SECURITY AND PRIVACY
Our security commitment
Our customer focused culture makes security a top priority. We are open and transparent with our security practices so that customers, users, and IT decision makers alike can feel safe using our products and services.
We work hard to make this the safest place for you. If you have security questions, contact our security and privacy experts directly at [email protected].
Our technology
We built our technology to safeguard your personal information while providing a reliable collaboration platform that your team can trust.
We transmit and store data through professionally managed services which meet the most demanding data security and privacy standards.
- All data are stored in isolated, at-rest encrypted MongoDB Atlas databases hosted in Canada on the Amazon Web Services platform. Data at rest and in transit are protected by TLS 1.2 using 256-bit Advanced Encryption Standard (AES-256).
- The SparxConnect application and services are deployed on the Microsoft Azure cloud computing service and are hosted as Azure Web Apps. The platform components of Azure App Service are actively secured and have built-in features including encryption in transit and HTTPS when data are transferred in or out of storage.
For individuals at the heart of SparxConnect services, you can see how we share data pertaining to you.
- In the Members list, you can see the name, role, and access permissions for every user who is able to access content in a circle.
- Members with permission can modify or delete content pertaining to you at any time.
- Deleted content is removed from our storage system promptly. Deleted data may stay in our backup system for up to 30 days.
- Detailed access logs record changes made to data in a circle. The organization that pays for your account can request these logs from us at any time.
- For more information see the Privacy Policy.
For all users with personal information stored in SparxConnect, we are committed to managing access to your personal information with care.
- Users are automatically signed out of their account after a period of inactivity to prevent unauthorized access.
- If the organization that pays for your account terminates their agreement with us, we delete your account details and content from our storage system promptly. Deleted data may stay in our backup system for up to 30 days.
- We place strict controls over our employees’ access to any data which personally identifies you. A small number of our employees can access your data to provide you with support should you require it. These employees are only authorized to access data that they reasonably require in order to provide you with the support you need.
- Of course, we must comply with valid legal requests, such as a court order, but otherwise we will not access or disclose your data unless the organization that pays for your account tells us to do so.
- For more information, see the Privacy Policy.
Your data and compliance
As a SparxConnect customer, you own and control all the data created within your organization. We know that data privacy and regulatory compliance are important to you.
Our security and privacy practices have been reviewed by legal experts. We adhere to our requirements under Canadian federal privacy laws.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal privacy law, enacted in April of 2000, for private sector businesses. It sets rules for how businesses must handle personal data in the course of commercial activity. Under PIPEDA, personal information is defined as any factual or subjective information about an identifiable individual. This includes information, such as:
- Age, name, ID numbers
- Opinions, evaluations, or comments
- Employee files, disciplinary actions, or intentions (for example, to change jobs)
For more details, see the Privacy Policy.
We enable our customers in Canada and the United States to comply with local data protection regulations.
For organizations operating in Ontario bound by the Personal Health Information Protection Act, 2004 (PHIPA), you have custody or control of personal health information (PHI) as a result of the work you do. We act as an agent for or on your behalf in respect of collecting, using or disclosing PHI, for your purposes and not our own purposes.
We may act with you as a health information network provider (HINP) as described in PHIPA and its regulation. In the role of HINP, we enable your organization to share your client’s PHI with other health information custodians through electronic means.
Under PHIPA, “personal health information” means any information related to the provisioning of healthcare services and treatment; payment for the provisioning of healthcare services; and mental or physical health information.
For organizations operating in the United States under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Emmetros will safeguard the protected health information it receives or creates on your behalf. We will act as a business associate according to the terms of a business associate agreement between you and us.
Our shared responsibility
When it comes to security, we’re on the same team. We work hard to provide a reliable, and secure solution that your team can trust. We also give you, our customer, the tools you need to manage your user accounts, roles, and permissions with confidence.
- If you’re implementing SparxConnect at your organization, see the Terms of Service for Customers.
- If you’ve been invited to use SparxConnect, see the Terms of Service for Users.
If there's a problem
Despite the care we take to secure your data and our services, we are ready in case an unforeseen problem arises.
- In the event of a major disaster affecting our primary data storage, we have well-tested backup and restoration procedures which we can deploy to restore data to the application quickly.
- In the event of a security vulnerability or breach, we have Privacy Breach Management Procedures under the responsibility of the Emmetros Privacy Officer to respond quickly and effectively to minimize impact to you.
- We will notify any affected customers as soon as we understand the scope of any issue. Please understand that responding to the problem may temporarily take priority over notification.
- We are always seeking better ways to serve and protect you.
- If you believe your account has been compromised, or you discover abuse or misuse of a SparxConnect account please contact us immediately at [email protected].