Apptimate | Blog
page-template,page-template-blog-large-image,page-template-blog-large-image-php,page,page-id-98,page-child,parent-pageid-3161,dwpb-push-page,dwpb-allow-close,ajax_fade,page_not_loaded,,select-child-theme-ver-1.0.0,select-theme-ver-4.1,wpb-js-composer js-comp-ver-5.1.1,vc_responsive


Sensative launches Yggio – a technology-independent, open and secure platform and marketplace for property services

Lund/Las Vegas. 5th January 2017.

Sensative proudly announces the launch of its open, secure connectivity platform and marketplace for property services, called Yggio. Pronounced igg-io, Yggio enables multipoint-to-multipoint communications, offers device and service interoperability and secures personal data privacy via an encrypted permission layer for all data exchange activities.

Yggio lets property owners and tenants enjoy full control over devices and utilities used for property and tenant services in their building — eliminating excessive costs and lack of synergies. Technology and service partners use the open, secure Yggio platform and service marketplace to rapidly deliver their service applications within facility management, elderly and home care services, home security, smart apartments, homes and smart agriculture and more.

The name Yggio is based on the tree of life in Nordic mythology, called Yggdrasil, which plays a major role gathering and distributing all knowledge and wisdom through its roots and branches. The Norse gods gathered at Yggdrasil, where they settled matters in their community. The Yggio platform and marketplace firmly connect all Internet-of-Things (IoT) devices with high-value service delivery solutions. The platform uses a public API, which makes it possible for device manufacturers and service providers to use the Yggio platform.

Yggio is a major new investment area for Sensative, and it follows Sensitive’s global success with its ultra-thin sensor called “Strips”, which was launched at CES 2015. Sensative is in the process of establishing many IoT services onto Yggio, working closely together with a range of innovative technology, device and service partners. Several IoT services are piloting and testing Yggio with end-users and customers in Sweden within the areas of home security, facility management, heating, ventilation, and eHealth.

“Already before the launch of our Strips sensors we knew that our mission in life would lead us to build a secure and open connectivity platform for IoT services”, states founder and CEO Mats Pettersson. “Given our strong background in mobile technology developing from closed dialing devices to open platforms for millions of digital services, we all knew we just had to use this know-how to build a very scalable, open and multi-purpose platform. Now we are looking forward to building a strong and dedicated eco-system of partners for the property services market. We are grateful that our partner CTS supports our efforts and is displaying Yggio and some of our service partners in their stand at CES. Our service partners include Apptimate, Cenvigo, FM Technology, Alleato and Goda Grannen.”

About Sensative. Sensative is a rapidly-growing innovation company of practical Internet-of-Thing solutions. Its ultra-thin Strips sensor enables invisible mounting on windows and doors, up to 10-year carefree operations and instant integration with home security systems. It’s open, secure connectivity platform and marketplace for property services, called Yggio, enables multipoint-to-multipoint communications and true hardware and software interoperability. Sensative was founded in 2013 and is based in Lund (Sweden) and employs around 25 people, many with extensive backgrounds in mobile and cloud technology. Visit Sensative online at or contact Mats Pettersson, Chief Executive Officer, through

About CTS. Founded in 1998, Connection Technology System Inc. (CTS) has continuously focused on the market segments of FTTX Triple Play and Industrial solutions. Today CTS is one of the top solution providers for network operators, service providers, and telecom companies worldwide.

About Apptimate. Apptimate offers secure object broker with end-to-end payload encryption services for IoT and Mobile Communications.

About Cenvigo. Cenvigo design, develop and implement digital applications and smart sensor systems to promote the next generation of health- and elderly care.

About FM Technology. FM Technology is an IoT company offering facility management services.

About Alleato. Alleato has developed an end-to-end concept for and health and safety services for the home.

About Goda Grannen. Goda Grannen (“The Good Neighbour”) has developed a service for neighborhood watch where residents in a neighborhood watch out for each other in matters related to security and safety.

About Z-Wave. Z-Wave technology and is an open, internationally recognized ITU standard (G.9959). It is the leading wireless home control technology in the market today, with over 1200 certified interoperable products worldwide. Represented by the Z-Wave Alliance, and supported by more than 300 companies around the world, the Z-Wave standard is a key enabler of smart living solutions for home safety and security, energy, hospitality, office and light commercial applications. Z-Wave® is a registered trademark of Sigma Designs and its subsidiaries in the United States and other countries.

About Z-Wave Alliance. Formed in January 2005, the Z-Wave Alliance is a consortium of leading companies in the home technology space dedicated to solidifying Z-Wave as the standard for wireless home control products. The principal members include; ADT, Evolve Guest Controls, FAKRO, Ingersoll-Rand, Jasco Products, LG Uplus, Nortek Security & Control, SmartThings and Sigma Designs. Alliance members lead the home controls market, providing leading edge products and systems that deliver increased comfort, convenience, energy conservation, safety and security. For more information on the Z-Wave Alliance, please visit

Z-Wave Alliance Press Contacts Caster Communications Inc. at +1.401.792.7080 Kimberly Lancaster,

About CES. For 50 years, CES has been the launch pad for new innovation and technology that has changed the world. Held in Las Vegas every year, it is the world’s gathering place for all who thrive on the business of consumer technologies and where next-generation innovations are introduced to the marketplace. For more information on CES, please visit


EU GDPR: General Data Protection Regulation

The upcoming EU privacy regulation is relevant not only for European organizations but any business looking at Europe because of its extended scope of applicability.

The new European General Data Protection Regulation (GDPR) is expected to lead to a revolution in the privacy world.  It will come into force by mid-2018, but time is short and there’s a lot of changes that must be implemented.

What it is

GDPR entered into force on the 5th of May 2016, and European Union member states must transpose it into their national law by 6th of May 2018.

The Regulation updates and modernizes the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights.

It focuses on:

  • reinforcing individuals’ rights
  • strengthening the EU internal market
  • ensuring stronger enforcement of the rules
  • streamlining international transfers of personal data
  • setting global data protection standards

The changes will give people more control over their personal data and make it easier to access it. They are designed to make sure that people’s personal information is protected – no matter where it is sent, processed or stored – even outside the EU, as may often be the case on the internet.

Most importantly, it aims at changing the way organizations that operate in the EU or that collect personal data from the Union’s citizens, approach data privacy.

The people, business, organization or other bodies that collect and manage personal data are collectively called “data controllers“. They must all respect EU law when handling the data entrusted to them.

What it means for individuals

Mandatory consent

  • People will have to receive the consent form in an easily accessible and intelligible form, containing the purpose of data processing.
  • They will have the right to withdraw their consent as easily as they gave it, this being particularly relevant for subjects who have given their consent as a child, or were not fully aware of the risks involved by processing.

The right to be forgotten

  • People will also have “The right to be forgotten”, or data erasure, which means that the company processing and holding his data will be obliged to delete it all, including copies.
  • This obligation is extended to third parties that have access to that data.
  • To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps.

Protect private data

  • Data protection by design’ and ‘Data protection by default’ are now essential elements in EU data protection rules.
  • Data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps.
  • Citizens will have the right to be informed about a data breach that affected their personal data in maximum 72 hours from the data holder becoming aware of the breach.


  • Individuals will have the right to access information that contains a list specifying which data is being processed and the purpose of the data collection and management.
  • People will have the right to data portability, which means transmitting their personal data to another data controller.

What it means for companies

Harmonized rules

  • There will be a single set of rules throughout the European Union, which will cut costs of doing business in the EU. They will only have to report to one supervisory body.
  • Companies whose main activity consist of processing data systematically obtained by monitoring data subjects at a large scale or special types of data or data related to criminal activity, will need to have in place a Data Protection Officer (DPO). The DPO will have to respect the internal record keeping requirements.
  • GDPR will have to be respected by both companies that originate from Europe, but, also those offering services to EU citizens.

User data

  • Online identifiers including IP address, cookies and so forth will now be regarded as personal data if they can be (or are capable of being) without undue effort linked back to the data subject.
  • There is no distinction between personal data about individuals in their private, public or work roles – the person is the person.
  • Companies will have the legal obligation to inform users in the event of a data breach in maximum 72 hours from the moment they found out.
  • Data controllers will have to provide an electronic copy of all personal data free of charge, at request.
  • At the request of the users, companies must erase all their personal data, stop collecting it and have third parties delete it as well.
  • Also at citizens’ request, data must be transmitted to another entity, at users’ choice.

Security and privacy by design

  • Companies will have to design their systems with privacy in mind, rather than adding them. This mean that they must do all efforts to protect the privacy of their users.
  • Data controllers will hold and process data only if it is absolutely necessary for the completion of their duties.
  • Companies should implement techniques such as anonymisation (removing personally identifiable information where it is not needed), pseudonymization (replacing personally identifiable material with artificial identifiers), and encryption (encoding messages so only those authorized can read it) to protect personal data.
  • “Big data” analytics requires anonymised or pseudonymised data.

Substantial fines

  • The maximum fines can go up to 4% of the company’s annual global turnover, or €20 Million, whichever is higher. These are applied in the cases when the data subjects’ rights have been infringed, such as the cases when data has been processed without a legal basis, or cross-border transfers have been performed.

  • Other infringement could attract fines of up to 2% of the annual worldwide turnover or €10 Million, whichever is greater. This is applied for example when companies cannot prove they have adequate security, haven’t appointed a DPO, or haven’t established a data processor agreement.

How to prepare

  1. Put in place an accountability framework that will prove you meet the required standards.
  2. Design your product with security and privacy in mind, not add it later.
  3. Establish clear policies and procedures in the event of a data breach, so you can notify people in time.
  4. Verify your privacy policies and notices, so that it is easy to understand and accessible.
  5. Be prepared for citizens to exercise their newly gained rights, often with unrealistic expectations.
  6. If you are carrying out cross-border data transfers, including intra-group one, make sure you have a legitimate reason for transferring personal data to jurisdictions that don’t have adequate data protection regulations.

Security recommendations for IoT by BITAG

This is an extract of the excellent BITAG report “Internet of Things (IoT) Security and Privacy Recommendations”, published courtesy of BITAG, Broadband Internet Technical Advisory Group.


We highly recommend downloading and reading this report. And, even more importantly, to implement these recommendations, where the Apptimate platform can be a valuable part of your developer toolkit.


The full report can be found here.

BITAG believes the recommendations outlined in this report may help to dramatically improve the security and privacy of IoT devices and minimize the costs associated with collateral damage. In addition, unless the IoT device sector—the sector of the industry that manufactures and distributes these devices—improves device security and privacy, consumer backlash may impede the growth of the IoT marketplace and ultimately limit the promise that IoT holds.

BITAG recommended several security standards for IoT devices, including timely, automated software updates and password protection. The organization also said there should be more testing of customization options and an implementation of encryption best practices. BITAG also highly recommended allowing IoT devices to function if internet connectivity or the cloud fails, especially in the case of home alarm systems.

In the past few years, many devices now being connected to the Internet are not only personal computers but also a variety of devices embedded with Internet connectivity and functions. This class of devices has generally been described as the Internet of Things (IoT) and has brought with it new security and privacy risks.

Although consumers face general security and privacy threats as a result of any Internet-connected device, the nature of consumer IoT is unique because it can involve non-technical or uninterested consumers; challenging device discovery and inventory on consumer home networks as the number and variety of devices proliferate; negative effects on the Internet access service of both the consumer and others that run on shared network links; and effects on other Internet services when these devices are compromised by malware and become a platform for unwanted data traffic—such as spam and denial of service attacks—which can interfere with the provision of these other services. Importantly, the number and diversity of consumer IoT devices is growing rapidly, and these devices often function autonomously, without human intervention.

Several recent incidents have demonstrated that some devices do not abide by rudimentary privacy and security best practices. In some cases, devices have been compromised and allowed unauthorized users to perform Distributed Denial of Service (DDoS) attacks, perform surveillance and monitoring, gain unauthorized access or control, induce device or system failures, and disturb or harass authorized users or device owners.

Potential issues contributing to the lack of privacy and security best practices include: lack of IoT supply chain experience with security and privacy, lack of incentives to develop and deploy updates after the initial sale, lack of secure overthe-network software updates, devices with malware inserted during the manufacturing process, and more.


IoT Devices Should Use Best Current Software Practices

IoT Devices Should Ship with Reasonably Current Software

BITAG recommends that IoT devices should ship to customers or retail outlets with reasonably current software that does not contain severe, known vulnerabilities.


IoT Devices Should Have a Mechanism for Automated, Secure Software Updates

Software bugs should be minimized, but they are inevitable. Thus, it is critical for an IoT device to have a mechanism for automatic, secure software updates.  BITAG recommends that manufacturers of IoT devices or IoT service providers should therefore design their devices and systems based on the assumption that new bugs and vulnerabilities will be discovered over time. They should design systems and processes to ensure the automatic update of IoT device software, without requiring or expecting any type of user action or even user opt-in.


IoT Devices Should Use Strong Authentication by Default

BITAG recommends that IoT devices be secured by default (e.g. password protected) and not use common or easily guessable user names and passwords (e.g., “admin”, “password”).


IoT Device Configurations Should Be Tested and Hardened

Some IoT devices allow a user to customize the behavior of the device. BITAG recommends that manufacturers test the security of each device with a range of possible configurations, as opposed to simply the default configuration.

IoT Devices Should Follow Security & Cryptography Best Practices

Manufacturers should take care to avoid encryption methods, protocols, and key sizes with known weaknesses. Additional encryption best practices include:

  • Encrypt Configuration (Command & Control) Communications By Default
  • Secure Communications To and From IoT Controllers
  • Encrypt Local Storage of Sensitive Data
  • Authenticate Communications, Software Changes, and Requests for Data
  • Use Unique Credentials for Each Device
  • Use Credentials That Can Be Updated
  • Close Unnecessary Ports and Disable Unnecessary Services
  • Use Libraries That Are Actively Maintained and Supported

IoT Devices Should Communicate Securely

IoT Devices Should Be Restrictive Rather Than Permissive in Communicating

When possible, devices should not be reachable via inbound connections by default. IoT devices should not rely on the network firewall alone to restrict communication, as some communication between devices within the home may not traverse the firewall.


IoT Devices Should Continue to Function if Internet Connectivity is Disrupted

BITAG recommends that an IoT device should be able to perform its primary function or functions (e.g., a light switch or a thermostat should continue to function with manual controls), even if it is not connected to the Internet because Internet connectivity may be disrupted due to causes ranging from accidental misconfiguration to intentional attack. IoT devices that have implications for user safety should continue to function under disconnected operation to protect the safety of consumers.


IoT Devices Should Continue to Function If the Cloud Back-End Fails

Many services that depend on or use a cloud back-end can continue to function, even if in a degraded or partially functional state, when connectivity to the cloud back-end is interrupted or the service itself fails.

IoT Devices Should Be Maintained Securely

Manufacturers should support an IoT device throughout the course of its lifespan, from design to the time when a device is retired, including transparency about the timespan over which they plan to provide continued support for a device, and what the consumer should expect from the device’s function at the end of the device’s lifespan.

More detailed recommendations can be found in the report here.