
Security & Compliance

Last Updated: January 15, 2025 | Security Review: Annual | Next Audit: Q4 2025

1. Compliance Frameworks

Crestview Analytics adheres to multiple regulatory and industry standards:

🇨🇦 Canadian Privacy Laws

  • BC Personal Information Protection Act (PIPA)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Canada's Anti-Spam Legislation (CASL)

🏢 Industry Standards

  • Real Estate Services Act (RESA)
  • Professional regulatory body requirements
  • Financial services compliance standards

2. Data Security Measures

Technical Safeguards

  • Encryption:
    • AES-256 encryption for data at rest
    • TLS 1.3 for data in transit
    • End-to-end encryption for sensitive communications
  • Access Controls:
    • Multi-factor authentication (MFA) required
    • Role-based access control (RBAC)
    • Principle of least privilege
    • Regular access reviews and deprovisioning
  • Network Security:
    • Next-generation firewalls
    • Intrusion detection and prevention systems
    • Network segmentation and isolation
    • VPN access for remote connections

Physical Safeguards

  • Secure data centers with 24/7 monitoring
  • Biometric access controls
  • Environmental controls and redundancy
  • Secure disposal of physical media

Administrative Safeguards

  • Comprehensive security policies and procedures
  • Regular security awareness training
  • Background checks for all personnel
  • Incident response and business continuity plans

3. Data Protection Standards

Data Classification

  Classification    | Data Type            | Protection Level
  ------------------|----------------------|---------------------------------------
  Highly Sensitive  | Income/Billing Data  | Maximum encryption, restricted access
  Sensitive         | Personal Information | Strong encryption, controlled access
  Confidential      | Property Records     | Standard encryption, logged access

Data Retention & Disposal

  • Retention Schedule: Data retained per legal requirements and business needs
  • Secure Disposal: NIST-compliant data destruction procedures
  • Audit Trail: Complete logs of data lifecycle events
  • Customer Data: Deleted within 30 days of contract termination

4. Incident Response & Breach Notification

24-Hour Response Protocol

  1. Detection & Assessment (0-2 hours)
    • Automated monitoring and alerting
    • Initial incident classification
    • Security team activation
  2. Containment & Investigation (2-8 hours)
    • Isolate affected systems
    • Preserve evidence
    • Determine scope and impact
  3. Notification & Communication (8-24 hours)
    • Notify affected customers
    • Report to regulatory authorities if required
    • Coordinate with law enforcement if necessary

Breach Notification Requirements

  • Customer Notification: Within 24 hours of confirmation
  • Privacy Commissioner: Within 72 hours if required by law
  • Affected Individuals: Without unreasonable delay if high risk
  • Documentation: Complete incident reports and remediation plans

5. Third-Party Security

Vendor Management

  • Comprehensive security assessments
  • Contractual security requirements
  • Regular security reviews and audits
  • Data processing agreements (DPAs)

Cloud Security

  • SOC 2 Type II certified cloud providers
  • Data residency in Canada where possible
  • Shared responsibility model implementation
  • Regular penetration testing

6. Employee Security

Personnel Security

  • Background Checks: Comprehensive screening for all staff
  • Confidentiality Agreements: Signed by all employees and contractors
  • Security Training: Regular awareness and skills training
  • Access Management: Regular reviews and prompt deprovisioning

Training & Awareness

  • Annual security awareness training
  • Phishing simulation exercises
  • Privacy and compliance training
  • Incident response drills

7. Audit & Monitoring

Continuous Monitoring

  • 24/7 security operations center (SOC)
  • Real-time threat detection and response
  • Comprehensive logging and audit trails
  • Regular vulnerability assessments

Regular Audits

  • Internal Audits: Quarterly security reviews
  • External Audits: Annual third-party assessments
  • Penetration Testing: Semi-annual security testing
  • Compliance Reviews: Regular regulatory compliance checks

8. Customer Security Responsibilities

Customers must:

  • Implement appropriate security measures for received data
  • Use strong authentication and access controls
  • Encrypt data in transit and at rest
  • Report suspected security incidents immediately
  • Comply with data retention and disposal requirements
  • Train staff on data handling procedures

9. Security Incident Reporting

🚨 Report Security Incidents

If you discover a security vulnerability or suspect unauthorized access, report it immediately:

10. Contact Information

For security and compliance questions:

Security Questions?

Our security team is available to discuss our security measures and compliance standards.

Contact Security Team