Privacy and Compliance Fundamentals
Proteance works with sensitive operational data and designs its platforms around privacy, security, governance, and controlled data exchange.
Strong privacy and security practices are not only technical features. They also include policies, controls, evidence, accountability, and repeatable operating procedures.
Privacy and security are core parts of how governed data exchange works. For Proteance, this means designing systems that limit unnecessary data collection, protect sensitive information, control access, maintain auditability, and support accountable data-sharing between approved participants.
This page provides a plain-language overview of three commonly discussed privacy and security frameworks: PIPEDA, ISO 27001, and SOC 2.
PIPEDA: Canadian Privacy Law
PIPEDA stands for the Personal Information Protection and Electronic Documents Act. It is Canada's federal privacy law for private-sector organizations engaged in commercial activity.
PIPEDA is not a certification or accreditation. It sets legal obligations for how organizations collect, use, disclose, retain, safeguard, and dispose of personal information.
It matters whenever a platform handles personal information such as names, email addresses, user accounts, contact details, audit-log actor identities, or claim-related personal data.
PIPEDA fair information principles
1. Accountability
Accountability means personal information should have clear ownership, oversight, and responsibility. For Proteance, that means privacy handling is supported by defined roles, documented practices, and accountable operating controls.
2. Identifying purposes
Identifying purposes means the reason for collecting personal information should be clear before or at the time of collection. Proteance designs data flows so collection and use are tied to defined operational purposes rather than vague or unnecessary capture.
3. Consent
Consent means collection, use, or disclosure should be handled in line with applicable privacy obligations, including meaningful consent where it applies. For Proteance, this means personal information handling is tied to a defined purpose and governed through appropriate process and authorization controls.
4. Limiting collection
Limiting collection means only the personal information necessary for the stated purpose should be collected. Proteance applies data minimization thinking so unnecessary personal information is not pulled into workflows or exchanges without a justified need.
5. Limiting use, disclosure, and retention
Limiting use, disclosure, and retention means personal information should only be used, shared, and kept for purposes that are identified and necessary. Proteance approaches this through controlled data-sharing, defined participant access, and retention practices aligned with business and regulatory needs.
6. Accuracy
Accuracy means personal information should be as accurate, complete, and up to date as needed for the purpose it supports. Proteance designs data handling and governance processes to support appropriate accuracy, controlled updates, and accountable use.
7. Safeguards
Safeguards means personal information should be protected with security measures appropriate to its sensitivity. For Proteance, that includes applying access control, auditability, and security safeguards in line with the sensitivity of the information being handled.
8. Openness
Openness means privacy policies and handling practices should be understandable and reasonably accessible. Proteance supports this through clear public trust, privacy, and governance explanations rather than opaque or inflated claims.
9. Individual access
Individual access means people should be able to request access to personal information held about them and seek correction where appropriate. Proteance supports accountable handling of such requests through defined contact and governance paths.
10. Challenging compliance
Challenging compliance means people should have a way to question or challenge how privacy obligations are being handled. Proteance treats this as part of accountable governance, with review, escalation, and response mechanisms that address privacy and security concerns.
What this means for Proteance
- We minimize personal information wherever possible.
- We design data flows so that unnecessary personal information is not collected.
- We apply access controls, audit logs, and safeguards to personal information we do process.
- We document purposes for collection and use.
- We support accountable handling of privacy requests and security incidents.
- For governed data exchange, participant authorization and data minimization are central design principles.
ISO 27001: Information Security Management
ISO/IEC 27001 is an international standard for an Information Security Management System (ISMS). It focuses on how an organization manages information security risk.
It covers leadership responsibility, risk assessment, risk treatment, policies, controls, evidence, internal audit, management review, and continual improvement. It is broader than technical security settings.
Formal certification requires an external audit by an accredited certification body.
Certification applies to the organization's defined ISMS scope, rather than to a standalone software product.
Proteance aligns its security approach with recognized information security management principles, including risk-based controls, access management, incident response, supplier oversight, secure development, and continuous improvement.
Examples of ISO 27001-style controls
1. Information security policies
Sets out how security expectations, responsibilities, and required practices are defined across the organization. In plain terms, these policies explain how security is expected to be managed and followed.
2. Risk register and risk treatment plan
Captures security risks and records how those risks are accepted, reduced, transferred, or monitored. This helps show that risks are identified, reviewed, and handled in a structured way rather than informally.
3. Asset inventory
Tracks important systems, data stores, services, and supporting technology so security responsibilities are clear. In practice, this means knowing what needs to be protected and who is responsible for it.
4. Access control and least privilege
Grants access according to role and need, with permissions limited to what is necessary for the task or responsibility. Least privilege means people get the access they need for their role, and no more.
5. MFA for privileged access
Adds protection for administrative and other high-risk access paths. MFA stands for multi-factor authentication, which means using an extra verification step beyond just a password.
6. Supplier and third-party review
Reviews external providers for security, privacy, and operational risk where they affect services, systems, or data handling. This helps ensure outside vendors do not introduce unmanaged trust or delivery risk.
7. Incident response process
Supports detection, escalation, containment, communication, and follow-up actions when issues occur. In practical terms, it defines how the organization responds when a security or operational incident needs attention.
8. Backup and recovery process
Protects availability, continuity, and restoration capability after disruption or failure. This means important systems and data can be recovered if something goes wrong.
9. Secure development and change control
Applies security through development, testing, release, and change approval so updates are introduced in a controlled way. Change control means important updates are reviewed, approved, and tracked before they are introduced.
10. Logging and monitoring
Supports traceability, anomaly detection, troubleshooting, and review of security-relevant activity. Logging records what happened, and monitoring helps identify unusual activity or issues that may need investigation.
11. Internal review and improvement actions
Reviews controls over time and tracks findings or weaknesses through corrective and improvement actions. This supports continual improvement rather than treating security as a one-time exercise.
What this means for Proteance
- Security is managed as an operating discipline, not only as technology.
- Controls are documented and evidenced.
- Alignment with ISO 27001 principles helps prepare Proteance for formal certification while improving confidence and predictability in security governance.
SOC 2: Independent Trust Controls Attestation
SOC stands for System and Organization Controls. SOC 2 is an independent audit report used mainly by technology and cloud-service providers and is commonly requested in North American vendor due diligence.
It is an assurance report, not a legal framework.
It evaluates controls against the Trust Services Criteria.
Trust Services Criteria
1. Security
Focuses on protecting systems and data against unauthorized access, misuse, disruption, or damage.
2. Availability
Focuses on whether systems and services are available for operation and use as committed or expected.
3. Processing Integrity
Focuses on whether system processing is complete, valid, accurate, timely, and authorized.
4. Confidentiality
Focuses on protecting information that is designated as confidential from unauthorized access or disclosure.
5. Privacy
Focuses on how personal information is collected, used, retained, disclosed, and disposed of in line with stated commitments and applicable criteria.
SOC 2 reports are commonly discussed as Type I and Type II.
Type I
Assesses whether controls are suitably designed at a specific point in time.
Type II
Assesses whether controls operated effectively over a defined review period.
What this means for Proteance
- Readiness requires documented controls and operating evidence.
- Evidence may include access reviews, change records, incident logs, backup tests, monitoring alerts, vendor reviews, and security training records.
- This work complements ISO 27001 alignment and PIPEDA compliance activity.
How These Fit Together
| Framework | What it is | Main purpose | Certification or attestation? | Relevance to Proteance |
|---|---|---|---|---|
| PIPEDA | Canadian privacy law | Protects personal information | No certification | Required where personal information is collected, used, or disclosed |
| ISO 27001 | International security management standard | Manages information security risk through an ISMS | Organization-level certification through external audit (defined scope) | Useful for structured security governance and due diligence |
| SOC 2 | Independent audit report | Demonstrates trust controls for service organizations | Auditor attestation report | Useful for customers, insurers, and partners assessing cloud-service risk |
PIPEDA, ISO 27001, and SOC 2 are complementary. PIPEDA defines legal privacy obligations. ISO 27001 provides a structured model for managing information security. SOC 2 provides independent assurance that selected controls are designed and operating effectively.
Our Privacy and Security Operating Principles
1. Data minimization
Collect only what is needed for the defined purpose.
2. Participant control
Data-sharing should be governed by clear authorization and role-based permissions.
3. Canadian privacy awareness
Personal information must be handled in line with applicable Canadian privacy obligations.
4. Security by design
Access control, encryption, auditability, monitoring, and secure deployment practices should be built into the platform.
5. Evidence-based governance
Policies and controls should be supported by records, logs, reviews, and documented decisions.
6. Preparedness for due diligence
Proteance designs its operating model to support security reviews, customer assessments, and future certification or attestation requirements where commercially required.
Further reading
Have questions about Proteance privacy or security practices?
Proteance works with partners to support governed, accountable, and secure data exchange. Contact us if you need more information about our privacy, security, or compliance approach.