Overview of security and compliance at Citation Canada

Trusting your data with Citation Canada, formerly HRdownloads, is an important decision, and we take that responsibility very seriously.

Introduction

Citation Canada understands that today’s organizations require an exceptionally high standard of security, privacy, and business continuity management. This is because the confidentiality, integrity, and availability of our clients’ data is vital to their business operations and to our own success.

Citation Canada takes a holistic approach to security, privacy, and business continuity. We achieve this by continually monitoring and improving our platforms, systems, processes, and people to meet the growing demands and challenges of the evolving threat landscape.

This document addresses the common questions we get from our clients when they’re considering using Citation Canada’s services and platform. It aims to provide an overview of the security controls employed by Citation Canada, including:

  • Information Security management system
  • Human resources security
  • Security training and awareness
  • Physical security controls
  • Technical security controls
  • Logical access controls
  • Incident response and breach notification
  • Business continuity and disaster recovery
  • Web platform security
  • Sub-processors

Company details

Citation Canada Inc.

727 Exeter Rd
London, ON
Canada

N6E 1L3


https://www.citationcanada.com/

Privacy Policy

Information Security Management System

Citation Canada maintains an information security framework that includes technical and administrative controls. This framework allows us to take a systematic approach to protecting commercial information, including our clients’ data and other critical assets, from both internal and external threats.

Our management system follows fundamental information security best practices, including:

  • Information security, data protection, and business continuity awareness training and education.
  • Dedicated teams and individuals responsible for information security, data protection, and business continuity.
  • Confidentiality, integrity, and availability incorporated as an essential element of development, networks, and systems.
  • Ensuring a risk-based approach to information security management.
  • Maintaining the principles of least privilege and need to know via role-based access controls.
  • Compliance with relevant laws, rules, and regulations, as well as with the contractual terms agreed between Citation Canada and its stakeholders, including clients, vendors, partners, employees, and other applicable third parties.
  • Continual monitoring of information security controls and adjusting and improving where necessary.

Human resources security

Citation Canada conducts reasonable and appropriate background and verification checks on all employees prior to employment. These include, but are not limited to, identity, right-to-work, and employment history checks.

All employees are required to conduct themselves in a manner consistent with the company policies. This includes responsibilities before, during, and after employment with Citation Canada.

Citation Canada employees, partners, and contractors are required to sign non-disclosure and confidentiality agreements upon joining the company and to abide by them throughout their engagement; certain service providers are bound by equivalent agreements. These agreements document their commitment to the company and to its information security.

Security training and awareness

Citation Canada has an awareness and education program that includes several initiatives:

  • Citation Canada employees undergo security, privacy, and business continuity training as part of the onboarding process.
  • Refresher training is provided monthly to reinforce the security, privacy, and business continuity principles, as well as industry best practices and common pitfalls.
  • Role-based training ensures the right education is provided to those roles that may represent a greater risk to Citation Canada based on their responsibilities, access levels, and functions.
  • Ongoing training includes monthly cyber awareness and simulated phishing campaigns in addition to regular companywide security communications.

Physical security controls

Citation Canada’s service is cloud-hosted in the Amazon Web Services Canada (Central) Region, which has a defined and protected physical perimeter and strong physical controls, including but not limited to access control mechanisms and tightly controlled outer and inner perimeters with increased security at each level. For further details, please refer to the AWS documentation on AWS data centre security.

Citation Canada ensures that access to company facilities is tightly controlled through physical access control systems (e.g., key card entry systems). All visitors to company premises must register at reception and are accompanied in secure areas by authorized personnel. Further measures include CCTV and clearly defined policies for physical access.

Technical security controls

Citation Canada has a dedicated, in-house operational security team responsible for managing, maintaining, and monitoring the following technical security controls:

  • Enterprise-grade anti-malware and endpoint detection and response (EDR) agents deployed to all Citation Canada endpoints and servers, with centralized management and monitoring.
  • Enterprise-grade, centrally managed firewalls in place to protect internal networks and external cloud applications and services.
  • Multi-factor authentication enforced for all Citation Canada employees accessing cloud-based workplace services.
  • Security event logs on all Citation Canada devices, continuously monitored by our managed detection and response service.
  • Operating systems automatically patched when updates become available.
  • Third-party software versions monitored and patched automatically or by centralized software package management.
  • E-mail security policies in place for all Citation Canada staff to protect against spam, phishing, and malware.
  • Web content filtering in place on all endpoints to restrict access to suspicious or malicious websites.
  • Full disk encryption enforced on all Citation Canada workstations.
  • Regular vulnerability scanning and analysis across the organization.

Logical access controls

Citation Canada maintains a formal access control policy and employs a centralized access management system. This is configured to control access by Citation Canada employees to client data and to support the secure creation, amendment, and deletion of user accounts.

Citation Canada regularly reviews assigned access rights to ensure that all user accounts and user account privileges are allocated on a need-to-know basis. Upon a change in scope of employment or termination of employment, access rights are removed or modified as appropriate.

Least-privilege, role-based access control (RBAC) is in place across our platforms. Access to highly sensitive systems and cloud infrastructure is controlled by secure log-in processes, including multi-factor authentication.

Privileged or administrative access is tightly controlled and is only ever assigned to authorized individuals following an approval process. All privileged user accounts are named to identify the assigned individual and are separate from any standard user activities. Privileged activities are logged and are auditable.

Incident response and breach notification

Citation Canada has a rigorous incident management policy and procedure for events and incidents that may affect the confidentiality, integrity, or availability of our systems and data, or that may be a breach of our internal policies, procedures, and standards.

Incidents are classified based on their severity and impact. The incident management policy covers the full incident lifecycle: detection, monitoring, containment, investigation, remediation, notification, and root cause analysis. Each phase has well-defined goals, guidelines, and responsibilities.

Citation Canada has had no material security incidents or reportable data breaches within the last 24 months.

Business continuity and disaster recovery

Citation Canada has a formal, documented business continuity plan (BCP) and disaster recovery procedure, which include backup solutions, site resilience, and contingency plans that are maintained and reviewed periodically.

The primary goal of the BCP is to ensure organizational stability and to coordinate the recovery of critical business functions and systems in the event of disruption or disaster. Citation Canada stores client data redundantly in its hosting provider’s data centres to ensure greater resilience and availability.

The BCP provides for the restoration of access to client data and the continuity of operations and Citation Canada services during a range of short-term and long-term disaster events. The plan covers re-establishment of information technology environments following an unplanned event affecting a data centre, infrastructure, data, or systems.

The BCP, disaster recovery plans, and related procedures are tested at least annually.

Web platform security

The web-based platform provided by Citation Canada employs the following security measures:

  • Optional e-mail-based multi-factor authentication for Citation Canada clients.
  • Strong password requirements.
  • Secure system development lifecycle and release management best practices.
  • Fully documented and annually tested backup and restore procedures, incident response plans, and disaster recovery plans.
  • Real-time monitoring of our web and database servers, which alerts on suspicious activity for immediate review.
  • Routine review of production access requests and of user access to the release pipeline.
  • Annual penetration testing by third-party accredited specialists.
  • Monthly vulnerability scanning.
  • Monitoring and blocking of malicious traffic to the application by AWS Web Application Firewall (WAF).
  • Comprehensive security logging and monitoring.

Citation Canada’s sub-processors


Effective date: September 26, 2024

Sub-processors are third-party businesses engaged by a processor to perform data processing on behalf of a controller. Data protection obligations of sub-processors are to be established by way of contract or other legal acts under Canadian law. Citation Canada imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws.

Citation Canada engages the third-party entities in the table below to perform limited activities in connection with Citation Canada’s platform and associated services as described in our Terms of Service or any similar service agreements customers may have signed with us.

Governance

Citation Canada partners with organizations that, like us, adhere to global standards and regulations. Before a contract is concluded, Citation Canada examines the partner’s data protection measures, verifies compliance with Citation Canada’s security requirements, and requires satisfactory completion of security audits and questionnaires. Agreements include breach notification provisions in the event of a data incident, together with the security measures necessary for data protection.

Agreements

Citation Canada provides all clients with Terms of Service that cover their obligations for processing of personal data. Citation Canada commits to keep this list updated regularly to enable controllers to stay informed of the scope of sub-processors associated with Citation Canada’s services.

List of Sub-processors

Citation Canada uses the following sub-processors to assist in providing our services. Depending upon the services ordered as set out in a client agreement, the sub-processors include:


Each entry lists the sub-processor’s name, purpose, the data stored, the data storage location, and a link to its security policy.

AWS
  • Purpose: Cloud service provider
  • Data stored: Business User data and End Customer data
  • Data storage location: Canada
  • Security policy: https://aws.amazon.com/security/

Microsoft Office 365
  • Purpose: Client service using client-provided email addresses
  • Data stored: Personal data included in email, documents, and other data transferred in electronic form in the context of using Microsoft services
  • Data storage location: United States
  • Security policy: https://www.microsoft.com/en-us/trust-center

Salesforce
  • Purpose: Customer relationship management platform
  • Data stored: Business User data, including name, email, address, and telephone
  • Data storage location: United States
  • Security policy: https://security.salesforce.com/

LeanData
  • Purpose: Revenue orchestration platform for marketing
  • Data stored: Business User data in Salesforce
  • Data storage location: United States
  • Security policy: https://leandatahelp.zendesk.com/hc/en-us/articles/360016462253-LeanData-Enterprise-Security-Architecture-Overview

Hubspot
  • Purpose: Marketing automation and analytics, monitoring of website activity, and communications tool
  • Data stored: Personal information, including first name, last name, email address, and phone number, for users who are the primary account or opportunity contact(s), and associated personalized and relevant contact communication
  • Data storage location: United States
  • Security policy: https://trust.hubspot.com/

DealHub
  • Purpose: Configure-price-quote (CPQ) platform used to generate and manage contracts with clients and prospects
  • Data stored: First name, last name, title, and business email; a client’s billing information, such as contact phone number and billing address, is also collected and stored
  • Data storage location: United States
  • Security policy: https://dealhub.io/platform/security/

Stripe
  • Purpose: Payment processor
  • Data stored: Payment details of the customer representative (including credit card number, full name on the credit card, expiry date, and CVV), email of the customer representative, address of place of employment, and telephone number of the customer representative
  • Data storage location: United States
  • Security policy: https://stripe.com/docs/security

Snowflake
  • Purpose: Data warehouse
  • Data stored: Business User data and End Customer data
  • Data storage location: United States
  • Security policy: https://www.snowflake.com/en/resources/learn/snowflake-security-hub/