Skip to content

Security and compliance

Consoltec does whatever it takes to deserve your trust, now and in the future.

For us, security is not a secondary consideration; it is a priority. We are fully aware of the sensitivity of the information and data our customers entrust to us, and of the importance of sound data management.

Security

Consoltec places data protection and security at the heart of its concerns. Our commitment to information security is ongoing, reflected in the continuous improvement of our security program and the ongoing integration of best practices into our organization and platform.

Consoltec adheres to the principles of Secure by Design, using modern technologies that guarantee agility, performance, reliability and availability. We also maintain a high level of information security and privacy, meeting the most stringent requirements of all our customers.

People

Our employees play a crucial role in ensuring the security and privacy of the FlowFit application and your data. Here are some of the steps we take:

1. Background Checks
All candidates are required to successfully complete standard background and credit checks as part of the hiring process. They are also required to sign an NDA as part of their employment contract.

2. Roles & Responsibilities
R&D, IT & DevOps, Customer Support, and Sales & Marketing teams are made aware of their responsibilities in maintaining the security, confidentiality, integrity and availability of customer data.

3. Training
Consoltec provides information security and privacy training for new hires, and on an ongoing basis to all employees. In addition to this general information security and privacy training, more targeted training is also provided.

Application Security

Software Development Life Cycle

At Consoltec, we leverage the DevOps and Continuous Delivery models. The highly automated nature of our software and infrastructure delivery, combined with frequent releases, requires security to be embedded into the SDLC is essential. Here’s an overview of some of our security, privacy and quality assurance practices: requirements identification, requirements review, design reviews, development controls (i.e. static analysis, code reviews), automated and manual testing, automated vulnerability scans, change management and deployment controls.

Data Protection

  • Your data is encrypted in transit using Transport Layer Security (TLS) 1.2.
  • Your data is encrypted at rest using 256-bit AES.
  • We protect your data from unauthorized access using multiple access management controls.
  • Your data is backed-up incrementally every hour, and completely every day.

Data Isolation

To ensure data and process isolation, each customer gets dedicated instances of the FlowFit application, segregated database and data stores. You only have access to your own data, and the same applies to all other clients.

Identity & Authentication

You can choose from two identity models with FlowFit:

1. SAML-based Single Sign-On (SSO)

  • You can integrate FlowFit with your corporate credential directories using Security Assertion Markup Language (SAML v2.0) to retain full control of the authentication process.

2. FlowFit Cloud Accounts

  • You can also manage user accounts directly in FlowFit.
  • Configurable Password Policy
  • Credentials are never stored in human readable format. We use a secure one-way hash algorithm with a salt.

User Permission Assignment

Access to your FlowFit instance is governed by roles and access rights configured by your designated FlowFit Administrators.

 

FlowFit Tenant Access

Logical firewall

You may choose to restrict access to a specific IP range so that your FlowFit instance is only accessible in designated physical locations and through your organization’s VPN.

We also support a per user access policy that enables users to connect outside your designated physical locations. You can also restrict from which countries they are allowed to access your FlowFit instance using our IP Geo-location access control feature.

Vulnerabilities

Consoltec’s Security Team uses a combination of automated and manual vulnerability scanning and exploitation software in order to detect or confirm the presence of vulnerabilities in our SaaS infrastructure and application. Our security team is responsible for assessing, prioritizing and the remediation of confirmed vulnerabilities.

Penetration Testing

Consoltec also mandates a third-party security firm to perform authenticated and non-authenticated penetration testing against Consoltec’s SaaS infrastructure and application. The third party penetration testing is performed at least annually. An attestation of completion is available upon request.

Operations Security

Data Backups

Customer data is backed up every hour and replicated in near-real time at the designated secondary Azure Region. Backups are performed without impacting the availability of our customer instances of FlowFit. Customer data is always transmitted over a secure communication channel and encrypted at rest.

FlowFit Availability

FlowFit is architected, designed, and coded following the cloud-native principles by our team and takes full advantage of Azure infrastructure services to provide high availability transparently across multiple data centers (Azure Availability Zones).

Security Incidents

A potential security incident may include, among other things, loss of availability, unauthorized access, disclosure or alteration of data. Consoltec has an incident management procedure which covers the entire lifecycle of a potential incident including: Plan and Prepare, Detect and Report, Access, Respond and Post-mortem.

Consoltec will promptly notify the customer without undue delay in the event of any reasonably suspected or confirmed security incident affecting a customer.

Data Ownership & Control

Data Ownership

You maintain full ownership and control of your data uploaded or created in FlowFit.

Consoltec Employee Access to your Data

In the context of providing the service, it requires that some authorized Consoltec personnel have access to the systems which process or store your data. However, they are prohibited from accessing your data unless it is necessary to do so. For example, in order to reproduce or diagnose a problem you are having with FlowFit, we may need to access your data. Consoltec has a Customer Data Handling policy that has been developed and communicated to all personnel that governs how customers’ data may be accessed and how. We however never copy your data outside of your segregated production or staging environments.

Cancelling your Flow Subscription

Consoltec makes your data accessible for retrieval at any time during the term of your subscription and for 60 days after the termination of your subscription. After 60 days, Consoltec will disable the account and will securely delete your data.

Contact us to find out more about our cancellation procedure.

Secure Data Deletion

We have a procedure for the secure deletion of customer data at the termination of the subscription. A Consoltec system administrator will be assigned the task and will delete all customer data: database, file storage, backups, and encryption keys along with your instance of FlowFit. We will also provide you with a data destruction report signed by the CISO who will ensure that the procedure was followed and that the data was deleted per the Service Termination Procedure.

Hosting Infrastructure

We host FlowFit in Azure data centers in the United States, Canada or Europe according to your choice. Azure maintains multiple certifications and attestations for its hosting operations. For more information about their certification and compliance program, please visit the Microsoft Trust Center and the Microsoft Compliance.

Privacy

Consoltec is committed to protecting your data including the personal information of your employees. As a result we help your organization remain and demonstrate compliance with Privacy Laws and Regulations such as Canada’s PIPEDA Act, Québec’s Act 25 and EU’s GDPR. Learn more about Consoltec’s position on these regulations in the Compliance section that follows.

Compliance

AICPA SOC Logo

Privacy SOC 2 Type II

Consoltec is compliant with the Service Organization Controls (SOC) 2 Type 2 from AICPA, one of the most sought-after security attestations for SaaS providers.

The SOC 2 Type 2 report assures that Consoltec’s information security program and control environment are compliant with the security Trust Services Criteria developed and maintained by the AICPA. The report covers the controls Consoltec has implemented both from an organizational and technical perspective and includes access management, encryption, code changes and deployment, monitoring, vulnerability management, incident management, risk management, human resources management, vendor management, and more.

The report helps companies, looking to use a cloud service like FlowFit, to properly assess and address the associated risks.

Consoltec’s SOC 2 Type 2 report is available under NDA to all our existing and potential customers.
Please contact Consoltec’s Data Protection Officer to request a copy: dpo@consoltec.ca.

Cloud Security Alliance: Security, Trust, and Assurance Registry (CSA STAR)

The Cloud Security Alliance (CSA) is a nonprofit organization led by a broad coalition of industry practitioners, corporations, and other important stakeholders. It is dedicated to defining best practices to help ensure a more secure cloud computing environment, and to helping potential cloud customers make informed decisions when selecting a cloud vendor.

The Security, Trust, and Assurance Registry (CSA STAR) and the CSA Consensus Assessments Initiative Questionnaire (CAIQ) v4.0.3 provides a comprehensive set of questions that customers can use to evaluate the depth and breadth of cloud vendors’ security, privacy, and compliance processes.

Consoltec’s security team has compiled responses to all 261 questions in the questionnaire. This document is a valuable resource for understanding how Consoltec meets and exceeds the requirements set forth by CSA.

Contact us to request a questionnaire.

Québec: Act Respecting the Protection of Personal Information in the Private Sector

This Act applies to private-sector employers and governs the protection of personal information that an employer collects, holds, uses or discloses to third parties in the course of its activities. The law is currently being amended. Employers should consult their legal counsel regarding applicable laws and regulations.

Consult the Act respecting the protection of personal information in the private sector and contact us to find out about our Policy on the management and protection of personal information.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that replaced Directive 95/46/EC. Its purpose is to revise existing rules on the processing of EU citizens’ personal data by organizations. In addition, the RGPD aims to harmonize data protection laws across Europe. A key feature of the RGPD is the introduction of new rights for data subjects, giving European citizens more power and control over their privacy.

Consoltec's position on the GDPR

At Consoltec, we are deeply committed to the RGPD, as this regulation strengthens the protection of individuals’ security and privacy. That’s why Consoltec has made a firm commitment to implement additional controls and processes to ensure full RGPD compliance.

Consoltec follows the seven data processing principles in GDPR:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

Consoltec's position on the GDPR Personal Information Collected & Processed

By using our services, Consoltec may collect and process two categories of data: Customer Data and Other Information.

Customer Data

This category covers any personal or non-personal Information or data that the Customer may have submitted when interacting with our services (FlowFit). This category includes some types of information or data indirectly created by the Customer’s usage of our services (FlowFit) such as, but not limited to, application logs, support conversations, etc.

It is the responsibility of the Customer to verify the legal basis for collecting and processing Personal Information through Consoltec’s services (FlowFit) and managing any data subject requests.

Other Information

In its legitimate interests, Consoltec needs to collect and process some Personal Information to operate as a business. Consoltec may collect and process Personal Information about its users to achieve its billing, accounting and auditing activities, and may send surveys to users of the Customer and collect feedback to improve its services and offerings. This information is only used for internal activities.

However, we may be compelled to disclose or share your personal data in order to comply with any legal, commercial or other obligation, including but not limited to exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

Data Controller and Data Processor

As mentioned earlier, Consoltec collects and processes two categories of data: Customer Data and Other Information. For Customer Data, the Customer is the data controller, and Consoltec is the data processor. For Other Information, Consoltec is the data controller.

Personal Information Retention

  • Customer Data : Consoltec will retain all Customer Data in accordance with the instructions of the Customer. Usually, Consoltec will retain all Customer Data until the termination of the data processing services between the Customer and Consoltec. Customers may be able to modify or delete any information directly inside the FlowFit service, and may ask Consoltec for assistance where necessary.
  • Other Information: Consoltec will retain any Other Information as long as necessary to pursue its legitimate business interests as described above in the Personal Information Collected & Processed section.

GDPR Assistance

Consoltec will gladly collaborate and assist each customer seeking compliance with the obligations pursuant to Articles 32 to 36 of GDPR.

Data Subject Requests (DSR)

With the new dispositions of GDPR, European citizens’ rights towards their personal information has been drastically enhanced and European citizens may now request the following:

  • Discovery: The process of determining what data is needed to complete a DSR.
  • Access: Retrieval and potential transmission to the data subject of discovered information.
  • Rectify: Implement changes or other requested personal data changes.
  • Restrict: Changing the access or processing of personal data by restricting access, or removing data from the FlowFit service.
  • Export: Providing a “structured, commonly used, machine-readable format” of personal data to the data subject, as provided by the GDPR’s “right of data portability.”
  • Delete: Permanent removal of personal data from the FlowFit service.

The process is similar to the one implemented for Act 25 in Quebec.
Consoltec manages data subject requests differently depending on the type of information:

  • Customer Data: In the case where Consoltec receives data subject requests from an individual involving Customer Data, Consoltec will forward the request to the Customer, which acts as the data controller. Consoltec will never act without the orders of the Customer. It is the responsibility of the Customer to manage those requests. Where reasonably feasible, Consoltec may assist the Customer if it cannot fulfill the individual’s request independently.
  • Other Information: Consoltec will manage data subject requests involving Other Information.

Data Processing Addendum (DPA)

Consoltec makes available a Data Processing Addendum (DPA) for our Customers.

Want to know more?