Overview of security and compliance at Citation Canada
Trusting your data with Citation Canada, formerly HRdownloads, is an important decision, and we take that responsibility very seriously.
Introduction
Citation Canada understands that today’s organizations require an exceptionally high standard of security, privacy, and business continuity management. This is because the confidentiality, integrity, and availability of our clients’ data is vital to their business operations and to our own success.
Citation Canada takes a holistic approach to security, privacy, and business continuity. We achieve this by continually monitoring and improving our platforms, systems, processes, and people to meet the growing demands and challenges of the evolving threat landscape.
This document addresses the common questions we get from our clients when they’re considering using Citation Canada’s services and platform. It aims to provide an overview of the security controls employed by Citation Canada, including:
- Information Security
- Human Resources Security
- Security Training and Awareness
- Physical Security Controls
- Logical Access Controls
- Incident Response and Breach Notification
- Business Continuity and Disaster Recovery
- Web Application Security
- Accreditations and Certifications
Company details
Citation Canada Inc.
727 Exeter Rd
London, ON
Canada
N6E 1L3
https://www.citationcanada.com/
Information Security Management System
Citation Canada continues to maintain an Information Security Framework that includes technical and administrative controls. This framework allows us to take a systematic approach to protecting commercial information, including our clients’ data and other critical assets, from both internal and external threats.
Our management system follows fundamental information security best practices including:
- Information security, data protection, and business continuity awareness training and education.
- Dedicated teams and individuals responsible for information security, data protection, and business continuity.
- Confidentiality, integrity, and availability incorporated as an essential element of development, networks, and systems.
- Ensuring a risk-based approach to information security management.
- Maintaining the principles of least privilege and need to know via role-based access controls.
- Compliance with relevant laws, rules, and regulations, together with the contractual terms agreed between Citation Canada and its stakeholders, including clients, vendors, partners, employees, and other applicable third parties.
- Continual monitoring of information security controls and adjusting and improving where necessary.
Human Resources security
Citation Canada conducts reasonable and appropriate background/verification checks on all employees prior to employment. These include, but are not limited to, identity, right-to-work, and employment background checks.
All employees are required to conduct themselves in a manner consistent with the company policies. This includes responsibilities before, during, and after employment with Citation Canada.
Citation Canada employees, partners, and contractors, upon joining the company and throughout their engagement, as well as certain service providers, are required to sign non-disclosure and confidentiality agreements demonstrating their commitment to the company and its information security.
Security training and awareness
Citation Canada has an awareness and education program that includes several initiatives:
- Citation Canada employees undergo security, privacy, and business continuity training as part of the onboarding process.
- Refresher training is provided monthly to reinforce the security, privacy, and business continuity principles, as well as industry best practices and common pitfalls.
- Role-based training ensures the right education is provided to those roles that, based on their responsibilities, access levels, and function, may represent a greater risk to Citation Canada.
- Ongoing training includes monthly cyber awareness and simulated phishing campaigns in addition to regular company-wide security communications.
Physical security controls
The Citation Canada service is cloud-hosted in the Amazon Web Services Canada (Central) Region, whose data centres have a defined and protected physical perimeter and strong physical controls, including, but not limited to, access control mechanisms and tightly controlled outer and inner perimeters with increased security at each level. For further details, please refer to the AWS documentation – AWS Data Center Security.
Citation Canada ensures that access to company facilities is tightly controlled through physical access control systems (e.g., key card entry systems). All visitors to company premises must register at reception and are accompanied in secure areas by authorized personnel. Further measures include CCTV and clearly defined policies for physical access.
Technical security controls
Citation Canada has a dedicated, in-house operational security team that is responsible for managing, maintaining, and monitoring the following technical security controls:
- Enterprise-grade anti-malware and endpoint detection and response (EDR) agents deployed to all Citation Canada endpoints and servers, with centralized management and monitoring.
- Enterprise-grade managed detection and response agents deployed to all Citation Canada endpoints and servers.
- Multi-factor authentication enforced for all Citation Canada employees accessing cloud-based workplace services.
- Enterprise-grade, centrally-managed firewalls in place to protect internal networks and external cloud applications and services.
- Security event logs on all Citation Canada devices, ingested and monitored 24/7 by our managed detection and response service.
- Operating systems automatically patched when updates become available.
- Third-party software versions monitored and patched automatically or via centralized software package management.
- Email security policies in place for all Citation Canada staff to protect from spam, phishing, and malware.
- Web content filtering in place on all endpoints to restrict access to suspicious or malicious websites.
- Full Disk Encryption enforced on all Citation Canada workstations.
- Regular vulnerability scanning and analysis across the estate.
- Data loss prevention policies to identify the movement of sensitive data.
Logical access controls
Citation Canada maintains a formal access control policy and employs a centralized access management system. This is configured to control access by Citation Canada employees to client data and to support the secure creation, amendment, and deletion of user accounts.
Citation Canada regularly reviews assigned access rights to ensure that all user accounts and user account privileges are allocated on a need-to-know basis. Upon a change in scope of employment or termination of employment, access rights are removed or modified as appropriate.
Least-privilege, role-based access controls (RBAC) are in place across our platforms. Access to highly sensitive systems and cloud infrastructure is controlled by secure log-on processes, including multi-factor authentication.
Privileged or administrative access is tightly controlled and is only ever assigned to authorized individuals following an approval process. All privileged user accounts are named to identify the assigned individual and are separate from any standard user activities. Privileged activities are logged and are auditable.
Incident response and breach notification
Citation Canada has a rigorous incident management policy and procedure for events and incidents that may affect the confidentiality, integrity or availability of our systems and data, or that may be a breach of our internal policies, procedures, and standards.
Incidents are classified based on their severity and impact. The incident management policy covers the full incident lifecycle: detection, monitoring, containment, investigation, remediation, notification, and root cause analysis. Each phase has well-defined goals, guidelines, and responsibilities.
Citation Canada has had no material security incidents or reportable data breaches within the last 24 months.
Business continuity and disaster recovery
Citation Canada has formal, documented disaster recovery and business continuity procedures (BCP), which include backup solutions, site resilience, and contingency plans, and which are maintained and reviewed periodically.
The primary goal of the BCP is to ensure organizational stability and to coordinate recovery of critical business functions and systems in the event of disruption or disaster. Citation Canada stores client data redundantly in its hosting provider’s data centres to ensure greater resilience and availability.
The BCP provides for the restoration of access to client data and the continuation of operations and Citation Canada services during a range of short-term and long-term disaster events. The plan covers re-establishment of the information technology environment(s) following an unplanned event impacting a data centre, infrastructure, data, or systems.
The BCP, disaster recovery plans and related procedures are tested at least annually.
Web platform security
The web-based platform provided by Citation Canada employs the following security measures:
- Optional email-based multi-factor authentication for Citation Canada clients.
- Strong password requirements.
- Secure System Development Lifecycle and release management best practices.
- Fully documented backup and restore procedures and an incident response and disaster recovery plan are also in place and tested annually.
- Real-time monitoring of our web and database servers, providing alerts on any suspicious activity for immediate review.
- Routine user access reviews of production access requests and the release pipeline.
- Annual penetration testing by third-party accredited specialists.
- Monthly vulnerability scanning.
- Monitoring and blocking of malicious traffic to the application by AWS Web Application Firewall (WAF).
- Comprehensive security logging and monitoring.
Citation Canada’s Sub-processors
Effective date: September 26, 2024
Sub-processors are third-party businesses engaged by a processor to perform data processing on behalf of a controller. Data protection obligations of sub-processors are to be established by way of contract or other legal acts under Canadian law. Citation Canada imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of individuals’ personal data is protected to the standards required by applicable data protection laws.
Citation Canada engages the third-party entities in the table below to perform limited activities in connection with the Citation Canada platform and associated services, as described in our Terms of Service or any similar service agreements customers may have signed with us.
Governance
Citation Canada partners with organizations that, like us, adhere to global standards and regulations. Before a contract is concluded, Citation Canada examines the partner’s data protection measures, confirms compliance with Citation Canada security requirements, and conducts security audits or questionnaires. Agreements include provision for breach notification in the event of unwarranted data incidents, and for the security measures necessary for data protection.
Agreements
Citation Canada provides all clients with Terms of Service that cover its obligations regarding the processing of personal data. Citation Canada commits to keeping this list updated regularly, to enable controllers to stay informed of the scope of sub-processors associated with Citation Canada services.
List of Sub-processors
Citation Canada uses the following sub-processors to assist in providing the Services. Depending upon the Services ordered as set out in the agreement, the sub-processors include:
| NAME | PURPOSE | DATA STORED | DATA STORAGE LOCATION | SECURITY POLICY |
| --- | --- | --- | --- | --- |
| AWS | Cloud service provider | Business User data and End Customer data security | Canada | https://aws.amazon.com/security/ |
| Microsoft Office 365 | Client service using client-provided email addresses | Personal data included in email, documents and other data transferred in an electronic form in the context of using Microsoft services. | United States | https://www.microsoft.com/en-us/trust-center |
| Salesforce | Customer relationship management platform | Business User data including name, email, address, and telephone | United States | https://security.salesforce.com/ |
| LeanData | Revenue orchestration platform for marketing | Business User data in Salesforce | United States | https://leandatahelp.zendesk.com/hc/en-us/articles/360016462253-LeanData-Enterprise-Security-Architecture-Overview |
| HubSpot | Marketing automation and analytics, monitoring website activity and as a communications tool | Personal information including first name, last name, email address, phone number for users who are the primary account or opportunity contact(s) and associated personalized and relevant contact communication. | United States | https://trust.hubspot.com/ |
| DealHub | Configure, price, quote platform to generate and manage contracts with clients and prospects | First name, last name, title, business email. A client’s billing information such as contact phone number and billing address is also collected and stored. | United States | https://dealhub.io/platform/security/ |
| Stripe | Payment processor | Payment details of customer representative (including credit card number, full name on the credit card, expiry date and CVV), email of customer representative, address of place of employment, telephone number of customer representative. | United States | https://stripe.com/docs/security |
| Snowflake | Data warehouse | Business User data and End Customer data | United States | https://www.snowflake.com/en/resources/learn/snowflake-security-hub/ |