Situm is GDPR compliant because, when you use Situm, you trust us with your data. This is why we have implemented all the security and privacy measures that allow us to protect your data and ensure your rights. We take our obligation to safeguard users’ personal information very seriously and are committed to protecting the privacy and security of our users, while being transparent about our data practices.


What data does Situm store?

The following is a summary of the data that Situm could process:

  1. Mobile device information. This information includes: geolocation, sensor readings (e.g. WiFi readings), device information (e.g. OS), app information (e.g. package name, SDK version), etc. All the device information is associated with a unique pseudonymous identifier of the device (not of the user), which protects the user's privacy.
  2. Situm Dashboard user information. We also store some information about the users who are registered on the Situm Dashboard (e.g. the administrator account), such as: email address and contact information provided by the user, OS, cookies, etc.
  3. Cartography information of the buildings that are uploaded to the Situm Dashboard: floorplans, points of interest, etc. This information is not considered personal data of the user.
  4. Logging data of user interactions with Situm Services, such as device IP, accessed URL, etc.
  5. If the user activates the "Workforce Tracking" module (Situm MRM), additional information may be processed, such as: the history of devices (and their IDs) with which each user has been associated, alarms generated by the users, etc.

The most sensitive data that Situm stores is the geolocation data (indoor or outdoor) of each device that runs the Situm SDK. To ensure maximum privacy protection, Situm does not associate this information with the user by default, but with a pseudonymous identifier of the device (not of the user).

For a complete list of the data, see Annex I of Situm Master Subscription Agreement.


Where do we store the data?

Situm trusts Microsoft Azure as its cloud provider. Azure has stated that it is compliant with the most relevant security and privacy policies, as well as the GDPR provisions.

By default, Situm stores all the data in Europe (West Europe region). We are also aware that you may prefer to store your data in other geographies, and we offer this option too. 

Just email us at sales@situm.com with your case and we will help you in this regard.


Who else will have access to the data?

Situm trusts several data subprocessors to ensure the maximum quality of the service, such as Microsoft Azure or Google Maps. Annex II of our Situm Master Subscription Agreement (MSA) contains a full list of subprocessors.


What provisions has Situm put in place to ensure GDPR compliance?

We’ve been working hard to ensure that we’re in compliance with the GDPR. The following is a non-exhaustive list of the main provisions:

  1. Situm has appointed a Data Protection Officer who oversees the GDPR compliance of the organization. You can reach the Situm DPO by email at dpo@situm.com.
  2. Situm has put in place a “Data Processing Addendum” that regulates the GDPR provisions for the processing of personal data. It is available for review in our Situm Master Subscription Agreement (MSA) (Section 8, Exhibit B and Annexes I and II).
  3. Situm supervises GDPR compliance by performing the recommended GDPR internal procedures, such as the Privacy Impact Assessment, applying EU standard contractual clauses, etc.
  4. Situm has put in place the security measures and policies required to adequately protect your data, including: privacy by design, backup and disaster recovery policy, access control protection, password policy, device inventory policy, data encryption policy, data breach action protocol, security and GDPR staff training, etc.

We’ll continue to review our security measures, as we always do, to warrant compliance with the GDPR provisions and the European Data Protection Board recommendations.


Can I use Situm Services if I have customers in the EU?

Yes! The main purpose of the GDPR is to protect data subjects and grant them specific rights to their personal data. Understanding these rights and how to comply with them as a Data Controller is essential to comply with the GDPR provisions. Situm will be acting as a Data Processor for your customers’ data and will provide ways to comply with all of your data subjects’ rights under the GDPR obligations of a data processor. As Data Controller, you will need to inform EU users which of the data you are collecting may be considered personal, including the data that Situm Services process from the users, and determine how you will use the users’ consent or another lawful basis when Situm is processing personal data as your Data Processor. You can check our "Data Processing Agreement" in Exhibit D of the Situm MSA.


Can I use Situm Services if my customers are outside the EU?

Of course! We warrant compliance with the GDPR by default because we are established in the EU, which has one of the highest regulatory standards for the security of personal data. If your customers are outside the EU, you will also have the high-standard security measures required by the GDPR. In any case, you can also contact our team (dpo@situm.com) for more information about your personal data protection needs.


Where can I learn more about this topic?

Please check:

  1. Section 8, Exhibit B and Annexes I and II of the Situm Master Subscription Agreement (MSA).
  2. Our Privacy Policy.

Or email us at dpo@situm.com.