Data Policy

Introduction

Our Data Protection policy indicates that we are dedicated to and responsible for processing the information of our employees, customers, stakeholders and other interested parties with absolute caution and confidentiality. This policy describes Sabytel’s data lifecycle, including data collection, use, storage, protection, retention, and disposal, transparently and with confidentiality. This policy ensures that Sabytel follows good practices to protect the data gathered from its customers, employees, partners, and stakeholders. The rules outlined in this document apply regardless of the method used for data storage.

Policy Elements

As a key part of our operations, we gather and process any Personally Identifiable Information (PII) or data on a need-to-know basis. This information is collected only with the full consent, cooperation and knowledge of interested parties. Once this information is available to Sabytel, the following rules apply:

Our data will:

  • Be precise and consistently updated;

  • Be collected legitimately and with a clearly stated purpose;

  • Be processed by the company in line with its legal and ethical obligations;

  • Have protection measures that protect it from any unauthorized or illegal access by internal or external parties;

  • Be disclosed only through authorized channels, under formal agreements, and in strict compliance with our policies and PIPEDA.

Our data will not:

  • Be communicated informally or on an ad-hoc basis;

  • Exceed the specified amount of time stored; therefore, personal data of employees, customers and affiliates who no longer use Sabytel services will be archived for 3 years and deleted afterwards;

  • Be transferred to organizations, states, or countries that do not have proper data protection policies without the individual’s knowledge;

  • Be shared with any party unless consent has been obtained from the individual, except where disclosure is required or permitted by law, including in response to lawful requests from law enforcement authorities.

Roles and responsibilities

Everyone who works for/with Sabytel is responsible for ensuring that the collection, storage, handling, and protection of data is being done appropriately. The designated contact responsible for managing data protection matters is the Compliance Manager, reachable at [email protected].

The Compliance Manager is responsible for:

  • Strictly complying with all Sabytel policies related to non-disclosure, non-competition and confidentiality of information;

  • Ensuring that access to the personal data registered on the Sabytel website is restricted to authorized personnel;

  • Ensuring that access to the personal data registered on the Sabytel website will not be shared with or provided to unauthorized personnel.

Legal Applicability and Scope

This policy is designed to ensure compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) for commercial activities conducted by Sabytel. Where Sabytel processes PII on behalf of, or in support of, Canadian federal institutions, applicable obligations under the Privacy Act are applied, and where applicable for international stakeholders, GDPR compliance is also implemented.

General guidelines

  • Access to data covered by this policy should be restricted only to those who need it for their work.

  • Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.

  • Sabytel provides comprehensive training to all employees to help them understand their responsibilities when handling data.

  • Employees should keep all data secure, by taking sensible precautions and following the data storage guidelines specified below.

  • Strong passwords must be used and they should never be shared.

  • Personal data should not be disclosed to unauthorized people, either within the company or externally.

  • Employees should request help from their line manager or the Data Protection Officer at [email protected] if they are unsure about any aspect of data protection.

Consent

While visiting or using this website, Sabytel obtains consent for the collection, use, and disclosure of personal information via a Privacy Notice Statement. Consent may be expressed or implied depending on the sensitivity of the information, and the individual’s reasonable expectations. Individuals may withdraw consent at any time, subject to legal or contractual restrictions.

Data Retention

The Company retains personal information, including Personally Identifiable Information (PII), only as long as necessary to fulfil the identified purposes for which it was collected or as otherwise required by law, in strict accordance with Principle 5 of Schedule 1 to the Personal Information Protection and Electronic Documents Act (PIPEDA) (Limiting Use, Disclosure, and Retention). In compliance with PIPEDA, Sabytel has established and maintains documented retention guidelines and procedures that specify appropriate minimum and maximum retention periods for each category of PII, taking into account the sensitivity of the data, applicable legal and regulatory obligations, contractual requirements, and the reasonable expectations of the individuals concerned. Once the applicable retention period expires or the PII is no longer required to serve its original purpose, it is securely destroyed, erased, or rendered anonymous using industry-standard irreversible methods designed to prevent reconstruction or unauthorized access. These retention practices are reviewed periodically to ensure ongoing alignment with PIPEDA and other applicable privacy laws.

Data storage

Sabytel stores Personally Identifiable Information (PII) in both paper and electronic formats using reasonable physical, technical, and administrative safeguards designed to protect against unauthorized access, use, disclosure, alteration, or destruction. Paper-based records containing PII are maintained in locked filing cabinets or secure, access-controlled facilities with entry restricted to authorized personnel on a need-to-know basis. Electronically stored PII is maintained on encrypted servers and systems protected by industry-standard security controls, including encryption, firewalls, multi-factor authentication, and role-based access controls, and is transmitted and stored in accordance with applicable privacy laws. All storage practices are subject to periodic security reviews and are conducted in a manner consistent with the sensitivity of the information and the reasonable expectations of the individuals to whom it relates.

Data Disposal

Clients may request erasure of their personal information at any time by email or through the digital form available on Sabytel’s website. Prior to processing any deletion request, clients will be provided with all relevant information and must review the Data Protection Officer’s statement outlining the potential consequences of erasure. In accordance with Principle 5 of Schedule 1 to the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Office of the Privacy Commissioner of Canada’s Personal Information Retention and Disposal: Principles and Best Practices, Sabytel disposes of PII and other personal information by securely destroying, erasing, or rendering it anonymous once it is no longer required to fulfil the identified purposes or as otherwise required or permitted by law. For paper-based or physical records, approved disposal methods include cross-cut shredding to a level that prevents reconstruction, disintegration, pulverization, incineration, or melting of the media. For electronic or digital records and storage media (including hard drives, removable devices, tapes, and mobile devices), the Company employs secure overwriting using multi-pass software techniques, degaussing of magnetic media, cryptographic erasure through secure deletion of encryption keys, or complete physical destruction of the media through disintegration, shredding, pulverization, or melting.

Data Transfer

Upon verified request, personal information provided to an individual will be transmitted using appropriate security safeguards. Where electronic transmission is requested, information will be protected using strong encryption, and the decryption key will be communicated via a separate verified channel. It is the responsibility of the recipient to ensure they have the necessary capability to securely access the encrypted information.

Cross border data transfer

Sabytel may transfer, store, or process your personal information outside of Canada to fulfill the purposes for which it was collected or for legitimate business needs such as cloud hosting, payment processing, or customer support. Sabytel remains fully accountable under PIPEDA and implements contractual or other appropriate safeguards to ensure that the receiving organization provides a level of protection comparable to that required under Canadian privacy law. You acknowledge and consent to these transfers by using Sabytel’s services. Please note that personal information transferred outside Canada may be subject to access by foreign courts, law enforcement, or national security authorities in accordance with the laws of the destination country.

Disclosing data

In certain circumstances, when required, Sabytel can disclose data to law enforcement agencies without the consent of the data subject. However, the Compliance Manager will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary. This privacy policy states how data relating to customers, stakeholders, employees and other parties involved is used within Sabytel.

Children

Our website is not intended to attract or be directed to children under the age of 16. Sabytel does not knowingly collect PII from persons under the age of 16 and is committed to complying with applicable requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA), guidance issued by the Office of the Privacy Commissioner of Canada (OPC) and, where applicable, the European Union General Data Protection Regulation (EU GDPR). If you are a parent or a guardian and believe that a child under the age of 16 has provided personal information to Sabytel, please contact us at [email protected].

What are your data protection rights?

Sabytel would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

  • The right to access: You have the right to request copies of your personal data from Sabytel. We may charge you a small fee for this service.

  • The right to erasure: You have the right to request that Sabytel erase your personal data.

  • The right to restrict processing: You have the right to request that Sabytel restrict the processing of your personal data.

  • The right to object to processing: You have the right to object to Sabytel’s processing of your personal data.

  • The right to data portability: You have the right to request that Sabytel transfer the data that we have collected to another organization, or directly to you.

Disclosing Breaches

In the event of a suspected or confirmed data breach, Sabytel follows a structured and documented process to contain, assess, mitigate, and remediate the incident.
All employees, contractors, and agents are required to immediately report any suspected or actual privacy breach to the Data Protection Officer.

Upon discovery, the Data Protection Officer, in coordination with the incident response team, will promptly initiate containment measures. These may include isolating affected systems, suspending or revoking access, securing compromised information, and preserving evidence to support investigation and remediation.

The Data Protection Officer, in consultation with the incident response team — which may include IT security personnel, legal counsel, and senior management — will assess the breach to determine whether it poses a real risk of significant harm (RROSH) to affected individuals, as defined under the Personal Information Protection and Electronic Documents Act (PIPEDA).

This assessment will be documented and completed as soon as feasible following confirmation of the breach. The Office of the Privacy Commissioner of Canada’s (OPC) Privacy Breach Risk Assessment Tool may be used to support and guide this evaluation.

Where it is determined that a RROSH exists, Sabytel will notify affected individuals as soon as feasible after confirming the breach, unless prohibited by law. Notifications will be direct (e.g., via email, phone, or mail) and will include sufficient information to allow individuals to understand the breach and take steps to mitigate potential harm. Indirect notification (e.g., via website or media) may be used in limited circumstances, where direct notification is not feasible or could cause further harm. Additionally, Sabytel will report the breach to the Office of the Privacy Commissioner of Canada in writing and may notify other relevant organizations (such as law enforcement agencies and credit reporting agencies) where doing so may help reduce the risk of harm to individuals.

Sabytel maintains records of all breaches, regardless of whether they pose a RROSH. These records are retained for a minimum of 24 months from the date of discovery in accordance with PIPEDA requirements and are stored securely in a centralized breach log managed by the Data Protection Officer. Breach records are reviewed periodically to support continuous improvement of privacy and security safeguards.

If you make a request, we have 30 business days to respond to you. If you would like to exercise any of these rights, please contact us at [email protected].

SABYTEL TECHNOLOGIES INC.

116 Albert Street, Suite 300
Ottawa, Ontario, K1P 5G3
Canada
Phone: +1 (613) 235-9999
Email: [email protected]