Product: Emill

Last edited 01.09.2023

MET-1-1.1 Who gave the information?

Manufacturer/service provider

MET-1-2.1. Brief introduction of the product

Emill is a group-based community application that runs in the browser and on mobile devices. At its simplest, it is suited to organizing user support for a product, or correspondingly to serving as a versatile, structured environment for operations management, onboarding or learning.

Emill provides tools for digital multimedia production, personal communication, and theme-based discussion in open and closed groups. Emill can be used in education and business as well as in an organization's internal processes, or as an environment for producing, compiling and sharing the materials, communications and tasks of projects and events.

Emill's strength is its mobile editor, which makes it possible to produce clearly structured content anywhere, on site.

MET-1-3.1 Introduction page (if any)

1-5 categories describing the product.

Activation applications, Discussion channels, Learning platforms/environments, Social media, Collaboration

GEN-1-3.1 Is there an age limit for users in the service?

Yes
Additional information
The age limit for the open service is 18 years, but a lower age limit can be applied to organization accounts.

GEN-1-5.1 Country of manufacture/home country of the service provider

Finland

GEN-1-6.1 ISO certifications

Blank/not answered

GEN-1-7.1 Is there a mobile app for the service?

iOS, Android

GEN-1-8.1 License type

Named user, Organization license, Other

GEN-1-9.1 Is virtualization possible?

No
Additional information
Because this is a cloud service, the option of virtualization is not needed.

GEN-2-1.1 Service-specific Privacy Notice (if any)

GEN-2-2.1 Data security description of the service (if any)

GEN-2-3.1 Contact information of the data protection officer

Andrei Kolmakow

GEN-2-4.1 Are there advertisements or links to commercial services in the service?

No

GEN-2-5.1 Does the service use cookies for which users' consent is asked?

No

UMA-1-1.1 Is the service used with personal usernames?

Yes

UMA-1-2.1 Are there at least two user levels in the user management of the service: administrator and end user?

Yes

UMA-1-3.1 Can access rights be limited according to the employees' job duties, taking into account the rights of different user groups?

Yes

UMA-1-4.1 What options does the service have to integrate user management into the organization's centralized user registry and single sign-on (SSO)?

Blank/not answered

UMA-1-5.1 Is it possible to log in with usernames of other service providers?

Yes
Additional information
Google and Apple

UMA-1-6.1 Can multi-factor authentication (MFA) be used for logging in?

No

UMA-1-7.1 Is strong user authentication possible?

No

UMA-2-1.1 Are comprehensive log data about the activities of all logged-in users saved?

Yes

UMA-2-2.1 Is every access to personal data saved in a log?

Yes

TDP-1-1.1 What kind of integrations (interfaces) are involved in the system and how are they protected from outsiders?

The system is not integrated with external services.

TDP-2-1.1 Does all personal data processing in the service take place in such a way that the network connection is encrypted and the user or the parties to the data transfer are verified?

Yes

TDP-2-2.1 Is it possible to use the service so that all personal data is stored only in encrypted form?

Yes

TDP-3-1.1 Is the data content of the service backed up at least once a day and is it possible to restore the backup quickly if necessary?

Yes

TDP-4-2.1 Can multi-factor authentication (MFA) be required on all users at login?

No

TDP-5-1.1 Are security updates for software components related to the service installed regularly without any delay?

Yes

TDP-5-2.1 Has data security been audited by an external party? If so, by whom?

No

TDP-5-3.1 Are regular data security and vulnerability tests performed on the service?

Yes
Additional information
Data security and vulnerability testing is part of continuous maintenance and development work.

DPR-1-2.1 What role does the service provider give itself in terms of data security?

For the role of controller and processor

DPR-1-4.1 Is it possible to make the name of the client organization and a link to its own privacy notice visible to users in the service?

No

DPR-1-5.1 Does the service provider have access to personal data stored by the client organization?

Yes
Additional information
As part of the service, the service provider offers active content support and content creation. For this reason, persons in the service provider's "superadmin" role have access to customers' personal data.

DPR-1-6.1 Does use of the service generate a register of which the service provider is a joint controller with the client organization?

Yes
Additional information
The service provider offers active support to client organizations and, in this capacity, also maintains user accounts when necessary. In this situation the service provider and the client act as joint controllers and joint processors.

DPR-1-7.1 Is a personal data register of users generated for the service provider of which it is the controller?

Yes
Additional information
Customers' login details are stored in the user register.

DPR-1-8.1 Does the service provider have, for each sub-processor, an up-to-date list of sub-processors of personal data, which shows the name, location, processing purpose and possible grounds for transfer outside the EU/EEA area?

Yes

DPR-1-9.1 Link to the list of sub-processors (if any)

Blank/not answered

DPR-1-10.1 Does the service provider or one of its sub-processors process personal data outside the EU/EEA area?

No

DPR-1-11.1 If personal data is processed outside the EU/EEA area, on what grounds is personal data transferred?

Not answered
Additional information
Personal data is not processed outside the EU/EEA area.

DPR-1-12.1 Can personal data be transferred to non-secure third countries such as the United States?

No

DPR-2-1.1 What personal data does the service provider process?

Name and email address

DPR-2-2.1 Is the service also intended for processing special personal data (e.g. health data)?

No

DPR-2-3.1 Can the required and optional fields related to users be defined by the administrator?

No

DPR-2-4.1 Does the service provider provide users with comprehensive information about the processing of personal data in the service?

Yes

DPR-2-5.1 Does the service provider process personal data in accordance with data protection legislation?

Yes

DPR-2-6.1 What procedures are in place to ensure that data is not used for other purposes?

Blank/not answered

DPR-2-7.1 Does the service have a function for pseudonymizing personal data?

No

DPR-2-10.1 Is there profiling, scoring or evaluation of people in the functions of the service?

No

DPR-2-11.1 Are users' location data processed?

No

DPR-2-12.1 Can the service define the retention periods of personal data or its criteria?

No

DPR-2-13.1 Can users' personal data be anonymized instead of deleted?

Yes

DPR-3-1.1 Has the service provider identified, in its privacy policy, all personal data that is clearly related to the use of the service?

Not answered

DPR-4-1.1 Does the service provider guarantee that the rights of the data subjects are realized in accordance with the EU General Data Protection Regulation (GDPR)?

Yes
Additional information
We guarantee this.

DPR-4-4.1 How and when are personal data deleted?

Personal data is not deleted automatically. A user with a private account can delete their own account themselves, and organization accounts are deleted in accordance with separate agreements.

DPA-1-1.1 Is it possible to enter into a data processing agreement (DPA) with the service provider?

Yes; only one standard DPA

DPA-1-2.1 Link to standard template for a DPA agreement (if available)

Blank/not answered

DPA-1-3.1 Is the personal data to be processed specified in the DPA?

Yes

DPA-1-4.1 Are the purposes of personal data processing specified in the DPA?

Yes

DPA-1-5.1 In connection with the DPA, is it possible to give instructions that the service provider must take into account when processing personal data?

No

DPA-1-6.1 Does the DPA stipulate that the service provider is responsible for the confidentiality obligation of its employees?

Yes

DPA-1-7.1 Does the DPA stipulate that the service provider allows monitoring and auditing by the controller?

Yes

DPA-1-8.1 Does the service provider have a designated contact person for data protection issues?

Yes
Additional information
The developer's data protection officer is responsible for the data protection matters of the Emill service.

DPA-1-9.1 Is deletion of data defined in the DPA?

Yes

DPA-2-1.1 If sub-processors are used in the processing of personal data, is compliance with the EU's General Data Protection Regulation (GDPR) and the implementation of sufficient protective measures ensured in the contract?

Yes
Additional information
The developer does not use subcontractors for processing personal data.

DPA-2-2.1 Sub-processors under the DPA agreement or a link to the list of sub-processors (if any)

Blank/not answered

DPA-3-1.1. The service provider undertakes to report all data security breaches without any delay

Yes

DPA-4-1.1 Does the processor or any of its sub-processors process personal data outside the EEA?

No

DPA-4-2.1 If personal data is processed outside the EEA, on what grounds is personal data transferred?

Not answered

DPA-4-3.1 If the EU Commission's Standard Contractual Clauses (SCC) are used as the grounds for the transfer of personal data, which standard clauses are they?

Not answered

DPA-4-4.1 Can personal data be disclosed to the authorities of a third country?

No

DPA-4-5.1 If data is transferred outside the EU/EEA area, does the service provider have documentation that helps in assessing the effects of data transfer (transfer impact assessment, TIA)?

Not answered

DPA-4-6.1 If data is transferred outside the EU/EEA area, what additional protection measures are used?

Blank/not answered