Smart office data security

Why industry leaders trust Nimway

 


 

Prominent Fortune 500 companies trust Nimway as their smart office solution. Why? It’s simple. Nimway is based on a philosophy of security by design—meaning that even the most security-conscious companies in banking and pharmaceuticals can have peace of mind. Here are the features baked into Nimway from day one that establish trust in your smart office.

Article overview

 

What data does Nimway collect? 

Email address, name, profile photo: The email address, name, and profile photo (optional) of users are collected through the Nimway mobile app. This data is used to represent the user in the Nimway service. Also, a user’s corporate email address is what authenticates them, and users can only access data within their email domain.

 

Calendar appointments: Data about users’ calendar appointments is collected remotely from the company calendar server. Nimway stores the start and end times, meeting title, and meeting room. This data supports Nimway wayfinding on the digital floorplans and is used to manage time-to-go notifications on mobile apps.

 

Device ID: Device ID is collected in most API requests. This data is used to separate data when a user has multiple mobile devices.

 

Facility data: Nimway collects and stores building data. Static information is collected initially and can be modified in the Nimway management tool e.g., building maps and meeting room details. Dynamic information is continuously and automatically updated e.g., live room occupancy status from occupancy sensors and room booking data from the room booking system.

 

Location data (optional): Only if users choose to, Nimway applications can estimate the location of mobile devices indoors. Location data is used for wayfinding and sharing with colleagues. To protect the user’s privacy:

  1. Location sharing is disabled by default. Employees can enable it if they desire.
  2. Locations in sensitive areas, such as restrooms, are not shared.
  3. Employees are only allowed to search for others when they’re in the office.
  4. Employees are notified when searched for.
  5. Employees can see earlier searches in a search log.

Office access data (optional): If the office access feature is enabled by the customer, Nimway stores the dates of which a user has office access bookings. Users can decide through a setting (disabled by default) if colleagues can see their upcoming bookings.

 

Parking reservation data (optional): If the parking reservation feature is enabled by the customer, Nimway stores the dates of which a user has parking reservations.

 

Who can access the data?

What employees can see: Nimway users can only access the names, email addresses, and profile photos of other users who have the same company email domain. In addition, users can access the indoor location of other users who have enabled the location sharing feature, but only if they are both at the office.

 

What office management can see: In the workplace analytics web interface, facility management teams can see building utilization data generated from the room booking system and sensors. Here, it is not possible to identify individual users. The optional features “office access” and “parking reservations” offer an optional secure API where the email addresses of users that have valid reservations can be accessed for integration with entrance access systems.

 

What the Nimway team at Sony can see: A limited group of people in the Nimway development team have access to customers’ personal data, in so far as they need it to develop and maintain the service.

 

How does Nimway store the data?

Data collected by Nimway is retained only for a brief amount of time. Storage times for personal data are:

  • 24 hours for calendar data, by default. Calendar data is cached for the maximum number of days in advance a room or desk booking can be made.
  • 60 seconds for the user’s locations, unless otherwise agreed with the customer.
  • The user’s email, name, and profile photo are saved as long as the user has an account.
  • Up to 30 days, for the personal bookings in the optional features "office access" and "parking reservation".

Nimway cloud is hosted on AWS (Amazon Web Services), under a Sony contract. The personal data is stored on S3, DynamoDB, and Postgres. Personal Identifiable Information (PII) is always encrypted at rest. Sony also uses AWS S3 checksums and encryption to ensure integrity for stored data and uses encrypted transfers. Sony is the controller of most personal information collected by Nimway unless otherwise specified in the contract with customer. Sony has a controller to processor agreement with Amazon because we use their servers to store information.

 

What makes Nimway data secure?

Our company—the Space Solutions Division within Sony Network Communications Europe—is ISO27001 certified for our information security infrastructure. Here are some of the things that helped us achieve this certification.

The Sony development process ensures that Nimway undergoes continuous security reviews and has automated source code analysis to prevent security degrades from being introduced in the production environment. On top of that, the Nimway service includes several security controls for personal data:

  • HTTPS with HTTP Strict Transport Security (HSTS) enabled from web clients.
  • Encryption of all personal data in transfer and at rest.
  • Penetration test for servers, applications, and local hardware, conducted by Sony IT Security.
  • Continuous endpoint vulnerability scanning by Sony IT Security.
  • Amazon Web Services accounts authenticated using multi-factor authentication.
  • Audit logging is enabled for Amazon Web Services.

In addition, we’ve ensured that personal data can be removed entirely from Nimway. It is possible to have an entire user account deleted when signing out from the Nimway application. The AWS S3 mechanism ensures secure deletion from physical media. All backups of personal data will also have the same retention limits and be deleted automatically on a schedule.

 

A rigorous approach. Because trust is everything.

As you can tell, the Nimway solution fully protects users’ right to not share location and other personal data with their employer or colleagues. In fact, our privacy standards go above and beyond industry regulations. If you want to monitor real-time office space utilization, offer seamless room booking, and create a modern workplace experience—all while building trust with your employees—let’s talk.