Version: 1.2
Date: April 2026
Owner: Risto Anton Päärni, CEO
Compliance: GDPR, EU Data Act, NIS2, EU AI Act
1. Lifetime Oy Security Stack
Infrastructure Security
Lifetime Oy Security Stack:
- 🔒 Email: Proton Mail (zero-knowledge E2EE, Switzerland)
- 🔒 File Storage: Proton Drive (zero-knowledge E2EE, Switzerland)
- 🔒 Code Repository: Proton Drive sync (encrypted at rest)
- 🔒 No US cloud services for CONFIDENTIAL data (FISA 702 protection)
Email Communication Security
All Business Email via Proton Mail
Lifetime Oy policy:
- ✅ ALL business email handled through Proton Mail (risto@lifetime.fi)
- ✅ Zero-knowledge encryption: Proton cannot read email contents
- ✅ Switzerland-based: Not subject to US FISA 702 surveillance
- ✅ GDPR-compliant: Swiss adequacy decision (EU Commission)
Email Classification
| Email Type | Proton Mail Features | Security Level |
|---|---|---|
| CONFIDENTIAL | E2EE to Proton recipients, password-protected to others | 🔒🔒🔒 Highest |
| INTERNAL | Standard encryption (TLS), no password needed | 🔒🔒 High |
| PUBLIC | Standard encryption (TLS) | 🔒 Medium |
Sending CONFIDENTIAL Data via Email
Option 1: Recipient has Proton Mail
- Compose email in Proton Mail
- Attach file or write sensitive content
- Send normally → Automatic E2EE
- ✅ Both sender and recipient encrypted end-to-end
Option 2: Recipient uses Gmail/Outlook/Other
- Compose email in Proton Mail
- Enable: "Encrypt for non-Proton users"
- Set password (share via SMS separately)
- Recipient clicks link → Enters password → Reads email
- ✅ Message encrypted, recipient cannot forward/copy (security mode)
Option 3: Use Proton Drive link (preferred for large files)
- Upload file to Proton Drive
- Create password-protected link
- Send link via Proton Mail
- Send password via SMS
- ✅ File never leaves encrypted environment
Email Retention
| Classification | Retention Period | Archive Location |
|---|---|---|
| CONFIDENTIAL | 7 years (GDPR/tax law) | Proton Mail Archive (encrypted) |
| INTERNAL | 3 years | Proton Mail Archive |
| PUBLIC | 1 year | Proton Mail Archive |
2. EU Compliance Requirements
GDPR (General Data Protection Regulation)
Lifetime Oy complies with EU GDPR requirements:
- ✅ Data minimization: Only store necessary personal data
- ✅ Right to erasure: Delete personal data on request (Article 17)
- ✅ Data transfers: Only to countries with adequacy decision (Switzerland ✅, USA ❌)
- ✅ Storage: Encrypted local database + Proton Drive (EU-compliant)
EU AI Act (Regulation 2024/1689)
DWS IQ 6 = Limited Risk AI system (Annex III: construction safety)
- ✅ Article 10: Document all AI tools used
- ✅ Article 52: Transparency - inform users about AI usage
- ✅ Article 11: Technical documentation (AI systems inventory)
NIS2 Directive (EU 2022/2555)
Lifetime Oy = Essential entity (construction sector)
- ✅ Article 21: Cybersecurity risk management
- ✅ Encryption: E2EE for CONFIDENTIAL data (Proton Drive + SQLCipher)
- ✅ Access control: Multi-factor authentication (MFA)
- ✅ Incident reporting: Data breaches reported within 24h
3. Data Residency
All production data is stored in EU regions:
- ✅ Google Cloud: europe-north1 (Finland)
- ✅ Supabase: eu-central-1 (Frankfurt)
- ✅ AWS S3: eu-north-1 (Stockholm)
- ✅ Proton Services: Switzerland (EU adequacy decision)
4. Contact and Questions
Policy owner:
Risto Anton Päärni, CEO
Email: risto@lifetime.fi
Report security incident:
Email: security@lifetime.fi
Urgent: CEO directly (risto@lifetime.fi)
Document history:
2025-12-13: v1.0 — Initial policy created
2025-12-20: v1.1 — Updated with security stack, email communication, EU compliance
2026-04-01: v1.2 — Q2 2026 quarterly review; fixed region name (europe-north1 = Finland)
Next review: 2026-07-01 (quarterly)