This document describes the practical technical measures taken to protect personal data managed and stored in the Service (Showell platform).

1. Characteristics of Personal Data

Showell processes personal data for two groups of people:

1. Showell Users; those individuals who have personal credentials to access Showell
2. Share Recipients; those individuals who receive files shared from Showell

The data stored for Showell Users (User Data) includes name, email, phone, title, user image, unique device identifiers, app version, and general Usage Data (for analytics purposes).

The data stored for Share Recipients include email and general Usage Data (for analytics purposes). The collection of email addresses is optional.

The Usage Data contains information about the user's device (model, type of device), Showell app (iOS, Android, Windows, Web), browser information (browser version),  the last login, session length, files the user has viewed, and for how long and features the user has used. 

This data also includes IP addresses. Usage Data can be pseudonymized if requested by the Client (meaning there is no such data collected that can link the Usage Data to a specific person).

2. The Purpose of Processing Personal Data

The personal data of Showell Users are processed to be able to provide the basic functionality of the Service (e.g. signing in to the platform) and also to provide a better user experience for Share Recipients by displaying a sender's profile image, name, and contact details. Additionally, the data is processed to ensure the security of the platform (e.g. by logging the user’s actions). 

The personal data of Share Recipients is processed in order to provide the Client notifications and analytics about the access and usage of shared files.  

3. Data Storage, Retention, and Backups

Data is retained in backups for one year.

Additional backups are available on a monthly, weekly, and day-of-week basis.

Daily backups are made at a 6-hour interval.

Data is erased from the system within 30 days after the Client has terminated the contract

The Service and the Data is hosted in Amazon Web Services (AWS) cloud, in the EU.

4. Client’s Ability to Process the Personal Data

The personal data can be exported from the Service by the Client using graphic user interfaces and programming interfaces (APIs).

The User Data can be managed by the Client (including removal of the data).

The Usage Data can be removed upon request by the Client.

5. Use of 3rd Parties for Processing the Data

Showell does not disclose personal data to third parties and does not use third-party services, other than those listed as sub-contractors for processing personal data. The list of these sub-contractors.

6. Showell Personnel

All Showell personnel participate in regular security training and must follow strict security policies set by the company.

Access control is role-based and only selected (few) people have access to personal data.

Access to Client data must be approved by the Client.

7. Cloud Service Security

Showell's cloud service provider ("CSP"), Amazon Web Services, has certification for compliance with ISO/IEC 27001:2013, 27017:2015, 27018:2019, 27701:2019, 22301:2019, 9001:2015, and CSA STAR CCM v3.0.1 - which ensures very high standards for data processing facilities.

The personal data is not stored on personal devices or any other devices besides the CSP.

8. Office Premises Security

Access to office spaces is restricted, and doors are always locked and equipped with security alarms.

The office buildings are equipped with a comprehensive visitor management system, where visitors are identified and a host is summoned to escort them. Additionally, the premises are secured with surveillance cameras, an advanced alarm system, and trained security guards to ensure safety around the clock. The doors of the office buildings remain locked during non-office hours to further enhance security measures.

9 Data Security and Encryption Practices

All data stored by Service on the server is encrypted at rest and in transit.

Only secure encryption algorithms (like AES-256) are used.

Sensitive data (like passwords) is additionally either hashed or encrypted again.

The data stored by the client application (Showell App) is not encrypted.

Showell's employee devices (e.g. Windows laptops) have disk encryption enabled (e.g. BitLocker) and have firewalls and an anti-virus system in place.

The use of personal devices is forbidden for accessing personal data.

The personal data collected for analytics purposes can be pseudonymized if requested by the Client.

10. Security Incidents

The process for handling security incidents is established and documented as part of Showell’s Information Security Management documentation. Incidents affecting the Client are reported to the Client.

11. Additional Technical Measures

Comprehensive logs are collected both on the client and server-side to ensure that incidents and users’ actions can be traced.

Multi-factor authentication is available with Single-Sign-On setups when the Identity Provider supports MFA.

Scanning of vulnerabilities is automated for Open Source Software components used in the Service.

The Service is based on Serverless technologies to minimize the need for manual server maintenance and ensure a high level of security.

Software and its components are tested using component-level unit tests, integration tests, and end-to-end tests.

Software is audited by a 3rd party security agency.

Code written for the Service is reviewed using a peer-review process, where another developer reviews the code before it is deployed to production.

Static code analysis tools are used to maintain high standards of the code produced for the Service.

11. About Us

This Service is operated by Showell Oy, a Finnish limited liability company (Company ID FI24758801) with the HQ address at Piippukatu 11, 40100, Jyväskylä, Finland.

12. Contact Us

If you have any questions or suggestions, do not hesitate to contact us: info@showell.com

 

Document updated: 12/2023