Privacy Policy
We are responsible for all personal information in our possession, including information transferred to a third-party service provider.
Privacy and confidentiality with respect to our clients’ information are vital to maintaining our clients’ trust and our reputation. The two terms are used so frequently when discussing client information that it is easy to confuse them.
Confidentiality is an ethical issue. It is the duty to safeguard the personal information shared between a client and Equivesto or an employee or agent of Equivesto. Privacy, by contrast, is a legal matter: the ten privacy principles set out in PIPEDA form a significant portion of Canadian privacy law and are at the heart of Canada’s federal privacy law for the private sector.
Clients’ affairs must be held in the strictest confidence. At no time does an employee of Equivesto personally benefit from privileged knowledge or disclose confidential information to allow another party to benefit from such knowledge. Equivesto employees engage in activities that may give them advance knowledge of corporate information or securities and market information. Using such knowledge or information to one’s own advantage or disclosing it to others, be it a spouse, friend, or select client, before such knowledge is generally available to the public, contravenes securities laws on insider trading and tipping, and is strictly prohibited.
Equivesto deals primarily with privately held companies. Even though these entities do not trade on stock markets, we must still hold their information in strict confidence. This includes not sharing confidential information with anyone who is not directly involved in the transactions or projects that we are working on. No industry gossiping.
Any information about a client that has been obtained in the course of doing business at Equivesto must be held in the strictest confidence. Such information includes:
Financial performance or interests of the client.
Information relating to client strategic objectives.
Personal information relating to the client, which has been collected in the marketing or client relationship process.
Material non-public information on issuer clients who are public issuers.
Principles of Privacy Law
Equivesto considers the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal privacy law for private-sector organizations, the standard by which personal information should be protected. PIPEDA sets out the rules for how businesses must handle personal information in the course of commercial activities. The following ten principles are those set out in PIPEDA.
Accountability: All officers, directors and employees of Equivesto are responsible for the client information and other confidential information under their control. The Chief Compliance Officer (CCO) is responsible for maintaining compliance with this policy. All inquiries or concerns regarding the use of client information, including information that has been transferred to a third party, must be directed to the CCO.
Identifying Purposes: The purposes for which personal client or other information is collected must be identified and documented at or before the time the information is collected. Equivesto is permitted to collect only the information necessary to fulfill the purpose of collection. The purposes for collection must be disclosed to the client before the information is gathered. Our only purpose for gathering clients’ information is to fulfill our obligations under securities laws.
Consent: The knowledge and consent of the client are required for the collection of personal information and the subsequent use or disclosure of the information. Equivesto’s Portal along with the Issuer and Investor Agreements and the Issuer Information Package address this issue and ensure that a client’s consent is obtained early in the relationship. In obtaining consent, the reasonable expectations of the client must always be considered and respected. A client may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Equivesto’s employees must inform the individual of the implications of such withdrawal.
Limiting Collection: The collection of personal information must be limited to that which is necessary for the purposes identified by Equivesto, without exception. Personal information cannot be collected indiscriminately.
Limiting Use, Disclosure, and Retention: It is prohibited to disclose client information for purposes other than those for which it was collected, except with the consent of the client or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes. Client information will be retained for a period of seven years following the end of the client relationship.
Accuracy: Client information must be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used, and as appropriate considering the interests of the client. If client information changes during a transaction, Equivesto will update its records.
Safeguards: Client information must be protected by security safeguards appropriate to the sensitivity of the information. These safeguards protect client information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Equivesto requires that all confidential information be kept in designated secure areas or approved electronic databases. Some examples of protection include the following:
Physical measures:
Doors to offices and cabinets should remain closed at all times.
Employees should safeguard client information, whether on their desk or on their computer screen, when a third party is in the office.
All electronic devices and programs containing client information should be password protected and locked when unattended.
Sensitive and confidential personal information should not be visible to the public.
Organizational measures:
Security clearances and limiting access on a “need-to-know” basis.
Technological measures:
Use of passwords
Encryption
Store client information only in secure, redundant software applications, never on a local drive.
Openness: All clients have a right to access specific information about Equivesto’s policies and procedures relating to the management of client information. The type of information available includes the following:
The name or title, and the address, of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded.
The means of gaining access to personal information held by the organization.
A description of the type of personal information held by the organization, including a general account of its use.
Information that explains Equivesto policies, standards, or codes.
Individual Access: Upon request, a client shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information within a reasonable time and at minimal or no cost. A client can challenge the accuracy and completeness of the information collected and have it amended as appropriate. In providing an account of disclosures, Equivesto is obligated to be as specific as possible about the third parties to which client information has been disclosed. When it is not possible to provide a specific list of the organizations involved, Equivesto must provide a list of the organizations to which it may have disclosed information about the client.
Challenging Compliance: A client may address any concerns with respect to compliance with the above principles to the CCO. The existence of Equivesto procedures regarding client complaints must be disclosed to clients when concerns are raised.
Breach of Privacy & Confidentiality
In the event of a breach of clients’ private or confidential information, the CCO must be notified immediately. The file opened below also serves as the breach record that PIPEDA requires organizations to keep for every breach of security safeguards; where a breach creates a real risk of significant harm to an individual, PIPEDA further requires a report to the Office of the Privacy Commissioner of Canada in addition to notifying the affected individuals. The CCO will:
Open a file which will include:
Any evidence of the breach and how it occurred
What information was exposed or potentially exposed
How many clients are affected
What steps have been taken to rectify the breach
When the breach was resolved.
Contact in writing all affected clients, including anyone within a client’s organization whose personal or confidential information may have been exposed. The communication should include:
The date the breach occurred
What information was exposed or potentially exposed
What steps are being taken to protect the client
When the breach was resolved
Any details of assistance to clients to help them monitor or safeguard their information
Any details of compensation
Cyber Security Protocols and Standards
Equivesto is a fully digital service and relies on third-party, cloud-based servers to store and manage client data. This does not, however, release Equivesto from understanding and taking active steps to reduce the risks associated with data protection and cybersecurity. Failure to understand the legal and regulatory framework governing these issues can have serious legal and financial consequences for Equivesto. It is therefore crucial that Equivesto understand this rapidly evolving area of law and governance and require all partners that provide it with e-services to comply with the following standards:
Have Privacy and Confidentiality Policies regarding end user data.
Ensure the systems and applications use the following cyber security protocols and practices:
Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), to communicate across the network and prevent eavesdropping or tampering. All versions of SSL, as well as TLS 1.0 and 1.1, are deprecated and must be disabled; TLS 1.2 or later is required.
Regular code reviews.
Advanced Encryption Standard (AES) with a key size of 128, 192 or 256 bits. The AES block size is always 128 bits; only the key length varies, and a longer key does not change how data is blocked or transferred. Under the NSA’s earlier Suite B guidance, AES-128 was accepted for information classified Secret while Top Secret required AES-256; the NSA’s current Commercial National Security Algorithm (CNSA) suite calls for AES-256 at all classified levels. NIST FIPS 197 specifies the algorithm itself.
General Data Protection Regulation (GDPR) compliant, where personal data of individuals in the EU is processed.
Payment Card Industry Data Security Standard (PCI DSS) compliant, if applicable.
EU-US Privacy Shield or Swiss-US Privacy Shield compliant. Note that the EU-US Privacy Shield was invalidated by the Court of Justice of the European Union in July 2020 (Schrems II) and the Swiss-US Privacy Shield was subsequently found inadequate by the Swiss data protection authority; vendors must instead demonstrate a current lawful transfer mechanism, such as certification under the successor EU-US and Swiss-US Data Privacy Framework or standard contractual clauses.
ISO/IEC 27001 (information security management) and/or ISO/IEC 27018 (protection of personal data in public clouds) certified.
Able to provide a current SOC 1, SOC 2 or SOC 3 report (AICPA attestation).
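The following Go program is an added example, not part of Equivesto’s policy or systems, illustrating the AES point above: the key may be 128, 192 or 256 bits, but the block is always 128 bits, and AES should be used in an authenticated mode (here AES-GCM from Go’s standard library) so that tampering with stored or transferred client data is detected rather than silently decrypted into garbage. The client record, the context string bound to it and the key sizes are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrAuth is returned when a ciphertext fails GCM authentication, i.e. it was
// modified in transit or was produced under a different key or context.
var ErrAuth = errors.New("aes-gcm: ciphertext failed authentication")

// KeyAndBlockBits reports the AES key length and block length in bits for a
// candidate key. AES always uses a 128-bit block; only the key may be 128,
// 192 or 256 bits. crypto/aes rejects any other key length.
func KeyAndBlockBits(key []byte) (keyBits, blockBits int, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, 0, err // aes.KeySizeError for lengths other than 16, 24 or 32 bytes
	}
	return len(key) * 8, block.BlockSize() * 8, nil
}

// Seal encrypts plaintext with AES-GCM under key, binding the additional
// authenticated data (aad) to the ciphertext without encrypting it. The random
// 96-bit nonce is prepended so Open can recover it. A nonce must never be
// reused with the same key.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It returns ErrAuth if the ciphertext, nonce or aad have
// been altered; no plaintext is released in that case.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, ErrAuth
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return nil, ErrAuth
	}
	return pt, nil
}

func main() {
	record := []byte("constructed sample client record: investor profile") // hypothetical data
	aad := []byte("client-id=12345;purpose=kyc")                          // hypothetical context bound to the record
	for _, bits := range []int{128, 192, 256} {
		key := make([]byte, bits/8)
		if _, err := io.ReadFull(rand.Reader, key); err != nil {
			panic(err)
		}
		kb, bb, _ := KeyAndBlockBits(key)
		sealed, err := Seal(key, record, aad)
		if err != nil {
			panic(err)
		}
		_, errOK := Open(key, sealed, aad)
		sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
		_, errTampered := Open(key, sealed, aad)
		fmt.Printf("AES-%d: block=%d bits, decrypt ok=%v, tampered rejected=%v\n",
			kb, bb, errOK == nil, errors.Is(errTampered, ErrAuth))
	}
	if _, _, err := KeyAndBlockBits(make([]byte, 20)); err != nil {
		fmt.Println("160-bit key rejected:", err)
	}
}
```

Binding a context string as AAD means a ciphertext stored for one client cannot be quietly swapped into another client’s record: the tag check fails even though the key is the same.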
Together, these controls and standards provide a combination of features including, but not limited to, the following:
Redundant back-up and restore points:
a) Back-ups must be kept in a secure location away from the main server.
b) Back-ups should be automatic, redundant, and frequent enough to capture new and changed content. The frequency of back-ups must be fixed and communicated to SCP.
c) Restoration of data should be based on the most recent back-up, with an option to use earlier back-up files. Restores should be tested periodically so that a back-up is known to be usable before it is needed.
Internal monitoring of the network for intrusions and unusual activity.
Firewalls and Distributed Denial of Service (DDoS) attack prevention.
Malware and antivirus scanning and removal
High availability and disaster recovery. A host server should have an uptime of 99.999% (at most about five minutes of downtime per year) with:
a) A complete copy of a clean, functioning server operating system for a speedy recovery from system failures.
b) Redundant hardware to guard against downtime caused by hardware failures.
c) Firewalls configured to run in pairs, with each one ready to take over the full load in case the other one fails.
d) Servers running in pairs, with each one ready to take over the full load in case the other one fails.
Load balancing
Management support
Access and user permissions
File management protocols