Security Policy

Advisor411 Inc.
Effective Date: January 1, 2025


1. Overview

At Advisor411 Inc. (“Advisor411”, “we”, “our”), protecting the confidentiality, integrity, and availability of our data—and our clients’ trust—is a core priority. This Security Policy outlines the technical, organizational, and procedural controls we implement to protect information handled through our Platform.
Our Platform is used by asset managers and financial institutions, and our security practices are designed to meet B2B expectations for data protection and regulatory compliance in Canada, including under PIPEDA, Quebec Law 25, and applicable industry standards.


2. Scope

This policy applies to:

  • All data stored, processed, or transmitted via Advisor411 systems;
  • All employees, contractors, and service providers with access to such systems;
  • The infrastructure supporting our web application and analytics tools.

3. Data Classification and Protection

  • Confidential data (e.g., user information, client inquiries, platform usage patterns) is stored with restricted access.
  • Public data (e.g., advisor profiles sourced from public or licensed datasets) is still protected by integrity and system safeguards.
  • All data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).

4. Access Control

  • Access to systems is granted on a least-privilege and need-to-know basis.
  • Role-based access controls (RBAC) and strong authentication mechanisms are enforced.
  • Administrator and privileged access is logged and regularly reviewed.

5. Infrastructure and Hosting

  • We use reputable cloud infrastructure providers with industry certifications (e.g., ISO 27001, SOC 2).
  • Our hosting environment includes firewalls, intrusion detection, and automated threat monitoring.
  • Systems are regularly patched and updated to mitigate vulnerabilities.

6. Authentication and Authorization

  • Strong, unique passwords and/or OAuth 2.0 mechanisms are enforced for all accounts.
  • Multi-factor authentication (MFA) is implemented for administrative access.
  • User sessions are timed out after periods of inactivity.

7. Monitoring and Logging

  • Platform activity, system access, and anomalies are logged centrally.
  • Logs are retained in accordance with security and privacy requirements.
  • Suspicious or unauthorized activity triggers alerting protocols.

8. Data Retention and Disposal

  • Data is retained only as long as necessary for operational or legal reasons.
  • When no longer needed, data is securely deleted or anonymized.
  • Backups are encrypted and follow a defined retention lifecycle.

9. Vendor and Third-Party Management

  • We vet third-party vendors for security and privacy compliance.
  • All vendors are contractually required to adhere to security standards consistent with our own.
  • Data shared with third parties is minimized and protected by appropriate technical and contractual controls.

10. Incident Response and Breach Notification

  • Advisor411 maintains an incident response plan covering detection, containment, investigation, and remediation.
  • Clients and regulators are notified of breaches in accordance with PIPEDA, Quebec Law 25, and applicable laws.
  • Post-incident reviews are conducted to improve processes and reduce future risk.

11. Employee Security Practices

  • All team members receive security and privacy training upon onboarding and annually thereafter.
  • Confidentiality agreements are signed by all employees and contractors.
  • Access to production systems is restricted to authorized personnel only.

12. Business Continuity and Disaster Recovery

  • We maintain backup and recovery procedures to ensure business continuity.
  • Backups are performed regularly and tested for integrity.
  • Disaster recovery procedures prioritize minimal downtime and data loss.

13. Compliance

Our practices align with the following standards and regulations:

  • PIPEDA (Canada’s Personal Information Protection and Electronic Documents Act)
  • Law 25 (Quebec privacy reform)
  • Principles of SOC 2 and ISO 27001 (where applicable)
  • Industry expectations for B2B vendor security

14. Policy Review

This policy is reviewed annually and updated as necessary to reflect changes in our practices, legal requirements, or the threat landscape.


15. Contact

If you have questions about this Security Policy or require documentation for vendor assessments or audits, contact:
Advisor411 Inc.
638 Westluke Ave, Cote Saint Luc, H4X1P7, Quebec, Canada
Email: security@advisor411.com