Trust Center
Our Commitment to You
WhistleBlower Security is committed to the privacy and security of our IntegrityCounts platform. We go above and beyond to protect your data and have multiple levels of security in place to ensure the highest protection. Below, you will find information on WhistleBlower Security's practices, policies, and procedures on privacy, security, transparency, and compliance.
Risk Management Program
WhistleBlower Security has strict procedure and information security policies to guide it's operations by maintaining an Information Security Management system in compliance with ISO 27001, Global Standard for Information Security. WhistleBlower Security is also in compliance with the General Data Protection Regulation (GDPR), as governed by the Canadian Privacy Act, and retains counsel to ensure that our platform and service remains in full compliance with changing legislation.
IntegrityCounts Terms of Service
Data Safety & Security
WhistleBlower Security is committed to protecting customers from data privacy breaches and support regulatory compliance to the greatest extent feasible.
Login Security / Authentication
Each user is given access to the system based on roles and permissions. Once the permissions are established the authentication application to verify the user and their access and provide a unique token to access IntegrityCounts after the user has logged in. For a more streamlined sign in experience, WhistleBlower Security can also integrate with the client's Single Sign On.
Monitoring
WhistleBlower Security uses Microsoft Azure PaaS and monitors 24/7.
Personnel Security
Data is stored in Azure datacentres – both primary and backup – and a number of physical security controls are in place to ensure data is protected.
Incident Security Response
Incidents are managed according to the ISO 27001:2013 protocol. This protocol is outlined in the WhistleBlower Security Incident Response Policy above. If an incident become a disaster the above Disaster Recovery Policy takes affect. Incidents are then managed through corrective action plans to correct the issue and ensure it does not occur again.
Annual Security Reviews & Third Party Audits
WhistleBlower Security is currently on the ISO certification schedule. Internal audits are performed every year, a full external audit completed every three years and a lighter external audit performed on the off years. Penetration and Vulnerability testing is also performed every year.
Regular Vulnerability Scanning
WhistleBlower Security employs a variety of tests both internal and external, along with a regular scanning to ensure the safety of your data. Some of these efforts include but are not limited to TinHat security vulnerability scanning, rigorous intrusion detection and prevention systems, SAST testing against source code on every release, Firewall services, regular anti-virus & anti-malware updates, Microsoft Advanced Threat Detection, Microsoft Patching & Hardening processes, and yearly vulnerability & penetration testing. Check out Microsoft Azure’s data protection controls learn more about Microsoft Azure’s additional measures to keep your data safe.
International Security Standards
WhistleBlower Security's primary data centres, located in Canada, maintain the requirements for policies, procedures and processes in compliance with ISO27001, SOC1, SOC2, FedRAMP, SAA16, and CSAE 3416.
Data Privacy FAQs
Is WhistleBlower Security GDPR compliant?
WhistleBlower Security is GDPR compliant by adequacy status. The EU has made a formal decisions to recognize that Canada has an equivalent level of personal data protection as the EU. By following the data protection laws in Canada, we are by default GDPR compliant.
Is my data encrypted?
Encryption is used to secure data both in transit and while at rest. All incident report details are encrypted. WhistleBlower Security maintains strict controls over who has access to systems that store confidential data. All data / information transmission is done using encrypted methods.
Data is stored in a central database and is only accessed via web portal using Transport Layer Security (TLS 1.2) encryption. Other documents would be transferred using a secured file sharing service that also utilizes SSL encryption. Data / information would not be transferred directly using electronic messaging or physical shipment.
Data is also segregated on a client by client basis to ensure the integrity and security of the data. The information is encrypted using TLS between the client and the server. Once on the server, the structured data is encrypted into an MS SQL Azure RDBMS using Transparent Data Encryption (RSA-2048) with certificate Signature Algorithm : PKCS #1 SHA-256. Any uploaded attachments are encrypted into Azure blob storage using Azure Storage Encryption. The certificates are managed at the platform level, allowing decryption only by the calling application and from specified hardware locations.
How does WhistleBlower Security test their data security?
See information on “Regular Vulnerability Scanning" in the Data Safety & Security section. WhistleBlower Security also maintains ISO27001 certification with regular annual audits to ensure that policy and procedure offers the highest data protection.
Where is my data stored?
IntegrityCounts data is stored in Canada on Microsoft Azure SaaS and PaaS for the highest level of data control and security with limitless scalability. Check out Microsoft Azure’s rigorous data protection controls to learn more. The service retains certifications with the highest global ratings for data security (SOC 1, SOC 2, ISO2700, FedRAMP, SAA16, and CSAE 3416).
Is my data backed up?
To help protect against data loss, IntegrityCounts database maintains an uptime of 99.5%. Microsoft Azure stores and backs up IntegrityCounts data at 2 data centres across Canada; multi-replication and instant switch approach (ISA) guarantees the speed of data recovery. Database recovery points are every 10 minutes (RPO), and data can be restored within a total of 120 minutes (RTO) so that you can access your data at any given time.