TL;DR
✔ We comply with all provisions of GDPR and PIPEDA
✔ We collect as little information as possible about you. If requested, we encrypt information that we don't require for automated functions in such a way that it can only be accessed using your password. (This is opt-in, since only companies with multiple authorized individuals will be able to recover this information if the password is reset.)
✔ We'll give you all of the information we can access about you; however, since we encrypt some of it with keys that are further hashed with a salted hash of your password, you will have to log in to access all of the information.
✔ We store your information in Canada, but send email from Ireland and route your traffic through Cloudflare.
✔ Your passwords, session keys, and cross-site request forgery mitigation tokens are all stored using salted slow hash algorithms. We hash your password on your computer before it hits the Internet so ThreeShield, Cloudflare, AWS, and any other companies that may have access to the traffic never have access to your password.
Your information is yours
In compliance with GDPR, PIPA, and PIPEDA, we will provide you with all of the information that we store about you, respond to requests to change the information, and will delete it on request. However, in addition to encrypting our entire database at rest, some business contact and position information is encrypted to prevent ThreeShield Information Security Corporation staff from accessing it without your consent. As such, you will need to be able to log into your account to view, modify, or delete your information.
Data Residency
All information on the Canadian Lavawall® console is stored and processed on servers physically located in Canada. However, the data goes through Cloudflare between your computer and our servers. Depending on your location, Cloudflare may route your data outside of Canada. In addition, we use Irish email servers for all emails sent from the Lavawall® console. This includes the additional security verification emails and notifications.
Minimal Information
In compliance with Canada's PIPEDA, Europe's GDPR, and various other privacy regulations, ThreeShield Information Security Corporation collects the minimum amount of personal data required to run the Lavawall® console. We also use one-way hash encryption techniques to allow us to secure your session from hijacking and cross-site request forgery without storing your IP address, cookie information, or browser fingerprint in a way that could be decrypted or accessed in connection with your account.
Third Parties
ThreeShield Information Security Corporation, Amazon Web Services, Cloudflare, Google, or one of our other security or hosting partners may include your IP address in web, firewall, or other logs. These logs do not include cookie or user information. However, these logs could be used to determine which Lavawall® and ThreeShield web pages you visited.
Additional information about Google is provided below.
Google
We use some Google services to understand traffic flow and to prevent abuse of the system as yet another security measure. This includes Google Analytics and Google reCAPTCHA. We have only implemented reCAPTCHA on login, signup, and other pages that don't have prior authentication. You can see if it is loaded on each page by looking for the blue and grey reCAPTCHA logo in the bottom right corner of your browser's window. reCAPTCHA works by collecting hardware and software information, such as device and application data, and sending this data to Google for analysis. The information collected in connection with your use of the service will be used for improving reCAPTCHA and for general security purposes. It will not be used for personalized advertising by Google. By using the Lavawall® console, you consent to the collection and sharing of this data with Google.
Information Sharing
We do not share any information that we collect other than for billing, collection, and operational purposes. However, we do use third-party cookies for data analytics and support purposes. These cookies are not associated with information that we collect on the Lavawall® or other ThreeShield Websites. However, third-party support tools allow you to optionally provide your name and email information for support purposes.
How We Avoid Querystrings From Identifying You
The unique querystring parameter that is included in links within the console is one of our cross-site request forgery protection techniques. That querystring parameter may be included in logs. However, that parameter is protected with a salted one-way hash in our database. As such, it cannot be directly queried without knowledge of other information stored in our database, a cookie on your computer that is hashed with the querystring parameter and not independently stored in our database, your browser fingerprint, and other random information. In addition, we only store the salted hash of that parameter in our database for up to the last five pages that you visited within the console. For this reason, excessive use of the refresh or back buttons in your browser will force you to log back into the console.
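The following is an added example, not ThreeShield's code, of the scheme described above: a per-page token is returned for the link, while the server keeps only a salted slow hash of the token combined with the cookie and browser fingerprint, for the last five pages. The use of PBKDF2-SHA256, the iteration count, the class and function names, and the sample cookie and fingerprint values are all assumptions.

```python
import hashlib
import hmac
import secrets
from collections import deque

MAX_PAGES = 5        # the policy says hashes are kept for the last five pages
ITERATIONS = 50_000  # assumed work factor for the slow hash

def _digest(salt, token, cookie, fingerprint):
    # Length-prefix each part so ("ab", "c") and ("a", "bc") hash differently.
    material = b"".join(
        len(p).to_bytes(4, "big") + p
        for p in (token.encode(), cookie.encode(), fingerprint.encode())
    )
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)

class PageTokenStore:
    """Server-side state: (salt, hash) pairs only, never token, cookie or fingerprint."""

    def __init__(self):
        self._recent = deque(maxlen=MAX_PAGES)  # oldest entry drops off automatically

    def issue(self, cookie, fingerprint):
        token = secrets.token_urlsafe(16)
        salt = secrets.token_bytes(16)
        self._recent.append((salt, _digest(salt, token, cookie, fingerprint)))
        return token  # placed in the link querystring; not stored server-side

    def verify(self, token, cookie, fingerprint):
        ok = False
        for salt, stored in self._recent:  # check every slot, no early exit
            candidate = _digest(salt, token, cookie, fingerprint)
            ok |= hmac.compare_digest(candidate, stored)
        return ok

def demo():
    store = PageTokenStore()
    cookie, fp = "constructed-cookie-value", "constructed-fingerprint"  # sample values
    tokens = [store.issue(cookie, fp) for _ in range(6)]  # six page views
    return {
        "latest_ok": store.verify(tokens[-1], cookie, fp),
        # Going back a sixth page fails, which is why the console forces a new login.
        "sixth_back_rejected": not store.verify(tokens[0], cookie, fp),
        # A token read from a log is useless without the matching cookie.
        "log_only_rejected": not store.verify(tokens[-1], "other-cookie", fp),
    }
```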
Personal and Business Information
We collect business contact information, including your name, business address, telephone number, business function, and email address solely for the purpose of configuring the Lavawall® service and communicating with you in relation to your use of the Lavawall® and related services, including billing and customer relationship management. We may determine your country or approximate geographic location in order to provide geographically-appropriate information and for billing purposes. We do not collect other personal information except for personal email addresses and names from people who send us email from personal accounts.
Tracking
We store a cookie on your computer to keep you logged into the service. It expires after one year and is only accessible by Lavawall.com through secure web access by HTTPS, with script access disabled. We also give your computer a unique identifier that lasts until you visit another Lavawall® console page. This identifier is passed through links and web forms and provides additional protection against some attacks that may be able to access your cookies.
IP Address
Although your IP address is not stored as part of your Lavawall® account, your IP address may appear in our web logs, which may include the unencrypted version of a random number that we assign to every page access in your account. This number is stored in our database using a one-way hash that is salted with many other factors. As such, it is very unlikely that your IP address would be tied to your account through this value. We also store IP addresses associated with failed login attempts. However, once you successfully log in from that IP address, it is disassociated from your account. Finally, we do store IP addresses on the same network as your Lavawall® hardware devices as you request within the console.
Denied Access
We do not deny products or services to individuals who fail to consent to the collection and use of the above Personal and Business Information beyond what is required for this console to work. However, since email addresses are used through some of our authentication methods, it is not possible to log into the Lavawall® console without authorizing the use of this information.
System Information
The Lavawall device (as opposed to this console) collects information about data and systems on your network for security and PCI compliance purposes. This includes the MAC and IP addresses of systems on the network, open ports, DNS names, IP addresses and FQDNs of accessed sites (such as payment gateways), and frequency of access. The training system uses names and email addresses along with your business function (such as front desk cashier, IT, or management) in order to customize training for your position.
Legal Stuff
We might disclose personal or business information if we're required to do so to comply with court orders or when your actions violate one or more agreements that you have with us. However, we do not sell or otherwise provide your information to other companies for the marketing of their own products or services.
Questions or concerns?
Contact our designated privacy officer through the ThreeShield contact form at
https://www.threeshield.ca/contact.