DPA

ANNEX III TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA 


Measures of pseudonymisation and encryption of personal data 

  • Data transfers are encrypted where possible. This includes transfers from IoT gateways and to the Talva and support applications. 

  • Data is stored on encrypted storage. 

  • Customers using TKStar GPS devices should be aware that data transfers are not end-to-end encrypted. 

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services 

  • APIs and access control are used to ensure that authorised users can only access data appropriate to their access level. 

  • Services provided by Nemlia are configured to have geographic storage redundancy with live replication to an alternative physical location. In addition, point-in-time backups are stored to allow restoration of data to an earlier checkpoint. 

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident 

  • Nemlia services are deployed in the Azure cloud which has multiple geographic locations. In the event that a location stops being available we have processes to restore service to another location.  

  • Data is constantly replicated to a backup region to ensure that we do not lose customer data during a location outage. 

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing 

  • Nemlia has dashboards and support processes to check the correct functioning of the systems. Sub-processors have additional security controls to monitor and protect systems from security issues. 

  • Nemlia has onboarding and offboarding processes to ensure that access is only available to appropriate staff members. Where possible, single sign-on and 2FA are used for Nemlia staff. 

Measures for user identification and authorisation 

  • Nemlia uses Auth0 to provide user authentication for customers, support staff and partners. User permissions are restricted as part of the authentication process, ensuring that authenticated users can only access data specifically available to them. 

  • For technical support (platform, engineering) all users are authenticated using Azure 2FA. 

Measures for the protection of data during transmission 

  • Data in transmission between the Nemlia backend and the Talva and Support front ends is encrypted using modern web encryption standards. Only authenticated users can access the platform, and their access level is restricted as appropriate to their role. 

  • Where possible, data transfers do not include personal information. For example, sensor readings only include the sensor identifier. Notifications transmitted to users may include personal information if the customer has configured them to include personal information. 

Measures for the protection of data during storage 

  • Data storage media are encrypted.  

  • Customer data is backed up to a second geographic location to ensure high availability. 

Measures for ensuring physical security of locations at which personal data are processed 

Customer Data is stored in the Azure cloud which has strong physical access controls.  


Measures for ensuring events logging 

Nemlia uses several different event logging systems to ensure customers are receiving a secure and reliable service. These systems include application reliability monitoring, subsystem logging and authentication logging. 


Measures for ensuring system configuration, including default configuration 

Where possible, Nemlia uses continuous deployment systems to deploy new software. 


Measures for ensuring data minimisation 

Nemlia only collects data required to provide and support the contracted service to customers. Customers can disable sensors, and Nemlia can disconnect them from the system temporarily or permanently. 


Measures for ensuring limited data retention 

Nemlia has automated processes for deleting automatically collected sensor measurements. Nemlia will remove other information 30 days after an organisation or account has been marked for archiving, which occurs at the end of the contract. Backups are retained for a further 30 days and may include deleted data. If a restore is conducted, previously archived data will be removed automatically. 


Measures for allowing data portability and ensuring erasure 

A manual export of data directly associated with a user or resident can be requested by customers. Erasure of customer data can be conducted upon request; however, this may reduce the service provided to customers. 


ANNEX IV: LIST OF SUB-PROCESSORS 

The current list of Nemlia’s sub-processors and any updates thereto can be found at https://nemlia.com/dpa 

Each sub-processor entry lists the company name and address (including country), the services to be provided, and whether processing takes place outside of the EU/EEA (y/n).

  1. Microsoft Ireland Operations, Ltd.
     Microsoft EU Data Protection Officer
     One Microsoft Place, South County Business Park, Leopardstown, D18 P521, Ireland
     Telephone: +353 (1) 706-3117
     Services to be provided:
       • Cloud services including data storage, transmission, processing, storage and backup of all customer data.
       • Storage of usage and debugging logs that may include information such as GPS positions, IP addresses and notifications sent to end users.
       • Nemlia uses Microsoft Azure to provide all core aspects of the Talva product including storing customer and user information.
       • Email and document storage services (Office) used for running the Nemlia business. This may include information related to customers, deployments and users.
       • Authentication of users
     Processing outside of the EU/EEA: N

  2. Amazon Web Services EMEA SARL
     38 Avenue John F. Kennedy, L-1855, Luxembourg
     Telephone: +352 2789 0057
     Services to be provided:
       • Cloud services, including transfer of information from devices and sensors.
       • Transfer of location information from GPS and indoor tracking devices
     Processing outside of the EU/EEA: N

  3. Firebase (Google LLC or Google Ireland Limited)
     1600 Amphitheatre Parkway, Mountain View, California 94043 USA
     Services to be provided:
       • Sending customer configured push notifications to end users
     Processing outside of the EU/EEA: Y
     https://firebase.google.com/terms/firebase-sccs-eu-p2p

  4. Twilio Inc
     375 Beale Street, Suite 300, San Francisco, CA 94105, USA
     Services to be provided:
       • Sending customer configured SMS notifications to end users
       • Configuring GPS devices on behalf of customers
     Processing outside of the EU/EEA: Y
     DPA Terms: https://www.twilio.com/legal/data-protection-addendum

  5. Auth0 Limited
     10800 NE 8th Street, Suite 700, Bellevue, WA 98004, USA
     Services to be provided:
       • Authenticating users including customers, partners and Nemlia support staff
       • Additional security checks on users and access logs
     Processing outside of the EU/EEA: N

  6. Hubspot Limited
     25 First Street, Cambridge, MA 02492 U.S.A.
     Services to be provided:
       • Sales contact and information
       • Tickets relating to customers and information related to problem and resolution
     Processing outside of the EU/EEA: Y
     DPA Terms: HubSpot_Signed_DPA_SCC_UK_15Nov2022.pdf (hubspotusercontent-na1.net)

  7. Sense Solutions ApS
     CVR 42750158
     Industrial Park 35 – 37
     DK-2750 Ballerup, Denmark
     Services to be provided:
       • Cloud services, including transfer of information from devices and sensors.
       • Transfer of location information from GPS and indoor tracking devices
       • Documentation and/or photographs of installations including identifiers related to the installation
     Processing outside of the EU/EEA: N

  8. Indoor Atlas
     3377288-3
     Kampinkuja 2, 00100 Helsinki, Finland
     Services to be provided:
       • Determining indoor locations of residents or users
       • Identifying what zone, floor, room or coordinate a user or resident is located at
       • Storage of floor plans and signal maps to provide this service
     Processing outside of the EU/EEA: N
     https://www.indooratlas.com/terms/

  9. Etracker
     Erste Brunnenstraße 1
     20459 Hamburg
     +49 40 55 56 59 50
     privacy@etracker.com
     Services to be provided:
       • Nemlia public website visitor and performance analytics
     Processing outside of the EU/EEA: Y

  10. Mapbox
     740 15th Street NW, 6th Floor, Washington DC 20005
     Services to be provided:
       • Displaying of maps to end users and organisation administrators
     Processing outside of the EU/EEA: Y
     https://www.mapbox.com/legal/dpa