Measures of pseudonymisation and encryption of personal data 

  • Data transfers are encrypted where possible.  This includes from IoT gateways and also to the Talva and support applications. 

  • Data is stored on encrypted storage. 

  • Customers using TKStar GPS devices should be aware that data transfers are not end to end encrypted 

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services 

  • APIs and access control is used to ensure that authorised users can only access data appropriate to their access level. 

  • Services provided by Nemlia are configured to have geographic storage redundancy with live replication to an alternative physical location. In addition they store point in time backups to allow restoration of data to an earlier checkpoint.  

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident 

  • Nemlia services are deployed in the Azure cloud which has multiple geographic locations. In the event that a location stops being available we have processes to restore service to another location.  

  • Data is constantly replicated to a backup region to ensure that we do not lose customer data during a location outage. 

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing 

  • Nemlia has dashboards and support processes to check the correct functioning of the systems. Sub processors have additional security controls to monitor and protect systems from security issues. 

  • Nemlia has onboarding and offboarding processes to ensure that access is only available to appropriate staff members. Where possible single sign on and 2FA is used for Nemlia staff. 

Measures for user identification and authorisation 

  • Nemlia uses Auth0 to provide user authentication of customers, support staff and partners. User permissions are restricted as part of the authentication process ensuring that authenticated users can only access data specifically available to them. 

  • For technical support (platform, engineering) all users are authenticated using Azure 2FA. 

Measures for the protection of data during transmission 

  • Data in transmission to between Nemlia backend and the Talva and Support front ends is encrypted using modern web encryption standards. Only authenticated users can access the platform and their access level is restricted as appropriate to their role.  

  • Where possible data transfers do not include personal information. For example sensor readings only include the sensor identifier. Notifications transmitted to users may include personal information if the customer has configured them to include personal information. 

Measures for the protection of data during storage 

  • Data storage media are encrypted.  

  • Customer data is backed up to a second geographic location to ensure high availability. 

Measures for ensuring physical security of locations at which personal data are processed 

Customer Data is stored in the Azure cloud which has strong physical access controls.  


Measures for ensuring events logging 

Nemlia uses several different event logging systems to ensure customers are receiving a secure and reliable service. These systems include application reliability monitoring, subsystem logging and authentication logging. 


Measures for ensuring system configuration, including default configuration 

Where possible Nemlia uses continuous deployment systems to deploy new software. 


Measures for ensuring data minimisation 

Nemlia only collects data required to provide and support the contracted service to customers. Customers can disable sensors and Nemlia can disconnect them from the system temporarily or permamently. 


Measures for ensuring limited data retention 

Nemlia has automated processes for deleting automatically collected sensor measurements. Nemlia will remove other information 30 days after an organisation or account has been marked for archiving which occurs at the end of the contract. Backups are retained for a further 30 days and these may include deleted data. If a restore is conducted data previously archived data will be removed automatically. 


Measures for allowing data portability and ensuring erasure 

A manual data export of data directly associated to a user or resident can be requested by customers.  Erasure of customer data can be conducted upon request, however this may reduce the service provided to customers. 



The current list of Nemlia’s subprocessors and any updates thereto can be found here https://nemlia.com/dpa 

Company name, address (including country) 

Services to be provided 

Processing outside of the EU/EEA (y/n) 

  1. Microsoft Ireland Operations, Ltd. 

Microsoft EU Data Protection Officer 

One Microsoft Place, South County Business Park, Leopardstown, D18 P521, Ireland 

Telephone: +353 (1) 706-3117 

  • Cloud services including data storage, transmission, processing, storage and backup of all customer data. 
  • Storage of usage and debugging logs that may include information such as GPS positions, IP addresses and notifications sent to end users.  
  • Nemlia uses Microsoft Azure to provide all core aspects of the Talva product including storing customer and user information. 
  • Email and document storage services (Office) used for running the Nemlia business. This may include information related to customers, deployments and users. 
  • Authentication of users 


  1. Amazon Web Services EMEA SARL 

38 Avenue John F. Kennedy, L-1855, Luxembourg 

Telephone: +352 2789 0057 

  • Cloud services, including transfer of information from devices and sensors. 
  • Transfer of location information from GPS and indoor tracking devices 



  1. Firebase Google LLC OR Google Ireland Limited, 

1600 Amphitheatre Parkway, Mountain View, California 94043 USA 

  • Sending customer configured push notifications to end users 




  1. Twilio Inc 

375 Beale Street, Suite 300, San Francisco, CA 94105, USA 


  • Sending customer configured SMS notifications to end users 
  • Configuring GPS devices on behalf of customers 


DPA Terms: https://www.twilio.com/legal/data-protection-addendum 


  1. Auth0 Limited 

10800 NE 8th Street, Suite 700, Bellevue, WA 98004, USA 

  • Authenticating users including customers, partners and Nemlia support staff 
  • Additional security checks on users and access logs 



  1. Hubspot Limited 

25 First Street, Cambridge, MA 02492 U.S.A. 

  • Sales contact and information 
  • Tickets relating to customers and information related to problem and resolution  


DPA Terms: HubSpot_Signed_DPA_SCC_UK_15Nov2022.pdf (hubspotusercontent-na1.net) 

  1. Sense Solutions ApS 

CVR 42750158 
Industrial Park 35 – 37 
DK-2750 Ballerup, Denmark 

  • Cloud services, including transfer of information from devices and sensors. 
  • Transfer of location information from GPS and indoor tracking devices 
  • Documentation and/or photographs of installations including identifiers related to the installation 



  1. Indoor Atlas 

Kampinkuja 2, 00100 Helsinki, Finland 

  • Determining indoor locations of residents or users 
  • Identifying what zone, floor, room or coordinate a user or resident is located at 
  • Storage of floor plans and signal maps to provide this service 



  1. Etracker 

Erste Brunnenstraße 1 
20459 Hamburg 
+49 40 55 56 59 50 

  • Nemlia public website visitor and performance analytics                                                  


  1. Mapbox 

740 15th Street 

NW, 6th Floor, Washington DC 20005 

  • Displaying of maps to end users and organisation administrators