflecting applicable needs (including the Norwegian “reklamasjonstid”, the period within which complaints about defective work can be made).
- Deletion/erasure: Supported both via automated deletion routines and by processes for user requests (including access/export and deletion requests).
- Availability/backups: Daily backups are performed; additionally, the microservice architecture uses multiple replicas to enable failover and automatic rebuild/recovery when failures occur.
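The tenant-separation measure above (tenant IDs plus an authorization layer in the data-access framework) is worth seeing in code, because the failure mode it prevents is easy to reproduce: a lookup by primary key alone returns any tenant's row to any caller. The following is an added example, not Mittanbud's code: it uses an in-memory sqlite3 database with a hypothetical `offers` table and the hypothetical names `Principal` and `TenantScopedRepo`, and contrasts an unscoped lookup with a repository that appends the tenant filter to every read and write itself, so a caller cannot forget it.

```python
"""Tenant isolation enforced in the data-access layer (added example, not Mittanbud code).

Schema, table and class names are hypothetical; the rows are constructed sample data.
"""
import sqlite3
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Sequence


class TenantAccessDenied(PermissionError):
    """Raised when a row is missing OR belongs to another tenant.
    Both cases produce the same error so callers cannot probe for foreign IDs."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str  # the business the authenticated user belongs to


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two businesses, one offer each on the same job."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE offers (
            id INTEGER PRIMARY KEY,
            tenant_id TEXT NOT NULL,
            job_id INTEGER NOT NULL,
            price INTEGER NOT NULL
        );
        CREATE INDEX offers_tenant ON offers (tenant_id);
        INSERT INTO offers VALUES (1, 'biz-A', 100, 15000);
        INSERT INTO offers VALUES (2, 'biz-B', 100, 14500);
    """)
    return conn


def unscoped_get_offer(conn: sqlite3.Connection, offer_id: int) -> Optional[Dict[str, Any]]:
    """The anti-pattern the authorization layer exists to prevent: a lookup by
    primary key with no tenant filter returns any business's row to anyone."""
    row = conn.execute("SELECT * FROM offers WHERE id = ?", (offer_id,)).fetchone()
    return dict(row) if row else None


class TenantScopedRepo:
    """All reads and writes go through here; the tenant filter is added by the
    layer from the authenticated principal, never supplied by the caller."""

    TENANT_TABLES = frozenset({"offers"})  # every table listed here carries tenant_id

    def __init__(self, conn: sqlite3.Connection, principal: Principal) -> None:
        self.conn = conn
        self.principal = principal

    def _table(self, table: str) -> str:
        # Table names are interpolated into SQL, so they come from a fixed
        # allow-list; all row values go through bound parameters.
        if table not in self.TENANT_TABLES:
            raise ValueError(f"{table!r} is not a tenant-scoped table")
        return table

    def select(self, table: str, where: str = "1=1", params: Sequence[Any] = ()) -> List[Dict[str, Any]]:
        sql = f"SELECT * FROM {self._table(table)} WHERE tenant_id = ? AND ({where})"
        rows = self.conn.execute(sql, (self.principal.tenant_id, *params)).fetchall()
        return [dict(r) for r in rows]

    def get_offer(self, offer_id: int) -> Dict[str, Any]:
        rows = self.select("offers", "id = ?", (offer_id,))
        if not rows:
            raise TenantAccessDenied(f"offer {offer_id} is not visible to tenant {self.principal.tenant_id}")
        return rows[0]

    def update_offer_price(self, offer_id: int, price: int) -> None:
        # The tenant predicate is part of the UPDATE itself, so a foreign row is
        # simply not matched; rowcount == 0 is then reported as a denial.
        cur = self.conn.execute(
            "UPDATE offers SET price = ? WHERE id = ? AND tenant_id = ?",
            (price, offer_id, self.principal.tenant_id))
        if cur.rowcount == 0:
            raise TenantAccessDenied(f"offer {offer_id} is not writable by tenant {self.principal.tenant_id}")
        self.conn.commit()


def demo() -> Dict[str, Any]:
    """Run both access paths as business biz-A and report what each allowed."""
    conn = build_demo_db()
    biz_a = TenantScopedRepo(conn, Principal("alice", "biz-A"))
    leaked = unscoped_get_offer(conn, 2)  # biz-B's offer, handed to biz-A
    own = biz_a.get_offer(1)
    try:
        biz_a.get_offer(2)
        cross_read = "allowed"
    except TenantAccessDenied:
        cross_read = "denied"
    try:
        biz_a.update_offer_price(2, 1)
        cross_write = "allowed"
    except TenantAccessDenied:
        cross_write = "denied"
    return {"leaked_tenant": leaked["tenant_id"], "own_id": own["id"],
            "cross_read": cross_read, "cross_write": cross_write,
            "biz_b_price_after": unscoped_get_offer(conn, 2)["price"]}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the tenant predicate lives in one place and is derived from the authenticated principal; application code that queries by ID cannot bypass it, and a write that matches zero rows is treated as a denial rather than a silent no-op.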
9 Supplier relationship management
Mittanbud ensures that identified security requirements are addressed in supplier relationships, including assessment of supplier technology, routines/processes, and relevant IT and information security controls. Supplier access rights and contractual aspects are reviewed regularly.
- Sub-processors list: [INSERT LINK TO SUB-PROCESSORS LIST]
- DPA: Mittanbud maintains a Data Processing Agreement / Addendum.
- Transfers outside EEA: Yes — Transfer Impact Assessments (TIAs) are performed/maintained for relevant suppliers.
- Review cadence: Yearly review of suppliers (January/February).
Published 13 Jan 2026, 09:43
Updated 13 Jan 2026, 09:51