Vendors and Subcontractors

List of vendors and subcontractors used by Lumoa that process personal data or have access to personal data

LIST OF VENDORS PROCESSING PERSONAL DATA

Name of the Company | Description of the Service and Location | More Information
Microsoft
(subsidiary in Ireland)
Hosting & services

  • Azure app services, Azure hosted Kubernetes clusters, self-hosted virtual machines, Azure database for MySQL, Translator Text API, Cognitive Services / Speech to text

  • Text API: private data is masked, and data is never stored when processed


Description

  • Headquarters in the US

  • Personal data processed within EU/EEA

    Lumoame has a paid subscription that guarantees that the personal data will be processed within EU/EEA.





  • Data stored: Feedback, User details

  • DPA signed (English language) https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=67

  • SCC signed

  • Microsoft is committing that they will challenge every government request for public sector or enterprise customer data – from any government – where there is a lawful basis for doing so. This strong commitment goes beyond the proposed recommendations of the EDPB. https://blogs.microsoft.com/on-the-issues/2020/11/19/defending-your-data-edpb-gdpr/

  • Second, Microsoft will provide monetary compensation to these customers’ users if we disclose their data in response to a government request in violation of the EU’s General Data Protection Regulation (GDPR). This commitment also exceeds the EDPB’s recommendations. It shows Microsoft is confident that we will protect our public sector and enterprise customers’ data and not expose it to inappropriate disclosure (source: Same as above)



MongoDB Atlas
(subsidiary in Ireland)
Database

  • MongoDB is run within Microsoft Azure. This means that the data is hosted in the same location and with the same logic as Microsoft services.


Description

  • Headquarters in the US

  • Personal data processed within EU/EEA. Lumoame has a paid subscription that guarantees that the data will be processed within EU/EEA.

  • MongoDB personnel do not have access to data stored in the MongoDB database



  • Data stored: Feedback, User details

  • Data Processing Terms signed as part of Terms of Service: https://www.mongodb.com/cloud-terms-and-conditions

  • Technical and organizational security measures: https://www.mongodb.com/technical-and-organizational-security-measures

  • SCC signed

  • As an additional technical measure, Lumoame has entirely restricted access by all MongoDB personnel, as described in point 4.2.4 of the Technical and organizational security measures linked above

  • MongoDB has confirmed to Lumoa that neither MongoDB nor any other affiliated US entity (collectively, "MongoDB") that processes or has access to personal data that is transferred to MongoDB fall under any of the definitions in 50 U.S.C. § 1881(b)(4) or are directly subject to 50 U.S.C. § 1881a (FISA 702), and MongoDB has not been required to cooperate with US authorities conducting surveillance of communications under EO 12.333.

CloudAMQP
Message queue

  • RabbitMQ, message queue for evening out the load to the API.


Description

  • Headquarters in Sweden

  • Personal data processed within EU/EEA

    Lumoame has a paid subscription that guarantees that the personal data will be processed within EU/EEA.



Integromat
Automation service

  • Used to automate process flows internally.


Description

  • Headquarters in the Czech Republic

  • Personal data processed within EU/EEA


Intercom

NOTE: Lumoame has made a decision to stop using Intercom and switch similar activities; use of Intercom is stopped by 31st March 2021.
Support services

  • Personalized support, onboarding and in-product announcements.


Description

  • Headquarters in the US

  • Personal data processed in the US

  • Transfer mechanism under GDPR: Standard Contractual Clauses (SCC)



  • Data stored: Only email address of Lumoa user

  • DPA and SCC signed

  • See also Lumoame 10 Frequently asked questions on data transfers.

  • Supplementary measures:
    - Limited amount of personal data processed in the US.
    Intercom only has access to users' email addresses.
    Customer feedback is not processed in the US.
    - All data sent to or from Intercom is encrypted in transit using 256-bit encryption; there is also a notification obligation in case of law enforcement requests, as well as the right to suspend data transfers in case of non-compliance with the SCC.
    - Contractual measures, such as the right to suspend the service in case of non-compliance with the SCC.
    - Intercom has also confirmed that they have not received US law enforcement requests under Section 702 FISA or EO 12333.

Inscripta Oy
Speech recognition service

  • Used only for transcribing speech to text.


Description

  • Headquarters in Finland

  • Personal data processed within EU/EEA



  • Data stored: Call files

  • DPA signed

Enuvo GmbH
Partner for surveying


Description

  • Headquarters in Switzerland

  • Personal data processed within EU/EEA


  • Data stored: Responses to surveys

  • DPA signed

MailGun technologies
Partner for sending email notifications (e.g. weekly reports and event notifications) to Lumoa users

Description

  • Headquarters in the US

  • Personal data stored and processed within EU/EEA. The data of EU customers, i.e. Lumoame, is hosted within the EU.



  • Data stored: Email address of Lumoa user, individual feedback (if that is separately enabled for the alert email)

  • DPA signed, SCC signed, and EU model clause signed

  • Additional safeguards:
    - Recipient email address is stored in pseudonymised format
    - Data encryption
    - Data minimization principle

Crisp

Crisp will replace Intercom as a more secure and GDPR compliant solution on March 15th 2021
Partner for sending email notifications (e.g. weekly reports and event notifications) to Lumoa users

Description

  • Headquarters in the US

  • Personal data stored and processed within EU/EEA. The data of EU customers, i.e. Lumoame, is hosted within the EU.

  • Data stored: Email address of Lumoa user, individual feedback (if alert is created on it)

  • DPA, SCC and EU model clause signed

  • Additional safeguards:
    - Recipient email address is stored in pseudonymised format
    - Data encryption
    - Data minimization principle

List of subcontractors having access to personal data 

Name of the Company | Location | Description of the Service | More information
CTRLC SIA

  • Consultant located in Latvia

  • Personal data processed in the EU/EEA

One person consultancy
Developer with access to customer data.
DPA signed
PQNet SIA

  • Consultant located in Latvia

  • Personal data processed in the EU/EEA

One person consultancy
Developer with access to customer data.
DPA signed