Why Pelikan (twitter.github.io)
22 points by luu on March 23, 2022 | hide | past | favorite | 3 comments


There is a section about the GDPR but it doesn't say anything about the GDPR?


Twitter has interpreted that GDPR compliance requires their storage/cache servers be able to securely authenticate the clients and prevent impersonation (and are using mTLS for that), and to be able to generate some level of audit logs to show which other services accessed the cache / accessed specific keys. Obviously the GDPR doesn't talk about mTLS or about exactly what granularity of auditing you need to be compliant. Whatever they wrote would not apply to half the systems, and quickly become obsolete for the rest.

But it just says that the processing must be secure (Article 32), and it's up to the companies to make a best effort estimate at what's appropriate security for the given application, and implement it.
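To make the two controls described above concrete (mTLS so the cache can prove which service is talking to it, and an audit record of which service touched which key), here is an added illustration in Python; it is not Pelikan or Twitter code, and the service names, allow-list and audit record layout are assumptions.

```python
import ssl
import time
from dataclasses import dataclass, field

# Added example, not code from Pelikan or Twitter. Service names, the
# allow-list and the audit record layout are assumptions for illustration.

def build_mtls_server_context(cafile, certfile, keyfile):
    """Server-side TLS context that requires a client certificate (mTLS)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # no valid client cert -> no connection
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx

def identity_from_peer_cert(peer_cert):
    """Service identity = commonName of the verified cert (getpeercert() dict)."""
    if not peer_cert:
        raise PermissionError("no client certificate presented")
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    raise PermissionError("client certificate has no commonName")

@dataclass
class AuditedCache:
    """Key/value cache that records which service touched which key."""
    allowed_services: frozenset
    store: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _authorize(self, peer_cert, op, key):
        service = identity_from_peer_cert(peer_cert)
        allowed = service in self.allowed_services
        # One audit record per key access, including refused attempts.
        self.audit_log.append({"ts": time.time(), "service": service,
                               "op": op, "key": key, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{service} is not allowed to {op} {key}")

    def get(self, peer_cert, key):
        self._authorize(peer_cert, "get", key)
        return self.store.get(key)

    def set(self, peer_cert, key, value):
        self._authorize(peer_cert, "set", key)
        self.store[key] = value
```

In a real server the `peer_cert` argument would come from `SSLSocket.getpeercert()` on a connection accepted with the context above, so an unauthenticated client never reaches the cache at all.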


The first rule of GDPR club is that nobody talks about GDPR club.



