Legal & Policies
Security and Compliance
Updated 27.5.2023
At Mapita, we take data protection seriously. We are committed to compliance with legislation and standards governing data security, privacy, and accessibility, both in the European Union and globally. Maptionnaire is developed with the assumption that the service can, and will, be used to collect personal information, including sensitive personal information.
All aspects of Maptionnaire are designed from the ground up to take this premise into account and to ensure that the information collected is secure at all stages of its lifecycle. We use administrative, organizational, technical, and physical safeguards to protect the personal data we collect and process. Our security controls are designed to maintain an appropriate level of data confidentiality, integrity, availability, resilience and ability to restore the data.
Maptionnaire is committed to providing an open and accessible engagement platform that is available to the widest possible audience. Maptionnaire is compliant with the AA-level of the Web Content Accessibility Guidelines (WCAG 2.1). Accessibility is a top priority for us and we are always striving to ensure that our platform follows the highest accessibility standards and best practices. We do this, for instance, by making sure that all questionnaire elements have been coded accordingly, and that screen readers and other assistive technology can help respondents in using the service.
Our service is ISO 27001 certified, meaning that our information security management systems meet international standards. You can find our certificate here.
The Service is developed in-house in Helsinki, Finland.
1. Privacy
Maptionnaire does not use the response data that clients collect with the Maptionnaire service. Response data is only accessed at the specific request from clients in conjunction with consulting work or support tickets.
Maptionnaire is fully compliant with the European Union’s General Data Protection Regulation (GDPR). In particular we strive to minimize the number of sub-processors and ensure that only well established, reliable and GDPR compliant sub-processors are used.
Maptionnaire is designed to make it easy for our customers to comply with applicable data regulations. We provide built in mechanisms for consent management including the ability for respondents to view, alter, and remove their own responses from the service.
Maptionnaire is a web service that has legitimate needs for monitoring service usage, errors, and performance. We also provide integrations with various third party services. Below is a detailed description how each of these impact a visitor to the service.
Visiting the Maptionnaire service
When you visit the Maptionnaire service, we record your IP address and browser information as standard practice in our server logs. These logs are only available to authorized Maptionnaire personnel for the purpose of diagnosing service issues, and are retained for a maximum period of 12 months.
Maptionnaire uses Matomo Analytics (matomo.org), a privacy focused open source tool for collecting usage statistics. The collected data is used internally by Maptionnaire for diagnosing issues and improving the service. Maptionnaire also makes specific aggregate statistics such as the number of page views available to the client who created and owns the page in question.
Maptionnaire also uses an external service, Sentry (sentry.io), for error and performance tracking. This means that if you happen to experience an issue while browsing the service, your IP address and browser information may be processed by Sentry and retained for a maximum of 90 days. Sentry was chosen because it is a well-established and reliable service provider, and Maptionnaire has an appropriate Data Processing Agreement (DPA) including the European Commission’s Standard Contractual Clauses (SCC) in place to govern the sub-processing and transfer of this data.
Visiting Maptionnaire Questionnaires with maps
Maptionnaire questionnaires are quite often map based, which means that when you visit a questionnaire, you may be retrieving maps from a third party. In that case the map provider will receive your IP address and browser information as well as information about which area of the map is being loaded.
Maptionnaire offers two third party map providers for creators to use in their questionnaires: MapTiler and Mapbox. Both companies are well established, reliable providers of mapping services. Mapbox is a USA based company and Maptionnaire has an appropriate DPA including SCCs in place to govern the sub-processing and transfer of this data. MapTiler is based in Switzerland and has a strong emphasis on privacy including a maximum retention time of 20 minutes for data that is being processed by them.
Creators can also choose to use other mapping providers in questionnaires. In that case it is the responsibility of the creator of the questionnaire to ensure a suitable DPA is in place, and to give proper notification thereof to visitors of the questionnaire.
Youtube and Vimeo
Maptionnaire allows creators to embed Youtube and Vimeo videos in questionnaires and pages. When you reach a page that contains such an embedded video, your IP address and browser information will be processed by the relevant company. Maptionnaire only uses privacy preserving “do not track” version of the media players provided by Youtube and Vimeo.
Youtube and Vimeo only provide DPAs for content creators on their platform. It is thus the responsibility of the creator of the questionnaire to ensure a suitable DPA is in place, and to give proper notification thereof to visitors of the questionnaire or page.
Social sharing buttons
Maptionnaire provides the ability to include social media sharing buttons in questionnaires and pages. Maptionnaire ensures that these sharing buttons do not transmit data unless and until the button is pressed by a visitor.
Accounts and Login providers
Maptionnaire allows users to create accounts on the service by using a functioning email address and password. As an alternative to password based authentication, users can create accounts using Facebook and Google as authentication providers. In the latter case Maptionnaire ensures that no data is transferred to the authentication providers unless and until the respective “Login with…” button is pressed by a visitor.
When using an authentication provider Maptionnaire receives the email address associated with the provider account as well as an application specific unique authentication token. We only requests the minimal possible set of information from the provider and ensure that only the email address and authentication token are used by Maptionnaire.
2. Security
Maptionnaire’s primary aim is to guarantee the confidentiality, integrity, and availability of response data collected by our customers. To achieve this goal, Maptionnaire has implemented technical and organizational controls in accordance with the ISO27001 standard for information security management. Maptionnaire also conducts regular security reviews and penetration testing by accredited external reviewers. Below is a non-exhaustive list of some of the most important controls in place.
Application
Application servers and databases have secure access controls in place and run recent, security supported OS / database versions with automatic security updates enabled. Maptionnaire uses security-supported, recent versions of all software and packages needed for providing the service.
Application deployment ensures continuity by using version control, continuous deployment, continuous integration, and automated testing for zero downtime updates with last known good state fallbacks. Maptionnaire runs in a fault-tolerant, redundant configuration with automated recovery, and servers are continuously monitored for performance issues and deviations from expected behaviour.
Network
All network connections to Maptionnaire are encrypted and we actively maintain an A+ rating on SSLLabs’s SSL Server Test. Internally Maptionnaire servers and databases operate in redundant Virtual Private Networks (VPN) with strict access control. In particular database servers are only accessible from within the VPN, and administrative access to application servers is limited to PEM certificate based authentication from whitelisted IP addresses.
Data
Data is encrypted at rest and during transfer. Application servers and databases make regular encrypted backups with daily, weekly, and monthly retention policies. These backups are retained for a maximum of 2 years. The Maptionnaire service logs access to response data, and these logs are available to users with the appropriate access permissions in their Maptionnaire team.
Maptionnaire is committed to providing access to the response data (for users with the appropriate access permissions) in an open and standard format.
3. Hosting
Maptionnaire is hosted by amazon Web Services (AWS). AWS is a well known, reliable, and secure cloud provider that meets the requirements of several globally recognized security standards including ISO27001 and SOC. Read more about AWS’s security and compliance.
The Maptionnaire service is deployed exclusively in AWS’s Ireland (eu-west-1) data center.
4. Accessibility
Maptionnaire follows the W3C standard and practices for developing web services. Maptionnaire follows the EU Accessibility Directive and commits to implementing level AA of the Web Content Accessibility Guidelines (WCAG2.1) developed by the W3C.
Exceptions
Background maps and other web-based map services are not compatible with assistive technology. Due to this map-based parts of Maptionnaire are inherently incompatible with certain accessibility tools such as screen readers. This is a widely recognized issue and for this reason, the EU Accessibility Directive and the Finnish Act on the Provision of Digital Services explicitly exempt map-based web services.
Level of Accessibility
Maptionnaire aims to make the non-map related parts of the service accessible within the guidelines and standards outlined above. In particular, questionnaire pages and elements should be available to screen readers, and questionnaires should support keyboard-based navigation, including maps where possible. Maptionnaire service features are customizable and clients can inadvertently produce poorly accessible styles. To mitigate this, we ensure proper default values and provide suitable color palettes.
5. Environmental and social responsibility
Mapita is committed to responsible business conduct and strives to promote ethically approved practices. We emphasize social, economic and environmental responsibility as well as fairness and transparency in our relationships with employees, partners, customers, authorities and other interest groups. We are committed to respecting internationally recognised human rights in all our activities and promoting them in practice.
We are committed to ensuring that modern slavery, forced and child labor and human trafficking plays no part in our supply chain or in any part of our business. Mapita complies with international, national, and local laws and regulations, and respects international agreements concerning human and labor rights, such as the United Nations’ Universal Declaration of Human Rights, and condemns the use of forced and child labor.
Mapita makes environmentally conscious choices whenever possible. We want to produce a service that supports our customers in reaching their sustainability goals.
- Our office is paperless. Agreements and other paperwork are handled electronically.
- Energy efficiency is taken into account by everyone having solely laptops. Lighting uses low-energy bulbs, and lights are turned off when the spaces are not being used.
- Our office is located such that anyone can easily use public transportation to get there. Many of us also cycle or walk to work.
- We use electronic means to communicate with our customers, but when flying is necessary, we compensate for the CO2 emissions.
- Circular economy is always our first option when sourcing furniture and other office equipment.
- We are making best efforts to minimize the production of electronic waste, and aim to purchase good quality electronic devices that can be reused within the company.
- We only serve vegetarian food in our events, and our coffee cups contain only plant-based drinks.