Security Policy
Last updated: January 15, 2024
Overview
Tracument understands how important security and privacy are to professionals. Our business relies on exercising the utmost care in protecting the security of your Tracument account and the documents and payment information contained therein. We use industry-leading security measures to make sure your information is stored and transferred securely.
Network/Internet
Secure Socket Layer: We use up to 2048-bit RSA keys that are rotated every 90 days to encrypt all communications over the Internet.
Data Storage
Our servers are hosted in Canada and subject to Canadian security and privacy laws. All data is stored using 256-bit Advanced Encryption Standard (AES-256). These locations are certified to ISO27001, ISO27017, and ISO27108 standards, among others, and are audited continuously to attest to their compliance.
Firewalls
Our datacentre uses redundant firewalls to detect and prevent unauthorised traffic to our servers.
Intrusion Detection
All of our servers run intrusion detection agents that send data to an intrusion detection server. The host-based intrusion detection we employ has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralised policy enforcement, rootkit detection, real-time alerting and active response.
Account Verification
In order to ensure that the holder of a given account is actually the organisation represented in our system, each new account is authenticated by a Tracument representative. This is done by confirming through personal contact or publicly available information that the organisation is who they represent themselves to be.
One-time Login/Secure Email Link
Documents sent by secure email link by Tracument account holders to non-Tracument users are accessible by a one-time unique link and protected by a one-time password set by the sending party.
Fax Transmissions
Fax transmissions are sent to our fax servers using SSL encryption. Only requests where the user selects fax as the delivery method will be transmitted in this way. No provided documents or Secure Send documents are ever transmitted by fax.
Mail requests are printed, handled, and mailed by Tracument staff or contractors. These workers are subject to confidentiality agreements. No documents sent by Paywall or by Secure Send are ever transmitted by mail.
Payment Security
When a providing firm uploads a document or set of documents, those documents cannot be viewed by the intended recipient until they have paid the accompanying invoice. Tracument collects these funds and disburses them at regular intervals to the providing party. Any payments received are secured in a CDIC-insured account until they are disbursed.
Credit Card Security
All credit card transactions are tokenised and sent to Stripe for execution. Stripe is PCI Level 1 compliant, which is the most stringent credit card security certificate. We are PCI DSS compliant by virtue of this outsourcing. See https://stripe.com/help/security for more information. Tracument does not hold or save credit card information on its servers or in its database.
EFT/Bank Security
All bank transfers are executed by CIBC through their secure online portal. Access to this portal is limited to directors of Tracument, and access codes are changed every sixty seconds by CIBC's security services.
Information Storage Location
All documents uploaded to Tracument's servers are stored in Canada. The documents are subject to Canadian information security and privacy protection laws.
Physical Security
Our servers are physically hosted at geo-redundant secure locations in Canada. These locations are certified to ISO27001, ISO27017, and ISO27108 standards, among others, and use a variety of security controls to limit physical access to our information.
Built-in Application Security Features
Password Rotation
We offer password rotation for user accounts, which reduces the risk of password theft or mismanagement.
Password Encryption
All passwords are encrypted on our servers, preventing unauthorised access to passwords.
Brute Force Password Guessing Mitigation
Repeated login attempts result in blocking the offending IP address for 24 hours.
Multi-Factor Authentication
Tracument offers Multi-Factor Authentication as an option for firms that wish to authenticate via multiple factors.
Role-based access
We have three levels of users: owners, administrators, and regular users. This allows account owners to grant access and controls only to appropriate users.
Limited Viewing Ability
Only the owner of the account and the uploading user are able to view the documents provided. This protects the privacy of provided information as other users from the providing company cannot view potentially sensitive information.
Limited Access to Documents
The Tracument system does not allow Tracument staff to access provided documents or documents sent through Secure Send. Tracument does have access to requesting documents and authorisations. All staff and contractors have signed confidentiality agreements in place.
Document Expiry
All documents sent through Paywall, Secure Send, and Chart Transfer, along with files received through Portal, expire after 120 days.
Questions
If you have any questions about this document, or would like more information about how Tracument works to protect the privacy of its users, please feel free to email us at support@tracument.com.