Askele's Privacy and Security Statement and Terms of Service for Productized Integrations

On this page you will find the Security and Privacy Statement and Terms of Service for Askele Oy's productized integrations (Askele Insights, HubSpot-Severa).

 

Our productized integrations

 

Askele Insights

The Askele Insights (Hours, Projects, Profit) applications enhance the use of Severa by providing real-time information on project profitability, time tracking and project management.

Read more about the Askele Insights app here.

HubSpot - Severa integration

The HubSpot-Severa integration connects your company's key systems, enabling a seamless flow of information between marketing, sales, project management and finance.
The two-way integration transfers company and contact information, sales activities, projects, activities, resourcing, payment items and invoicing, among others.

Read more about the HubSpot-Severa integration here.

Terms of Service

For the latest Terms of Service, click here.

Privacy Statement

In this privacy statement, we explain how personal data is processed in our productized integrations.

We are committed to handling our customers' valuable and confidential personal data responsibly in all our activities.

We process personal data in accordance with the Finnish Data Protection Act (1050/2018, as amended), the European Union's General Data Protection Regulation (EU 2016/679, as amended, "GDPR") and other applicable national and EU-wide data protection legislation. We also follow the guidelines and decisions of the data protection authorities.

Definitions

  • Customer means a person who purchases our services.
  • Personal data is any information that allows a person to be identified, either directly or indirectly. This statement clarifies the types of personal data we process in our productized integrations.
  • By Services, we refer to all of our productized integrations provided by Askele Oy, such as the Askele Insights app and the HubSpot-Severa integration.

Processing of personal data

We process personal data in connection with the Services in the role of processor of personal data, with our client company acting as data controller.

Askele Oy, as the controller, is responsible for the processing of personal data related to customer relationships and contractual relations.

The Services process personal data in the customer's business systems through interfaces, with the customer's authorisation.

Types of personal data processed

All productized integrations

  • Subscriber and user data related to the customer and contractual relationship
  • Personal data of users of the customer's business systems (ERP and/or CRM), such as first name, last name, email address, telephone number, country, language, technical identifier.

Askele Insights Hours

  • Sensitive data of users of the customer's ERP system, such as type, date and duration of absence.

HubSpot-Severa

  • Personal data of the customer's HubSpot and Severa contacts such as first name, last name, email address, phone number, title, technical id.
  • Name and business ID of the customer's HubSpot and Severa companies (if the company is a private entrepreneur)

Grounds for processing personal data

In our Services, we process personal data for the purposes set out below:

Contractual relationship and provision of services

We process personal data to provide services and fulfill the contract. This includes, for example:

  • the provision and delivery of the service
  • detecting and correcting faults and errors
  • communication
  • customer and contract management

Legal obligations

We process personal data to fulfil legal obligations, such as for accounting and regulatory purposes.

Consent

We may process personal data for the purposes for which you have given your explicit consent.

Legitimate interest

We process personal data on the basis of legitimate interest where the processing is necessary, for example, for service development, quality control or to prevent abuse, and the processing does not undermine the rights or freedoms of the data subject.

Safeguarding personal data

Data security and the protection of customer data are our top priorities and we are committed to ensuring the availability, accessibility, integrity and security of personal data. We implement appropriate procedures to protect the processing of personal data and to prevent and detect unauthorized access and data loss.

In practice, this means, for example, the following measures:

  • All traffic between the service and the customer's system is protected by TLS encryption.
  • All data stored in the database is encrypted with strong 256-bit AES encryption.
  • We use multi-factor authentication to access the technical environment.
  • We follow the principle of least privilege in managing access rights.
  • The security of the service is regularly audited.
  • Software and network component versions are kept up to date to minimise potential vulnerabilities.
  • Access to the technical development environment and logs is restricted to only those individuals who need them for their work.

We take systematic action to protect our customers' rights and ensure the security of our staff, data, information systems and premises. We pay particular attention to the protection of personal data in all our processes.

In designing our security measures, we take into account the privacy and business risks associated with the processing of personal data, the opportunities offered by technology and the key threats. Our activities are based on applicable legislation, regulatory requirements and contractual obligations.

Disclosure of personal data to third parties

We may disclose personal information as required and permitted by applicable law, such as in response to a request from a government authority, in legal proceedings or in connection with a business arrangement.

In addition, we may disclose personal data to subcontractors acting on behalf of Askele who process personal data on the basis of an assignment given by us. When we use subcontractors, we will take appropriate steps to ensure that the processing of personal data is carried out in accordance with the service agreement and the privacy statement. The subcontractors referred to here include application development partners or IT service providers.

All our productized integrations are hosted in Microsoft Azure's Western and Northern European data centres, which means that the data remains within the EU.

Askele Insights uses Twilio SendGrid to send emails, which means that personal data of users of the customer's ERP system may also be transferred outside the EU. SendGrid is a GDPR-compliant provider.

Storage of personal data

Personal data will only be kept for as long as it is necessary for the purposes specified in the service agreement and the privacy statement, unless longer retention is required by law. Outdated or unnecessary data will be deleted.

Data collected during the contractual relationship will be kept for the duration of the contract or for as long as the provision of the service requires. When the contract or service ends, personal data will continue to be retained where necessary, for example for the purposes of unfinished business, invoicing or complaints, usually for a maximum of six months after the end of the contract or service.

In cases provided for by law, data may be processed and stored for as long as required by law. For example, accounting and money laundering legislation may require personal data to be kept for 5-6 years.

Rights of the data subject

As a party to a service agreement, you have the following data subject rights:

  • the right to obtain information on the processing of your personal data
  • the right of access to your data
  • the right to rectification of your data
  • the right to erasure of your data and to be forgotten
  • the right to restrict the processing of your data
  • the right to data portability
  • the right to object to the processing of your data
  • the right not to be subject to a decision based solely on automated processing.

If you believe that Askele Oy has acted in breach of the Privacy Statement or applicable law, you have the right to lodge a complaint. In addition, if necessary, you can refer the matter to the Office of the Data Protection Ombudsman, which monitors the lawfulness of the processing of personal data.

Changes

We will update the Privacy Statement as necessary as our operations and Services evolve.

Contact

Questions relating to the processing of personal data or the Privacy Statement, as well as complaints or requests to exercise rights in relation to the processing of personal data:

Askele Oy
Brahenkatu 4
53100 Lappeenranta

Business ID 2645207-2

Data protection officer: security@askele.fi
Customer service: support@askele.fi

Security Statement

In this security statement, we describe how we implement security in our productized integrations.

Security is at the heart of our business. We understand its importance to our customers and want to ensure that customer data remains secure at all stages of the service. We handle customer data responsibly and appropriately and are committed to maintaining data security in accordance with applicable laws and regulations.

Data security means the secure handling of all data, regardless of its format. Security covers the confidentiality, integrity and availability of data and includes both administrative and technical measures. It is proactively maintained and actively monitored.

In our productized integrations, security is reinforced by concrete technical solutions. All traffic between the service and the customer's system is protected by TLS encryption, and data stored in the database is encrypted with strong 256-bit AES encryption. We use multi-factor authentication to access the technical environment and apply the principle of least privilege in access management. The security of the service is regularly audited, and versions of software and network components are kept up to date to minimise potential vulnerabilities.

For customers, this means that their data is protected at every stage - from data transmission to storage and use.

Technical environment

Our productized integrations are hosted in the Microsoft Azure cloud, in data centres in Western and Northern Europe. The Microsoft Azure cloud is GDPR compliant and ISO certified.

We take advantage of the built-in security features provided by Microsoft Azure, such as firewalls, threat detection and automatic security updates. All data retrieved and sent by the service is protected by the TLS encryption protocol, and data stored in the database is encrypted with strong 256-bit AES encryption.

Data from the customer's systems is retrieved via the REST API provided by the systems. We only store data when it is necessary for the functionality of the service, for example for user identification or reporting purposes. Even then, we primarily store technical identifiers and aggregated data in order to minimise the processing of personal data.

We keep up-to-date versions of operating systems, software and network components to help reduce security vulnerabilities.

Access to the technical development environment is restricted and we apply the Principle of Least Privilege in managing access rights.

Development process

We have built privacy and security measures into our software development process. Security is taken into account during the application development phase, and data protection is continuously developed in line with risks and cost-effective solutions. We comply with the Finnish Data Protection Act and the EU General Data Protection Regulation (GDPR) when processing data. Our software development partners are also contractually committed to complying with the high security requirements defined by Askele.

Usage monitoring

We collect the following log data on the use of our applications to ensure the quality, security and development of the service:

  • Error logs: record errors and exceptions that occur in the application.
  • Performance logs: track application response times, resource usage and other performance-related information.
  • Usage logs: record user activities and service usage rates.
  • Email logs: record information about emails sent and received by the service and any errors.
  • Integration logs: record data transfers and events between different systems (e.g. REST API calls).
  • Security logs: track logins, authentications and possible security breaches.
  • Infrastructure logs: include, for example, firewall logs provided by the cloud service (Azure) and other events in the technical environment.

Access to all logs is restricted to the product development team. Logs are only used for service maintenance, development and security purposes.

Partners and suppliers

We rely on trusted partners and suppliers to deliver the service. We contractually ensure that confidentiality and a high level of security are maintained in our cooperation.

Our partners

Adafy Oy, Business ID: 2480016-8

Our supplier

| Name | Location / Country | Role in providing the service | The service |
|---|---|---|---|
| Microsoft | EU | Server centre, infrastructure services, code warehouse | Askele Insights, HubSpot-Severa |
| Twilio | USA (EU Standard Contractual Clauses) | Email services | Askele Insights |

Contact

If you have any questions or concerns about security, or would like to receive detailed information about our security measures, please contact us by email at security@askele.fi. Messages sent to this email address will be treated confidentially by Askele's security team. We take all security-related communications seriously and will endeavour to respond as quickly as possible.