Product: Emill

Last edited 18.10.2024

MET-1-1.1 Who gave the information?

Manufacturer/service provider

MET-1-2.1 Brief introduction of the product

Emill is a mobile community application that provides powerful tools for collaboration between users both within and between organizations.

Tools for digital multimedia production, personal communication, theme-based discussion in open and closed groups are easily accessible.

The application can be used in training, as well as a centralized communal support platform.

Creating, compiling and sharing content and ideas has never been this easy!

MET-1-3.1 Introduction page (if any)

1-5 categories describing the product.

Activation applications, Discussion channels, Learning platforms/environments, Social media, Collaboration

GEN-1-3.1 Is there an age limit for users in the service?

Other age limit
Additional information
Avoimen palvelun ikäraja on 18 vuotta. Organisaatiotileillä voidaan soveltaa alempaa ikärajaa// The age limit for the open service is 18 years. A lower age limit may apply for organisational accounts.

GEN-1-5.1 Country of manufacture/home country of the service provider

Suomi

GEN-1-6.1 ISO certifications

Empty/not answered
Additional information
Ei sertifikaatteja/ No certifications

GEN-1-7.1 Is there a mobile app for the service?

iOS, Android

GEN-1-8.1 License type

Named user, Organization license, Other

GEN-1-9.1 Is virtualization possible?

No
Additional information
Koska pilvipalvelu, virtualisoinnin mahdollisuutta ei tarvita.//As a cloud service, there is no need for virtualisation.

GEN-2-1.1 Service-specific Privacy Notice (if any)

GEN-2-2.1 Data security description of the service (if any)

GEN-2-3.1 Contact information of the data protection officer

Christian Alopaeus, christian@emill.fi

GEN-2-4.1 Are there advertisements or links to commercial services on the platform?

No

GEN-2-5.1 Does the service use cookies for which users' consent is asked?

No

UMA-1-1.1 Is the service used with personal usernames?

Yes

UMA-1-2.1 Are there at least two user levels in the user management of the service: administrator and end user?

Yes

UMA-1-3.1 Can access rights be limited according to the employees' job duties, taking into account the rights of different user groups?

Yes

UMA-1-4.1 What options does the service have to integrate user management into the organization's centralized user registry and single sign-on (SSO)?

Empty/not answered
Additional information
SSO-toiminnallisuus on tällä hetkellä kehitteillä, eikä se ole vielä saatavilla tuotantoversiossa/ The SSO functionality is currently in development and is not available in the production version yet

UMA-1-5.1 Is it possible to log in with usernames of other service providers?

Yes
Additional information
Google ja Apple

UMA-1-6.1 Can multi-factor authentication (MFA) be used for logging in?

No

UMA-1-7.1 Is strong user authentication possible?

No

UMA-1-8.1 Is it possible for the service to have guest users or non-logged-in users from outside the customer organization?

Not answered

UMA-2-1.1 Are comprehensive log data about the activities of all logged-in users saved?

Yes

UMA-2-2.1 Is every access to personal data saved in a log?

Yes

UMA-2-3.1 Are the service logs protected from unauthorized viewing and deletion?

Not answered
Additional information
Yes, service logs are read-only for engineers with deployment access

UMA-2-4.1 How long are log data retained, and how are they deleted?

4 viikkoa/ 4 weeks.

TDP-1-1.1 What kind of integrations (interfaces) are involved in the system and how are they protected from outsiders?

Järjestelmää ei ole integroitu ulkoisiin palveluihin.

TDP-1-2.1 How are the transfers of personal data through interfaces to sub-processors and possible disclosures to other parties logged?

Henkilötietoja ei siirretä alihankkijoille/ Personal data is not transferred to sub-processors

TDP-2-1.1 Does all personal data processing in the service take place in such a way that the network connection is encrypted and the user or the parties to the data transfer are verified?

Yes

TDP-2-2.1 Is it possible to use the service so that all personal data is stored only in encrypted form?

Yes

TDP-2-3.1 Has the service's security taken into account independent remote access?

Not answered
Additional information
Etäkäyttö on rajoitettu valituille tuoteinsinööreille, joilla on käyttöönotto-oikeudet. Kaikki muu on automatisoitu eikä vaadi usein tapahtuvaa käyttöä.

Remote access limited to selected engineers with deployment privileges. Everything else is automated and does not require frequent access.

TDP-3-1.1 Is the data content of the service backed up at least once a day and is it possible to restore the backup quickly if necessary?

Yes

TDP-3-2.1 Is the backup restoration process documented and tested?

Yes
Additional information
Kyllä: Varmuuskopiointiin ja palauttamiseen käytettävä hallintatyökalu/ Yes: A management tool used for backup and restoration.

TDP-4-2.1 Can multi-factor authentication (MFA) be required on all users at login?

No

TDP-5-1.1 Are security updates for software components related to the service installed regularly without any delay?

Yes

TDP-5-2.1 Has data security been audited by an external party? If so, by whom?

No

TDP-5-3.1 Are regular data security and vulnerability tests performed on the service?

Yes
Additional information
Tietoturva- ja haavoittuvuustestaukset ovat osa jatkuvaa ylläpito- ja kehitystyötä // Security and vulnerability testing is part of ongoing maintenance and development work

TDP-5-5.1 How have the GDPR requirements, risk-based approach and data protection by default, been taken into account in the system design and its functions?

Turvallisuus ja tietosuoja olivat palvelun arkkitehtuurin tärkeimmät vaatimukset. GDPR:ään liittyvät toimenpiteet on otettu huomioon. //Security and data protection were the key requirements in the architecture of the service. GDPR-related measures are taken into account.

TDP-5-6.1 Does the service provider have procedures for detecting, reporting, and investigating data breaches?

Yes
Additional information
Turvallisuus ja tietosuoja olivat palvelun arkkitehtuurin tärkeimmät vaatimukset. GDPR:ään liittyvät toimenpiteet on otettu huomioon./ Security and data protection were the key requirements in the architecture of the service. GDPR-related measures are taken into account.

DPR-1-1.1 What are the purposes of processing personal data?

Käyttäjän luoma kutsumanimi ja sähköpostiosoite kerätään palveluun kirjautumiseksi (sähköpostiosoite) sekä käyttäjän “tunnistamistarkoituksiin”, jotta hänet voidaan liittää ryhmän jäseneksi. HUOM: Käyttäjä voi nimetä itsensä haluamallaan tavalla ilman aitoa etunimii/sukunimi -yhdistelmää. Muut ryhmän jäsenet eivät näe käyttäjän sähköpostiositetta. Ryhmäadmin näkee käyttäjän sähköpostiosoitteen, jotta voi hallita ryhmän jäsenten rooleja, poistaa jäsenen ryhmästä.
The user-generated username and email address are collected for login (email address) and for "identification" purposes, so that the user can be associated with the group. NOTE: A user can choose to name themselves as they wish without a real first name/last name combination. Other members of the group will not see the user's email address. The group admin sees the user's email address in order to manage the roles of group members, remove a member from the group.

DPR-1-2.1 What role does the service provider give itself in terms of data security?

For the role of controller and processor

DPR-1-3.1 Do end users need to give consent for the processing of personal data related to the service?

Yes; always
Additional information
Käyttäjät antavat suostumuksensa henkilötietojen käsittelyyn hyväksymällä käyttöehdot, joihin sisältyy suostumus sekä mahdollisuus tutustua käyttöehtoihin//
Users give their consent to the processing of personal data by accepting the Terms of Service, which include consent and access to the terms of use.

DPR-1-4.1 Is it possible to make the name of the client organization and a link to its own privacy notice visible to users in the service?

No

DPR-1-5.1 Does the service provider have access to personal data stored by the client organization?

Yes
Additional information
Palveluntarjoaja tarjoaa, osana palvelua, tukea ryhmän hallintaan. Tästä johtuen palveluntarjoajan "superadmin" roolissa olevat henkilöt pääsevät asiakkaiden henkilötietoihin, joita ovat sähköpostiosoite ja käyttäjän itselleen luoma kutsumanimi. Palveluntarjoajalla ei ole pääsyä käyttäjän luomaan sisältöön tai valokuviin/videoihin.

As part of the service, the provider offers active content support and content creation. As a result, persons acting as "superadmins" of the service provider have access to customers' personal data: email address and user-created nickname. The service provider does not have access to user-created content or photos/videos.

DPR-1-6.1 Does use of the service generate a register of which the service provider is a joint controller with the client organization?

Yes
Additional information
Palveluntarjoaja tarjoaa tukea asiakasorganisaatioille ja tässä ominaisuudessa tarvittaessa ylläpitää myös tunnuksia. Tässä tilanteessa palveluntarjoaja ja asiakas toimivat yhteisrekisterinpitäjinä ja -käsittelijöinä. // The service provider will provide support to the client organisations and, in this capacity, will also maintain the credentials where necessary. In this situation, the Service Provider and the Customer act as joint registry administrators and processors.

DPR-1-8.1 Does the service provider have an up-to-date list of personal data sub-processors, including each sub-processor's name, location, processing purpose, and any transfer basis outside the EU/EEA?

Yes

DPR-1-9.1 Link to the list of sub-processors (if any)

Additional information
Perspektives Digital Oy

DPR-1-10.1 Does the service provider or any of its sub-processors process personal data outside the EU/EEA?

No

DPR-1-11.1 If personal data is processed outside the EU/EEA area, on what grounds is personal data transferred?

Not answered
Additional information
Henkilötietoja ei käsitellä EU/ETA-alueen ulkopuolella

DPR-1-12.2 Can personal data be transferred to third countries that are not considered safe?

No

DPR-1-13.1 In which countries are the service provider's servers located?

Suomi, Ruotsi, Ranska // Finland, Sweden, France

DPR-2-1.1 What personal data does the service provider process?

Käyttäjän itse luoma kutsumanimi ja sähköpostiosoite // User-created username and email address
Additional information
Käyttäjä voi luoda itselleen haluamansa kutsumanimen. Käyttö edellyttää aitoa sähköpostiosoitetta. // The user can create a nickname of their choice. Use requires a real email address.

DPR-2-2.1 Is the service also intended for processing special personal data (e.g. health data)?

No

DPR-2-3.1 Can the required and optional fields related to users be defined by the administrator?

No

DPR-2-4.1 Does the service provider provide users with comprehensive information about the processing of personal data in the service?

Yes

DPR-2-6.1 What procedures are in place to ensure that data is not used for other purposes?

Tiedonhallintaryhmä hyväksyy kaiken tietojen viennin ja/tai integroinnin kolmansien osapuolten järjestelmiin.
All data export and/or integration with third-party systems is approved by the data management team.

DPR-2-7.1 Does the service have a function for pseudonymizing personal data?

No

DPR-2-8.1 Can users be asked for separate consents for the processing of certain personal data (e.g., personal identification number or special personal data)?

No

DPR-2-9.1 Is data processed on a large scale in the service?

No

DPR-2-10.1 Can the service's functions involve profiling, scoring, or evaluating individuals?

No

DPR-2-11.1 Can the service involve the processing of location data?

No

DPR-2-12.1 Can the service define the retention periods for personal data or the criteria for determining them?

No

DPR-2-13.1 Can users' personal data be anonymized instead of deleted?

Yes

DPR-3-3.1 Is the scope and duration of personal data processing proportional to the intended benefits?

Not answered
Additional information
Tietoja säilytetään, kunnes käyttäjä pyytää tilin poistamista.// The data is kept until the user request account deletion.

DPR-4-2.1 Can users see all the data stored about them?

Yes

DPR-4-3.1 Can users download or transfer the data they have stored to another service, or import data from another system?

No
Additional information
Ei, tätä toimintoa ei tueta. Käyttäjät voivat pyytää tietojensa poistamista tukipalvelusta/ poistopyyntö integroituna sovellukseen.
No, this functionality is not supported. Users can request an export of their data from support.

DPR-4-4.1 How and when are personal data deleted?

Henkilötietoja ei poisteta automaattisesti. Yksityistiliä käyttävä käyttäjä voi poistaa oman tunnuksen itse ja organisaatiotunnukset poistetaan erillisten sopimusten mukaisesti.//Personal data is not automatically deleted. Users with a private account can delete their own ID themselves and organisational IDs are deleted under separate agreements.

DPR-4-5.1 If a data subject exercises their right to restrict the processing of their personal data, what technical means are used to ensure the implementation of the restriction?

Kaikki henkilötiedot poistetaan pyynnöstä. Kaikkia pyyntöjä seurataan.// All personal data is removed per request. All requests are tracked.

DPR-5-1.1 How is the accuracy of the processed personal data ensured?

Henkilötietoja ei muuteta erityisellä tietojenkäsittelytoiminnolla, ja ne näytetään sellaisenaan. // There is no specific data processing functionality that modifies personal data, and it is displayed “as is”.

DPR-6-1.1 Are automated decisions made in the service, and if so, on what basis?

No
Additional information
No automated decisions are made in the service.

DPR-6-2.1 How are data subjects informed about automated decision-making?

N/A

DPR-6-3.1 How are the conclusions related to the data subject that are based on automated decision-making described to them?

N/A

DPA-1-1.1 Is it possible to enter into a data processing agreement (DPA) with the service provider?

Yes; only one standard DPA

DPA-1-2.1 Link to standard template for a DPA agreement (if available)

Empty/not answered

DPA-1-3.1 Are the personal data to be processed defined in the DPA (Data Processing Agreement)?

Yes

DPA-1-4.1 Are the purposes of personal data processing defined in the DPA (Data Processing Agreement)?

Yes

DPA-1-5.1 Can instructions be provided in conjunction with the DPA (Data Processing Agreement) that the service provider must take into account when processing personal data?

No

DPA-1-6.1 Does the DPA (Data Processing Agreement) stipulate that the service provider ensures confidentiality obligations for its employees?

Yes

DPA-1-7.1 Does the DPA (Data Processing Agreement) stipulate that the service provider allows for monitoring and auditing by the data controller?

Yes

DPA-1-8.1 Does the service provider have a designated contact person for data protection issues?

Yes
Additional information
Kehittäjän tietosuojavastaava vastaa Emill-palvelun tietosuoja-asioista // The developer's data protection officer is responsible for data protection issues on the Emill service

DPA-1-9.1 Is data deletion defined in the DPA (Data Processing Agreement)?

Yes

DPA-1-10.1 Does the service provider use users' personal data for purposes other than the functions and maintenance of the service?

No

DPA-2-1.1 Is compliance with the EU General Data Protection Regulation (GDPR) and the implementation of adequate safeguards ensured in the DPA (Data Processing Agreement) in situations where sub-processors are used for personal data processing?

Yes
Additional information
Kehittäjä ei käytä alihankkijoita henkilötietojen käsittelyyn. // The developer does not use subcontractors to process personal data

DPA-2-2.1 Sub-processors in accordance with the DPA (Data Processing Agreement) or a link to the list of sub-processors (if available).

Perspektives Digital Oy

DPA-2-3.1 Does the service provider comply with the requirements of the General Data Protection Regulation (GDPR) regarding changes to sub-processors?

Yes
Additional information
Yes, change to sub-processors are tracker

DPA-3-1.1 Does the service provider commit to promptly notifying of any data breaches?

Yes

DPA-3-2.1 Does the service provider have a procedure mentioned in the contract for reporting data breaches?

Yes
Additional information
Yes, same procedures as Emill.

DPA-3-3.1 Does the service provider commit to promptly fulfilling requests related to personal data?

Yes
Additional information
The service provider doesn’t store or process any personal data

DPA-4-1.1 Does the processor or any of its sub-processors process personal data outside the EU/EEA?

No

DPA-4-2.1 If personal data is processed outside the EU/EEA, on what basis are the data transfers made?

Not answered

DPA-4-3.1 If the EU Commission's Standard Contractual Clauses (SCC) are used as the grounds for the transfer of personal data, which standard clauses are they?

Not answered

DPA-4-4.1 Can personal data be disclosed to the authorities of a third country?

No

DPA-4-5.1 Does the service provider have documentation to assist with the transfer impact assessment (TIA) when data is transferred outside the EU/EEA?

No

DPA-4-6.1 If data is transferred outside the EU/EEA area, what additional protection measures are used?

N/A
Check invalid fields