Compliance

We take our users’ security and privacy concerns seriously. We strive to ensure that user data is kept securely, and that we collect only as much personal data as is required to provide our services to users in an efficient and effective manner. We use some of the most advanced technology for Internet security that is commercially available today. This Security Statement is aimed at being transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected.

Data Storage Location

All data associated with our service is stored only in Canada -- we are a 100% Canadian service, with all infrastucture and data storage physically in Montreal, Quebec, Canada. In addition, all staff are located in Canada. 

Who Owns Your Survey Data

You own all the data data collected by your survey including any data you import into your account including participant data. When you terminate your account, all data is irrevocably removed from our infrastructure including related backups. If you use our panel engagement, we give you the option of storing a unique key with your responses to confirm a participant engaged via the panel engagement. Neither you nor Hosted in Canada Surveys can use this key to link individual responses to personally identifying participant details.

No data in your account is shared with third parties, excluding a random SHA256 salted-hash value used in participant panel engagements. While you have the option of implementing Google Analytics at your account or survey level, you do this at your own discretion. We do not use third parties to collect usage data.

Application and User Security

SSL/TLS Encryption: Users can determine whether to collect survey responses over secured, encrypted SSL/TLS connections. This is an add-on to our services that users can opt to include if they are collection personal information. All other communications with the Hosted in Canada Surveys website are sent over SSL/TLS connections. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) technology (the successor technology to SSL) protect communications by using both server authentication and data encryption. This ensures that user data in transit is safe, secure, and available only to intended recipients.

Data Encrypt At Rest: We offer optional 256bit-AES Data at Rest Encryption on our all our Enterprise packages,

User Authentication: User data is isolated to each customer's survey system instance. User accounts have unique usernames and passwords that must be entered each time a user logs on. Hosted in Canada Surveys issues a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user.

User Passwords: User application passwords have minimum complexity requirements. Passwords are individually salted and hashed. Passwords are automatically generated by our software.

Data Encryption: Certain sensitive user data, such as credit card details and account passwords, is stored in encrypted format.

Data Portability: Hosted in Canada Surveys enables you to export your data from our system in a variety of formats so that you can back it up, or use it with other applications.

Privacy: We have a comprehensive privacy policy that provides a very transparent view of how we handle your data, including how we use your data, who we share it with, and how long we retain it.

Physical Security

Data Centers: Our information systems infrastructure (servers, networking equipment, etc.) may be collocated at secure data centers located in Canada, AWS Region Central (Montreal), and our own non-AWS/non-cloud infrastructure. No servers are located outside of Canada.

Data Center Security: Data centers are staffed and surveilled 24/7. Access is secured by security guards, visitors logs, and entry requirements such as passcards and biometric recognition.

Environmental Controls: Data centers are maintained at controlled temperatures and humidity ranges which are continuously monitored for variations. Smoke and fire detection and response systems are in place.

Location: All user data is stored on servers located in Canada. No data is stored outside Canada.

Service Availability

Connectivity: Fully redundant IP network connections with multiple independent connections to a range of Tier 1 Internet access providers.

Power: Servers have redundant internal and external power supplies. Data center has backup power supplies, and is able to draw power from the multiple substations on the grid, several diesel generators, and backup batteries.

Uptime: Continuous uptime monitoring, with immediate escalation to Hosted in Canada Surveys staff for any downtime.

Network Security

Uptime: Continuous uptime monitoring, with immediate escalation to Hosted in Canada Surveys staff for any downtime.

Testing: System functionality and design changes are verified in an isolated test “sandbox” environment and subject to functional and security testing prior to deployment to active production systems.

Firewall: Firewall restricts access to only required ports for the operation of our platform.

Software Patching: Latest security patches are applied to all operating system and application files to mitigate newly discovered vulnerabilities.

Access Control: Secure VPN, PKI, multifactor authentication, and role-based access is enforced for systems management by authorized engineering staff.

Virus and Exploit Scanning: All systems are protected by ClamAV anti-virus protection and real-time exploit scanning.

Logging and Auditing: Central logging systems capture and archive all internal systems access including any failed authentication attempts.

Intrusion Detection: Our servers are proactively monitored for any malicious intrusion attempts.

Storage Security

Backup Frequency: Backups occur bi-hourly internally, and daily to a centralized backup system for storage in a separate data centre cluster in Canada.

Organizational & Administrative Security

Employee Screening: We perform background screening on all employees. Staff who have access to customer data agree to our internal privacy policies.

Training: We provide security and technology use training for employees.

Service Providers: We screen our service providers and bind them under contract to appropriate confidentiality obligations if they deal with any user data.

Access: Access controls to sensitive data in our databases, systems and environments are set on a need-to-know / least privilege necessary basis.

Audit Logging: We maintain and monitor audit logs on our services and systems.

Information Security Policies: We maintain internal information security policies, including incident response plans, and review and update them as required.

Software Development Practices

Stack: We code in PHP and run on MySQL Server and Linux (LAMP). Our servers are built on CentOS.

Coding Practices: Our developers use best practices and industry-standard secure coding guidelines to ensure secure coding, focused around OWASP best practices. Development, testing, and production environments are separated.

Information Security Incident Management

Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if Hosted in Canada Surveys learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under various provincial and federal laws and regulation, as well as any industry rules or standards that we adhere to. Notification procedures include providing email notices or posting a notice on our website if a breach occurs.

Click to read our public Information Security Breach Policy.

 

Your Responsibilities

Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems, to keep any survey data you download to your own computer away from prying eyes. We offer SSL to secure the transmission of survey responses, but it is your responsibility to ensure that your surveys are configured to use that feature (where appropriate).

Data Protection: PIPEDA and PHIPA Compliance

We adhere to the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how private sector Canadian organizations collect, use and disclose personal information in the course of commercial business.

All data collected via our platform is stored only on infrastructure physically located in Canada. We have no affiliates outside of Canada, and no foreign body has authority to compel the production of information.

We are compliant with PIPEDA (The Personal Information Protection and Electronic documents Act) which helps companies meet the mandatory provisions of the protection of person information. These provisions include, but are not limited to, the following:

  • Consent must be garnered for collection of personal information
  • Collection of personal information limited to reasonable purposes
  • Limits use and disclosure of personal information
  • Limits access to personal information
  • Stored personal information must be accurate and complete
  • Designates the role of the Privacy Officer
  • Policies and procedures for breaches of privacy
  • Measures for resolution of complaints
  • Special rules for employment relationships

Hosted in Canada Surveys is PHIPA (Personal Health Information Protection Act) compliant. PHIPA is comparable to HIPAA (Health Insurance Portability and Accountability Act) and is often considered the Canadian equivalent. Customers should note that as part of the PHIPA compliancy, information stored and user consent is given to the data provider (i.e you) that obtains and maintains the data, not the hosting provider. Hosted in Canada Surveys is 100% Canadian owned and operated and all servers and infrastructure are located in Canada.

As the IT service/hosting provider, Hosted in Canada Surveys fulfills the requirements indicated by the Information and Privacy Commissioner of Ontario (www.ipc.on.ca). We ensure the following:

  • Send a notification of any privacy breach to the custodian as soon as possible
  • Provide a plain language description of our services
  • Prepare an audit trail feature to track the use of our database
  • Have our own written privacy policies (read our Privacy Policy)
  • We offer optional 256bit-AES Data at Rest Encryption on our all our Enterprise packages, for clients who will be collecting sensitive data and need to meet the requirements of PHIPA (Personal Health Information Protection Act).

Hosted in Canada Surveys is 100% owned and operated in Canada.