Security Policy

Last updated: January 15, 2024

Overview

Tracument understands how important security and privacy are to professionals. Our business relies on exercising the utmost care in protecting the security of your Tracument account and the documents and payment information contained therein. We use industry leading security measures to make sure your information is stored and transferred securely.

Network/Internet

Secure Socket Layer - We use up to 2048-bit RSA keys that are rotated every 90 days to encrypt all communications over the Internet.

Data Storage

Our servers are hosted in Canada and subject to Canadian security and privacy laws. All data is stored using 256-bit Advanced Encryption Standard (AES-256). These locations are certified to ISO27001, ISO27017, and ISO27108 standards, among others, and are audited continuously to attest to their compliance.

Firewalls

Our datacentre uses redundant firewalls to detect and prevent unauthorized traffic to our servers.

Intrusion Detection

All of our servers run intrusion detection agents that send data to an intrusion detection server. The host-based intrusion detection we employ has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response.

Account Verification

In order to ensure that the holder of a given account is actually the organization represented in our system, each new account is authenticated by a Tracument representative. This is done by confirming through personal contact or publicly available information that the organization is who they represent themselves to be.

One-time Login/Secure Email Link

Documents sent by secure email link by Tracument account holders to non-Tracument users are accessible by a one-time unique link and protected by a one-time password set by the sending party.

Fax Transmissions

Fax transmissions are sent to our fax servers using SSL encryption. Only requests where the user selects fax as the delivery method will be transmitted in this way. No provided documents or Secure Send documents are ever transmitted by fax.

Mail

Mail requests are printed, handled, and mailed by Tracument staff or contractors. These workers are subject to confidentiality agreements. No documents sent by Paywall or by Secure Send are ever transmitted by mail.

Payment Security

When a providing firm uploads a document or set of documents, those documents cannot be viewed by the intended recipient until they have paid the accompanying invoice. Tracument collects these funds and disperses them at regular intervals to the providing party. Any payments received are secured in a CDIC insured account until they are dispersed.

Credit Card Security

All credit card transactions are tokenized and sent to Stripe for execution. Stripe is PCI Level 1 compliant, which is the most stringent credit card security certificate. We are PCI DSS compliant by virtue of this outsourcing. See https://stripe.com/help/security for more information. Tracument does not hold or save credit card information on their servers or in their database.

EFT/Bank Security

All bank transfers are executed by CIBC through their secure online portal. Access to this portal is limited to directors of Tracument, and access codes are changed every sixty seconds by CIBC’s security services.

Information Storage Location

All documents uploaded to Tracument’s servers are stored in Canada. The documents are subject to Canadian information security and privacy protection laws.

Physical Security

Our servers are physically hosted at geo-redundant secure locations in Canada. These locations are certified to ISO27001, ISO27017, and ISO27108 standards, among others, and use a variety of security controls to limit physical access to our information.

Built-in Application Security Features

Password Rotation

We offer password rotation for user accounts, which reduces the risk of password theft or mismanagement.

Password Encryption

All passwords are encrypted on our servers, preventing unauthorized access to passwords.

Brute Force Password Guessing Mitigation

Repeated login attempts result in blocking the offending IP address for 24 hours.

Multi-Factor Authentication

Tracument offers Multi-Factor Authentication as an option for firms that wish to authenticate via multiple factors.

Role-based access

We have three levels of users--owners, administrators, and regular users. This provides the owners of accounts to only grant access and controls to appropriate users.

Limited Viewing Ability

Only the owner of the account and the uploading user are able to view the documents provided. This protects the privacy of provided information as other users from the providing company cannot view potentially sensitive information.

Limited Access to Documents

The Tracument system does not allow Tracument staff to access provided documents or documents sent through Secure Send. Tracument does have access to requesting documents and authorizations. All staff and contractors have signed confidentiality agreements in place.

Document Expiry

All documents sent through Paywall, Secure Send, and Chart Transfer along with files received through Portal expire after 120 days.

Questions

If you have any questions about this document, or would like more information about how Tracument works to protect the privacy of its users, please feel free to email us at support@tracument.com.