GoCo Business
Customer Privacy Policy
Introduction
This GoCo Business Customer Privacy Policy (“Privacy Policy”) outlines how GoCo protects the Personal Information entrusted to GoCo by our Business Customers.
GoCo Technology Limited Partnership (“GoCo”)1 is in the business of providing a wide range of communications products and services. We are a service provider to our business Customers. We recognize that an important part of our business Customers’ operations is to ensure that their End-user’s privacy is protected. Core to our commitment to “putting customers first” is ensuring that the Personal Information our Customers entrust to GoCo is safeguarded and that the privacy of our Customers’ End-users is respected.
GoCo’s privacy management practices are developed in accordance with applicable Canadian privacy legislation, (including, but not limited to the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar Canadian provincial privacy legislation), as well as with our contractual commitments. GoCo’s privacy practices are also designed to assist our Customers with their own privacy compliance requirements, including with the European Union’s General Data Protection Regulation (GDPR). While GoCo relies on our Customers to ensure that they have obtained all necessary consents or otherwise have all necessary authority for the processing of Customer and End-user Personal Information, our commitment to GoCo Customers is that we will work with them to protect privacy in all relevant service offerings.
This Privacy Policy should be read alongside any contract that a Customer enters into with GoCo. In the event of a conflict between this Privacy Policy and any contract, the contract will control.
Definitions
For the purpose of this Privacy Policy:
Personal Information means information about an identifiable individual in any format but excludes Business Contact Information (except where such information is regulated by applicable privacy legislation). For greater certainty, personal information does not include anonymized, de-identified or aggregated information that cannot reasonably be associated with a specific individual.
Business Contact Information means the name, title, business address (including business email address), business telephone or fax numbers of an employee of an organization that is collected, used or disclosed for the purpose of communicating with the individual in relation to their employment, business or profession.
Customer means a customer of GoCo who is a business, enterprise, or other organization but is not an individual consumer.
Customer Personal Information means Personal Information provided to GoCo by, or collected by GoCo on behalf of, the Customer in order to provide services to the Customer and may include Personal Information of Customer’s End-users.
End-user means a customer, client, contractor or employee of a Customer where the use of GoCo services is not being provided under an individual consumer agreement with GoCo.
Scope & Application
This Privacy Policy applies to any Customer of GoCo that is a public body, business, enterprise, or other organization but is not an individual consumer contracting directly with GoCo.
This Privacy Policy applies to Customer Personal Information in GoCo’s possession or custody for the purposes of providing services on behalf of any Customer. It includes Customer Personal Information that is in the possession of service providers who have been contracted to provide services on GoCo’s behalf.
All GoCo employees, contractors and agents with access to Customer Personal Information are required to treat Customer Personal Information in accordance with this Privacy Policy.
Accountability
Our Accountability Commitment
As a service provider, GoCo is responsible for Customer Personal Information in GoCo’s possession or custody, including information that has been transferred for processing by GoCo to our service providers or a third party in the course of providing services to our Customers.
Executive Responsibility
Protecting privacy is an integral part of our services. All members of GoCo’s Executive team have a responsibility to enable and oversee operational compliance with GoCo’s privacy policies and procedures within their own areas of responsibility, ensuring all business units are properly aware of, and are resourced to meet our privacy obligations.
Employee Accountability
As a core commitment of GoCo, all members of the GoCo team undergo mandatory annual privacy training to ensure their continued awareness of and compliance with applicable laws and our policies, including this Privacy Policy. We recognize that all employees play a role in earning and maintaining Customer trust and we undertake ongoing privacy awareness activities to create a culture of privacy at GoCo.
Our Privacy Office
GoCo has appointed a Privacy Officer to oversee the Privacy Office. The Office is responsible for maintaining an accountable privacy management program specifically designed to protect the privacy of our Customers’ End-users, and for setting policies and procedures to earn and maintain our Customers’ trust in our data handling practices.
We have embraced the seven foundational principles of Privacy by Design, striving to embed these privacy enhancing principles into our product and service development processes.
Consent
As GoCo does not have a direct relationship with the End-users of our Customers, GoCo relies on and requires Customers to ensure that they have obtained all necessary consents from such End-users, provided all necessary notices to End-Users, and otherwise have all necessary authority to permit the collection, use or disclosure of Customer Personal Information by and between the Customer and GoCo.
Collection and Use
We are transparent with our Customers about the purposes for which we collect and use Customer Personal Information. GoCo receives Customer Personal Information from our Customers and collects Customer Personal Information from other entities or individuals on behalf of those Customers. We limit the collection of Customer Personal Information to that which is necessary to fulfil the purposes identified herein or in the contract with the Customer. GoCo requires Customers to restrict their sharing of Customer Personal Information with GoCo to solely information that is lawfully obtained and necessary and sufficient for the purposes identified in this Privacy Policy and any contract entered into between GoCo and the Customer.
Subject to this Privacy Policy and the terms and conditions of the contract with the Customer, GoCo collects and uses Customer Personal Information for the following purposes:
- To establish and maintain a responsible commercial relationship with Customers and to provide ongoing service;
- To understand Customer and End-user needs and preferences;
- To develop, enhance, promote or provide products and services to our Customers;
- To manage and develop our business and operations, including the diagnosis of technical problems or for improved functionality, and to maintain and enhance safety and security for our Customers;
- To meet contractual, legal, and regulatory requirements;
- To investigate and resolve incidents, and End-user and Customer complaints or disputes; and
- For the provision of products and services on behalf of Customers (in compliance with contractual obligations), including for billing purposes.
GoCo does not use Customer Personal Information for purposes other than as set out in this Privacy Policy and in the terms and conditions of the contract with the Customer, except as may otherwise be required or permitted by applicable law.
Disclosures and Transfers for Processing
GoCo discloses Customer Personal Information only as required or permitted pursuant to the terms and conditions of the contract with the Customer or as otherwise required or permitted by applicable law. GoCo may transfer Customer Personal Information for processing to a service provider who has been contracted to provide services on GoCo’s behalf.
Unless otherwise set out in the Customer contract, Customer Personal Information may be stored, transferred, viewed, accessed, processed, handled or otherwise used from outside Canada by GoCo or our service providers. Such information is protected with appropriate security safeguards, but may be available to foreign government agencies under applicable law. In particular, Customer Personal Information may be stored in the cloud, which may include transfers of data outside of Canada.
Retention
GoCo has a policy respecting records retention and an associated retention schedule and will keep Customer Personal Information only as long as it remains necessary or relevant for the identified purposes and in order for GoCo to perform the services or in accordance with the terms and conditions of the contract with the Customer, unless otherwise required to meet legal or regulatory requirements. After such time, GoCo will return or destroy Customer Personal Information in accordance with the terms and conditions of the contract with the Customer.
Accuracy
GoCo relies on our Customers to ensure the initial and ongoing accuracy and completeness of the Customer Personal Information that has been supplied to GoCo for the identified purposes and in order for GoCo to perform the services.
Safeguards
GoCo maintains an information security governance program to protect Customer Personal Information.
GoCo, in compliance with our security policy and data centre security standard, employs security measures appropriate to the sensitivity of the information in an effort to protect Customer Personal Information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction.
To the extent practical and applicable in the context of the services, GoCo implements, maintains, updates and monitors the following technical, administrative and organizational measures to help protect the security, integrity, availability and confidentiality of Personal Information:
Technical Safeguards:
- Implementing a Secure by Design methodology in our work processes, where applicable.
- Restricting and securing access to GoCo’s applications, operating systems and network platforms through the use of access controls, unique username and passwords and two factor authentication, thereby ensuring access only to authorized GoCo representatives.
- Protecting data through networking and web application firewalls, as well as intrusion detection and intrusion prevention systems.
- Employing technologies such as tokenization, de-identification, industry-standard encryption for data at rest and in transit and other mechanisms to protect Personal Information, as applicable.
- Utilizing endpoint security software that scans sensitive application files and file systems for malware and taking appropriate action in response.
- Monitoring networks and applications for security incidents and regularly testing incident response plans.
- Maintaining a business continuity and contingency plan applicable to our operations, reviewed and updated annually to address any material deficiencies.
- Regularly testing our safeguards and our overall security program.
Administrative Safeguards:
- Developing a governance structure that promotes and values privacy and that enables GoCo team members to make the right decisions about how to respect privacy when handling Personal Information.
- Requiring secure disposal of any media containing Customer Personal Information.
- Prohibiting the use of Customer Personal Information in non-production or demonstration environments except with the express consent of the Customer or as otherwise required or permitted by law.
- Limiting access to Customer Personal Information to a need-to-know basis and applying the principles of least privilege and role-based access control.
- Identifying and assessing reasonably foreseeable risks to the integrity, confidentiality or availability of Customer Personal Information that we hold and taking reasonable steps to mitigate those risks through the implementation of safeguards.
- Collecting, using and disclosing Customer Personal Information to fulfill the Services purchased by the Customer and as requested or instructed by the Customer.
- Requiring all GoCo employees and subcontractors to:
- put privacy first when handling Customer Personal Information;
- receive mandatory training that outlines their obligations to protect Customer privacy;
- learn about GoCo’s Privacy Management Program, which documents GoCo’s key commitments to protecting the privacy of GoCo customers, and sets out some of the ways that GoCo has operationalized those commitments and the organizational structure GoCo has implemented in order to do so;
- comply with GoCo’s corporate security policies that address authorization, access control, privileges, monitoring, terminating and revoking access to GoCo’s applications and associated IT infrastructure and network platforms; and
- sign employment agreements that include contractual provisions for the safeguarding and proper usage of confidential information (including Customer Personal Information) accessible to our employees in the course of their employment, and taking appropriate disciplinary measures where necessary.
Physical Safeguards:
- GoCo’s facilities are secured and meet industry standards and certifications.
- Access to high-security areas is restricted and GoCo representatives wear badges and must either scan the badge or enter access codes for entry.
- Visitors must register prior to entry and/or be escorted at all times when at GoCo production data centres and facilities.
- These data centres are housed in non-descript facilities with access strictly controlled both at the perimeter and at building ingress points by professional security staff using video surveillance, intrusion detection systems, and other electronic means.
- GoCo data centres employ automatic fire detection and suppression equipment that utilizes smoke detection sensors in all data centre environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms.
- The data centre electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week.
- Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centres use generators to provide back-up power for the entire facility.
- Data centres are conditioned to maintain atmospheric conditions at optimal levels. GoCo representatives and systems monitor and control temperature and humidity at appropriate levels.
Individual Access
Unless we specifically contract to do so as part of the provision of services to a Customer, GoCo will not generally respond directly to access or correction requests or inquiries of our Customers’ End-users. We will instead make reasonable efforts to direct inquiries and requests made by End-users to the appropriate Customer.
Incident Management
GoCo has established practices and procedures for incident readiness and response designed to identify the cause, extent and nature of an incident involving Customer Personal Information and to allow timely reporting to the Customer in accordance with our contractual terms. GoCo will provide reasonable and timely assistance to our Customers to investigate and assist Customers with respect to their obligations, if any, to notify affected individuals and/or report the incident to regulatory authorities or other parties.
Contacting us
Inquiries or complaints about the manner in which GoCo or our service providers treat Customer Personal Information can be forwarded on a confidential basis to our Privacy Officer at [email protected].
GoCo maintains procedures for addressing and responding to all inquiries or complaints about GoCo’s handling of Personal Information.
GoCo will investigate all complaints concerning compliance with this Privacy Policy. If a complaint is found to be justified, GoCo will take appropriate measures to resolve the complaint including, if necessary, amending our policies and procedures.
1 In this B2B Privacy Policy, the words “we”, “our” or “GoCo” refer to GoCo Technology Limited Partnership (“GoCo”)and its subsidiary companies, as they may exist from time to time.
This Privacy Policy is effective as of July 1st, 2022