Data Protection
Stannp processes personal data as a Service Provider on behalf of business clients in compliance with PIPEDA and Canadian privacy laws, including Quebec's Law 25. We implement appropriate technical and organizational measures including encryption, regular audits, penetration testing, and strict access controls to protect personal data. All personal data is stored exclusively within Canada (Canada Central and Canada East regions), and customers retain full control with the ability to delete data at any time while we support all PIPEDA data subject rights and Quebec Law 25 rights including data portability.
Acceptable Use
Stannp maintains strict acceptable use policies requiring unique user credentials for all system access, with all customer data classified as confidential. Employees are prohibited from storing customer data on unauthorized equipment, and all company devices have mandatory automated antivirus software that cannot be disabled. System logging and monitoring occur in accordance with PIPEDA and Canadian privacy laws, with all breaches investigated and subject to disciplinary action.
Record Retention
We retain records only for legitimate business reasons in compliance with PIPEDA, with a standard retention period of three years (customizable based on client requirements). All data is stored on cloud-based servers in Canada with 256-bit AES encryption at rest and TLS 1.2/1.3 in transit. Periodic reviews verify data necessity, with secure disposal through professional shredding for paper records and complete data removal preventing reconstruction for electronic records, all fully documented.
Business Continuity and Disaster Recovery
Our comprehensive plans ensure rapid recovery with RTOs of 30 minutes for critical platform services and databases, supported by frequent backups including transaction logs every 5 minutes. All backups are encrypted, with testing conducted every 6 months and full annual recovery validation. We maintain a 99%+ uptime SLA through redundant systems, with documented procedures and regular training ensuring preparedness.
Multi-Factor Authentication
Multi-factor authentication (MFA) is mandatory on all systems without exception, using time-based one-time passwords (TOTP) or authentication applications combined with strong password requirements. Session timeouts of 1 hour for applications and 3 hours for administrative access integrate with MFA, requiring full re-authentication. This universal implementation supports compliance with PIPEDA and Canadian privacy laws, ISO 27001, PCI-DSS, and industry best practices for authentication security.