Security and privacy of information is a top priority of ComplyWorks. Providing a solution that ensures that all information providers are always in control of who can access their data is critical to our success, since we are entrusted with the stewardship of highly sensitive, confidential information.
ComplyWorks has deployed its technical infrastructure using the latest distributed architecture (Cloud) technologies. This provides for 99.99% guaranteed scheduled uptime, eliminating the pitfalls of Disaster Recovery and Business Continuity (DRBC) processes and plans. With automatic integral failover across multiple servers in separate locations, delivery is ensured.
The ComplyWorks servers are installed in two separate, secure data centers. The data centers are located in Calgary, Alberta and Vancouver, British Columbia, Canada. Both centers are connected to the North American Internet backbone using two separate major network providers at both locations.
Each data center houses a minimum of two large capacity physical servers owned by ComplyWorks. Each physical server in each data center is configured to run multiple virtual servers. The database server clusters run on virtual servers, separate from the web application and file system virtual servers. All virtual servers on one physical server are paired with a matching virtual server on the other physical server.
The servers run as high-availability fail-over clusters, whereby each “slave” server (server in standby mode) monitors its “master” and assumes control if the master fails. The file systems and database clusters are mirrored between all server pairs and between each data center, providing for full redundancy across four hardware platforms distributed across two North American locations.
The ComplyWorks server platform resides in secure, bunkered data hosting facilities. The facility provides:
The software, computing and communications hardware that enable the ComplyWorks platform is protected by firewalls and surveillance equipment.
The importance of correct handling of sensitive information is ingrained in our corporate culture.
The following security features are being incorporated into the Web Service:
ComplyWorks Privacy Guidelines incorporate the provisions of Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA - Government of Canada), the principles of the Personal Information Protection Act (PIPA - Government of Alberta) and the ten principles of the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information.
ComplyWorks has appointed a Privacy Officer who is responsible for ensuring compliance with the ComplyWorks Privacy Policy and Guidelines. Responsibility rests with the Privacy Officer even though other individuals within ComplyWorks may be responsible for the day-to-day collection and processing of personal information. The Privacy Officer for ComplyWorks is the manager of customer support.
ComplyWorks is responsible for all personal information in its possession or control, including information that has been transferred to a third party for processing.
ComplyWorks will use contracts or other means to provide an appropriate level of protection when a third party processes information on behalf of the company. ComplyWorks will, from time to time, establish procedures to implement its commitment to privacy, including:
ComplyWorks identifies the purposes for which personal information is collected at or before the time the information is collected, and documents those purposes.
ComplyWorks collects only that information necessary for the purposes that have been identified.
ComplyWorks specifies (verbally, electronically or in writing) and explains the identified purpose(s) to the individual at or before the time the personal information is collected.
When personal information is collected for a purpose not previously identified, the new purpose is communicated to the individual prior to use. In such cases, the consent of the individual is required before the information is re-used.
ComplyWorks collects personal information from individuals in order to:
ComplyWorks is not responsible for the management of Personal Information collected by its customers through use of ComplyWorks products and services. For information on the privacy, protection and management of this information, applicants must contact these organizations directly. However, ComplyWorks employs reasonable measures to ensure the safety and protection of its customers’ information by employing policies and procedures for the safety and protection of this information. These measures are outlined in the contracts signed by customers of ComplyWorks. Furthermore, ComplyWorks considers all information collected by its customers as strictly confidential and does not access or use its customers’ information other than for data maintenance, auditing or trend analysis to provide feedback and benchmarking purposes.
ComplyWorks uses reasonable efforts to ensure that individuals understand how their personal information will be used. ComplyWorks obtains consent as required for the collection, use and disclosure of personal information, except where inappropriate.
When determining the form of consent, ComplyWorks considers the sensitivity of the information and the reasonable expectations of the individual. Express consent will be obtained when the information is likely to be considered sensitive; implied consent may be appropriate when information is less sensitive. Consent may also be given through an individual’s authorized representative (such as a legal guardian or a person having power of attorney).
ComplyWorks obtains consent for the collection, use or disclosure of information through various means, including verbal, written (e.g. signed forms) or electronic processes.
In rare circumstances, ComplyWorks may collect and use personal information without the individual’s knowledge or consent. For example:
ComplyWorks generally seeks to obtain consent at the same time personal information is collected. ComplyWorks may, however, seek consent to use and disclose personal information after it has been collected, but before it is used or disclosed for a new purpose (e.g. before disclosing board member information to a funding organization if this purpose was not previously contemplated).
Consent may be withdrawn at any time, subject to legal or contractual restrictions and reasonable notice.
ComplyWorks and/or the Privacy Officer informs individuals of the implications of withdrawing consent.
ComplyWorks limits the amount and type of personal information collected to that which is necessary for the identified purpose.
ComplyWorks collects information by fair and lawful means.
ComplyWorks may collect the following information from employees and contractors:
ComplyWorks may collect the following personal information from customers of ComplyWorks:
ComplyWorks may collect personal information through the following means:
ComplyWorks does not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
Notwithstanding the above, ComplyWorks may disclose personal information without consent:
ComplyWorks obtains consent for all other disclosures of personal information for purposes other than those for which the information was initially collected (e.g. to provide references regarding current or former employees). ComplyWorks does not require consent to confirm an individual’s employment record (e.g. confirm years of employment and position held).
Only ComplyWorks employees, contractors or volunteers with a business need-to-know, or whose duties so require, are granted access to personal information.
ComplyWorks has developed guidelines and implemented procedures with respect to the retention of personal information. ComplyWorks retains personal information only as long as it is necessary for the identified purpose, or as required by law. Where personal information is used to make a decision about an individual, ComplyWorks retains the information, or the rationale for making the decision, long enough to allow the individual access to the information after the decision has been made.
Personal information that is no longer required to fulfill the identified purposes or required by law to be retained is destroyed, erased or made anonymous.
ComplyWorks uses its best efforts to ensure that personal information collected, used and disclosed is as accurate, complete and up-to-date as necessary for the intended purpose.
Personal information is kept sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the subject individual.
ComplyWorks updates personal information as and when necessary to fulfill the identified purpose or upon notification by the individual who is the subject of the information.
ComplyWorks protects personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction, regardless of the format in which it is held.
ComplyWorks has developed and implemented information security policies and procedures that outline physical, organizational, and technological measures in place to protect personal information as appropriate to the sensitivity of the information. These same measures are employed in the safeguarding and protection of information resources of ComplyWorks customers.
ComplyWorks protects personal information disclosed to, or processed by, third parties through contractual agreements which address the following as necessary:
ComplyWorks ensures that all employees and volunteers are aware of its privacy policies and procedures, and understand the importance of maintaining the confidentiality of personal information.
Care shall be taken in the disposal or destruction of personal information to prevent unauthorized parties from obtaining access to the information.
Upon request, ComplyWorks makes available specific information about its policies and practices relating to the management of personal information, including:
To make an inquiry or lodge a complaint about ComplyWorks’ personal information handling policies and procedures, contact:
ComplyWorks Privacy Officer
235 17th Ave SE,
Calgary, Alberta
Canada T2G 1H5
info@complyworks.com
Upon request, ComplyWorks provides individuals with access to their personal information held by the company. Individuals have the right to challenge the accuracy and completeness of their personal information held by ComplyWorks, and to have it amended as appropriate.
All requests by individuals (e.g. customers, employees, volunteers, contractors) to access their personal information held by ComplyWorks, or to correct or amend their personal information, should be directed to the designated Privacy Officer. Such requests should be in writing.
ComplyWorks responds to requests for access to personal information within 30 business days.
Responding to an individual’s request for information is usually done at no or minimal cost to the individual. However, a fee for reasonable costs incurred may be charged when responding to more complex requests, provided the individual is informed in advance.
In order to safeguard personal information, ComplyWorks may request sufficient information from the individual to verify that person’s identity.
Limitations to Individual Access
ComplyWorks provides individuals access to their personal information subject to limited and specific exceptions. ComplyWorks will refuse access to personal information if:
If access to information is refused, ComplyWorks shall, in writing, inform the individual of the refusal, the reason(s) for the refusal, and any recourse the individual may have to challenge ComplyWorks’ decision.
Correction/Amendment of Personal Information
ComplyWorks corrects or amends personal information as required when an individual successfully demonstrates the inaccuracy or incompleteness of the information. Amendment may involve the correction, deletion, erasure, or addition to any personal information found to be inaccurate or incomplete.
Any unresolved differences as to accuracy or completeness shall be noted in the individual’s file. Where appropriate, ComplyWorks shall inform any third parties having access to the personal information in question as to any amendments, or the existence of any unresolved differences between the individual and ComplyWorks.
ComplyWorks investigates all complaints concerning compliance with its Privacy Policy, Guidelines and practices, and responds within 30 days of receipt of a complaint. If a complaint is found to be justified, ComplyWorks takes appropriate measures to resolve the complaint including, if necessary, amending its policies and procedures. Individuals shall be informed of the outcome of the investigation regarding their complaint.
Complainants may address inquiries or complaints concerning compliance with these policies or guidelines by contacting the ComplyWorks Privacy Officer as set out in these Guidelines under Principle 8 (Openness). A complaint may also be addressed in writing to the Privacy Commissioner of Canada at 112 Kent Street, Ottawa, Ontario, K1A 1H3, or to the Office of the Information and Privacy Commissioner of Alberta, #410 - 9925 - 109th Street, Edmonton, AB, T5K 2J8, 780-422-6860, www.oipc.ab.ca.