Enterprise-grade security for operational data you can't afford to lose
How ToolSense protects the equipment, robot, vehicle and frontline data of 200+ companies across 30+ countries.
Why this matters
FM operations data is sensitive: customer site lists, building access information, employee certifications, equipment locations, financial data. ToolSense is built from the ground up to enterprise security standards - and we publish what we do, in detail, so your IT, procurement and compliance teams don't have to chase us for answers.
Architecture & hosting
- Hosted on Google Cloud Platform (GCP), primary region: europe-west (Belgium / Frankfurt)
- Kubernetes-based deployment (GKE) with horizontal scaling and high availability
- Managed databases: MySQL and PostgreSQL with automated backups, point-in-time recovery and encryption at rest
- Microservice architecture (NestJS monorepo, GraphQL APIs, Vue.js 3 web frontend, React Native mobile)
- 550k API requests/day, 250k IoT messages/day, 18k daily IoT devices - 99.96% measured uptime
Data protection & encryption
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Tenant-level data isolation
- Encrypted backups with 30-day retention as standard, configurable per customer
- Customer-managed encryption keys available on enterprise plans
Identity, access & authentication
- Single Sign-On (SSO) via SAML 2.0 and OpenID Connect
- Role-based access control with granular permission sets
- Two-factor authentication (2FA), mandatory for administrators and configurable for all users
- Full audit logs of every administrative and data-modifying action
- Integration with Microsoft Entra ID (Azure AD), Okta and Google Workspace
GDPR & data privacy
- Fully GDPR-compliant - ToolSense is headquartered in Vienna, Austria (EU)
- Data Processing Agreement (DPA) per Art. 28 GDPR available as standard contract
- Subprocessor list published and updated: AWS, Google Cloud, Google Maps, HubSpot, Jotform, Userflow
- Data residency in the EU by default; specific regions on request
- Right-to-be-forgotten and data-export workflows built into the platform
Service level & resilience
- Service Level Agreement (SLA): 99.5% guaranteed uptime, with service credits at 10% / 25% / 50% tiers
- Disaster Recovery Plan: RTO and RPO of 12 hours
- Geographically redundant backups
- Business continuity tested annually
Operational security
- Security policies reviewed quarterly and owned by the CTO
- Mandatory security training for all employees, on hire and annually
- Mobile device management (MDM) for all employee devices
- Vulnerability scanning and dependency monitoring across the build pipeline
- Incident response plan with defined notification SLAs to customers
- Penetration testing program (next external test scheduled 2026)
Certifications & standards
- GDPR: In force
- ISO 27001: Certification in progress · target 2026
- SOC 2 Type II: On the 2026 / 2027 roadmap
- Vendor security questionnaires: Answered for enterprise customers (e.g. Allied Universal and similar)
Frequently asked questions
Primary data is stored on Google Cloud Platform in the European Union (default region: europe-west). Other regions available for enterprise customers on request.
Yes. ToolSense is headquartered in Vienna, Austria, and fully subject to EU GDPR. We provide a standard Art. 28 Data Processing Agreement and publish our subprocessor list.
Yes. SAML 2.0 and OpenID Connect SSO are supported, including Microsoft Entra ID, Okta and Google Workspace. 2FA is mandatory for administrators and configurable for all users.
ISO 27001 certification is in progress, with a target of 2026. We already operate to ISO 27001-aligned policies and processes.
SOC 2 Type II is on the 2026/2027 roadmap. In the meantime, we provide detailed security questionnaires and customer-facing documentation covering equivalent controls.
ToolSense undergoes regular vulnerability scanning, and an external penetration test is scheduled for 2026. Results are available under NDA on request.
Contractual SLA: 99.5%. Measured uptime over the past 12 months: 99.96%. Service credits apply at the 99% / 95% / 90% tiers (10% / 25% / 50%).
ToolSense maintains a documented incident response plan with defined customer notification SLAs in line with GDPR Art. 33 (within 72 hours). Customers receive direct communication from the CTO's office.
Yes. Data export is available via the platform and via API. Right-to-be-forgotten requests are honored per GDPR Art. 17. Both are documented in our DPA.
You do. The customer is the data controller; ToolSense is the data processor. This is contractually established in every customer agreement and DPA.
Our Security & Compliance page (this page), our DPA, our SLA, our subprocessor list and our DR plan summary are all publicly available. Detailed policies and pen-test results are available under NDA.
Need more detail under NDA?
Detailed policies, pen-test reports, and the full vendor security questionnaire are available on request.