FAQs
The following is a public summary of our response to a potential data breach.
If you suspect there has been a data security breach, please contact us via our Contact Us form on our web site to intiate an investigation.
SUMMARY
In the event of a suspect data breach, we will notify affected customers. This notification will include the following information, where available:
- Extent of the data breach
- Type and volume of personal data involved
- Cause or suspected cause of the breach
- Whether the breach has been rectified
- Measures and processes that we implemented at the time of the breach
- Information on whether affected individuals of the data breach were notified and if not
- Contact details at Hosted in Canada Surveys with whom your organization can liaise for further information or clarification
Where specific information of the data breach is not yet available, we will send an interim notification comprising a brief description of the incident.
DATA BREACH MANAGEMENT PLAN
Upon being notified of a (suspected or confirmed) data breach either by a customer or via our automated systems, we activate our data breach & response plan.
Our data breach management and response plan is:
- Confirm the Breach
- Contain the Breach
- Assess Risks and Impact
- Report the Incident
- Evaluate the Response & Recovery to Prevent Future Breaches
CONFIRM THE BREACH
Immediately upon suspicion or a report of a data breach, we will confirm that the data breach has occurred. At this point, we may proceed to Contain the Breach on the basis of an unconfirmed reported data breach, depending on the likelihood of the severity of risk.
CONTAIN THE BREACH
We consider the following measures to Contain the Breach, where applicable:
- Shut down the compromised system that led to the data breach.
- Establish whether steps can be taken to recover lost data and limit any damage caused by the breach.
- Prevent further unauthorized access to the system.
- Reset passwords and public/private keys if accounts and / or passwords have been compromised.
- Isolate the causes of the data breach, and where applicable, change the access rights to the compromised system and remove external connections to the system.
ASSESS RISKS AND IMPACT
Knowing the risks and impact of data breaches helps us determine whether there could be serious consequences to affected individuals, as well as the steps necessary to notify the individuals affected.
Risk and Impact on Customers
- How many custtomers were affected?
A higher number may not mean a higher risk, but assessing this helps overall risk assessment. - Whose personal data had been breached?
Iddentify which accounts have been affected, and what data has been compromised. - What types of personal data were involved?
This will help to ascertain if there are risk to reputation, identity theft, safety and/or financial loss of affected individuals. - Any additional measures in place to minimize the impact of a data breach? eg: a lost device protected by a strong password or encryption could reduce the impact of a data breach.
Risk and Impact on organizations
- What caused the data breach?
Determining how the breach occurred (through theft, accident, unauthorized access, etc.) will help identify immediate steps to take to contain the breach and restore service. - When and how often did the breach occur? Examining this will help us better understand the nature of the breach (e.g. malicious or accidental).
- Who might gain access to the compromised personal data?
This will ascertain how the compromised data could be used. In particular, affected customers must be notified if personal data is acquired by an unauthorized person.
REPORT THE INCIDENT
We will notify affected customers if their data has been breached. This encourages individuals to take preventive measures to reduce the impact of the data breach.
Who to Notify:
- Notify customers whose personal data have been compromised.
- Notify other third parties such as banks, credit card companies or the police, where relevant.
- The relevant authorities (eg: police) should be notified if criminal activity is suspected and evidence for investigation should be preserved (eg: hacking, theft or unauthorized system access by an employee.)
When to Notify:
- Notify affected customers within 24 hours if a data breach involves sensitive personal data. This allows them to take necessary actions early to avoid potential abuse of the compromised data.
- Notify affected customers when the data breach is resolved
How to Notify:
- Use the most effective ways to reach out to affected individuals, taking into consideration the urgency of the situation and number of individuals affected (e.g. media releases, social media, mobile messaging, SMS, e-mails, telephone calls).
- Notifications will be simple to understand, specific, and provide clear instructions on what customers can do to protect themselves.
What to Notify:
- How and when the data breach occurred, and the types of personal data involved in the data breach.
- What we have done or will be doing in response to the risks brought about by the data breach.
- Specific facts on the data breach where applicable, and actions individuals can take to prevent that data from being misused or abused.
- Contact details and how affected individuals can reach the organization for further information or assistance (e.g. support phone numbers, e-mail addresses or website).
EVALUATE THE RESPONSE & RECOVERY TO PREVENT FUTURE BREACHES
After steps have been taken to resolve the data breach, we will review the cause of the breach and evaluate if existing protection and prevention measures and processes are sufficient to prevent similar breaches from occurring, and where applicable put a stop to practices which led to the data breach.
Operational and Policy Related Issues:
- Were there issues with our regular audits of both physical and IT-related security measures?
- Are there processes that can be streamlined or introduced to limit the damage if future breaches happen or to prevent a relapse?
- Were there weaknesses in existing security measures such as the use of outdated software and protection measures, or weaknesses in the use of portable storage devices, networking, or connectivity to the Internet?
- Were the methods for accessing and transmitting personal data sufficiently secure, eg: access limited to authorized personnel only?
- Should support services from external parties be enhanced, such as vendors and partners, to better protect personal data?
- Were the responsibilities of vendors and partners clearly defined in relation to the handling of personal data?
- Is there a need to develop new data-breach scenarios?
Resource Related Issues:
- Were sufficient resources allocated to manage the data breach?
- Should external resources be engaged to better manage such incidents?
- Were key personnel given sufficient resources to manage the incident?
Employee Related Issues:
- Were employees aware of security related issues?
- Was training provided on personal data protection matters and incident management skills?
- Were employees informed of the data breach and the learning points from the incident?
Management Related Issues:
- How was management involved in the management of the data breach?
- Was there a clear line of responsibility and communication during the management of the data breach?
We take our users’ security and privacy concerns seriously. We strive to ensure that user data is kept securely, and that we collect only as much personal data as is required to provide our services to users in an efficient and effective manner. We use some of the most advanced technology for Internet security that is commercially available today. This Security Statement is aimed at being transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected.
Data Storage Location
All data associated with our service is stored only in Canada -- we are a 100% Canadian service, with all infrastucture and data storage physically in Montreal, Quebec, Canada. In addition, all staff are located in Canada.
Who Owns Your Survey Data
You own all the data data collected by your survey including any data you import into your account including participant data. When you terminate your account, all data is irrevocably removed from our infrastructure including related backups. If you use our panel engagement, we give you the option of storing a unique key with your responses to confirm a participant engaged via the panel engagement. Neither you nor Hosted in Canada Surveys can use this key to link individual responses to personally identifying participant details.
No data in your account is shared with third parties, excluding a random SHA256 salted-hash value used in participant panel engagements. While you have the option of implementing Google Analytics at your account or survey level, you do this at your own discretion. We do not use third parties to collect usage data.
Application and User Security
SSL/TLS Encryption: Users can determine whether to collect survey responses over secured, encrypted SSL/TLS connections. This is an add-on to our services that users can opt to include if they are collection personal information. All other communications with the Hosted in Canada Surveys website are sent over SSL/TLS connections. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) technology (the successor technology to SSL) protect communications by using both server authentication and data encryption. This ensures that user data in transit is safe, secure, and available only to intended recipients.
Data Encrypt At Rest: We offer optional 256bit-AES Data at Rest Encryption on our all our Enterprise packages,
User Authentication: User data is isolated to each customer's survey system instance. User accounts have unique usernames and passwords that must be entered each time a user logs on. Hosted in Canada Surveys issues a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user.
User Passwords: User application passwords have minimum complexity requirements. Passwords are individually salted and hashed. Passwords are automatically generated by our software.
Data Encryption: Certain sensitive user data, such as credit card details and account passwords, is stored in encrypted format.
Data Portability: Hosted in Canada Surveys enables you to export your data from our system in a variety of formats so that you can back it up, or use it with other applications.
Privacy: We have a comprehensive privacy policy that provides a very transparent view of how we handle your data, including how we use your data, who we share it with, and how long we retain it.
Physical Security
Data Centers: Our information systems infrastructure (servers, networking equipment, etc.) may be collocated at secure data centers located in Canada, AWS Region Central (Montreal), and our own non-AWS/non-cloud infrastructure. No servers are located outside of Canada.
Data Center Security: Data centers are staffed and surveilled 24/7. Access is secured by security guards, visitors logs, and entry requirements such as passcards and biometric recognition.
Environmental Controls: Data centers are maintained at controlled temperatures and humidity ranges which are continuously monitored for variations. Smoke and fire detection and response systems are in place.
Location: All user data is stored on servers located in Canada. No data is stored outside Canada.
Service Availability
Connectivity: Fully redundant IP network connections with multiple independent connections to a range of Tier 1 Internet access providers.
Power: Servers have redundant internal and external power supplies. Data center has backup power supplies, and is able to draw power from the multiple substations on the grid, several diesel generators, and backup batteries.
Uptime: Continuous uptime monitoring, with immediate escalation to Hosted in Canada Surveys staff for any downtime.
Network Security
Uptime: Continuous uptime monitoring, with immediate escalation to Hosted in Canada Surveys staff for any downtime.
Testing: System functionality and design changes are verified in an isolated test “sandbox” environment and subject to functional and security testing prior to deployment to active production systems.
Firewall: Firewall restricts access to only required ports for the operation of our platform.
Software Patching: Latest security patches are applied to all operating system and application files to mitigate newly discovered vulnerabilities.
Access Control: Secure VPN, PKI, multifactor authentication, and role-based access is enforced for systems management by authorized engineering staff.
Virus and Exploit Scanning: All systems are protected by ClamAV anti-virus protection and real-time exploit scanning.
Logging and Auditing: Central logging systems capture and archive all internal systems access including any failed authentication attempts.
Intrusion Detection: Our servers are proactively monitored for any malicious intrusion attempts.
Storage Security
Backup Frequency: Backups occur bi-hourly internally, and daily to a centralized backup system for storage in a separate data centre cluster in Canada.
Organizational & Administrative Security
Employee Screening: We perform background screening on all employees. Staff who have access to customer data agree to our internal privacy policies.
Training: We provide security and technology use training for employees.
Service Providers: We screen our service providers and bind them under contract to appropriate confidentiality obligations if they deal with any user data.
Access: Access controls to sensitive data in our databases, systems and environments are set on a need-to-know / least privilege necessary basis.
Audit Logging: We maintain and monitor audit logs on our services and systems.
Information Security Policies: We maintain internal information security policies, including incident response plans, and review and update them as required.
Software Development Practices
Stack: We code in PHP and run on MySQL Server and Linux (LAMP). Our servers are built on CentOS.
Coding Practices: Our developers use best practices and industry-standard secure coding guidelines to ensure secure coding, focused around OWASP best practices. Development, testing, and production environments are separated.
Information Security Incident Management
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if Hosted in Canada Surveys learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under various provincial and federal laws and regulation, as well as any industry rules or standards that we adhere to. Notification procedures include providing email notices or posting a notice on our website if a breach occurs.
Click to read our public Information Security Breach Policy.
Your Responsibilities
Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems, to keep any survey data you download to your own computer away from prying eyes. We offer SSL to secure the transmission of survey responses, but it is your responsibility to ensure that your surveys are configured to use that feature (where appropriate).
Data Protection: PIPEDA and PHIPA Compliance
We adhere to the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how private sector Canadian organizations collect, use and disclose personal information in the course of commercial business.
All data collected via our platform is stored only on infrastructure physically located in Canada. We have no affiliates outside of Canada, and no foreign body has authority to compel the production of information.
We are compliant with PIPEDA (The Personal Information Protection and Electronic documents Act) which helps companies meet the mandatory provisions of the protection of person information. These provisions include, but are not limited to, the following:
- Consent must be garnered for collection of personal information
- Collection of personal information limited to reasonable purposes
- Limits use and disclosure of personal information
- Limits access to personal information
- Stored personal information must be accurate and complete
- Designates the role of the Privacy Officer
- Policies and procedures for breaches of privacy
- Measures for resolution of complaints
- Special rules for employment relationships
Hosted in Canada Surveys is PHIPA (Personal Health Information Protection Act) compliant. PHIPA is comparable to HIPAA (Health Insurance Portability and Accountability Act) and is often considered the Canadian equivalent. Customers should note that as part of the PHIPA compliancy, information stored and user consent is given to the data provider (i.e you) that obtains and maintains the data, not the hosting provider. Hosted in Canada Surveys is 100% Canadian owned and operated and all servers and infrastructure are located in Canada.
As the IT service/hosting provider, Hosted in Canada Surveys fulfills the requirements indicated by the Information and Privacy Commissioner of Ontario (www.ipc.on.ca). We ensure the following:
- Send a notification of any privacy breach to the custodian as soon as possible
- Provide a plain language description of our services
- Prepare an audit trail feature to track the use of our database
- Have our own written privacy policies (read our Privacy Policy)
- We offer optional 256bit-AES Data at Rest Encryption on our all our Enterprise packages, for clients who will be collecting sensitive data and need to meet the requirements of PHIPA (Personal Health Information Protection Act).
Hosted in Canada Surveys is 100% owned and operated in Canada.
Data we collect about you
When you register to use Hosted in Canada Surveys, we collect very basic information including but not limited to: email and name. If you are paying for our service, we ask for more information including but not limited to your address. This personal information is private, we will not share it.
After registering with the site, we use your email address to provide you with occasional email newsletters and product updates. These communications are used to give you a better understanding of the site, what it offers, and how it is best utilized. As always, you have the option not to receive these types of communications.
Cookies
Cookies are required when using Hosted in Canada Surveys. We use cookies to identify unique visitors, provider per-user customization, and maintain user state between page changes. We don’t share our cookies, nor do we use cookies to track your behavior on other sites.
How we use the data collected about you
We reserve the right to contact you, regarding your account or any other matter regarding your use of Hosted in Canada Surveys. With your authorization, we may use some information collected from you to help diagnose technical problems, and improve the quality and types of services delivered. We may use and share non-identifiable aggregated usage and statistical information. We may also share information with third parties in limited circumstances including when complying with legal processes, preventing fraud or imminent harm, ensuring security of network and services and due to violation of the terms of service.
Service-related Announcements
We will send you strictly service-related announcements when it is necessary to do so. For instance, if our service is temporarily suspended for maintenance, we might send you an email. Service-related emails are also sent confirming billing transactions, account upgrades, and account cancellations.
Generally, you may not opt-out of these communications, which are not promotional in nature. If you do not wish to receive them, you have the option to cancel your account.
Customer Service
Based upon the personally identifiable information you provide us, we will send you a welcoming email to verify your username and password as well an account manager contact information. We will also communicate with you in response to your inquiries, to provide the services you request, and to manage your account.
Choice/Opt-out
If you no longer wish to receive our product updates, you may opt-out of receiving them by following the instructions included in each product update email.
Clear GIFs
We use clear gifs in our HTML-based emails to let us know which emails have been opened by recipients. This allows us to gauge the effectiveness of certain communications and the effectiveness of our marketing campaigns.
Security
Our servers are protected with generally available security technologies, including firewalls and data encryption. Our servers are located in a PCI-DCSS compliant, secure data centre in Montreal, Quebec. The PCI-DCSS security standard was created by the Security Standards Council. These technologies are designed to prevent unauthorized access, but due to the nature of the Internet, no guarantee can be made that your information and data will be secure from intrusions and unauthorized released to third parties.
Contact
Any questions regarding this policy should be addressed to support@hostedincanadasurveys.ca.
These policies are effective as of March 01, 2018.
Hosted in Canada Surveys reserves the right to change this policy at any time by notifying its users of the existence of a new policy. The policies outlined in this document are not intended to and do not create any contractual or other legal rights in or on behalf of any party.
When you cancel any survey we are hosting, the data is permanently deleted from the Hosted in Canada Surveys server (you may download a backup of the survey for your own archival purposes).
In addition, you can delete responses manually from a survey at any time (individually or in bulk).
Our system administrator does have access to the data for the purposes of providing technical support in the event it is required. Our server admin has government-grade security clearance.
No other individuals or organizations have access to your survey data.
Every Hosted in Canada Survey account is stored on a separate subdomain, and has its own version of both the survey software and the survey database. Your data is never accessible by any other account holder.
Accounts are stored on a shared server; however, each account is a separate web space accessible only to you.
We offer Virtual Private Servers and Dedicated Servers if you have this requirement. This is a "customized" solution, and certainly can be accommodated -- our OneRate pricing does not apply to this arrangement, so please contact us for a personalized quote.
All our packages include SSL in-transit encryption in addition to 256-bit AES at rest data encrption at the database layer, for those organizations who need to meet PHIPA or other Health Record Act privacy requirements.
With the combination of SSL and at rest data encryption, you can be assured of the complete encrpytion of all data from browser to server and at server level database.
PCI-DSS is security standard created by the Security Standards Council that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The data centre and servers where Hosted in Canada Surveys is located adheres to these standards.
Customers include ...
