Data Security

(English only)

Last Updated: 20th Dec 2024

This Data Security page provides detailed information on the technical and operational measures we implement to safeguard your personal and health information. It complements our Privacy Policy, which outlines the broader principles, practices, and obligations governing how we collect, use, and protect your data. Together, these documents give you a clear understanding of our approach to maintaining the privacy and security of your information throughout your engagement with our services.

1. What Data We Collect

We adhere to the principle of collecting only the information strictly necessary to provide our services effectively and responsibly. Depending on the nature of our counselling services, this data may include:

• Personal Identifiers: Name, email address, and telephone number, used to communicate with you, arrange appointments, and respond to enquiries.
• Therapeutic Records: Information relevant to your treatment, such as mental health history, session notes, goals, and service usage details. We only record this data to support the delivery and improvement of your care.
• Billing Information: Payment details and associated administrative records, used solely for the secure and accurate processing of fees and compliance with applicable financial regulations.

2. How We Use the Data

Your data is used exclusively to support the services and client care we provide. Specifically:

• Service Customization: We tailor our services to your individual needs, ensuring that practitioners have the information required to develop effective treatment plans.
• Operational Support: Contact and billing information enables us to confirm appointments, issue service reminders, manage accounts, and maintain accurate records.
• Quality Improvement: We periodically review and analyse non-identifiable aggregate data to improve our methods, enhance our service offerings, and ensure professional standards are consistently met.

3. What We Never Do with Your Data

Your data will never be used for purposes that fall outside the scope of providing and improving our services and fulfilling our legal and professional obligations. Specifically, we will not use your data for:

• Marketing or Advertising: We do not sell, rent, or otherwise share your personal information for third-party marketing campaigns, promotions, or advertising purposes.
• Profiling or Automated Decision-Making: We do not engage in automated profiling or decision-making that could affect your eligibility for services, pricing, or treatment without professional oversight and your explicit informed consent.
• Unnecessary Data Mining: We will not mine or analyse your personal or health information beyond what is necessary for service provision, quality assurance, or compliance with regulatory requirements.

If we consider using the session information for internal research purposes, such as developing a more effective modality, we will first obtain your explicit, informed consent. Before proceeding, we will ensure that all personally identifiable information is removed or properly de-identified. This process involves stripping out any data that could directly or indirectly link the information back to you, thereby safeguarding your privacy while allowing for lawful and ethical use of the data.

4. Where the Data Is Stored

We store your encrypted Personal Health Information in Microsoft Azure’s secure data centres located in Toronto, which adhere to rigorous industry standards. This ensures comprehensive protection of your personal and therapeutic information. Our data storage practices include:

• Secure Data Centres: Your data is stored in industry-leading data centres that implement strict physical security controls, including surveillance systems, controlled access, and environmental safeguards.
• Geographical Considerations: We select data centres in regions with robust data protection laws and stable infrastructure, helping to safeguard your information against political or infrastructural risks.
• Redundancy and Backups: Regular data backups are performed using encrypted methods. These backups are stored in multiple secure locations, ensuring data resilience and enabling restoration in the event of system failures.

5. Technical Protections

We employ a combination of advanced technical controls to protect your data from unauthorised access, disclosure, or loss:

• Encryption In Transit and At Rest: Whenever your information travels between your device and our servers, it’s protected by a secure connection (TLS). Once stored, it’s protected with a leading encryption standard (AES-256-GCM), turning it into unreadable code without the proper key. These keys are safeguarded under strict industry rules, ensuring that even if someone got the data, they couldn’t make sense of it.
• Separation of Data Storage: We keep identifying details and health records in separate databases. This separation prevents anyone from connecting the dots and piecing together a complete picture of who you are, even if they managed to see one part of the puzzle.
• Access Controls and Authentication: Only authorized team members who need the information to do their job can access it, and they must use secure passwords and prove their identity. This strict control means there’s no casual browsing of your data.
• Multifactor Authentication (MFA): As an extra layer of protection, our system can send a secure SMS code to your phone whenever you log in. This means even if someone steals your password, they still can’t access your account without the code. While turning on MFA is optional for participants, we strongly recommend it to add another barrier between your information and potential attackers.
• Network Security: We use firewalls and advanced monitoring tools to watch for any suspicious activity, blocking threats before they cause harm. We regularly update our security measures to stay ahead of new risks.
• Vulnerability Management: We don’t wait for problems to find us. We actively test our systems, looking for weak spots to fix before anyone can exploit them, and apply updates and security patches as soon as they’re available.

6. System Monitoring and Logging

To maintain the integrity and availability of our services, we implement comprehensive monitoring and logging practices:

• Audit Trails: All access and modifications to sensitive data are logged and reviewed to detect unauthorised activities or patterns of misuse.
• Proactive Monitoring: We continuously monitor system performance, network traffic, and user interactions to anticipate issues before they impact your services.
• Incident Response Readiness: Real-time alerts and escalation procedures enable swift action in response to suspicious activities, minimising potential harm.

7. Data Retention and Disposal

While certain retention periods are established by professional and legal standards, we never hold data longer than required:

• Retention Periods: Your information is retained only as long as necessary to provide services, maintain continuity of care, and fulfil professional obligations.
• Secure Disposal: Once data no longer needs to be retained, it is securely erased or rendered irretrievable through certified destruction methods. This ensures that no residual, recoverable copies of sensitive information remain.

8. Compliance and Continuous Improvement

Our data security strategies are not static. We continuously refine our policies and systems to align with evolving industry best practices, regulatory requirements, and technological advancements:

• Regulatory Alignment: We regularly review applicable guidelines, frameworks, and legislation to ensure compliance with current data protection standards.
• Staff Training: Our personnel receive ongoing training in data security measures, recognising and responding to potential threats, and adhering to the latest security protocols.
• Independent Reviews: We may engage third-party experts to conduct security assessments, ensuring that our protections remain robust and effective over time.

9. Incident Response and Notification

In the unlikely event of a data breach that poses a risk to your personal information, we have established protocols to:

• Immediate Containment: Identify, contain, and mitigate the impact of the incident as quickly as possible.
• Thorough Investigation: Determine the root cause, scope, and nature of the breach, implementing corrective measures to prevent recurrence.
• Prompt Notification: In compliance with applicable laws, you will be notified if your personal information is at risk, with guidance on steps you may take to protect yourself.

10. User Responsibilities

While we implement robust measures to safeguard your data, we also encourage you to take appropriate precautions:

• Account Security: Use strong, unique passwords for your accounts, and refrain from sharing login credentials.
• Secure Devices: Ensure your personal devices have up-to-date security software and avoid accessing sensitive information over unsecured networks.
• Reporting Concerns: If you suspect suspicious activity or identify potential vulnerabilities, please alert us immediately.

If you have questions, concerns, or require more details about our data security measures, please contact our Privacy Officer:

Privacy Officer

Virtrapy Inc.

info@virtrapy.com

We remain dedicated to safeguarding your personal and health information. Our layered technical controls, adherence to industry standards, and proactive approach to continuous improvement ensure that your data is protected from evolving threats, allowing you to engage with our services in confidence.