Revision Dated: January 24, 2019
Data security, privacy, and confidentiality are absolutely fundamental to what we do. It is critically important to us that you trust how we handle your most private, sensitive and confidential information and data. Dispatch follows these principles in order to protect your privacy:
- We are transparent regarding what data we might handle and what we do to protect that data.
- We do not collect any more Information than is necessary to provide the Services.
- We do not keep your Personal Information if it is no longer needed; and
What Information do we collect or have access to, and how do we use it?
There are four different ways we may collect or have access to Private, Confidential, Protected and Personal Data.
- Through our website.
- Through the provision of our Professional Services.
- Through our operation of client systems on their behalf.
- Through provision and/or operation of our own systems for our clients.
We treat all Visitor and Client data with the utmost care. Some data we may have access to through provision of our Services is considered “protected” and falls under legislative requirements in various jurisdictions. In this document, we refer to this data as Personally Identifiable Information (PII) and Private Health Information (PHI). With this type of data, we apply technological standards and corporate policies appropriate for each legislative environment where the data originates, and where our Clients reside.
Visitors to our Website
When you visit www.dispatchintegration.com, there are four ways data may be collected:
- Contact Us form
- In various places on our website, we may provide a form that you can use if you’d like to get in touch with us. This form includes information such as your name, telephone number, email address and a message. When you use this form, it creates a notification in our website service that a message has been received and alerts us that a message has come in via email. We use this information to get in touch with you. We periodically purge the notifications from the website and do not store these notifications or any of the details from the form.
- Blog subscription
- We may provide Visitors a way to subscribe to blog posts that we may publish from time to time. To subscribe, you provide an email address. When we publish a new post, the subscribers will receive an email from us that there is something new on the blog and a link to return to our website to read the post. Subscribers can also elect to unsubscribe from the blog when they receive these emails. The email addresses provided are not used in any other way and are kept private at all times. If you unsubscribe from the blog, your email is automatically deleted.
- Job Applications
- Cookies that our site may use to track aggregate statistics
Our website offers publicly accessible blogs where you may have the ability to comment and engage in dialog with other Visitors. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. To request removal of your Personal Information from our blog, please contact us using the contact information below.
We display case studies of the work we’ve completed, and we may display testimonials and endorsements from clients. Unless agreed upon by our clients, we anonymize these case studies and testimonies and adhere to contractual provisions regarding how our clients’ names and logos may be used in marketing materials.
Dispatch will not share your Personal Information, or
Dispatch will share your information if compelled by law, in order to respond to investigations, court orders, legal process, or to investigate, prevent or take action regarding illegal activities, suspected fraud, or situations involving potential threats to the physical safety of any person. If Dispatch is required by law or an order of a court of competent jurisdiction to disclose your information, Dispatch will promptly notify you of this requirement so that you may seek a protective order or other appropriate relief.
When we provide Professional Services for our Clients:
Dispatch works on projects for and on behalf of our clients that involve designing, building and implementing systems and data integrations between different applications and services our clients use. We typically work on these projects by accessing client systems directly through computers provided to us by them, or by using our own IT infrastructure. We always adhere to client-specific privacy and security policies in all of our project work whether we use their systems and tools or whether we use our own. All of our employees and contractors must provide background checks before they can access our systems or our clients’ systems. We require all employees and contractors to be trained in and adhere to our Security Compliance Policy and Acceptable Use Policy.
Sometimes the nature of the data integrations we build for our clients may involve data that is sensitive, confidential and private (such as integrations with Human Resources systems, Financial systems or Health Information systems). When developing data integrations between systems, we need to test these integrations with representative data to make sure everything works okay. Whenever possible, we ask our clients to provide anonymized, de-identified or “dummy” data to conduct these tests. If our clients provide us with data that may contain private information, we take the following steps:
- We limit access to that data to only the people who have an absolute need to use it to perform their tasks on behalf of our clients.
- We will anonymize data whenever possible.
- Whenever possible we leave all the test data on our clients’ systems and do not make copies of the data.
- If we require the data on our own systems to conduct testing, the data is kept in an encrypted form until used for the testing and is destroyed immediately after testing is completed.
- If we require data on our own systems to conduct testing, Dispatch’s Security Compliance Policy requires us to provide notification to our clients within 24 hours if we suspect any potential breach of our systems that may impact client data that contains Personally Identifiable Information or Protected Health Information.
- We use the data only for the specific purposes of running tests necessary to successfully complete the project.
- We do not provide access to or share that data with any third party or unauthorized individual.
- If any employees or contractors leave us, we immediately revoke all access to systems that may contain client data.
When we operate integration systems on our Clients’ behalf using client-provisioned applications
Dispatch may operate systems integrations on behalf of our clients or may be involved in supporting integrations that are “in production” and processing
Some of the live integrations that we may operate and maintain involve data that is sensitive, confidential and private (such as integrations with Human Resources systems, Financial systems or Health Information systems). In some cases, we may need to access data in these integrations, or the applications associated with the integrations in order to operate them, make upgrades, troubleshoot and conduct maintenance tasks and perform other activities on behalf of the client.
- We limit data access to only the people who have an absolute need to access it to perform their tasks on behalf of our clients.
- We limit data access to only the minimum necessary data required to perform necessary tasks on behalf of our clients.
- We leave all data on our clients’ systems and do not make copies of the data.
- We use the data only for the specific purposes of operating, upgrading, troubleshooting and maintaining the integrations.
- We do not provide access to or share any data with any third party, and we do not permit access to data by employees or contractors not authorized by our Clients.
When our own applications are used to operate and manage integration systems on our clients’ behalf
Dispatch has developed a number of applications that are used by our clients to operate data integrations, manage these integrations, and help perform tasks necessary to test these integrations. These applications are typically hosted by us or by third-party hosting services, and our clients get access to them through a subscription or license. The specific usage of these systems for each client is governed by contracts between us and our clients.
We use industry best practices for data security and access controls in the design and deployment of our systems and conduct penetration testing on our systems on a regular basis. We have executed Business Associate Agreements and Data Processing Agreements with our third-party hosting providers, and they are obligated to inform us immediately of any potential data breaches. We limit access to our own systems to only those required to conduct maintenance and upgrades.
Sometimes our clients engage us to also operate and manage their integrations that may be run on our own applications. The nature of the data integrations we may operate on our own systems for our clients may involve data that is sensitive, confidential and private (such as integrations with Human Resources systems, Financial systems or Health Information systems). In some cases, we may need to access data in these integrations, or the applications associated with the integrations in order to test them, operate them, make upgrades, troubleshoot and conduct maintenance tasks and perform other activities on behalf of the client.
We adhere to the following principles regarding the operation and management of integration systems on our clients’ behalf:
- Client data is never “co-mingled” with data from other clients.
- We respect our clients’ data sovereignty requirements. We explicitly define with our clients where the physical servers are located that contain our applications and through which their data will be processed, and provision our Services to meet their data sovereignty requirements. This is established through contractual agreements with each client.
- We limit access to client data to only the people who have an absolute need to access it to perform their tasks on behalf of the clients.
- We endeavor to conduct our systems support and maintenance activities without requiring access to client data whenever possible.
- Data in all our applications is by default encrypted “in flight” and encrypted “at rest”, with specific encryption details determined by the contracts with our clients.
- Our applications will decrypt data in order to conduct certain operations such as data transformations. This data is re-encrypted once these operations are complete.
- Integrations are, by their nature, data-transient. This means that the only client data within our systems are in-transit to another system. For this reason, we do not store client data longer than is needed to receive, transform and transmit the data from an upstream system to a downstream system. We may maintain “message queues” of data for short amounts of time sufficient to ensure records are transmitted to the downstream application. Upon request by our clients, we may turn off these message queues so that no data is written to disk and only remains in volatile memory while being processed by our applications.
- Our applications may generate and log metadata on the integrations as a necessary component to provide certain functionality. This metadata does not contain Personally Identifiable Information, Private Health Information or any other confidential information.
- On occasion, we may need to access specific data records for the purposes of operating, upgrading, troubleshooting and maintaining the application. Our contracts with our clients govern how we access this data, which typically involves us logging the date, time, location and purpose for accessing the data, which specific records were accessed, who accessed the data, and confirmation that no data was retained.
- We do not provide access to our systems nor provide access to any data to any third party.
Our Trusted Subprocessors
The following are the third-party service processors that we use to help us provide our services and who may have access to personal, confidential and private information. All these parties have agreed through contractual arrangements to observe and protect the data we process.
Amazon AWS: Secure Hosting services and network infrastructure
Google: email, calendar, shared cloud drive, website analytics, Google Cloud Platform for secure application hosting services
Freshdesk: customer support ticketing and messaging platform
collage.co: Job posting and Applicant tracking system
Change of Ownership
If Dispatch is involved in a merger, acquisition, or sale of all or a portion of its assets, your Personal Information may be transferred to the acquiring person or entity and you will be notified via email and/or a prominent notice on our website of any change in ownership or uses of your Personal Information, as well as any choices you may have regarding your Personal Information.
A Message to our Clients
1155 North Service Road West
Canada L6M 3E3