Compliance Tool
PRIVACY POLICY
Last Updated: March 9, 2025
1. INTRODUCTION
1.1 About This Policy
This Privacy Policy (“Policy”) explains how Cloud Officer, a corporation incorporated under the laws of Quebec, Canada (“Company,” “we,” “us,” or “our”), collects, uses, discloses, and protects information in connection with the Compliance Tool platform (the “Platform”) and related services (collectively, the “Services”).
1.2 Our Commitment
We are committed to protecting your privacy and handling your information responsibly and in compliance with applicable privacy laws, including:
- The Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)
- Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (Law 25)
- The General Data Protection Regulation (GDPR) (European Union)
- The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) (California, USA)
1.3 Acceptance
By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Policy, please do not use the Services.
1.4 Relationship to Terms of Use
This Privacy Policy is incorporated into and forms part of our Terms of Use. Capitalized terms not defined herein have the meanings set forth in the Terms of Use.
2. INFORMATION WE COLLECT
2.1 Account Information We Collect
When you create an account and use our Services, we collect the following limited personal information directly from you:
| Information Type | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, authentication, communications | Contract performance, legitimate interests |
| First name | Account identification, personalization | Contract performance |
| Last name | Account identification, personalization | Contract performance |
| Password (encrypted) | Account security and authentication | Contract performance |
| Two-factor authentication (2FA) data | Account security | Contract performance |
| Company/organization name (if provided) | Account identification, billing | Contract performance |
| Billing information (for invoiced customers) | Payment processing, invoicing | Contract performance |
2.2 Payment Information
-
Stripe Customers: If you pay via Stripe, your payment card information is collected and processed directly by Stripe. We do not receive or store your full credit card number. We receive only limited information from Stripe (such as the last four digits of your card and expiration date) for identification purposes. Stripe’s privacy policy governs their handling of your payment information.
-
Invoiced Customers: For customers who pay by invoice, we collect billing contact information and company details necessary for invoicing.
2.3 User-Generated Content in Text Fields
The Platform includes text fields and input areas where you may enter information related to your compliance documentation (“User-Generated Content”). This includes, but is not limited to, document editors, description fields, notes, comments, and any other areas where you may compose or enter text. Content you create in the Platform’s document editor is stored on our servers.
IMPORTANT - YOUR RESPONSIBILITY:
(a) We do not require or request that you enter any personal information, sensitive data, or confidential information in these text fields;
(b) You are solely responsible for the content you choose to enter in these fields;
(c) You should NOT enter any of the following in text fields:
- Personal information of third parties (employees, customers, etc.)
- Social Insurance Numbers, Social Security Numbers, or government IDs
- Health or medical information
- Financial account numbers or payment card data
- Passwords, credentials, or security codes
- Any sensitive personal information as defined by applicable privacy laws
(d) If you choose to enter personal or sensitive information in text fields despite this prohibition, you do so at your own risk and you are solely responsible for compliance with all applicable privacy laws regarding such information;
(e) We disclaim all responsibility for any personal or sensitive information you voluntarily enter in text fields, and we are not acting as a “processor” or “service provider” with respect to such information under GDPR, CCPA, or similar laws.
2.4 External Links (Not Files)
When you attach or link documents to the Platform:
(a) We store only hyperlinks/URLs pointing to files hosted on your own external cloud storage services (Google Drive, OneDrive, Dropbox, SharePoint, etc.);
(b) We do NOT access, download, copy, or store the actual content of your linked files;
(c) Your external cloud storage provider’s privacy policy governs the handling of files stored on their services;
(d) You are solely responsible for the security, access controls, and privacy compliance of your external cloud storage.
2.5 Integration Data
The Platform allows you to connect third-party services using API keys or credentials that you provide (such as AWS, GitHub, Google Workspace, Kandji, Microsoft Intune, 1Password, or Atlassian). When you configure these integrations, the Platform may retrieve and store information from those services, including but not limited to:
| Data Type | Examples |
|---|---|
| Employee/user information | Names, email addresses, 2FA status, last login times, group memberships |
| Device information | Device names, serial numbers, models, operating system versions, compliance status |
| Security and compliance data | Configuration rules, security findings, policy compliance status |
YOUR RESPONSIBILITIES:
(a) You control which integrations are enabled and what data is synced to the Platform;
(b) This data belongs to your organization. We store it solely to provide the Services to you;
(c) You are responsible for ensuring you have appropriate authorization to sync this data, including any required employee notices or consents under applicable privacy laws;
(d) You are responsible for the scope of permissions granted by the API keys you provide (see Terms of Use §5.3);
(e) We do not use Integration Data for any purpose other than providing the Services to you.
2.6 Automatically Collected Information
When you use the Services, we automatically collect certain technical information:
| Information Type | Purpose |
|---|---|
| IP address | Security, fraud prevention |
| Browser type and version | Troubleshooting |
| Operating system | Troubleshooting |
| Device information | Security |
| Access times and dates | Security, troubleshooting |
2.7 Cookies and Similar Technologies
We use cookies and similar technologies for:
- Essential cookies: Required for the Platform to function (authentication, security)
- Preference cookies: To remember your settings and preferences
Disabling essential cookies may prevent you from using the Services.
2.8 Information We Do NOT Collect
We do NOT intentionally collect:
- Personal information of your employees, customers, or third parties
- Health or medical information (ePHI or PHI)
- Biometric data
- Genetic data
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Sexual orientation or sex life data
- Criminal history
- Children’s personal information (the Services are not intended for anyone under 16)
2.9 Technologies We Do NOT Use
We do NOT use:
- Tracking pixels or web beacons
- Third-party advertising or marketing SDKs
- Behavioral tracking or profiling
- Cross-site tracking
- Analytics platforms that track individual users
- Social media tracking widgets
3. HOW WE USE YOUR INFORMATION
3.1 Primary Purposes
We use your personal information for the following purposes:
| Purpose | Description | Legal Basis |
|---|---|---|
| Provide Services | To create and manage your account, provide access to the Platform, and deliver the Services | Contract performance |
| Authentication | To verify your identity and secure your account | Contract performance, legitimate interests |
| Communications | To send service-related communications, updates, and support responses | Contract performance, legitimate interests |
| Billing | To process payments and send invoices | Contract performance |
| Support | To respond to your inquiries and provide customer support | Contract performance, legitimate interests |
| Security | To detect, prevent, and address fraud, abuse, and security issues | Legitimate interests, legal obligations |
| Improvements | To analyze usage patterns and improve the Services | Legitimate interests |
| Legal Compliance | To comply with applicable laws, regulations, and legal processes | Legal obligations |
3.2 What We Do NOT Do
We do NOT:
- Sell your personal information to third parties
- Share your personal information for third-party marketing purposes
- Use your personal information for automated decision-making or profiling that produces legal effects
- Access or analyze the content of files linked through External Links
- Use User-Generated Content for any purpose other than providing the Services to you
4. HOW WE SHARE YOUR INFORMATION
4.1 Limited Sharing
We share your personal information only in the following limited circumstances:
| Recipient | Purpose | Safeguards |
|---|---|---|
| Payment Processors (Stripe) | To process payments | PCI DSS compliant; governed by their privacy policy |
| Cloud Infrastructure Providers (Heroku) | To host and operate the Platform | Data processing agreements; industry-standard security |
| Email Service Providers | To send transactional emails | Data processing agreements |
| Professional Advisors | Legal or other professional services as needed | Professional confidentiality obligations |
4.2 Legal Requirements
We may disclose your information if required to do so by law or in response to:
- Valid legal process (subpoenas, court orders, legal requests)
- Government or regulatory requests
- To protect our rights, privacy, safety, or property
- To enforce our Terms of Use
- In connection with an investigation of suspected or actual illegal activity
We will attempt to notify you of such requests where legally permitted and appropriate.
4.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have regarding your information.
4.4 No Sale of Personal Information
We do not sell your personal information. For purposes of the CCPA/CPRA, we have not sold personal information in the preceding 12 months and do not intend to sell personal information.
5. DATA RETENTION
5.1 Retention Periods
We retain your personal information for as long as necessary to fulfill the purposes described in this Policy:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of your subscription plus 3 years |
| Billing and payment records | 7 years (for legal and tax compliance) |
| User-Generated Content | Duration of your subscription plus 30 days |
| External Links | Duration of your subscription plus 30 days |
| Usage logs | 12 months |
| Support communications | 3 years after resolution |
5.2 After Termination
When your subscription ends:
(a) We will retain your Account information for a limited period to allow for reactivation and to comply with legal obligations;
(b) User-Generated Content and External Links will be deleted within 30 days of subscription termination, unless you request earlier deletion.
5.3 Deletion Requests
You may request deletion of your personal information as described in Section 7. Deletion requests are subject to our legal retention obligations.
6. DATA SECURITY
6.1 Security Measures
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption of data in transit (TLS/SSL)
- Encryption of sensitive data at rest
- Secure password hashing
- Access controls and authentication requirements
- Regular security assessments
- Employee training on data protection
- Incident response procedures
6.2 No Guarantee
While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information.
6.3 Your Security Responsibilities
You are responsible for:
- Maintaining the confidentiality of your login credentials
- Using strong, unique passwords
- Notifying us immediately of any unauthorized access
- The security of your external cloud storage services
6.4 Breach Notification
In the event of a data breach affecting your personal information, we will notify you and applicable regulatory authorities as required by law, including within the timeframes required by Quebec Law 25, GDPR, and other applicable laws.
7. YOUR PRIVACY RIGHTS
7.1 Rights for All Users
Regardless of your location, you have the right to:
- Access your personal information by logging into your account
- Correct your account information through your account settings
- Delete your account by contacting us at info@cloudofficer.ca
- Withdraw consent to the collection, use, or disclosure of your personal information (subject to legal or contractual restrictions)
- Opt out of non-essential marketing communications
- Non-discrimination for exercising your privacy rights
- File a complaint with the applicable regulatory authority (see Section 13)
7.2 Additional Rights - Canada (Quebec Law 25, PIPEDA)
In addition to the rights in Section 7.1, Canadian residents may file complaints with the Office of the Privacy Commissioner of Canada or the Commission d’accès à l’information du Québec.
7.3 Additional Rights - European Union (GDPR)
In addition to the rights in Section 7.1, residents of the EEA, United Kingdom, or Switzerland have the right to:
- Data portability – receive your data in a structured, machine-readable format
- Restriction of processing of your personal data
- Object to processing based on legitimate interests
Legal Bases for Processing: Contract performance, legitimate interests (security, fraud prevention), legal obligations, and consent where obtained.
7.4 Additional Rights - California (CCPA/CPRA)
In addition to the rights in Section 7.1, California residents have the right to know what personal information we collect. See Section 2 for the categories of personal information collected.
We do not sell or share personal information for targeted advertising.
7.5 Exercising Your Rights
To exercise any of your privacy rights, contact us as described in Section 13. We will respond within 30 days.
7.6 Verification
We may need to verify your identity before fulfilling your request. We will ask you to confirm information we have on file or provide additional verification as necessary.
8. CHILDREN’S PRIVACY
8.1 Age Restriction
The Services are not intended for individuals under the age of 16 (or the age of majority in your jurisdiction, if higher). We do not knowingly collect personal information from children under 16.
8.2 Parental Notification
If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly. If you believe we have collected information from a child under 16, please contact us at info@cloudofficer.ca.
9. THIRD-PARTY LINKS AND SERVICES
9.1 External Links
The Platform may contain links to third-party websites or services, including your external cloud storage providers. This Privacy Policy does not apply to such third-party services.
9.2 Your External Cloud Storage
When you link files from your external cloud storage (Google Drive, OneDrive, Dropbox, SharePoint, etc.):
- Those services have their own privacy policies
- We do not access, read, or store the content of your linked files
- You are responsible for your privacy settings and compliance on those services
9.3 Third-Party Responsibility
We are not responsible for the privacy practices of any third-party services. We encourage you to review the privacy policies of any third-party services you use.
10. INTERNATIONAL DATA TRANSFERS
10.1 Location of Processing
Your personal information is primarily processed and stored in the United States on infrastructure provided by Heroku (Salesforce).
10.2 Safeguards for International Transfers
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States:
- We rely on the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework where applicable
- We use Standard Contractual Clauses (SCCs) approved by the European Commission
- Our sub-processors maintain appropriate data protection certifications and agreements
11. DATA PROCESSING AND SUB-PROCESSORS
11.1 Our Role
- For Account Data (email, name, IP address): We act as the data controller
- For User-Generated Content in text fields: You are the data controller; we have disclaimed processor responsibility as you have been instructed not to enter personal data
11.2 Sub-Processors
We use the following sub-processors to provide the Services:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Heroku (Salesforce) | Cloud hosting and platform infrastructure | United States |
| Heroku Postgres | Database storage | United States |
| Bucketeer (Heroku add-on) | File storage | United States |
| Papertrail (Heroku add-on) | Application logging | United States |
| Twilio SendGrid (Heroku add-on) | Transactional emails | United States |
| Stripe | Payment processing | United States |
| TinyMCE (Tiny Technologies) | Collaborative rich text editing | United States |
| OpenAI | AI-assisted features | United States |
11.3 Sub-Processor Obligations
All sub-processors are bound by data processing agreements that require them to:
- Process personal data only on our documented instructions
- Ensure confidentiality of personal data
- Implement appropriate security measures
- Assist with data subject rights requests
- Delete or return data upon termination
11.4 Changes to Sub-Processors
We may update our sub-processors from time to time. Material changes will be reflected in updates to this Privacy Policy.
12. CHANGES TO THIS PRIVACY POLICY
12.1 Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
12.2 Notification
- Material changes: We will notify you via email and/or prominent notice on the Platform at least 30 days before material changes take effect
- Non-material changes: Will be effective upon posting to the Platform
12.3 Continued Use
Your continued use of the Services after any changes indicates your acceptance of the updated Privacy Policy.
12.4 Review
We encourage you to review this Privacy Policy periodically.
13. PRIVACY CONTACT
13.1 Data Protection Officer
For questions, concerns, or requests related to this Privacy Policy or your privacy rights, please contact:
Yves Desgagne
Data Protection Officer / Person Responsible for Privacy Cloud Officer
Email: info@cloudofficer.ca
Website: https://compliance.cloudofficer.ca/
This contact serves as the Data Protection Officer (GDPR), Person Responsible for the Protection of Personal Information (Quebec Law 25), and privacy contact for CCPA/PIPEDA purposes.
13.2 Regulatory Authorities
You may also contact the applicable privacy regulatory authority:
Canada (Federal):
Office of the Privacy Commissioner of Canada 30 Victoria Street Gatineau, Quebec K1A 1H3
https://www.priv.gc.ca
Quebec:
Commission d’accès à l’information du Québec 525, boul. René-Lévesque Est, bureau 2.36 Québec (Québec) G1R 5S9
https://www.cai.gouv.qc.ca
European Union:
Contact your local Data Protection Authority
California:
California Attorney General Office of the Attorney General 1300 I Street, Sacramento, CA 95814
https://www.oag.ca.gov
14. ADDITIONAL DISCLOSURES
14.1 User-Generated Content Disclaimer
WE EXPRESSLY DISCLAIM ANY RESPONSIBILITY FOR PERSONAL OR SENSITIVE INFORMATION THAT YOU VOLUNTARILY ENTER INTO TEXT FIELDS ON THE PLATFORM.
You acknowledge and agree that:
(a) The text fields are provided for you to document YOUR OWN compliance procedures and organizational information;
(b) You are solely responsible for ensuring that any information you enter complies with applicable privacy laws;
(c) If you enter personal information of third parties (employees, customers, etc.) into text fields, YOU are the data controller/business responsible for such information, not us;
(d) We are not acting as a data processor or service provider with respect to any personal information you voluntarily enter;
(e) You must obtain any necessary consents and provide any required notices before entering personal information of third parties;
(f) We strongly advise you NOT to enter any personal or sensitive information in text fields.
14.2 Compliance Framework Documentation
The Platform is designed to help you organize compliance documentation using templates. Any information you enter regarding your compliance programs, procedures, or controls is your proprietary information. We access such information only as necessary to provide the Services and do not use it for any other purpose.
15. LANGUAGE
Les parties ont expressément demandé et convenu que la présente politique de confidentialité et tous les documents connexes soient rédigés en anglais seulement.
The parties have expressly requested and agreed that this Privacy Policy and all related documents be drawn up in English only.