Regulatory Compliance

SOC2

Security and Compliance

Our SOC 2 Type II compliance is the next step in our organization’s investments in security. As a trusted Software as a Service (SaaS) provider for IT Professionals and MSPs, we continuously aim not just to meet but to exceed industry standards and customer expectations for security controls. That’s why organizations of all sizes rely on our enterprise-grade security features. We are excited to announce that our service has been independently certified as compliant with the SOC 2 Type II standards.

Please fill out the form on the bottom of this website or email [email protected] to request more info.

Infrastructure

Our infrastructure is hosted on Amazon Web Services (AWS), which publishes SOC 1, SOC 2 and SOC 3 reports annually; these are also available upon request, as is their SOC Compliance FAQ.

HIPAA

Being a predominantly internet-based service, what security measures do you deploy to safeguard our customers' sensitive network information? Are details encrypted?

Some customers prefer to deploy on-premises and safeguard their data themselves. For those needing cloud services, we offer the options below.

  • AES 256-bit encryption.
  • Optional encryption key. Usernames and passwords are encrypted with this key, and uploaded files are encrypted with the same key. If you do not supply an optional key, data is encrypted with the default key.
  • Built-in two-factor authentication.
  • Encryption at rest.
  • Our web servers are not open to the Internet. They are accessible only through the CloudFlare CDN (Content Delivery Network): you transparently connect to CloudFlare, which presents you with your data. Also, note that CloudFlare handles 10% of the world's web traffic and is very secure.

GDPR

We understand that we need to put measures in place to protect all user data. We are committed to meeting the GDPR requirements.

Consent for data use

The data residing in our data centers will not be shared or used by IT Portal Inc. or any other entity. You, as a customer, will be the only entity with access to your data. We will notify you to ask for consent before using your data.

Breach Notification

In the event of a data breach, we will notify you, the customer, of any risk within 72 hours.

Right to access

As stated, you have the right to a free electronic copy of your data. We provide a tool called PortalSync used to export all your data into this free electronic format. To request access to PortalSync, contact support.

Right to be forgotten

Expired account data will be retained for 365 days. After this period, the account and related data will be removed. You do have the right to ask for all data to be destroyed. At this point, we will activate a process that will destroy all your data.

Data Portability

Much of our data is encrypted. We also give you the option to use your encryption key. To simplify data transfer, we provide a tool called PortalSync that you can use to export all your data into a readable, non-encrypted format. To request access to PortalSync, contact support.

Privacy by Design

Our IT systems and application design promote compliance with data protection laws. We have proactive measures that ensure the protection of your data while transmitted and stored in our systems.

Data Protection Officers

If you have any concerns regarding GDPR, please fill out the form on this website and ask for Alex Cabral. Your request will be forwarded and addressed appropriately.

Processing Activity

To process an order request, we collect the information below.

  • Contact details
  • IP address
  • We do not store credit card information. Financial information such as credit card details is sent directly to a PCI-compliant credit card processor.

PCI

How do you protect customer credit card data? Are payment forms & widgets secure & PCI compliant?

Our site uses Stripe payment processing service to accept credit card data securely. When you fill out the registration form, your credit card data is sent only to Stripe's secure site.

IRAP/ASD

Amazon Web Services (AWS) hosts our infrastructure, and they are IRAP compliant. AWS publishes the full details directly; an excerpt follows.

Protecting Australian government data from access, abuse and disclosure remains a prime consideration when procuring and leveraging cloud services. AWS recognises that customers rely upon the secure delivery of the AWS infrastructure and the importance of having features that enable the customer to create more secure environments. AWS enables customers to meet these objectives by prioritising security in the delivery of its services through the establishment of a robust control environment and making available for use a wide range of security services and features. These services provide comprehensive controls over the customer IT control environment, simplify the management of security services and provide improved security outcomes for the Australian Government.

The Information Security Registered Assessors Program (IRAP) enables Australian government customers to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the needs of the Australian Signals Directorate (ASD) Information Security Manual (ISM).

Law 25

Law 25 Statement

At IT Portal, we are committed to protecting the privacy and personal data of our customers, in alignment with Law 25 of the Quebec Privacy Act. As with our adherence to global standards such as SOC 2, HIPAA, and GDPR, we implement strong security controls and ensure full compliance with Law 25’s privacy and data protection regulations.

Our infrastructure is designed with robust security measures, including AES 256-bit encryption, optional encryption keys for sensitive data, and two-factor authentication, ensuring data protection both at rest and in transit. In accordance with Law 25, we ensure transparency in our data collection, processing, and retention practices, and we do not share customer data without explicit consent. We also provide customers with tools to access, export, or delete their data upon request, in compliance with the right to be forgotten.

If a data breach occurs, we are committed to providing breach notifications promptly within the required 72-hour timeframe. For additional inquiries or to request details on how we comply with Law 25, please contact us at [email protected].

This statement complements our ongoing dedication to providing the highest level of data security and privacy for all our customers.