We are Pivotal Research, Inc. (“Pivotal Research”, “we”, or “our”). We view privacy as an integral part of our mission to deliver high quality and actionable insights.
Accreditation
The collection of information through our surveys is authorized under the Alberta Personal Information Protection Act (PIPA). Pivotal Research adheres strictly to all relevant privacy and data security legislation to ensure the highest standards of data protection and confidentiality. Data is stored on a secure internal server while the study is live, and Pivotal Research will not use your personal contact information for any other purpose than to select participants and handle incentives. Pivotal Research will ensure its secure disposal upon close of the survey and incentive distribution. Sharing of any personally identifiable information is entirely optional for our respondents; if you ever feel uncomfortable sharing your information, you may opt out at any time.
Pivotal Research is an Accredited Agency Member of the Canadian Research Insights Council (CRIC). We are proud to declare our compliance with ISO-20252. Any of our studies’ authenticity can be referenced on the CRIC website by searching the study’s unique verification code provided upon entry to the survey.
In 2019, Pivotal Research submitted a Contractor Privacy/Security Self-Assessment to Alberta Labour and Immigration to ensure our understanding and compliance with FOIP legislation.
Pivotal Research stands ready and willing to immediately engage in privacy and security assessment activities, and warrants that any project needs deemed deficient will be immediately brought to an acceptable standard.
Online Data Collection Security Features
Security: The online survey components will be programmed, monitored and maintained by our resident programmers. We have strong security systems in place, and we are vigilant about updating security patches and monitoring event logs for suspicious activity. Pivotal Research uses SQL Server to house data, and we are therefore able to use Microsoft SQL Server's security features (i.e., database permissions). Applications are run with the fewest privileges possible. A database user with limited access and privilege is allowed to perform the necessary database queries and nothing more.
Network internet security is provided, and our Internet Information Server is configured to use process throttling to prevent malicious attackers from bringing down the application. Using a firewall also enhances our level of security.
Our servers are located in a secure facility in Canada. Our file, email, and web servers are secured, and our physical firewall is locked down. Web applications are hosted on our web server, but data gathered through the portal will be stored on our SQL server. This separation provides a further layer of security for the data. Sensitive information such as usernames, passwords, or PINs is never stored in areas that may be accessible to the user’s browser. All our servers are protected by strong passwords, and complete backups are performed daily. Pivotal Research’s web server is secure, and we use our Secure Sockets Layer certificate to ensure that data is encrypted.
Reliability: Pivotal Research servers are utilized to maximize stability. If an unforeseen circumstance disrupts one of the three server hard drives, another automatically takes its place. We also run servers using redundant power supplies to minimize the risk of problems due to interruption of power supply. All our technical architecture is backed by next-day business service guarantees under warranty, which ensures that the impact of any unforeseen issue is limited.
Storage of Client Records: All Pivotal Research clients are assured that we maintain confidential information related to their project the same way we maintain our own most sensitive records. Our approach to client information includes the following aspects:
- Employees only print hard copies when necessary. If a hard copy contains sensitive information, it is shredded once it has served its purpose.
- We maintain a clean desk policy. Employees are required to lock all information in their desks when they are not in their office.
- Access to electronic files is limited to those who require access.
- Records identifying survey respondents are assigned a unique ID number. If team members need to discuss a particular record, they refer to the record only in terms of the ID number and never the name.
- After completion of the project, all records (hard copy and electronic) are destroyed on a timeline agreed upon with the client.
- We are vigilant in maintaining the highest standards of system security. Separate servers are used for web applications and data storage, and our websites and online applications are protected by a Secure Sockets Layer certificate.
Staff members are required to work and save files on the company’s secure servers. When working offsite, staff members are also required to use a secure connection and to access our servers through a VPN connection. We do not save client data files on local machine drives. As such, should equipment be lost, stolen, or accessed without authorization, confidential files, client information and data files pertaining to projects are always secure. Access to email on mobile devices requires credential authentication, and as such the confidentiality of confidential information and client correspondence is always ensured.
Given ongoing remote work, our IT personnel ensure laptop security patches are always up to date. Our email system relies on a two-step filtering process, including spam and malware software as well as Proofpoint email security, to ensure only legitimate emails can flow through our system and to minimize the risk of hacking and of access to confidential information. Data files are backed up continuously through a virtual environment. Our data backup is stored in Canada.
“Personally identifiable information” refers to any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an individual. The term does not include aggregated or deidentified information that is maintained in a form that is not reasonably capable of being associated with or linked to an individual and does not apply to other information that is excluded from privacy protections under applicable law. Personally identifiable information is not shared externally and is securely destroyed within 60 days of a project’s closing date. Requests can be accommodated from individuals who wish to have their personally identifiable information destroyed in advance of this period’s closing date.
Security Breach Protocol
In the unlikely event of a security breach, we follow a four-step process to effectively address privacy breaches should they occur.
Step 1: Identifying a breach: All staff and immediate contractors are required to inform either the Director of Research Operations or the IT Director of a possible breach. If confirmed, the President of Pivotal Research is then notified immediately.
Step 2: Assessing the breach: As a next step, we will assess the source and the extent of the breach on three dimensions: cause of breach, information compromised by breach, and impact of breach, as follows:
- Causes of breach will be assessed based on the following factors:
  - Internal breach, if caused by staff/contractor misconduct;
  - Security infrastructure-related breach, due to outdated IT equipment or software, or security protocol not being thoroughly followed;
  - External breach due to criminal activity.
- Information compromised by breach, such as:
  - Detailed information pertaining to names of individuals, confidential client data, reports and other sensitive information;
- Number of individuals or number of clients impacted by the breach;
- Method of data/information transmission.
Step 3: Informing those involved about breach: The next step in the process is to determine whether it will be required to notify the various affected external parties about the breach, and the most suitable method for notification.
Step 4: Mitigating future risk: We review all internal procedures, assess security-related protocols and IT infrastructure, and develop and implement a plan for long-term security measures and safeguards against future breaches.
If you have any further questions about how your information is being collected, used, or protected, or wish to request early deletion, please contact the Privacy Officer at feedback@pivotalresearch.ca or by phone toll free at 1-877-421-1199.