ANNEX III TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Measures of pseudonymisation and encryption of personal data
Data transfers are encrypted where possible. This includes from IoT gateways and also to the Talva and support applications.
Data is stored on encrypted storage.
Customers using TKStar GPS devices should be aware that data transfers are not end to end encrypted.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
APIs and access control is used to ensure that authorised users can only access data appropriate to their access level.
Services provided by Nemlia are configured to have geographic storage redundancy with live replication to an alternative physical location. In addition they store point in time backups to allow restoration of data to an earlier checkpoint.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Nemlia services are deployed in the Azure cloud which has multiple geographic locations. In the event that a location stops being available we have processes to restore service to another location.
Data is constantly replicated to a backup region to ensure that we do not lose customer data during a location outage.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Nemlia has dashboards and support processes to check the correct functioning of the systems. Sub processors have additional security controls to monitor and protect systems from security issues.
Nemlia has onboarding and offboarding processes to ensure that access is only available to appropriate staff members. Where possible single sign on and 2FA is used for Nemlia staff.
Measures for user identification and authorisation
Nemlia uses Auth0 to provide user authentication of customers, support staff and partners. User permissions are restricted as part of the authentication process ensuring that authenticated users can only access data specifically available to them.
For technical support (platform, engineering) all users are authenticated using Azure 2FA.
Measures for the protection of data during transmission
Data in transmission to between Nemlia backend and the Talva and Support front ends is encrypted using modern web encryption standards. Only authenticated users can access the platform and their access level is restricted as appropriate to their role.
Where possible data transfers do not include personal information. For example sensor readings only include the sensor identifier. Notifications transmitted to users may include personal information if the customer has configured them to include personal information.
Measures for the protection of data during storage
Data storage media are encrypted.
Customer data is backed up to a second geographic location to ensure high availability.
Measures for ensuring physical security of locations at which personal data are processed
Customer Data is stored in the Azure cloud which has strong physical access controls.
Measures for ensuring events logging
Nemlia uses several different event logging systems to ensure customers are receiving a secure and reliable service. These systems include application reliability monitoring, subsystem logging and authentication logging.
Measures for ensuring system configuration, including default configuration
Where possible Nemlia uses continuous deployment systems to deploy new software.
Measures for ensuring data minimisation
Nemlia only collects data required to provide and support the contracted service to customers. Customers can disable sensors and Nemlia can disconnect them from the system temporarily or permamently.
Measures for ensuring limited data retention
Nemlia has automated processes for deleting automatically collected sensor measurements. Nemlia will remove other information 30 days after an organisation or account has been marked for archiving which occurs at the end of the contract. Backups are retained for a further 30 days and these may include deleted data. If a restore is conducted data previously archived data will be removed automatically.
Measures for allowing data portability and ensuring erasure
A manual data export of data directly associated to a user or resident can be requested by customers. Erasure of customer data can be conducted upon request, however this may reduce the service provided to customers.
ANNEX IV: LIST OF SUB-PROCESSORS
The current list of Nemlia’s subprocessors and any updates thereto can be found here https://nemlia.com/dpa
Company name, address (including country)
Services to be provided
Processing outside of the EU/EEA (y/n)
Microsoft EU Data Protection Officer
One Microsoft Place, South County Business Park, Leopardstown, D18 P521, Ireland
Telephone: +353 (1) 706-3117
38 Avenue John F. Kennedy, L-1855, Luxembourg
Telephone: +352 2789 0057
1600 Amphitheatre Parkway, Mountain View, California 94043 USA
375 Beale Street, Suite 300, San Francisco, CA 94105, USA
10800 NE 8th Street, Suite 700, Bellevue, WA 98004, USA
25 First Street, Cambridge, MA 02492 U.S.A.
Erste Brunnenstraße 1
740 15th Street
NW, 6th Floor, Washington DC 20005