August 2025

The JOUO TOMs are here!

TOM's logo (cogwheel with a lock) with confetti around it

The abbreviation TOM refers to the technical and organizational measures that companies are obliged to document under several data protection laws (e.g. the GDPR).


What are the measures and what needs to be protected?

Imagine two neighbors: Mother Hulda and the king. Whose freshly baked cake do you think you could steal more easily? Mother Hulda lives in a little house where the door is always open and has no lock, while the king sits in a castle with guards, a drawbridge and arrow slits. What has just been described are the measures taken to protect the still-warm cake.

In your company, what needs to be protected is personal data and internal information. This data is spread across, for example, your office, which hopefully has access restrictions such as keys, and the servers of your service providers, such as your web hosting or email provider. Each of these IT providers probably has different measures in place to ensure the security of the data. And this is exactly what needs to be documented in the TOMs.

It is important that all parties involved in securing your company's personal and internal data are documented. Think of it as documenting that every finger that touched the dough while baking the cake was clean; otherwise the whole cake is spoiled.


And what can I do in JOUO now?

JOUO offers you a simple input form for entering your TOMs, accompanied by explanations of each item. And so that you only have to take the time to create your TOM once, you can duplicate it again and again afterwards and adjust only what has changed.

To give you an overview of which IT service providers you need to document, JOUO shows you which service providers you use, based on your website security audit.

You will then receive your TOMs from JOUO as a clear, automatically generated PDF for download.


But that's not all: you also get your website infrastructure documentation!

For every TOM you create, you automatically receive an additional PDF that clearly lists all the data that JOUO found during your website security audit - your reliable and complete website infrastructure documentation. All your IP addresses are listed in this documentation. For each IP address, the associated service provider, all security vulnerabilities, the DNS records (type and value) and the open ports are listed. This also surfaces IP addresses of old test servers, for example, which have been forgotten but are still part of the website infrastructure.

The documentation always corresponds to the date on which the corresponding TOM was created and can be filed together.

Regularly documenting the current status is not only useful, but also legally required (e.g. for accountability under the GDPR) and practically necessary (e.g. for risk assessment and incident response). But beware: this documentation contains critical security information that could pose a security risk if it falls into the wrong hands. It should therefore not be shared with third parties unless it is requested for legitimate legal reasons.