
Data Processing Addendum

1. Validity

As a responsible company, Virtual Guardian demonstrates the highest level of attention to the protection of sensitive data, particularly the personal data of its clients and partners.

This Data Processing Addendum is hereby incorporated into the Master Service Agreement of the SOC Virtual Guardian contract signed by the client.

Unless the Client has entered into a specific written replacement agreement, Virtual Guardian may modify this Addendum as its activities evolve. Any revisions will take effect on the date the modifications are published by Virtual Guardian. The Client will be notified of any such update by e-mail.

The Client may consult the most recent version of the Data Processing Addendum at any time by visiting this page. If the Client continues to use the services after the effective date of any modification, such use will constitute acceptance of the revised Data Processing Addendum.

Last update: 22/08/2024

2. Definitions

“Data Protection Laws”: refers to all data protection laws and regulations applicable to the processing of Personal Data under this DPA, including, but not limited to, the laws on the protection of personal information in the private and public sectors in Quebec (known as Law 25).

“Personal Data” or “Personal Information”: means any information relating to an identified or identifiable natural person, directly or indirectly, processed by Virtual Guardian or its subcontractors under the SOC contract.

“Processing”: refers to any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Subcontractor”: means any third party appointed by or on behalf of Virtual Guardian to process Personal Data on behalf of the client.

3. Personal Data Processing

3.1 Parties' Roles

The parties acknowledge and agree that, with respect to the processing of Personal Data, the client is the Processor and Virtual Guardian is the Subcontractor.

3.2 Client's Processing of Personal Data

When using SOC services, the client must handle Personal Data in compliance with data protection legislation. The Client’s instructions for processing Personal Data must also adhere to such legislation. Virtual Guardian will only process Personal Data for the purposes described in the contract and in accordance with the client’s documented legal instructions.

4. Data Collection and Management

4.1 Business Context – Collection Objectives

As part of its managed cybersecurity monitoring service (Security Operations Center, SOC), Virtual Guardian is granted controlled access to its clients' information systems, allowing it to collect and analyze technical data, monitor events, and detect potential security incidents.

To this end, and in order to deliver the services outlined in the agreement, Virtual Guardian collects technical data and personal information solely for the purpose of providing the contracted services in an appropriate, personalized and secure manner.

In all cases, the disclosure of personal and confidential information is governed by confidentiality obligations and compliance with applicable laws.

4.2 Data Collected

4.2.1 Personal Information

The purposes for which personal information is collected, and the rules governing its protection, are described in the Privacy Policy of ESI Technologies, the parent company of Virtual Guardian.

The categories of personal information potentially collected by Virtual Guardian are listed below (non-exhaustive list):

  • Professional identification information: last name, first name, postal address, cell phone number, email address, etc.
  • Commercial information: transaction history, requests for information, quotes, etc.
  • Computer and digital activity information: IP address, MAC address, logs, device type, etc.
  • Account information: roles and permissions, settings and preferences, login details, etc.
  • Cookies: cookies are small files that may be downloaded to a visitor’s device when visiting and using the Virtual Guardian website. They enable the recognition of devices and store information about users’ preferences or previous actions. We use browser cookies to record user preferences, optimize the design of the Virtual Guardian website, and for commercial and promotional purposes.

Virtual Guardian uses technological means to collect personal information, including but not limited to scanning tools for servers, systems and workstations belonging to Virtual Guardian or to the client under the SOC contract, and geolocation tools.

4.2.2 Technical Information

Virtual Guardian's Security Operations Center (SOC) collects a variety of technical data to ensure the security and integrity of its clients' information systems and to provide the services specified in the agreement.

Client information collected and processed by the SOC includes data gathered at the time of contract signature, as well as information derived from event data, network flow data and vulnerability assessments.

Specifically, the SOC collects the following types of information (non-exhaustive list):

  • Client data collected during contract and service set-up: contact person’s name (first and last), telephone number, email address, IP address, operating system, service, VLAN, public IP address, switch, router, cloud environment, cloud application, websites, security equipment, security incident history, application inventories (application name, manufacturer, version) and critical business processes.
  • Events (Event Data): dates and times of recorded events, usernames, IP addresses and associated geolocation data, system names, processes performed, source and destination ports, and error messages.
  • Network Flows (Flow Data): source and destination IP addresses/ports, data volumes, and session duration.
  • Vulnerability Assessment: vulnerable assets, identified security vulnerabilities, severity scores, patch status, compliance assessment results, and system configuration data.

4.3 Management by Virtual Guardian Subcontractors

4.3.1 Subcontracting

Authorized subcontractors: The client agrees that Virtual Guardian may engage subcontractors to process personal or technical data on its behalf.

Virtual Guardian maintains an up-to-date list of its subcontractors (see below).

4.3.2 Third-Party Risk Management Program

Virtual Guardian relies on certain subcontractors to process collected data and provide SOC services for the benefit of the client. Virtual Guardian ensures that its partners take all necessary measures to protect its clients' data. To achieve this, Virtual Guardian relies on partners who hold a valid SOC 2 report attesting to the strength of their security controls. These SOC 2 reports are requested annually from the SOC's critical subcontractors.

Critical subcontractors are included in Virtual Guardian's Third-Party Risk Management Program (TPRM[1]), which involves the following measures:

  • An internal directive on third-party management defines the rules for managing subcontractors at the company level.
  • Under the supervision of its security committee, Virtual Guardian monitors the security levels of its critical service providers in real time.
  • Subcontractors who do not hold a SOC 2 report are subject to a specific security assessment by Virtual Guardian.
  • Corrective measures: If any security issues are detected in the service provider’s security system, Virtual Guardian may issue requests for corrective actions.

4.3.3 Transfer of Responsibility to Third Parties

Based on the controls outlined in the previous section, Virtual Guardian transfers certain cybersecurity and data management risks to its subcontractors. This transfer includes controls for security incident management, business continuity, and disaster recovery measures.

| Partner | Type of Processing | Location | SOC 2 | Transfer Mechanism | DPA / Legal References |
| --- | --- | --- | --- | --- | --- |
| CrowdStrike | Cloud EDR | USA | Yes | Standard Contractual Clauses | https://wwww.crowdstrike.com/data-protection-agreement/ ; https://www.crowdstrike.com/terms-conditions/ |
| CrowdStrike | Cloud Threat Analysis | USA | Yes | Standard Contractual Clauses | https://wwww.crowdstrike.com/data-protection-agreement/ ; https://www.crowdstrike.com/terms-conditions/ |
| Qualys | Cloud Vulnerability Scanning | USA | Yes | Standard Contractual Clauses | https://www.qualys.com/company/privacy/ ; https://docs.qualys.com/en/vmdr-mobile/latest/configuration/EULA_Management.htm ; https://www.qualys.com/support/sla/ ; https://www.qualys.com/company/community-terms-of-use/ |
| ConnectWise | Cloud | USA | Yes | Standard Contractual Clauses | https://www.connectwise.com/globalassets/media/documents/legal/connectwise-data-processing-addendum-82620.pdf ; https://www.connectwise.com/globalassets/media/documents/legal/connectwise-data-processing-addendum-rev.-04.04.2023.pdf ; https://www.connectwise.com/company/gdpr ; https://www.connectwise.com/globalassets/media/documents/gdpr-checklist-for-data-controllers_.pdf |
| D3 Security | Cloud | Canada | No | Standard Contractual Clauses | https://d3security.com/privacy/ ; https://d3security.com/blog/quick-guide-to-gdpr-infographic/ ; https://d3security.com/blog/2018-gdpr-compliance-report/ |
| Fortinet | Cloud | USA | Yes | Standard Contractual Clauses | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/Fortinet_Data_Privacy_Practices.pdf ; https://www.fortinet.com/corporate/about-us/gdpr ; https://www.fortinet.com/content/dam/fortinet/assets/legal/Fortinet-Service-Offering-Terms.pdf |
| Microsoft Azure | Cloud | USA | Yes | Standard Contractual Clauses | https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA?lang=1 ; https://www.microsoft.com/en/servicesagreement ; https://www.tfm-now.com/files/tfm/docs/Windows Azure Data Processing Agreement.pdf |

5. Audit Rights

Virtual Guardian will provide the client with all information necessary to demonstrate compliance with this addendum. Virtual Guardian will also permit and facilitate audits, including inspections, conducted by the client or by an auditor appointed by the client.

Appendix A – General Description of Data Protection Measures

As an ISO 27001-certified organization, Virtual Guardian complies with current regulations and data protection standards in terms of confidentiality, availability and integrity.

In general, Virtual Guardian applies human, technical, organizational and incident-response security measures to ensure the protection of client data.

Data lifecycle management measures, covering collection, processing, destruction and related stages, are implemented in compliance with the ISO 27001:2022 standard.

Ability to Ensure Confidentiality, Integrity, Availability, and Ongoing Resilience of Processing Systems and Services

Employee Training and Awareness:
The training and awareness of Virtual Guardian staff are key elements in protecting our clients' data. All staff are required to undergo mandatory awareness training on the risks associated with information systems and the protection of sensitive data. Employees also receive specialized training aligned with the responsibilities of their roles, including managers, IS security officers, IT technicians, and others.

Privacy:
Virtual Guardian has implemented measures to ensure that no unauthorized individuals gain access to client data. These measures include, but are not limited to:

- Access to client data is managed through a role-based access control (RBAC) permissions model, based on the need for access and the principle of least privilege.

- A secure authentication process is in place.

- All Virtual Guardian employees undergo criminal background checks to ensure no history of employment-related offenses.

- Virtual Guardian's internal database is located in a Microsoft Azure data center owned by Microsoft Inc.

- Physical security controls are implemented at Virtual Guardian's office, including a security guard at the building entrance, an alarm system, and visitor registration.

- All employees and critical subcontractors of Virtual Guardian are subject to non-disclosure agreements.

Encryption:
Data is encrypted in transit using HTTPS (HTTP over TLS) with 2048-bit certificates; the corresponding private keys are stored in a dedicated secrets vault. Weak encryption algorithms are disabled.

Data at rest is also encrypted by Virtual Guardian and its subcontractors.

Encryption keys are managed by a limited number of employees and secured in a safe with regular rotations.

Anonymization:
Virtual Guardian’s policy is to anonymize client Personal Information whenever possible.

Integrity:
Virtual Guardian has implemented measures to ensure that data integrity is maintained. These measures include, but are not limited to:

- The right to modify or delete client data (including personal information) is restricted to a limited group of individuals on a need-to-know basis and according to the principle of segregation of duties.

- Members of the SOC team and the technical support team are granted rights to modify and delete client data in the Virtual Guardian database. Any such actions are recorded in an audit log. Virtual Guardian conducts regular access reviews.

Availability:
Virtual Guardian has put in place measures to ensure that client data is available and used properly in the intended process. These measures include, but are not limited to:

- Virtual Guardian and its subcontractors have an incident response, business continuity, and disaster recovery plan. Virtual Guardian performs tabletop exercises at least once a year.

- Virtual Guardian ensures that its database is backed up in accordance with its retention policy. Backups are verified and tested annually to confirm they meet its RPO and RTO.

- Virtual Guardian's infrastructure and database schema are built from archived scripts, enabling rapid, dynamic redeployment of the entire infrastructure within a matter of hours, in line with its disaster recovery plan.

- Virtual Guardian's hosting environment is monitored by its SOC to prevent malware, and a centralized anti-malware solution with periodic comprehensive scans and firewall integration protects the office environment.

Incident management:
Virtual Guardian has an incident response plan designed to organize the management of security incidents by dedicated teams (CSIRT).

Note – Confidentiality incidents are events concerning the security of personal information – where applicable, confidentiality incidents are dealt with in accordance with the specific applicable regulations.

Resilience:
Virtual Guardian has implemented measures to ensure SOC resilience. These measures include:

- Virtual Guardian's infrastructure scales as the load increases.

- Virtual Guardian's infrastructure is redundant.

- Virtual Guardian's database server is redundant in the cloud.

Ability to Restore Availability and Access to Client Information in a Timely Manner in the Event of a Physical or Technical Incident

If the cause of the failure falls within Virtual Guardian's control, the recovery time objective (RTO) is approximately 4 hours or less. See the "Availability" section for more details.

Process of Testing, Evaluating and Regularly Assessing the Effectiveness of Technical and Organizational Measures Designed to Guarantee the Security of Processing

- Access control: Virtual Guardian reviews access rights regularly.
- Vulnerability assessments: tests are carried out on an ongoing basis.
- Security assessment: Virtual Guardian uses several dashboards to assess its security and undergoes an annual ISO 27001 audit by an accredited external firm.
- Log centralization: Virtual Guardian uses a SIEM to aggregate its logs. Logs are hosted in an MS Azure cloud environment in Canada.

The Process of Ensuring that Government or Law Enforcement Access is Legally Valid and Appropriate

Virtual Guardian ensures that clients’ personal information cannot be accessed by government organizations or law enforcement agencies without due process. Virtual Guardian and its subcontractors will not disclose any data to government or law enforcement agencies, except upon instruction from the client or when required by law.

Virtual Guardian and its subcontractors review all requests to ensure that they are legally valid and appropriate. Upon receipt of such a request, Virtual Guardian will inform the client, unless prohibited by law. By default, we will ask the government organization or law enforcement agency to retrieve the data directly from the client. Where Virtual Guardian or its subcontractors are legally required to disclose information, only the information specifically requested may be disclosed.

[1] Third Party Risk Management
