Technical and Organisational Measures

Updated: February 2026

Introduction

Escrow4all B.V. (“Escrow4all”) implements comprehensive Technical and Organisational Measures (“TOMs”) reflecting the level of care, diligence, and security that can reasonably be expected from a professional escrow service provider operating in a trust-critical environment.

These measures are rooted in established information security, risk management, and operational control practices and are aligned with recognised international standards, including ISO/IEC 27001:2022 and ISO/IEC 27002:2022. They are designed to safeguard the confidentiality, integrity, availability, and resilience of systems and data, taking into account the sensitive nature of escrow services and the handling of financial, contractual, and personal information.

Escrow4all’s TOMs encompass governance, organisational controls, personnel security, physical and technical safeguards, incident management, business continuity, and supplier oversight. Compliance with applicable data protection requirements, including Article 32 of the GDPR, is an integral outcome of these measures. The measures are continuously reviewed and improved in response to evolving risks, technological developments, and regulatory expectations.

This document outlines the key aspects as they have been defined in our ISO 27001 Statement of Applicability and is meant to provide a high-level overview of the security safeguards. For a detailed insight, the Statement of Applicability is available upon request.

  1. Governance, Policies and Risk Management
  2. Confidentiality of Data
  3. Integrity of Systems and Data
  4. Availability and Resilience
  5. Encryption and Cryptographic Controls
  6. Incident Management and Breach Response
  7. Physical and Environmental Security
  8. Personnel Security and Awareness
  9. Supplier and Data Processor Management
  10. Data Minimisation, Retention and Deletion

1. Governance, Policies and Risk Management

(ISO/IEC 27002:2022 – A.5 Organisational Controls)

a. Escrow4all maintains formally approved information security and topic-specific policies, reviewed at planned intervals and upon material changes.

b. Information security roles, responsibilities, and segregation of duties are clearly defined and enforced.

c. Legal, regulatory, and contractual requirements relevant to information security and data protection are identified, documented, and kept up to date.

d. Information security is embedded in project management, supplier management, cloud service usage and the proprietary portal services of Escrow4all.

e. Risk assessments and threat intelligence activities are conducted to identify, assess, and mitigate information security risks.


2. Confidentiality of Data

(ISO/IEC 27002:2022 – A.5, A.6, A.8)

a. Access to data is restricted through role-based access control and the principle of least privilege.

b. Tier 1 data, relating to the material provided by clients for escrow purposes, can only be accessed by verification consultants to perform the required and contractually specified verifications. The verification manager is only entitled to transfer the material in the case of an authorised release event, and only after consulting the board of directors of Escrow4all.

c. Identity and access rights are managed throughout the full user lifecycle, including provisioning, periodic review, and timely revocation.

d. Secure authentication mechanisms, including multi-factor authentication for privileged access, are enforced.

e. Personnel, suppliers and other business partners essential for Escrow4all’s services are bound by confidentiality and non-disclosure obligations.

f. Appropriate security controls are applied to remote working arrangements.


3. Integrity of Systems and Data

(ISO/IEC 27002:2022 – A.8 Technological Controls)

a. Changes to Escrow4all’s systems and applications are subject to documented change management procedures.

b. Logging and monitoring mechanisms record access, changes, and security-relevant events.

c. Secure development lifecycle practices, including secure coding and security testing, are applied.

d. Configuration management ensures that secure system baselines are established, maintained, and reviewed.

e. Escrow4all provides an online portal for parties to review their information:

  • Parties have access to, amongst other documentation, agreements, an overview of material in deposit, and verification reports.
  • The portal includes only metadata of the material (e.g. name and version), never the material itself.
  • Role-based access applies to further functions, such as the overview of beneficiaries and the registration form.

4. Availability and Resilience

(ISO/IEC 27002:2022 – A.5.29–A.5.30, A.8.13–A.8.14)

a. Backup copies of systems and data – physical and/or digital, as appropriate – are created regularly, stored securely, and tested periodically.

b. Internal redundancy and capacity management control measures are implemented to support service availability. External redundancy measures are established with third parties as part of the service provision to these third parties.

c. Business continuity and ICT readiness plans are documented, maintained, and tested.

d. Measures are in place to maintain information security during disruption events.


5. Encryption and Cryptographic Controls

(ISO/IEC 27002:2022 – A.8.24)

a. Data is protected during transmission using secure communication protocols.

b. Encryption at rest is applied to storage systems and backup media where appropriate.

c. Cryptographic key management procedures are defined and implemented.


6. Incident Management and Breach Response

(ISO/IEC 27002:2022 – A.5.24–A.5.28)

a. Escrow4all maintains documented procedures for detecting, assessing, responding to, and recovering from information security incidents.

b. Security incidents are logged, investigated, and remediated without undue delay.

c. Lessons learned from incidents are used to strengthen and improve security controls.

d. A distinction is made between loss of data, in which case the data is irretrievable and cannot be misused by any party, and data breaches, in which case individuals may gain unauthorised access to data:

  • In cases of loss of data, Escrow4all restores the data from a back-up, unless the time between deposit and loss was too short for a back-up to have been made.
  • In the case of a data breach where personal data is involved, the GDPR guidelines are followed. For all other data breaches, Escrow4all convenes with all stakeholders involved.

7. Physical and Environmental Security

(ISO/IEC 27002:2022 – A.7 Physical Controls)

a. Physical security perimeters and access controls protect offices, facilities, and infrastructure.

b. Physical storage vaults are maintained in multiple geographically separated locations (at least 15 km apart).

c. Hosting environments, including third-party data centres, apply physical access monitoring and environmental safeguards.

d. Secure disposal and re-use procedures are applied to equipment and storage media.


8. Personnel Security and Awareness

(ISO/IEC 27002:2022 – A.6 People Controls)

a. Background screening is performed in accordance with applicable laws and role requirements.

b. Information security responsibilities are incorporated into employment and engagement terms.

c. Regular information security and data protection training is provided.


9. Supplier and Data Processor Management

(ISO/IEC 27002:2022 – A.5.19–A.5.23)

a. Information security requirements are contractually imposed on suppliers and data processors.

b. Supplier security practices are assessed prior to engagement and reviewed on an ongoing basis.

c. Cloud services are governed by defined acquisition, management, and exit procedures.

d. Escrow4all makes use of hosting providers for the provision of the escrow services. These are TransIP, AWS and Microsoft.


10. Data Minimisation, Retention and Deletion

(ISO/IEC 27002:2022 – A.5.34, A.8.10)

a. Data is processed only to the extent necessary for defined and contractual purposes.

b. Data retention periods follow from the contract; in certain cases, administrative data is retained for a longer period. Purging of the material is done periodically (at least once per quarter) and follows termination of the agreement for the respective data.

c. Secure deletion procedures are applied when data is no longer required.


Statement of Assurance

Escrow4all confirms that the above Technical and Organisational Measures are implemented, maintained, and regularly reviewed in accordance with ISO/IEC 27001:2022 and Escrow4all’s Statement of Applicability, and reflect the level of security and operational control appropriate for a professional escrow service provider.
