Data Security & Privacy Policy
How we protect the data entrusted to us and comply with applicable privacy and data protection laws.
1. Introduction
Telos One Limited ("we," "us," "our," or "Telos One") is a Canadian corporation registered in the Province of Ontario. We provide professional services including payment processing consulting, cybersecurity assessments, web development, and hosting solutions.
This Data Security & Privacy Policy describes how we protect the data entrusted to us by our clients and how we comply with applicable privacy and data protection laws. This policy is effective as of February 2026 and is incorporated by reference into all Client Master Service Agreements.
The purpose of this Policy is to:
- Demonstrate our commitment to protecting client data and respecting privacy rights
- Outline the administrative, technical, and physical safeguards we employ
- Describe how we handle incident response and breach notification
- Explain the rights available to data subjects under applicable law
- Support our readiness for SOC 2 Type II, PCI-DSS, PIPEDA, UK GDPR, and GDPR compliance
2. Information We Process
2.1 Types of Data We Process
- Website content, databases, application configurations, and business records necessary to deliver our services.
- Names, email addresses, physical addresses, phone numbers, and other identifiers that can reasonably identify an individual.
- Government-issued identification numbers, financial records, and banking details provided by clients for payment purposes. Encrypted and access-restricted.
- Analytics data (anonymized where possible), IP addresses, browser information, and pages visited. We use industry-standard analytics tools with privacy-conscious configuration.
2.2 Data We Do NOT Store or Process
Telos One explicitly does NOT store, process, or transmit cardholder data (PAN, CVV, PIN) electronically. If clients provide card data verbally for payment processing, we enter it directly into third-party processor systems and never record it in any internal system or document.
2.3 Data Classification
3. How We Protect Your Data
We implement a comprehensive information security program aligned with the NIST Cybersecurity Framework, ISO 27001, and PIPEDA requirements.
3.1 Administrative Safeguards
- Security Governance: Documented information security policy framework, reviewed and updated at least annually
- Training: All team members and contractors receive security awareness training upon onboarding and annually thereafter
- Background Checks: Conducted for all personnel with access to client data or sensitive systems
- Acceptable Use Policy: Prohibits unauthorized access, credential sharing, and bypass of security controls
- Vendor Risk Management: Risk assessments conducted on all third-party subprocessors before engagement
- Access Reviews: Quarterly for privileged accounts, semi-annual for standard accounts
3.2 Technical Safeguards
- Multi-Factor Authentication: Enforced across all systems and platforms. Hardware security keys required for administrative access. Weak methods (SMS, email OTP) are disabled.
- Encryption in Transit: All external-facing systems use TLS encryption
- Encryption at Rest: All stored data encrypted using industry-standard protocols
- Endpoint Security: Full disk encryption, auto-lock, current OS with patches, and active endpoint protection required on all devices
- Firewall & Network Security: Web application firewall, DDoS protection, rate limiting, and DNSSEC
- Secrets Management: Centralized, encrypted credential storage with role-based access, MFA, and audit logging
- Automated Backups: Encrypted, replicated offsite, and tested regularly for integrity
3.3 Physical Safeguards
Telos One operates as a fully remote, distributed workforce with no on-premises servers or physical file storage containing client data. Infrastructure is hosted with SOC 2 Type II certified cloud providers with physical access controls, 24/7 monitoring, fire suppression, and redundant power.
4. Access Control
We restrict access according to the principles of least privilege and need-to-know.
- Role-Based Access Control: Access granted based on job function, from standard users to privileged administrators
- Privileged Access Management: Hardware security keys required, all actions logged and reviewed, no single administrator has unfettered access
- Immediate Revocation: Upon role change, suspension, or termination, access is revoked immediately
- Formal Onboarding/Offboarding: Documented procedures ensure all access is properly granted or revoked
5. Subprocessors & Third Parties
We engage third-party service providers to deliver services and operate infrastructure. Our commitments:
- We maintain an updated list of all subprocessors that access or process client personal data
- We provide 30 days' advance notice before adding or replacing any subprocessor
- Clients may object to new subprocessor arrangements
- We prioritize subprocessors with SOC 2 Type II, ISO 27001, or equivalent certifications
A current list of subprocessors is available upon request by contacting [email protected].
6. Incident Detection & Response
We maintain a formal incident response plan with defined severity levels:
- P1: Executive notification within 30 minutes; immediate containment; law enforcement/regulator notification as required
- P2: Investigation team assembled; containment of affected systems; client notification within 72 hours if required
- P3: Documented investigation; no immediate client notification unless required by law
Post-incident reviews are conducted within 5 business days of any P1-P3 incident, documenting root cause, impact, and preventive measures.
7. Breach Notification
We notify affected clients of a confirmed breach within 72 calendar hours from confirmation. Notifications include:
- Description of the nature and confirmed facts of the incident
- Categories of personal data affected
- Approximate number of individuals affected
- Measures taken to contain the breach
- Recommended measures for affected individuals
We also comply with regulatory breach notification requirements under PIPEDA, UK GDPR, and GDPR as applicable.
8. Data Retention & Deletion
- Active Engagement: Data retained as necessary to provide contracted services
- After Termination: Data retained for up to 30 days for client export, then deleted within 60 days
- Expedited Deletion: Data purged within 48 hours upon client request
- Data Export: Available at any time, at no charge, in standard formats (SQL, ZIP, CSV)
- Certification: Written certification of deletion provided within 10 business days upon request
9. Your Rights
- Obtain a copy of all personal data we hold about you, within 10 business days
- Receive your data in a standard, machine-readable format (CSV, JSON)
- Request correction of inaccurate or incomplete personal data
- Request deletion of your personal data, completed within 60 days
- Object to subprocessor changes or specific third-party data processing
- Withdraw consent at any time; withdrawal does not affect prior processing
- Terminate if we materially reduce data protections
- File complaints with the Office of the Privacy Commissioner of Canada, the UK ICO, or your local EU authority
To exercise any right: [email protected] — we respond within 10 business days.
10. Privacy Law Compliance
PIPEDA (Canada)
We fully comply with all PIPEDA principles: accountability, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, and individual access.
UK GDPR & GDPR
Where we process personal data of UK or EU residents, we comply with applicable regulations including lawful basis for processing, data subject rights, and international data transfer safeguards (Standard Contractual Clauses).
PCI-DSS
Telos One does NOT store, process, or transmit cardholder data electronically. Our scope is SAQ-A — we outsource payment processing and never retain card data in any system.
11. Endpoint & Device Security
All devices accessing company systems or client data must comply with our security requirements:
- Full disk encryption (BitLocker, FileVault, or equivalent)
- Screen lock with 5-minute auto-lock maximum
- Current operating system with security patches applied within 30 days
- Active antivirus and endpoint protection
- No jailbroken or rooted devices permitted
- Annual compliance attestation required from all personnel
12. Policy Governance
- Reviewed at minimum annually
- Material changes communicated to clients with 60 days' advance notice
- Clients may terminate services if changes are unacceptable
Contact
Questions, concerns, or requests regarding this Policy:
Email: [email protected]
We aim to respond to all inquiries within 10 business days.