Keystroke has always tried to be forward-leaning when it comes to privacy issues & the security of our customer data. When the Canadian Anti-Spam Legislation (CASL) was first introduced in 2014, we came out with the Opt-in Manager, which allowed customers to easily and efficiently harvest opt-in information for marketing purposes. We also securely host all our data on Microsoft Azure servers in Canada that require multi-factor authentication for all our internal employees to log in.
Based in large part on Europe’s “General Data Protection Regulation” (GDPR), this new provincial law is intended to give more rights to individuals who share their personal information and, at the same time, it institutes a general principle of transparency.
Compliance Requirements
To be in compliance, consent must be expressed in a clear and free manner, obtained by means of simple and clear language. Act 25 also provides that consent must be obtained directly and not masked within an abundance of information. In addition to the above, in order for consent to be valid, an organization must inform the individual who is sharing personal information of the following:
- The purposes for which the information is being collected
  - Billing & communication purposes only
- The means used to collect the information
  - Provided by customer
- One’s rights of access, correction and withdrawal of consent to use the information collected
  - Keystroke provides access to this information via the Keystroke Account Manager, where customers can view the information we store for their account, and request edits or removal of any information not required for the billing of their account.
- The categories of third parties to whom it is necessary to release the information for the defined purposes
  - Act! LLC is the only 3rd party this information is shared with as it's required for the initial account setup process
- The possibility that the information will be disclosed outside of Québec
  - (see above)
What data is collected?
For clarity, Keystroke does not collect private customer data beyond billing information. These details include company name, billing address, contact person, and business phone number and email. As stated above, the only 3rd party these details are shared with is Act! LLC when their Act! Premium account is being created. No payment information is stored in any of our systems, as customers must pay securely online at www.Keystroke.ca/payments each time a bill is due, or mail us a payment.
The Keystroke Privacy Policy is published HERE and provides more details on the data we collect and our purposes for doing so.
In the event of a breach
In the event that a data breach occurs with Keystroke systems, our security protocols require that we notify the client and report the incident to the CAI. To date, no such security breach has ever occurred to our knowledge. Neither Keystroke nor Act! LLC has access to customer-hosted data, so we have no relevant obligations under Act 25 pertaining to its privacy, beyond reporting security breaches of our Canadian hosting facilities to the affected customers and the Commission d'accès à l'information du Québec (CAI).
Our hosting facilities are managed by Amazon Web Services (AWS) which is a SOC11-compliant hosting service provider, with English and French servers domiciled in Canada.
Summary
We’ve seen firsthand with GDPR that organizations that take a strategic, customer-first approach versus a compliance-only approach to privacy are able to improve the customer experience and build the trust needed to drive innovation and economic development. At Keystroke, we aim to invest in the key areas of data security, governance, transparency, and compliance to continue to be worthy of our customers' trust.