Customer Data Protection Privacy

Definitions

Customer” means the organization that Provance has licensed software to or entered into a contract with to provide Work.
Customer Data” means all Customer Data, including: (1) all text, sound, or image files that are provided to Provance or its
subcontractors by, or on behalf of, Customers; (2) all reports, logs, files, or other data provided to Provance that relate to the
Work; (3) Personally Identifiable Information (PII) included within the data provided by the Customer; and (4) Healthcare
Data included within the data provided by the Customer. Publicly available data is not considered Customer Data.
Work” means the agreement between Provance and its Customers, Partners or Microsoft where Provance is to provide
services including support under Statements of Work, work orders or Support Agreements.
Security Incident” means any unlawful or unauthorized access to Customer Data, or any unlawful or unauthorized access to
equipment or facilities used in processing data, that results in confirmed or highly suspected loss, disclosure, or alteration of
Customer Data.
Personally Identifiable Information” (PII) means any information relating to an identified or identifiable individual. Such
information may include name, country, street address, email address, credit card number, social security number,
government ID number, IP address, or any unique identifier that is associated with PII in another system.

Introduction to Customer Data Protection

Core to the Provance mandate as an enterprise is our goal to ensure that our Customers’ data is protected at least as well as
our corporate secrets. It is important to recognize the trust that Customers place in Provance when sharing access to their
systems or data that belongs to the company.

Customer Data protection is a shared responsibility for all Provance employees and contractors. Provance is privy to data in
many forms either from explicit access to Customer systems or through work done as part of professional services such as
data imports through to Customer support and any dumps or traces or logs that are provided by the Customer to troubleshoot.

Definition of Customer Data

Within this document, “Customer Data” specifically means non-public Customer information provided by the Customer or
gathered by tools and queries that the Customer is asked to run or that are part of our application.
Two levels are used as follows:
• Customer Sensitive
• Customer Confidential

SENSITIVE CUSTOMER DATA

This level of data protection indicates that access is restricted to roles that have a need to access and that the data protection
must be at the highest available levels. This designation is applied to billing data and selected application and configuration
(technical) data. Sensitive technical Customer Data includes financial data, usernames, computer names, IP addresses or
other identity-specific data items and where disclosure might create a security risk or breach of privacy for the Customer and
includes;

  • PII data provided by Customer
  • Disclosure of data while accessing a Customer site
  • Screen scraping data while connected
  • Exporting data from restricted sites
CONFIDENTIAL CUSTOMER DATA

This level of data protection indicates that the information is generic and does not require the same restrictions or protection
technology as sensitive data. This type of data typically identifies the Customer name and contact information as typically
required through the course of business including product support, invoicing or email communication. Provance has an
obligation not to disclose or release this data externally but can freely share the information between multiple internal
organizations.

Administrative, Technical and Physical Controls

Provance does not, as a course of normal business copy or store on Provance servers or computer systems Customer Sensitive
information. If shared with Provance, Customer Sensitive or Confidential information are stored and available in Microsoft
online services and data centers (Office 365, Dynamics 365, Teams, SharePoint). This ensures that the highest industry Data
and Security standards are protecting our Customers Data as outlined under the Microsoft Trust Center. If Customer Data
has to be stored on local Provance computers to perform Customer work, those devices are encrypted with Microsoft Bitlocker and password protected.
Data protection begins with administrative controls such as employee clearance, education and need-to-access roles.
Technical controls identify the technology used to protect and electronically control access to the data. Physical access
controls identify the methods used to limit physical access to the locations where the data is stored.

Employee Clearance and Education

New Hire

Provance completes pre-hire background checks on all employees and subcontractors performing work on behalf of Provance
that will require access to Customer owned or leased facilities, or that require network access (“Individual” or “Individuals”)
or that will access Customer Data. This policy is a result of proactive planning and is similar to other pre-placement policies
throughout the industry. Additionally, this policy is intended to help reduce corporate losses from theft and reduce potential
corporate liability by contributing toward a safer and more secure work environment for everyone.

Education

The educational requirements are straightforward. Upon starting, a new employee is briefed about our security policies and
procedures. For those roles, deemed to require access to Customer Data as outlined below, individuals are trained initially as
part of the new hire orientation. As part of our annual company meeting, all employees are refreshed on the guidelines and
procedures.

Access to Customer Data

Provance always limits access to Customer Data as part of its best practice implementation on a need to know basis.

ROLES

Roles which may have access to billing data but not technical data:

  •  Sales and Marketing
  • Administration, Finance and Governance

Roles which may have access to technical Customer Data but not technical data:

  • Consulting Services
  • Managed Services
  • Customer Support
  • Quality Assurance
  • Development
OVERSIGHT

A designated security owner is responsible for oversight of the policy as documented. The Customer Data Protection Policy
is reviewed as required and at minimum annually to ensure it contains current best practices.

Access

Headquarters is located at 885 Carriere Boulevard Suite 100, Gatineau, Quebec, Canada. The building and main office is
secured by key locks. HireRight has conducted a physical validation of our office and security controls in 2020 as part of their
onboarding service.

Outsourced Services

Provance’s data center resides within the Smith data center, a third-party IT Service company located at 490 Saint Joseph
Boulevard, Suite 300, Gatineau, Quebec, J8Y 3Y7. Employee access to the data center is strictly limited and requires access
card permissions. The data center meets Canadian Federal security requirements. Only Provance internal information is
stored at Smith.

Microsoft online services and data centers (Office 365, Dynamics 365, Teams, SharePoint) and Intuit Quickbooks Online are
the only solutions used by Provance that contain Customer Data. Multi-factor authentication is mandatory for all employees.
This ensures the highest industry Data and Security standards are protecting our Customers Data. For more information
consult the Microsoft Trust Center.

Remote Office

While Provance does have employees who work outside of HQ, any Provance or Provance Customer Data must be stored on
Provance owned or approved devices. Customer Data is required to be protected using the approved technology at all
locations. Employees are encouraged to follow recommendations as outlined by US Cyber Security and Infrastructure
Security Agency.

Access to Customer-owned Networks

Access to Customer-owned networks include causal or part-time access for support and consulting services as well as any
fulltime managed services engagements. Those employees, which have access to Customer networks and applications, follow
both Provance’s code of conduct as well as the Customer’s access rules. Customer Data should not be copied or exported to
Provance devices without the express knowledge and consent of the Customer. If such data is resident outside the Customer’s
network, it is covered by the Data Storage policies below.

SECURE ACCESS DEVICES

If Secure Access Devices are provided by the Customer, they are not to be shared with anyone except the designated Provance
Employee.

CUSTOMER ACCESS CREDENTIALS

Limited and are not to be shared unless Customer instructed Provance to share the credentials in writing.

Data Storage Policies

All Customer Data is protected both by network access (domain username and password) as well as by approved technology
such as drive or data encryption.

Cloud Based Data Storage

If Customer Data is to be stored externally on cloud-based storage, the Customer can designate the region that the data must
reside in.

Local Data Storage

Approved devices that have Customer Data must have secure data encryption in place to ensure that access to the data is
not compromised by removal of the media and attachment to another device. Provance leverages Microsoft’s Bit-locker
software to protect data on portable devices like laptops and tablets.

Document and Data Retention Periods, Storage and Disposal Guidelines

Customer, HR and Finance documents are stored in secure folders and hardcopy documents as applicable are in secured
file cabinets or rooms.

• HR related documents are maintained for the life of the file plus one year, except for Employee contracts that are
maintained permanently.
• Financial records are maintained for 7 years.
• Project and contract specific information is maintained for the Life of Project.
• Customer Data, resulting from Client Delivery projects, is encrypted and retained for the life of the engagement
or destroyed sooner if it is no longer applicable.
• Documents of external origin are retained as required in SharePoint.
• Expired/ outdated or obsolete documentation is deleted or discarded in recycling bins to be shredded. Any
confidential records or documents marked Customer or Provance Confidential are also shredded.

Password Protection

All devices must be password protected with industry standard “strong” passwords that are 12 or more characters in length;
a mix of letters (upper and lower case), numbers, and symbols, no ties to personal information, and no dictionary words.
Passwords must be secured and are not to be written down. The same password should not be used across multiple
applications, email and other websites holding sensitive personal data so that if a breach occurs the password has not now
exposed the other services to the risk of being breached as well.

Security Incident

An actual or suspected Security Incident must be reported immediately to the designated security owner so that Provance
can take immediate action to notify the Customer of a potential data breach and to co-ordinate the response and remediation
with all stakeholders.

If you have questions about this Customer Data Protection Policy, please email us at info@provance.com