Technical and Organizational Measures for the Protection of Personal data
This document describes the practical technical measures taken to protect personal data managed and stored in the Service (Showell platform).
1. Characteristics of personal data
Showell processes personal data for two groups of people:
- Showell Users; those individuals who have personal credentials to access Showell
- Share Recipients; those individuals who receive files shared from Showell
The data stored for Showell Users (User Data) includes name, email, phone, title, user image, unique device identifiers, app version, and general Usage Data (for analytics purposes).
The data stored for Share Recipients include email and general Usage Data (for analytics purposes). The collection of email addresses is optional.
The Usage Data contains information about the user's device (model, type of device), Showell app (iOS, Android, Windows, Web), browser information (browser version), the last login, session length, files the user has viewed, and for how long and features the user has used.
This data also includes IP addresses. Usage Data can be pseudonymized if requested by the Client (meaning there is no such data collected that can link the Usage Data to a specific person).
2. The purpose of processing personal data
The personal data of Showell Users are processed to be able to provide the basic functionality of the Service (e.g. signing in to the platform) and also to provide a better user experience for Share Recipients by displaying a sender's profile image, name, and contact details. Additionally, the data is processed to ensure the security of the platform (e.g. by logging the user’s actions).
The personal data of Share Recipients is processed in order to provide the Client notifications and analytics about the access and usage of shared files.
3. Data storage, retention, and backups
Data is retained in backups for one year.
Additional backups are available on a monthly, weekly, and day-of-week basis.
Daily backups are made at a 6-hour interval.
Data is erased from the system within 30 days after the Client has terminated the contract
The Service and the Data is hosted in Amazon Web Services (AWS) cloud, in the EU.
4. Client’s ability to process the personal data
The personal data can be exported from the Service by the Client using graphic user interfaces and programming interfaces (APIs).
The User Data can be managed by the Client (including removal of the data).
The Usage Data can be removed upon request by the Client.
5. Use of 3rd parties for processing the data
Showell doesn’t send personal data to 3rd parties or use 3rd party services for processing the personal data.
6. Personnel security
All personnel participates in regular security training.
Access control is role-based and only selected (few) people have access to personal data.
Access to Client data must be approved by the Client.
7. Personnel security
Our Cloud Service Provider (CSP) has certification for compliance with ISO/IEC 27001:2013, 27017:2015, 27018:2019, 27701:2019, 22301:2019, 9001:2015, and CSA STAR CCM v3.0.1 - which ensures very high standards for data processing facilities.
The personal data is not stored on personal devices or on any other devices besides the CSPs devices.
Access to office spaces is restricted, and doors are always locked and equipped with security alarms.
The office buildings have a visitor management system, where visitors are identified and a host is summoned to escort the visitor. The doors of the office buildings are locked during non-office hours.
The use of personal devices is forbidden for accessing personal data.
8. Personnel security
All data stored by Service on the server is encrypted at rest and in transit.
Only secure encryption algorithms (like AES-256) are used.
Sensitive data (like passwords) is additionally either hashed or encrypted again.
The data stored by the client application (Showell App) is not encrypted.
The organizations should ensure that the client devices (e.g. Windows laptops) have disk encryption enabled (e.g. BitLocker).
The personal data collected for analytics purposes can be pseudonymized if requested by the Client.
9. Security incidents
The process for handling security incidents is established and documented as part of Showell’s Information Security Management documentation. Incidents affecting the Client are reported to the Client.
10. Additional technical measures
Comprehensive logs are collected both on the client and server-side to ensure that incidents and users’ actions can be traced.
Multi-factor authentication is available with Single-Sign-On setups when the Identity Provider supports MFA.
Scanning of vulnerabilities is automated for Open Source Software components used in the Service.
The Service is based on Serverless technologies to minimize the need for manual server maintenance and ensure a high level of security.
Software and its components are tested using component-level unit tests, integration tests, and end-to-end tests.
Software is audited by a 3rd party security agency.
Code written for the Service is reviewed using a peer-review process, where another developer reviews the code before it is deployed to production.
Static code analysis tools are used to maintain high standards of the code produced for the Service.
11. About us
This Service is operated by Showell Oy, a Finnish limited liability company (Company ID FI24758801) with the HQ address at Piippukatu 11, 40100, Jyväskylä, Finland.
12. Contact us
If you have any questions or suggestions, do not hesitate to contact us: email@example.com