Privacy & Security Policy

Privacy Policy

Our company is committed to protecting your privacy and ensuring the security of your personal information. This policy outlines how we collect, use, and protect your personal information.

Collection of Personal Information

We collect personal information from you when you contact us about, or engage us for, our services. We may also collect information automatically through the use of cookies and other tracking technologies on our website. This information may include your name, email address, phone number, and other information necessary for the provision of our services.

Use of Personal Information

We use your personal information only for the purpose of providing our services to you. We will not share your personal information with any third party unless we are legally required to do so.

Third-Party Service Providers

We may use third-party service providers to help us operate our business and provide services to clients. These providers may have access to personal information in order to perform their services. We will only work with service providers who have appropriate safeguards in place to protect personal information.

Protection of Personal Information

We take reasonable measures to protect your personal information from unauthorized access, use, or disclosure. We maintain physical, technical, and administrative safeguards to protect your personal information. All our employees are trained on our privacy policy and are required to adhere to it.

Retention of Personal Information

We will retain your personal information only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable law.

Project Confidentiality

We treat the confidentiality of our clients' information and project details as a matter of the utmost importance. During the development phase, we implement stringent measures to ensure that all client information and proprietary project details are securely managed and accessed only by authorized personnel directly involved in the project. We employ a combination of physical, electronic, and managerial procedures to safeguard the information we collect, ensuring that confidentiality is maintained throughout the project lifecycle and beyond.

While we do not disclose any proprietary or sensitive information about our work with clients, we believe in transparency and the value of sharing our experiences. Therefore, we may discuss general aspects of past projects with prospective clients as case studies to illustrate our capabilities and expertise. These discussions are carefully curated to avoid revealing any confidential or proprietary information, focusing instead on the challenges we faced, the solutions we implemented, and the outcomes achieved, all while maintaining the confidentiality of our clients' specific data and intellectual property.

Intellectual Property Rights

We want our clients to feel secure in the knowledge that the innovative solutions we develop together are unequivocally owned by them. To this end, any design, development work, or any other creative output produced by our team in the course of a client project is assigned to the client upon completion, barring any specific agreements to the contrary. This ensures that our clients can leverage the full value of the solutions we develop, free from any concerns about ownership or rights.

In instances where third-party software or components are integrated into a solution, we ensure clear communication and documentation regarding the licensing and ownership of these elements. We meticulously adhere to the terms of use and licensing agreements of third-party solutions to avoid any potential legal complications. It's also worth noting that if Always August develops an internal product, the IP for such products remains with Always August, distinguishing between client-commissioned projects and our proprietary developments.

GDPR and FIPPA Compliance

As a digital agency, we are committed to protecting the personal data of our clients and website visitors. We are compliant with the General Data Protection Regulation (GDPR), which is a comprehensive data privacy regulation that governs the collection, use, and storage of personal data for individuals located in the European Union. Additionally, as a digital agency based in Ontario, we are subject to Ontario's Freedom of Information and Protection of Privacy Act (FIPPA). FIPPA sets out rules for the collection, use, and disclosure of personal information by public institutions in Ontario. We will comply with both GDPR and FIPPA in our handling of personal information.

Compliance and Legal Adherence

As a Canadian company, we are committed to complying with all applicable laws and regulations, both domestically and in the jurisdictions of our clients. This commitment extends to industry-specific standards and regulations relevant to our clients' projects, ensuring that the solutions we develop not only meet but exceed the required legal and regulatory standards.

We understand that our clients operate in diverse industries, each with its unique regulatory landscape. Therefore, we take a customized approach to compliance, working closely with legal experts and regulatory bodies to ensure that every project adheres to the relevant laws and industry standards. This meticulous attention to legal and regulatory compliance not only protects our clients but also enhances the trust and reliability that are the foundation of our client relationships.

Your Rights

You have the right to access, correct, or delete your personal information. You can also object to the processing of your personal information, and you have the right to lodge a complaint with a supervisory authority if you believe that we have violated your rights.

Changes to the Privacy Policy

We may make changes to this privacy policy from time to time, and any changes will be posted on our website.

Security Policy

Access Control Policy

The purpose of this policy is to ensure that access to sensitive data is granted only to authorized personnel. Access will be granted based on the principle of least privilege, which means that employees will only be granted access to the data they need to perform their job duties. All employees will be required to use strong passwords and keep them confidential. Any access requests will be logged and reviewed periodically.

Password Management Policy

The purpose of this policy is to ensure that passwords are strong and kept confidential. All employees will be required to create strong passwords that are at least eight characters long and contain a combination of uppercase and lowercase letters, numbers, and special characters. Passwords will be changed every 90 days, and employees will not be allowed to reuse the same password within a year. Passwords will be kept confidential and should not be shared with anyone. In case of a suspected password compromise, employees will be required to report it immediately.

Software/Hardware Acquisition Policy

The purpose of this policy is to ensure that all software and hardware acquisitions are properly vetted and approved. Any software or hardware purchases must be approved by the designated employee before they are made. All software and hardware must be acquired from reputable vendors and must be licensed properly. Any employee-owned devices that are used for work purposes must be approved by the designated employee and must be compliant with the security policies of the agency.

Third-Party Service Providers

As part of our commitment to protecting personal information, we perform security assessments of third-party companies with which we share data. Here's a description of how we perform these assessments:

  1. Identification of Third-Party Companies: We maintain a record of all third-party companies with which we share personal information. We identify these companies through a variety of means, including contractual agreements, service provider agreements, and other business arrangements.
  2. Risk Assessment: We assess the risks associated with sharing personal information with third-party companies. We consider factors such as the sensitivity of the information being shared, the nature of the relationship with the third-party company, and the company's security posture.
  3. Due Diligence: We conduct due diligence on third-party companies to ensure they have appropriate security measures in place to protect personal information. This may include reviewing the company's security policies and procedures, conducting vulnerability assessments or penetration testing, and verifying the company's compliance with relevant regulations and standards.
  4. Contractual Protections: We ensure that appropriate contractual protections are in place to protect personal information when it is shared with third-party companies. This may include provisions related to data security, confidentiality, and data breach notification.
  5. Ongoing Monitoring: We continually monitor the security posture of third-party companies with which we share personal information. This may include regular assessments, audits, or other monitoring activities.

By performing security assessments of third-party companies with which we share personal information, we aim to ensure that appropriate safeguards are in place to protect this information from unauthorized access, use, or disclosure.

Change Management Policy

The purpose of this policy is to ensure that all changes made to the agency's systems and applications are properly documented and tested. Any changes to the systems or applications must be approved by the designated employee before they are made. All changes must be documented and tested to ensure that they do not introduce any security vulnerabilities. Any changes that are found to be potentially harmful or are unsuccessful must be rolled back immediately.

Separation/Segregation of Duties Policy

The purpose of this policy is to ensure that no single employee has complete control over any sensitive data or systems. Job duties will be separated and segregated so that this remains the case, and any changes to job duties will be reviewed and approved by the designated employee.

Remote Access Policy

The purpose of this policy is to ensure that remote access to the agency's systems is secure and protected. All remote access will be granted only to authorized personnel and will be monitored and reviewed periodically. Remote access will be granted using a secure connection, such as a VPN, and employees will be required to use strong passwords and keep them confidential.

Data Handling Policy

The purpose of this policy is to ensure that all sensitive data is handled and stored in a secure manner. All data will be classified based on its level of sensitivity, and appropriate security measures will be implemented based on the data classification. All data transmissions will be encrypted using industry-standard encryption protocols, such as SSL or TLS. All sensitive data will be stored in an encrypted format, and the encryption keys will be stored separately from the data. Access to sensitive data will be granted only to authorized personnel based on the principle of least privilege. Any data that is no longer needed will be securely deleted or destroyed. All data-handling activities will be logged and reviewed periodically to ensure compliance with the agency's data-handling policy.

Consequences of Non-Compliance

The security policies outlined above are critical to protecting the agency's and its clients' sensitive information. Any non-compliance with these policies may result in disciplinary action, up to and including termination of employment, depending on the severity and frequency of the non-compliance. Any intentional or malicious non-compliance may also result in legal action. All employees are responsible for adhering to these policies, and any violations must be reported to the designated employee immediately.

Compliance with Privacy Laws and Regulations

The agency is committed to protecting the privacy of our clients and their customers' data. We comply with all applicable privacy laws and regulations, including but not limited to, the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). To ensure compliance with these regulations, we have implemented the following procedures:

  • Regular audits: We conduct regular audits of our security policies and practices to ensure compliance with privacy laws and regulations. These audits are conducted by internal and external auditors who are experts in privacy and data security.
  • Privacy impact assessments: We conduct privacy impact assessments (PIAs) for all new products and services that we develop. PIAs help us identify and address any privacy risks associated with our products and services.
  • Staff training: We provide regular training to all employees on privacy laws and regulations, as well as our policies and procedures related to privacy and data security.
  • Third-party vetting: We thoroughly vet all third-party vendors and service providers to ensure they are compliant with privacy laws and regulations.
  • Incident response plan: We have an incident response plan in place to quickly and effectively respond to any privacy or security incidents that may occur.

By implementing these procedures, we are committed to maintaining the security, confidentiality, and protection of our clients' and their customers' data in compliance with all applicable privacy laws and regulations.

Encryption Policy Standards

The purpose of this policy is to ensure that all sensitive data is protected with encryption when it is in transit or at rest. All data transmissions will be encrypted using industry-standard encryption protocols. All sensitive data will be stored in an encrypted format, and the encryption keys will be stored separately from the data.

Security Incident Response/Reporting/Handling Policy

The purpose of this policy is to ensure that any security incidents are properly identified, reported, and handled in a timely and effective manner. All employees will be required to report any security incidents or suspected security incidents immediately to the designated employee. The designated employee will investigate the incident and determine the appropriate response, which may include notifying affected parties and implementing remedial measures. All security incidents will be logged, and a report will be generated for each incident, documenting the date of the incident, the nature of the incident, and the response taken.

Disaster Recovery and Business Continuity

The agency understands the importance of having a comprehensive disaster recovery and business continuity plan in place to ensure the continued operation of our business and the protection of our clients' and their customers' data in the event of a disaster or disruption. To that end, we have implemented the following measures:

  • Backup and recovery: We regularly back up all critical data and systems to ensure that data can be restored in the event of a disaster or disruption.
  • Alternative site: We have identified an alternative site where we can relocate our operations in the event that our primary site becomes unavailable.
  • Redundant systems: We have implemented redundant systems to ensure that critical operations can continue in the event of a system failure or disruption.
  • Testing: We regularly test our disaster recovery and business continuity plan to ensure that it is effective and up-to-date.

By implementing these measures, we are committed to ensuring the continued operation of our business and the protection of our clients' and their customers' data in the event of a disaster or disruption.

Manual Recovery Procedures

While we have implemented redundant systems and regular backups to ensure automatic recovery in the event of a disaster or disruption, we also recognize the possibility of automatic recovery failure. To mitigate this risk, we have documented and practiced manual recovery procedures to be used in case of automatic recovery failure. These manual recovery procedures include:

  • Backup recovery: In the event that automatic backup recovery fails, we have documented procedures for manual backup recovery.
  • Alternative site: In the event that our alternative site becomes unavailable, we have documented procedures for identifying and setting up a new alternative site.
  • Redundant systems: In the event that redundant systems fail, we have documented procedures for restoring and recovering data and systems using alternative methods.
  • Testing: We regularly test our manual recovery procedures to ensure that they are effective and up-to-date.

By documenting and practicing manual recovery procedures, we are prepared to quickly and effectively respond to any disaster or disruption, ensuring the continued operation of our business and the protection of our clients' and their customers' data.

Privacy Breach Notification Process

Our privacy breach notification process is designed to ensure that we are transparent with our customers in the event of a breach, while taking all necessary steps to contain and prevent similar incidents in the future.

  1. Containment: The first step in addressing a privacy breach is to contain it. This means that we will take immediate action to stop the breach and prevent further unauthorized access or disclosure of customer data.
  2. Assessment: Once the breach has been contained, we will conduct an assessment to determine the nature and extent of the breach, including the types of personal information that were involved and the potential impact on affected customers.
  3. Notification: If the breach involves the unauthorized access or disclosure of customer data or accounts, we will notify affected customers as soon as possible. The notification will include information about the nature of the breach, the types of personal information involved, and steps that affected customers can take to protect themselves.
  4. Investigation: We will conduct a thorough investigation to determine the root cause of the breach and take steps to prevent similar breaches from occurring in the future.

In terms of prevention, we take the following measures:

  1. Access Control: We restrict access to customer data and accounts to authorized personnel only, and limit the access to only the necessary data required to perform their duties.
  2. Encryption: We use industry-standard encryption methods to protect customer data both in transit and at rest.
  3. Regular Security Assessments: We perform regular security assessments of our systems to identify and address potential vulnerabilities.
  4. Employee Training: We provide regular security training to our employees to ensure that they are aware of best practices for handling customer data and accounts.
  5. Data Retention: We retain customer data only for as long as necessary to provide our services, and securely dispose of it once it is no longer required.

Process for Granting and Revoking User Access

A clear and structured process can help prevent unauthorized access to sensitive information, while ensuring that authorized users have the appropriate level of access.

The following is an example of a proposed process for granting, modifying, reviewing, and terminating user access:

  1. Granting User Access:

When a new employee joins the organization or when an existing employee requires additional access to a specific system, the following steps should be taken:

  • The user's manager should submit a request for access to the appropriate system or application.
  • The IT department should verify the user's identity and ensure that the request is authorized.
  • The IT department should provision the user's account with the appropriate level of access, based on their role and responsibilities.
  • The user should be notified of their new access and provided with the necessary credentials and instructions for logging in.

  2. Modifying User Access:

There may be occasions when a user's access needs to be modified, for example, when an employee changes roles or responsibilities. The following steps should be taken:

  • The user's manager should submit a request for the necessary changes to the user's access.
  • The IT department should verify the request and determine the appropriate level of access required for the user's new role.
  • The IT department should modify the user's account as required, ensuring that the user only has access to the systems and applications that are necessary for their job responsibilities.
  • The user should be notified of any changes made to their access.

  3. Reviewing User Access:

It is important to review user access periodically to ensure that users only have access to the systems and applications necessary for their job responsibilities. The following steps should be taken:

  • The IT department should conduct regular reviews of user access, identifying any accounts that have not been accessed for a specific period of time or accounts that have access beyond what is necessary for the user's job responsibilities.
  • The user's manager should be notified of any access that needs to be modified or revoked.
  • The IT department should modify or revoke access as required.

  4. Terminating User Access:

When an employee leaves the organization or no longer requires access to a specific system or application, it is important to terminate their access to prevent unauthorized access. The following steps should be taken:

  • The user's manager should submit a request to terminate the user's access to the appropriate system or application.
  • The IT department should verify the request and ensure that it is authorized.
  • The IT department should disable or delete the user's account and revoke any access that the user had to the systems or applications.
  • The user's manager should be notified that the access has been terminated.

Process and Procedure to Review and Update Privilege Accounts

Process and procedure for reviewing and updating the access list(s) for privileged accounts:

  1. Identify privileged accounts:

The first step in reviewing and updating the access list(s) for privileged accounts is to identify which accounts are considered privileged. These accounts typically have elevated permissions or access to critical systems or data.

  2. Review access list(s):

The IT department should review the access list(s) for privileged accounts regularly, at least once every six months, to ensure that access is limited to authorized users. The review process should include the following steps:

  • Identify the individuals who currently have access to each privileged account.
  • Determine whether each individual still requires access to the account based on their job responsibilities.
  • Verify that each individual's access to the account is appropriate and necessary.
  • Document the results of the review.

  3. Update access list(s):

Based on the results of the review, the IT department should update the access list(s) for privileged accounts as necessary. The following steps should be taken:

  • Remove access for any individuals who no longer require it or whose access is inappropriate or unnecessary.
  • Add access for any individuals who require it based on their job responsibilities.
  • Update access levels as necessary to ensure that individuals have only the access they require to perform their job responsibilities.

  4. Document the changes:

All changes to the access list(s) for privileged accounts should be documented, including the reason for the change and the date it was made. This documentation should be maintained in a secure location and made available for audit purposes.

  5. Review and test the changes:

After the access list(s) for privileged accounts have been updated, the IT department should review and test the changes to ensure that they were implemented correctly and that access is limited to authorized users. This review and testing should include the following steps:

  • Verify that the changes were made as documented.
  • Test access to each privileged account to ensure that it is limited to authorized users.
  • Document the results of the review and testing.

In summary, regularly reviewing and updating the access list(s) for privileged accounts is critical to maintaining the security and integrity of our systems. The process should be documented and followed consistently to ensure that only authorized users have access to privileged accounts. It should cover identifying privileged accounts, reviewing the access list(s), updating the access list(s), documenting the changes, and reviewing and testing the changes.

Last updated December 2023

If you have any questions or concerns about this privacy policy or how we use your personal information, please contact us at legal@alwaysaugust.co.