Information Security Policy
This policy was adopted in accordance with Law 25, which requires companies to adopt and implement an information security policy, keep it up to date, and ensure its application.
1. Objective
The firm, hereinafter referred to as "BIA," is committed to ensuring the protection of confidential information entrusted to it.
BIA commits to restricting access to confidential and sensitive data to prevent it from being lost or compromised, so as not to harm our clients or our employees, to avoid non-compliance sanctions, and to avoid damaging our reputation. At the same time, we must ensure that users can access the data they need to work effectively.
This Policy is not expected to eliminate all data theft. Its main objective is rather to raise user awareness and prevent scenarios of accidental loss, which is why it describes the requirements for data leak prevention.
2. Scope
2.1 Within the scope
This Data Security Policy applies to all customer information, personal data, or other BIA data that relates to a natural person and allows their identification. It therefore applies to all servers, databases, and computer systems that process these data, including any device regularly used for email, web access, or other professional tasks. Any user who interacts with BIA's IT services is also subject to this Policy.
We collect personal information in several ways, including through our website (cookies), through our online forms, when you communicate with us by phone and email or post content on our social media accounts, and in the course of the mandates entrusted to us. This information includes your name, first name, mailing address, email address, phone number, and any other information necessary for the performance of the entrusted mandates.
Our site collects the cookies necessary for the use of Google Analytics. These include public statistics, IP address, the date and time of connection, the time and duration of the visit, as well as the pages viewed. We use these cookies to compile statistical data on the use of our website to improve the experience.
Financial data is managed by our external providers, namely our financial institution and the secure payment service Square. If we must temporarily collect your credit card data by phone at your request to help you complete a transaction, this data will be entered into our provider Square's system and the temporary medium used to record it will be destroyed.
2.2 Outside the scope
Information classified as public is not subject to this Policy.
The BIA site offers hyperlinks to other sites. Information exchanged on these sites is not subject to this Privacy Policy, but to that of the external site, if one exists.
3. Policy
3.1 Principles
Personal information held by BIA is essential to its current activities. As such, the firm recognizes that it must be subject to constant evaluation, appropriate use, and adequate protection. The level of protection that personal information must receive is established based on its importance, its confidentiality, and the risks of accident, error, and malice to which it is exposed.
BIA will provide all its employees and subcontractors access to the information they need to do their job as efficiently as possible.
3.2 Generalities
3.3 Access Control Authorization
Access to BIA's IT resources and services will be granted through a unique user account and a complex password.
3.4 Access to BIA Data in the Cloud
3.5 User Responsibilities
3.6 Access to Applications and Information
3.7 Access to Confidential and Restricted Information
Access to data classified as "confidential" or "restricted" is limited to authorized persons whose professional responsibilities require it, as determined by the Data Security Policy or management.
3.8 Data Retention
The firm retains personal information as long as necessary for the purposes described in this Policy. To comply with the legal obligations of the profession, this personal data will be retained for a minimum of 7 years after the completion of a mandate.
4. Technical Guidelines
Access control applies to all networks, servers, workstations, laptops, mobile devices, web applications, websites, cloud storage, and services.
5. Reporting Requirements
6. Responsibilities
7. Enforcement
Any user who violates this policy is subject to disciplinary sanctions, up to and including dismissal. Any third-party partner or subcontractor caught in violation may have their network connection suspended.
8. Revision History
Version | Revision Date | Author | Description of Changes |
---|---|---|---|
1.0 | 2023-09-12 | R. Brunel, Personal Information Protection Officer | Initial Version |