Privacy and Signority’s Data Localization Technology

Signority’s Data Localization Technology

Signority, Privacy, and Data Localization

For governments there has to be a balance between privacy protection and innovating technologies that provide the best accessibility to its citizens. As a global eSignature company, Signority makes every effort to comply with the laws of every jurisdiction globally. To comply with data sovereignty it is not just matter of where the data centre is located.

Signority eSignature Platform (SeSP) has the full competence to implement a data localization solution to isolate customer data within the enterprise’s designated geographic locations, anywhere globally. 

How Ensure Data Localization

Your Choice of Data Centre Locations:

Signority gives options to enterprise customers by offering a dedicated private cloud solution. SeSP is hosted in the state-of-art AWS data re  in Canada for the public cloud and can host on any customer designated geographic locations through AWS’s global zones. 

Your Choice of 3rd party integration vendors

Through Signority RestFul API integrations, customers can replace their qualified vendors to replace the SeSP out-of-box 3rd party vendors, such as email notification vendor, SMS vendor for 2-factor-authentication and digital certificate vendor for document encryption.

Your Choice of Backups and Retention Policy

Through integration, our customers can synchronize and store every signed document to their record management system or network devices. You can configure the retention period and delete signed documents from the Signority cloud after they are fully backed up to your own systems.   

Restricted IP Address Range for Access

Often corporate policy only permits certain access points to access highly sensitive documents. Signority’s enterprise customers can configure their user’s IP address ranges when they log in to their Signority accounts. This also offers a great protection for hacking incidents from unauthorized geographic areas.  

Legal Assurance

Signority has a Data Protection Agreement (DPA) along with an Enterprise Agreement that is based on the European General Data Protection Regulation (GDPR). Our Data Atlas details how the different types of data are processed and managed in SeSP.  

Empower Signority Employees with Processes and Training to Protect Your Privacy

Security training is a mandatory objective in every employee’s annual performance review. Customer Success staff must go through a rigid privacy training to what to ask and how to ask when confronted with sensitive data. Customer Service is important, and is not outsourced overseas. We believe people that represent Signority must share the same value and the same security and privacy awareness.  

The Signority Enterprise Solution allows for customized location, scale, and backup format. No matter where you are, Signority, as a global player, aims to provide an  efficient eSignature technology.

I encourage you to read two of our previous blogs about Signority’s security practice:

How Signority Secures Your Data 

Security Features You Need in An eSign Platform

Where do you “warehouse” your data?

If you were warehousing physical goods, you would want to know what laws apply to your goods. The data centre location question is equivalent: foreign location means foreign legislation.

Privacy Officers, Legal Counsel, or the Compliance Teams of your organization have an understanding of the risks factors associated with data residency requirements. Signority has the full capability of meeting your needs. If you’d like to learn more, contact us:

  • Phone:  833-222-1088
  • using the chat icon on the bottom right of your screen,
  • or through our contact form

Frequently Asked Questions

A company has a “.ca” domain name. Does it mean the data centre  is in Canada? 

Not at all. Having a  “.ca” website has nothing to do with data centre locations.  To get a “.ca” domain you must meet the Canadian Presence Requirements: 

Once you have the “.ca” domain name, the hosting servers can be anywhere in the world.

A company claims on the website that their data is located in Canada for Canadian customers but refused to sign our privacy act that has clear requirements for Canadian data residency. Why is this?

No matter what the marketing collateral statements, signing your privacy agreement is the actual commitment. If this ever occurs, please question their business integrity. Privacy has become a prominent risk factor. Do not compromise on that unless your Privacy Officer has completed a Privacy Impact Assessment (PIA) and agreed to it.  

Canadian Privacy Acts At A Glance

Canadian Privacy Acts

Canadian Privacy Acts At A Glance

There are many blogs about government privacy acts. However, consumers – people – don’t see the connection between their daily lives and privacy acts.  Here, we will summarize Canadian privacy acts while sparing you the legal language.  

Canadian governments (federal and provincial) set the direction for Canadian organizations and businesses when adopting cloud technologies to protect consumers’ privacy. We can debate governmental restrictions and protections, but all in all, restrictions are imposed on organizations and businesses that collect sensitive information. As a technology company, we take a collaborative approach to complying  with legislation.  

There are two levels of Canadian privacy acts: federal and provincial levels. 

Federal Privacy Acts Regarding Data Residency

Two federal privacy laws are enforced by the Office of the Privacy Commissioner of Canada: 

  • The Privacy Act covers how the federal government handles personal information;
  • The Personal Information Protection and Electronic Documents (PIPEDA) covers how private-sector organizations handle personal information in the course of for-profit, commercial activities across Canada. 
  • Provincial privacy laws cover municipalities, public-sector organizations, crown corporations, and not-for-profit and charity groups. 

The federal government categorizes sensitive data into four protected information levels, Protected A, Protected B, Protected C, and Classified Information. 

For Protected B, Protected C, or Classified information. they must be stored “in a government of Canada approved data centre located within the geographic boundaries of Canada or the premises of a Government of Canada department located abroad such as a diplomatic or consular mission.” 

Refer to Direction for Electronic Data Residency.  

The white paper Data Sovereignty and Public Cloud from the Government of Canada website provides insights about data sovereignty with different cloud deployments, Public cloud, Hybrid Cloud, Private Cloud, and non-cloud. Here is the explanation of the cloud option through Wikipedia if you’d like to know the nitty and gritty details. 

The Treasury Board of Canada has provided valuable and detailed recommendations and use cases published on the Federal government’s website for public and private-sector organizations to follow.  

Provincial Privacy Acts Regarding Data Residency

Provinces either follow the federal PIPEDA or set their own privacy acts to guide public-sector organizations and healthcare providers who manage and process personal data. Provincial privacy acts differ from one to another and are constantly evolving with amendments to provide the best privacy protections while allowing the flexibility of adopting the best and the latest global technologies. Provinces have been debating data residency (whether to keep the data in-province or allow nationwide or outside of Canada storage) for their own public sector organizations, including healthcare providers. 

If any specific organization decides to host those sensitive information outside of Canada, the company must adhere to the provincial privacy acts, conduct a thorough Privacy Impact Assessment (PIA) and must inform individuals, and have their consent. One example is the Ontario Physiotherapy Clinic’s terms of agreement, where they disclose what apps they are using and where your health data is stored.       

Nova Scotia defined the Personal Information International Disclosure Protection Act, PIIDPA. Under PIIDPA, public bodies and municipalities are required to ensure that any personal information held by them (or any service provider acting on their behalf), remains in Canada, is accessed, and is disclosed only in Canada, unless certain circumstances exist. This FAQ provides the context of  data sovereignty under PIIDPA. 

Both the federal and provincial governments have specific legislation concerning data location. We have seen the outline of such legislation. Now, if you are responsible for a lot of your customer’s data, one hopes you will do the due diligence, and select your technology partners responsibly.  

References for Canadian Provincial Privacy Laws

Your Privacy, Not Sharing Is Caring

Your Privacy, Not Sharing is Caring

Your Privacy, Not Sharing Is Caring

Our Canadian business and enterprise customers often ask us: what does “Data Centre” in Canada mean? This sounds like a simple question, but actually it isn’t. Let’s dive into what data location means to you. 

Privacy is the main driving force for using data centres with a determined location.  For financial and medical records, for example, we would like governmental or legal protection of that data.  But inevitably, everybody uses multiple cloud applications for business and  personal purposes: Gmail, Office 365, iCloud, Facebook, etc…. Google Maps keeps the last 10 years of your travel itinerary. Google gives me a map of everywhere I have been in the last month. By data mining, shopping, and whatever other interests you and your family may have, are potentially exposed. My robot vacuum cleaner has my household floor plan.  Without governmental restrictions and law, the Cambridge Analytics scandal will happen over and over. 

Using cloud applications (also referred as (Software-as-a-Service), consumers, for the most part, interact with the service provider directly.  Major service providers leverage at least one or several infrastructure providers (also referred as (Infrastructure-as-a-Service) for data hosting, email notifications, or SMS messaging. Infrastructure companies are transparent to end-users: what server, where, and what type of infrastructure hosts the cloud application uses, is not visible to the end-user. 

"As an end- user, reading the “Term of Service” may be boring, but it's the responsible thing to do before you hit the “I Agree” button. "

"... reading the “Term of Service” may be boring, but it's the responsible thing to do..."

For privacy, a commitment from  the entire chain, from the application on your phone, to the cloud application, and the infrastructure is required.  While your service provider may not set out to violate your privacy, infrastructure companies  may not care so much about your data sovereignty. The end-user has no control over the complexity of the multiple layers involved in using that app.  

As an end- user, reading the “Term of Service” may be boring, but it’s the responsible thing to do before you hit the “I Agree” button. Personal information is at risk, and it’s good to know your exposures. The convenience of cloud applications is great, but reading the “Terms of Service” is a habit that must be adopted.

Signority seeks to protect the end-user. Our customers demand it. Signority has been offering  eSignature applications for over 10 years. We make a point of having the Canadian data handled by our Canadian customers stay in Canada.

Canadian governmental organizations, not-for-profits, and private companies, enjoy using Signority services, from Canadian servers,  to serve  Canadian residents. Information such as insurance forms, finances, medical data, HR data such as employee social insurance numbers, pay rates, job offers, even a primary school’s field trip waivers with health card numbers, are all located in Canadian servers for Canadian residents. For Signority, the end customer is the owner of the data, and we protect that by data colocation. We do not allow 3rd parties to mine our customers’ data, nor do we allow “metadata” analysis. Signority avoids  the ramifications of cross-border storage of data by simply not crossing the border.       

When considering your eSignature provider, consider your customers privacy and security. This applies to both the public and private sector. Signority offers a private cloud with a complete data localization solution that alleviates the worry of where your customer data is anywhere complying with global legislations. For privacy, Signority is your technological partner. Read our blog about Signority’s data localization solution.

Your Privacy Is In The Details

Your Privacy is in the Details

Your Privacy is in the Details

A few years ago, we received a postal letter from one of the investment funds to which we subscribe: a privacy policy change notice with many pages, small font on paper,  thick legal jargon seemingly designed to discourage people from reading through them.  It was a bank letter designed by lawyers. 

There was a ‘deny’ form at the end: only mail the letter back if we disagreed with the financial institution moving the data centre outside of Canada. We read the entire document and strongly disagreed with the international data centre proposal. As Canadians, our data is not as protected on foreign soil as is in Canada. This was definitely not acceptable. This would change the Data Location, where our bank stores our personal information,  from Canada to outside of Canada.

“Data location” is also called “data residency”. In principle, everybody should have the ownership of their own personal data: we should have “Data Sovereignty”. But in practice, we are far from there. If you have accounts on Facebook, Google, or Microsoft, then you know your data is very likely in the United States (U.S.). 

But what about your financial, and medical data? Once upon a time, your records were on paper, locked up somewhere nearby. Turns out that the Internet is a more convenient place to store those records. 

Data Location can Affect Data Privacy

Here is another real life example from a friend. 

My friend had a recent encounter with an Ontario psychologist. The psychologist used a free Gmail account.  Right off, my friend was put off by the unprofessionalism. Their services were  $250/hour, the clinic should at least use a professional domain name.

I had a chance encounter with my friend. After some discussion, it turns out that more clinics use Gmail accounts. My friend decided to go with the flow and sign a contract, book appointments, get invoices to/from the Gmail account. But here is something that my friend, and the clinics, should know:

Fact: in Ontario, healthcare organizations must comply with the Ontario government’s Personal Health Information Protection Act, PHIPA. Under the PHIPA, healthcare professionals must disclose and receive consent if they would store your medical information outside of Canada.

The contract that my friend received had lots of legal jargon, she didn’t read it, but signed it anyway. Reviewing the contract, it does mention a couple of specialized apps that could be introduced to the patient. But there is no mention of Gmail, nor consent to Gmail.

Then the assessment reports started coming in. Medical information was now being sent via Gmail. Now clearly in violation of PHIPA rules, with medical information being sent. 

"Under the PHIPA, healthcare professionals must disclose and receive consent if they would store your medical information outside of Canada."

Personal Information (PI) is information that can identify you unequivocally as an individual. An email address by itself is not personal information, but when that email contains a name and street address, that is “Personal Information” as far as the PHIPA rules go. Furthermore, her  Personal Health Information (PHI) is being sent via Gmail.

Cybersecurity and privacy concerns simply did not exist in the past. Your doctor, for example, would simply lock away your records in the filing cabinet. But now, we must look out for our own privacy. You can make some assumptions: a big hospital in Ontario is very likely to be following PHIPA rules, but smaller clinics may not be. 

You can ask the clinic if they follow PHIPA rules, or maybe where they store their patient’s data. In the case of my friend’s psychologist, we have taken the time to inform him of the rules, the PHIPA rules specifically, that he should be following. Ultimately, that psychologist could have been reported to the College of Psychologists of Ontario, but that would have been an extreme measure.

Bottom line: vigilance is required every day for all interactions on the Internet. Your privacy is always at risk. The more private information you give, the more you have to think about your own cybersecurity. If the information is important to you, then you must consider the location of your information.