
1. Introduction to Data Governance

Data governance at Orfolio encompasses the policies, processes, and technical measures we employ to ensure the responsible collection, storage, processing, and protection of user data. As a Canadian company operating under Quebec's Law 25 and PIPEDA, we are committed to transparency, security, and user rights.

This document outlines how we manage data throughout its lifecycle, from collection to deletion, and how we ensure compliance with applicable privacy and security regulations.

2. Data Architecture and Infrastructure

Orfolio operates on a multi-tenant architecture designed to ensure data isolation, security, and scalability.

2.1 Hosting and Data Residency

  • Primary Hosting: Microsoft Azure, Canada Central region (Toronto) — keeps data under Canadian jurisdiction and supports compliance with Canadian law.
  • Secondary Infrastructure: Vultr (Toronto) — used for specific workloads and redundancy purposes.
  • Data Residency: All personal and sensitive data is stored exclusively within Canadian borders to comply with Law 25 requirements.

2.2 Multi-Tenant Architecture

Each user account operates in a logically isolated environment, ensuring:

  • Strict separation of data between tenants (users, organizations).
  • Role-based access control (RBAC) to prevent unauthorized cross-tenant access.
  • Encrypted data storage with tenant-specific encryption keys where applicable.

3. Access Control and the Principle of Least Privilege

Access to Orfolio's infrastructure and user data is governed by the principle of least privilege, meaning employees and systems are granted only the minimum access necessary to perform their functions.

3.1 Internal Roles and Permissions

  • Platform Administrators: Limited access to system configuration and monitoring; no direct access to user-generated content.
  • Support Team: Access restricted to troubleshooting and resolving user-reported issues; each access requires explicit permission and is logged.
  • Developers: Access to staging and development environments only; production access requires multi-factor authentication (MFA) and audit logging.
  • Data Protection Officer (DPO): Oversight of data governance policies, incident response, and compliance monitoring.

3.2 Authentication and Authorization

  • Passwords are stored only as bcrypt hashes; authenticated sessions are represented by signed JWTs (JSON Web Tokens).
  • Two-factor authentication (2FA) is available for all users and mandatory for administrative accounts.
  • Session tokens are short-lived, encrypted, and transmitted exclusively over HTTPS.
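The token mechanism described in 2.2 and 3.2 (short-lived session tokens that carry the identity used to enforce tenant separation and role-based access), as an added example rather than Orfolio's own code. It uses only the Python standard library, so the bcrypt password-hashing step is not shown (it requires a third-party package). The page does not state which JWT algorithm, claim names, or lifetime Orfolio uses, so HS256, the `tenant`/`role` claims, the 15-minute TTL and the function names `issue_token`, `verify_token`, `token_status` and `authorize` are all assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed HS256 signing secret for the example only; a real service loads it
# from a secrets store and never hard-codes it.
SECRET = b"example-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, tenant_id: str, role: str,
                ttl_seconds: int = 900, now: Optional[float] = None) -> str:
    """Mint a short-lived HS256 JWT carrying the tenant and role claims (assumed claim names)."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "tenant": tenant_id, "role": role,
               "iat": now, "exp": now + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims if the signature is valid and the token is unexpired; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # binascii.Error and JSON errors are ValueError subclasses
        raise ValueError("malformed token")
    # Pin the algorithm server-side: never let the token's own header choose it
    # (blocks alg=none and HMAC/RSA key-confusion attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def token_status(token: str, now: Optional[float] = None) -> str:
    """Convenience wrapper: 'valid' or the rejection reason."""
    try:
        verify_token(token, now)
        return "valid"
    except ValueError as exc:
        return str(exc)


def authorize(claims: dict, resource_tenant: str, allowed_roles: tuple = ()) -> bool:
    """Tenant isolation plus RBAC: the token's tenant must own the resource,
    and, if roles are required, the token's role must be one of them."""
    if claims.get("tenant") != resource_tenant:
        return False
    if allowed_roles and claims.get("role") not in allowed_roles:
        return False
    return True


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    tok = issue_token("user-1", "tenant-a", "member", now=t0)
    print(token_status(tok, now=t0 + 60))     # valid
    print(token_status(tok, now=t0 + 900))    # token expired
    c = verify_token(tok, now=t0 + 60)
    print(authorize(c, "tenant-a"), authorize(c, "tenant-b"))  # True False
```

The three checks worth noticing are the pinned algorithm, the constant-time signature comparison, and the fact that the tenant check is done against the resource being requested rather than against anything the client supplies in the request body; a token valid for one tenant must never authorize a read of another tenant's data.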

4. Security Audits and Monitoring

Orfolio maintains continuous security monitoring and conducts regular audits to detect and respond to potential threats.

4.1 Audit Logs and Activity Tracking

  • All administrative actions, data access requests, and system changes are logged with timestamps and user identifiers.
  • Logs are retained for a minimum of 12 months and are reviewed regularly for anomalies.
  • Unauthorized access attempts trigger automated alerts and are investigated by the security team.

4.2 Intrusion Detection and Prevention

  • Microsoft Defender for Cloud (formerly Azure Security Center) and network firewalls monitor for suspicious activity.
  • Real-time threat detection using machine learning and behavioral analysis.
  • DDoS protection and rate limiting to prevent service disruptions.

4.3 Penetration Testing and Vulnerability Management

  • Annual third-party security audits and penetration testing.
  • Automated vulnerability scanning and dependency updates.
  • Incident response procedures documented and tested quarterly.

5. Backup, Recovery, and Business Continuity

Orfolio implements comprehensive backup and disaster recovery strategies to ensure data availability and resilience.

5.1 Backup Frequency and Retention

  • Database Backups: Automated daily backups with incremental snapshots every 6 hours.
  • User Content Backups: Weekly full backups of hosted websites and media assets.
  • Backup Retention: Backups are retained for 30 days and stored in geographically redundant locations within Canada.

5.2 Disaster Recovery and Restoration

  • Recovery Time Objective (RTO): 4 hours for critical services.
  • Recovery Point Objective (RPO): Maximum 6 hours of data loss in catastrophic scenarios.
  • Users can request manual restoration of deleted content within 30 days of deletion by contacting support.

5.3 Business Continuity Planning

  • Redundant infrastructure across multiple Azure availability zones.
  • Automated failover mechanisms for critical services.
  • Documented incident response and communication protocols.

6. Security Incident Notification

In the event of a data breach or security incident that may compromise personal information, Orfolio will:

  • Notify affected users within 72 hours of discovering the breach. Law 25 requires that any confidentiality incident presenting a risk of serious injury be reported with diligence to the CAI and to the persons concerned; the 72-hour window is Orfolio's commitment within that requirement.
  • Report the incident to the Commission d'accès à l'information du Québec (CAI) and other relevant authorities.
  • Provide clear information about the nature of the breach, the data affected, and steps taken to mitigate harm.
  • Offer guidance on protective measures users can take (e.g., password resets, account monitoring).

Incident notifications will be sent via email to the primary contact address on file. Additional updates will be posted on our status page and official communication channels.

7. Data Retention and Deletion Policy

Orfolio retains personal data only as long as necessary to fulfill the purposes for which it was collected or as required by law.

7.1 Retention Periods

  • Active Subscribers: Data is retained for the duration of the subscription plus 30 days after cancellation.
  • Inactive Users: Accounts with no activity for 6 months and no active subscription are flagged for deletion.
  • Billing Records: Retained for 7 years to comply with Canadian tax and accounting regulations.
  • Audit Logs: Retained for 12 months for security and compliance purposes.

7.2 Automated Deletion and Anonymization

  • Personal data is automatically deleted or anonymized once retention periods expire.
  • Users can request immediate deletion at any time by contacting rdpd@orfolio.com.
  • Deleted data is permanently removed from production systems and backups within 30 days.

8. Third-Party Data Sharing and Compliance

Orfolio only shares data with third-party service providers when necessary to deliver our services. All third parties are contractually bound to comply with Law 25 and PIPEDA.

8.1 Approved Third-Party Providers

  • Microsoft Azure: Cloud hosting and infrastructure (Canadian data centers only).
  • Stripe: Payment processing and billing (PCI-DSS compliant).
  • OpenAI, Anthropic (Claude), DeepSeek: AI model providers for content generation. Used only when the user selects the provider and consents; the transfer-outside-Canada rules in 8.2 apply.

8.2 Data Processing Agreements

  • All third parties sign Data Processing Agreements (DPAs) ensuring Law 25 compliance.
  • Transfers outside Canada require explicit user consent and contractual safeguards.
  • No data is sold, rented, or shared with advertisers or data brokers.

9. Data Portability and User Rights

In accordance with Law 25 and PIPEDA, Orfolio guarantees the following user rights:

  • Right to Access: Request a copy of all personal data we hold about you.
  • Right to Rectification: Correct inaccurate or incomplete information.
  • Right to Erasure: Request permanent deletion of your account and associated data.
  • Right to Portability: Export your data in a structured, machine-readable format (JSON, CSV).
  • Right to Withdraw Consent: Opt out of non-essential data processing at any time.

Data portability requests are processed within 30 days. Users can submit requests via email to rdpd@orfolio.com or through the account settings dashboard.

10. Continuity and Disaster Recovery Plan

Orfolio maintains a comprehensive business continuity and disaster recovery (BCDR) plan to ensure service availability and data integrity in the event of unforeseen incidents.

  • Redundant Infrastructure: Multi-region replication within Canada for critical data.
  • Automated Failover: Load balancers and traffic routing to minimize downtime.
  • Communication Plan: Timely updates to users via email, status page, and social media during incidents.
  • Annual Testing: BCDR plan tested and refined annually to ensure effectiveness.

11. Governance Oversight and Accountability

Data governance at Orfolio is overseen by our Data Protection Officer (DPO), who ensures:

  • Compliance with Law 25, PIPEDA, and other applicable regulations.
  • Regular reviews and updates to data governance policies.
  • Training for employees on privacy, security, and data handling best practices.
  • Coordination with legal counsel and regulatory authorities as needed.

For questions or concerns about data governance, please contact:

Data Protection Officer – Studio Orfolio
Montréal, QC, Canada
Email: rdpd@orfolio.com