Here at DigitalStaff ("us," "we," or "our"), we believe in the importance of keeping your information confidential and private. We actively design our automation solutions to reduce the risk of data breaches and follow certain procedures to ensure data protection.
When you visit www.digitalstaff.ca, or any time you interact or do business with us, you agree to the terms of this Policy as updated from time to time. We encourage you to periodically review our Policy.
How privacy fits in our organization
DigitalStaff’s Privacy Officer establishes, manages, and reviews policies and procedures on an ongoing basis. Information security and privacy training is also provided to employees and end users with access to sensitive data.
What kind of information do we collect and how do we use it?
We only collect, use, and disclose information that is necessary for carrying out our services. We will obtain your consent verbally or in writing to ensure that you knowingly give us access to your private information. We also log all of our data with detail (e.g. date and time logged) and manually verify information to ensure accuracy. When you use our website, we track your activity and note your computer IP address which may be used for targeted advertising purposes. If you interact with us through our website or email, we collect your name, phone number, email, and other information so that we can communicate directly with you. We may also use this information to send you marketing emails.
If we are developing an automation process for you, we will collect details about your business and the relevant internal processes you have. This can include your financial information when necessary. We may also collect your customers’ information, including personally identifiable information and any other information which may be necessary for the automation process. Please note that your financial information and your customers' personal information will only be used for carrying out the automation services that you have requested. We will not use this information for sales or marketing purposes.
In certain circumstances, we may set up a remote connection to your computer or network to directly and freely access your information. During this process, we may store your passwords solely for the purpose of carrying out the services and solutions which you have requested.
We may use non-personally identifiable information to measure our performance, build reports regarding our efficacy, and ensure that our products and services are working as intended. We may use the information we collect in existing services to improve our own internal processes, our automation software, and to help us develop new products or services.
Except where authorized or required by law, we will not collect, use, or disclose personal information for other purposes without obtaining your further consent.
We endeavor to maintain the strict confidentiality of your personal and contact information. We acknowledge and adhere to the terms and regulation of the Personal Information Protection and Electronic Documents Act ("PIPEDA") when collecting any personal information. We also do our best to comply with the specific privacy and data protection requirements of the province or territory in which your business operates. If health information is provided and shared with us under a data sharing agreement, we will act in compliance with the Personal Health Information Protection Act (“PHIPA”) and/or the health information act of the province or territory in which your business operates.
Automated Decision Making
In some instances, your data may be collected, processed and retained in an automated way, and automated decisions may be based on this information. We strive to accurately automate these processes to prevent errors in the collection of your data and will manually verify some items if need be.
We are in the business of building custom automated intelligence solutions. However, we also utilize pre-existing automated decision-making bots and systems from time to time to produce intel and solutions. This means that the algorithms are only sometimes of our own development, and we may build systems using parts of other individuals' solutions.
We are on the lookout for mistakes in the automated decision-making process; if we see an error, we will rectify it reasonably. If you see a mistake, please let us know.
What information do we not collect?
DigitalStaff does not collect any protected classifications, including age, race, gender, religion, sexual orientation, gender identity, gender expression, or physical and mental abilities or disabilities. You may provide these data voluntarily, such as if you include a pronoun preference in your email signature when writing in to our support team.
We also don’t collect any biometric data. You are given the option to add a photo to your user profile, which could be a real photo of you or a different photo that represents you best. We do not extract any information from profile pictures. They are for your use alone.
We do not collect or process the personal data of a child under 16 years of age. Where a child is under 16 years of age, and we are to collect their personal data, we will only do so if there is explicit, written consent authorized by the holder of parental responsibility over the child.
We don’t actively collect either category of the above data unless it is provided and shared with us under a data sharing agreement for the purpose of completing work for you.
How do we keep your information secure?
Information will be protected at a level commensurate with its sensitivity and risks. Any information that you provide us with is kept on encrypted and secured devices. Any private or confidential data that we store is always encrypted whether at rest or in transit, and we always use unique and complex passwords. We also use firewalls and anti-virus software. We may use protective file systems to maintain the integrity of your data. Our physical equipment is also stored in secure locations.
To provide you with the highest level of service, we keep your information stored so that you don’t have to provide us with it again in the future. If we use a Structured Query Language (SQL) database to store your data, we will log and audit our processes to ensure all changes to the database are tracked and all versions of your data are recorded.
We may also keep backups of your data, all of which are also encrypted. Backups and disaster recovery procedures are tested and reviewed on a recurring basis. We dispose of your data securely through manually identifying and removing your information from our databases and backups. We will do our best to dispose of your data in accordance with the legislative requirements of the province or territory in which your business operates.
We also use multi-factor authentication (MFA) protocols to ensure that only those with approved access can view and access your data. Access controls are determined when assigning project specific roles and onboarding and offboarding employees. We may also use intrusion detection systems to monitor our networks for potential privacy issues and to ensure compliance with our policies. Access controls will be reviewed in the event of a privacy incident.
We periodically review our existing and planned project processes to ensure they remain reliable, secure, and effective. We always consider privacy risks and notify relevant parties before making changes to our processes to ensure the confidentiality, integrity, and availability of your data.
Data Protection Officer (DPO)
DigitalStaff has appointed Oscar ONeill as its Data Protection Officer (DPO) to allow for greater risk protection and active data management. As DPO, Oscar will ensure that the processing of personal data by DigitalStaff complies with applicable data protection rules.
Data Protection Impact Assessment (DPIA)
Where the nature, scope, context and purposes of the data collection are likely to result in a high risk to the rights and freedoms of the data subjects, the DPO shall assess the impact of the anticipated processing operations on the protection of personal data.
To learn more about what a DPIA entails, visit https://gdpr.eu/data-protection-impact-assessment-template/.
We will take appropriate measures to provide you with information relating to processing in concise, transparent, intelligible and easily accessible forms. However, where requests from a data subject are excessive or unfounded, we may either:
Charge a reasonable fee taking into account the administrative costs of providing the information or taking action requested; or
Refuse to act on the request.
DigitalStaff shall bear the burden of demonstrating the unfounded or excessive character of the request.
Your Data Protection Rights
1. Right to Withdraw Consent
We take consent seriously. If you wish to withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice, you may do so via email, physical mail, or phone. Written withdrawal of consent is preferred. We will confirm the withdrawal of consent via email.
2. Right to Rectification
You have the right to request that DigitalStaff rectify any inaccurate personal information or data without undue delay. You also have the right to complete incomplete personal data, including by providing a supplementary statement. If your information changes, it is your responsibility to tell us so that DigitalStaff can update it in a responsible manner.
3. Right to Erasure ("Right to Be Forgotten")
So long as there are no legal grounds for the processing of your information, you have the right to request that DigitalStaff erase your data without undue delay in the following instances:
The personal data is no longer needed for the purposes DigitalStaff collected them;
You withdraw your consent on which the processing is based, and there is no other legal ground for the processing;
You object to the processing, and there are no overriding legitimate grounds for the processing;
The personal data has been unlawfully processed; and
The personal data has been collected in relation to the offer of information society services.
In cases where the personal data provided has been made public, we will take reasonable steps to inform external controllers who are processing the personal data that the data subject has requested to erase it.
4. Right to Restriction of Processing
If you would like to restrict the processing of your information in certain circumstances, a meeting between the data subject, DigitalStaff and DigitalStaff's customer must occur. The data subject must contact us by phone, email or mail to request the restriction of the processing.
In the event that we experience a data breach, within 24 hours of the initial breach, we will contact the client affected by the breach and inform them in clear and plain language of the nature of the personal data breach. All members of our incident response team will be notified. In the event of particularly serious breaches, we will also take steps to report the breach to the Ontario Privacy Commissioner and/or the Office of the Information and Privacy Commissioner of your province or territory within 72 hours of the initial breach.
We will not communicate the data breach to the subject if:
We have implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the breach;
We have taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialize;
It involves a disproportionate effort. For example, there will be a public communication or similar measure whereby the data subjects are informed equally effectively.
We monitor and audit our incident response procedures for effectiveness on a quarterly basis, as well as periodically throughout the year. We will conduct an audit of our procedures in the event of a data breach.
Your billing information
We store your credit card information in an online credit card repository called Stripe. Stripe is encrypted and highly secured to ensure your information is protected and safe. We only use your credit card information to process billings on a monthly, automatic, or as-needed basis for the work that we have completed for you. We may keep your bank account details locked up and encrypted for possible future direct billings so that you don’t have to provide us with them again in the future.
We may use Plooto or e-Interac to process your billing information. We may also use Xero to store your billing details and information.
Sharing your information
Within the company, we limit access to private data on a need-to-know basis. Employees will not have access to your information unless it is necessary for the completion of their job. DigitalStaff will also get your consent before disclosing information to a third party. Under certain circumstances, we may use a trusted third-party data controller and processor or cloud service provider, such as Google, Microsoft, UiPath, or Amazon (Amazon Web Services) to provide our automation solutions. These third-party providers each have their own privacy policies. We review and choose third-parties who will ensure your data is protected and secure; however, we do not control the manner in which third parties utilize your personal information. Under the Policy, DigitalStaff is not responsible in any manner for direct, indirect, special, or consequential damages, however caused, arising out of sharing your personal information with a trusted third-party for the automation solution.
We are a Canadian company and all data infrastructure is located in Canada except where we require additional service providers in order to serve you best. In such cases, those providers are usually in Canada, although we may occasionally procure services from providers in the United States.
Where can you get more information?
If you are interested in knowing what information we have relating to you in our database, please contact us and we can prepare a detailed list for you within 30 days in exchange for a fee. You may also contact us if you would like to request a correction to the information we have relating to you in our database. For administrative purposes, DigitalStaff will keep a record of all requests made. You will be notified by mail, email, or phone if your access or correction request has been approved. Sensitive information will be shared through a secure link.
For security and confidentiality purposes, please note that we reserve the right to request government-issued identification before disclosing data to you.
You, the customer, represent and warrant that:
You are legally entitled to provide DigitalStaff with the data given;
You are the sole, rightful and legal owner of all title, interest and rights (including but not limited to intellectual property rights) to the data given; and
If you are not the owner of the data, you have obtained all requisite approvals, authorizations and consents from the owner of the data to disclose and provide the data to DigitalStaff, thereby not infringing on any third party’s rights, interests or licenses.
You expressly agree to indemnify and forever hold harmless DigitalStaff, and its directors, officers, employees, shareholders, contractors, consultants, agents and representatives, for any breach of the representations or warranties contained herein and for any infringements of third party rights, interests or licenses as a result of you providing any information, data or documents to DigitalStaff from time to time.
"Data subject" or "You" – an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier or any other personal identity information.
"Data Controller" - the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of processing personal data.
"Data Processor" - a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
"Personal data" - any information relating to a data subject.
"Personal data breach" - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
"Processing" - any operation or set of operations which are performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Consent" – consent of the data subject means any freely given, specific, informed, unambiguous indication of the data subject's wishes by which they, by a statement or explicit action, signify agreement to the processing of personal data relating to them.
"Erasure" - the removal of writing, recorded material, data or any other material that DigitalStaff sees fit.