Technical Blog Feature: Data Security and Compliance at DiliTrust Canada

How DiliTrust keeps your data safe and your business in compliance with Canadian regulations

At DiliTrust, our business is focused on the security of our clients’ data. Data security is key in ensuring that the solutions you choose for your legal and board governance software are compliant with Canadian and international regulations on data privacy. DiliTrust Exec and DiliTrust Governance meet and exceed all applicable data privacy regulations, and DiliTrust has a number of measures in place to ensure that the over 1 million documents we store for our customers are secure. We’ll examine both the regulations which govern data privacy in Canada and the data security measures we employ to keep your data safe.

Why Your Data is Safest With DiliTrust

Using DiliTrust Governance as your governance software solution and DiliTrust Exec as your board management solution is much safer than using anything else which is hosted either on your own on-premise servers or by third-party cloud hosting services. Those options frequently include servers and equipment that are not managed by seasoned security specialists, which means that they aren’t constantly upgraded and protected from the latest cybersecurity threats. Government organizations, in particular, are faced with the problem of having legacy server solutions in place due to lack of budget for upgrades. These systems are highly vulnerable to attacks.

On the other hand, using a company which specializes in SaaS, such as DiliTrust, ensures that your data is hosted by a dedicated team whose job it is to keep it secure, and make sure all IT infrastructure is constantly upgraded and kept up to highest security standards.

What Regulations Need To Be Met in Canada?

The primary regulation that needs to be considered for how your business handles data privacy is the Personal Information Protection and Electronic Documents Act (PIPEDA). This is a federal regulation administered and enforced by the Office of the Privacy Commissioner of Canada. DiliTrust’s easy reporting and dashboards allow you to respond easily to information requests from any regulatory body, with the full set of data required to satisfy them.

DiliTrust’s data security measures keep any information stored by your business on our solutions safe according to the requirements of PIPEDA, and much more. If your business is compliant with PIPEDA, it will usually meet all international data privacy requirements, with the exception of two international regulations: GDPR and HIPAA, which are discussed in more detail below.

The secondary regulations that need to be considered within Canada are provincial regulations, some of which require that data is stored in Canada. PIPEDA does not yet require Canadian data residency. However, storing data outside of Canada makes that data subject to the regulations of the country in which it is stored. If it is stored in the US, this means that the data can be accessed by the Department of Homeland Security under the Freedom Act and the CLOUD Act.

What International Regulations Need To Be Met By Canadian Businesses?

There are two other regulations that can apply to data stored in Canada which may not be adequately addressed by adherence to Canadian regulations, depending on your business and the geographic location of your clients.

1: European Union General Data Protection Regulation (GDPR)

GDPR legislation came into effect in May 2018. The most important thing that Canadian businesses need to know about the GDPR is that if your organization is found in violation of it, you can be penalized with massive fines. If a European Union (EU) citizen’s information is breached in any way, your business could be found to be in violation of the GDPR if proper notification protocols are not followed – even if your business is based in Canada. All DiliTrust software solutions are GDPR compliant.

2: Health Insurance Portability and Accountability Act (HIPAA)

This is an American regulation which governs the transmission and collection of the healthcare data of patients. If your business works with American healthcare organizations or clients, your data collection and privacy needs to be up to HIPAA standards. DiliTrust Governance and DiliTrust Exec are both HIPAA compliant.

How DiliTrust Keeps Canadian Data Safe

The data of our Canadian clients is stored via physical servers located in Canada. This removes any complications that may arise from storing data outside of Canada, and is particularly important for government and healthcare organizations that need to comply with federal and provincial data residency policies and regulations. In addition to Canadian data residency, DiliTrust undertakes the following measures to safeguard your data:

  • Password protection above and beyond industry best practices

Our password protection goes above and beyond industry best practices. The default password strength required for all users is “strong”, and admins have no ability to change this. Passwords are stored using 256-bit one-way (unidirectional) encryption, so the original password cannot be recovered from what is stored. We strongly suggest using optional two-factor authentication, which only allows users to log in once they’ve received and entered a one-time code via text message or email, in addition to their usual password.
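To make the three controls in this paragraph concrete (an enforced strong-password policy, one-way 256-bit password storage, and a one-time second factor), here is an added example in Python using only the standard library. It is illustrative code written for this article, not DiliTrust’s own implementation: the strength rules, the PBKDF2 work factor, the storage format and the code lifetime are all assumptions, chosen to show the pattern rather than to describe the product.

```python
import hashlib
import hmac
import os
import re
import secrets
from typing import Optional, Tuple

# Assumed "strong" policy (constructed for this example, not DiliTrust's rules):
# at least 12 characters with upper- and lower-case letters, a digit and a symbol.
def is_strong(password: str) -> bool:
    return (
        len(password) >= 12
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )

ITERATIONS = 600_000  # PBKDF2 work factor; an assumption, not a value from the page
DIGEST_LEN = 32       # 32 bytes = a 256-bit one-way digest

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password one-way as 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    The password itself is never stored; only a salted PBKDF2-HMAC-SHA256 digest is,
    and the digest cannot be turned back into the password.
    """
    if not is_strong(password):
        raise ValueError("password does not meet the strong-password policy")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_LEN
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iters),
        dklen=len(digest_hex) // 2,
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)

CODE_TTL_SECONDS = 300  # assumed lifetime of a one-time code (5 minutes)

def issue_one_time_code(now: float) -> Tuple[str, float]:
    """Generate a random 6-digit second-factor code and its expiry time.

    The code would be delivered out of band (text message or e-mail); delivery
    is outside this example.
    """
    code = f"{secrets.randbelow(1_000_000):06d}"
    return code, now + CODE_TTL_SECONDS

def check_one_time_code(submitted: str, issued: str, expires_at: float, now: float) -> bool:
    """Accept the code only if it is unexpired and matches (constant-time compare)."""
    if now > expires_at:
        return False
    return hmac.compare_digest(submitted, issued)

if __name__ == "__main__":
    record = hash_password("Correct-Horse-Battery-9")
    print("stored:", record)
    print("right password accepted:", verify_password("Correct-Horse-Battery-9", record))
    print("wrong password rejected:", not verify_password("Correct-Horse-Battery-8", record))
    code, expires = issue_one_time_code(now=0.0)
    print("fresh code accepted:", check_one_time_code(code, code, expires, now=10.0))
    print("stale code rejected:", not check_one_time_code(code, code, expires, now=expires + 1))
```

Two design points worth noting: the salt is random per user, so two users with the same password get different stored values, and both comparisons use `hmac.compare_digest` so a mismatch takes the same time regardless of where the first differing character is.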

  • ISO-27001 certified

Our Canadian solution is certified ISO/IEC 27001:2013. This standard requires an Information Security Management System for data safety, and also defines specific control measures to ensure data safety, including regular updates and audits.

  • 256-Bit Encryption of data on servers & mobile devices

All of our systems use the Advanced Encryption Standard (AES) with a 256-bit key for all data, both on our servers and for any data downloaded to users’ mobile devices.

  • Security measures for data transmission

All data in transit is protected with TLS using 256-bit encryption. We do not allow any unencrypted traffic. For this reason, only newer browsers can be used with DiliTrust solutions, as older browsers have security vulnerabilities and may allow unencrypted traffic.

  • Separate security audits & penetration testing

We undertake independent security audits and penetration testing, for which we hire forensic security experts to attempt to breach our systems. No client data is accessible during any of these tests, and any findings are immediately addressed.

You can find out more about our additional security measures in place for all our clients here. If you have any questions about data security and compliance with Canadian regulations for any DiliTrust solution, contact us today.