1. Introduction

This document describes how Orfolio manages data throughout its lifecycle, from collection to deletion, ensuring transparency, security and regulatory compliance.

2. Infrastructure and data residency

  • Primary hosting: Microsoft Azure Canada (Toronto).
  • All personal data is stored exclusively in Canada.
  • Multi-tenant architecture with strict logical isolation between accounts.

3. Access control

The principle of least privilege is applied at all levels:

  • Administrators: limited access to system configuration, no direct access to user content.
  • Support: restricted access to troubleshooting with explicit logging.
  • Developers: staging access only; production requires MFA and audit logging.
  • DPO: overall oversight of policies and incidents.

Two-factor authentication (2FA) is mandatory for all administrative accounts.

4. Monitoring and audits

  • All administrative actions and data access are logged with timestamps.
  • Logs retained for a minimum of 6 months, reviewed regularly.
  • Automatic alerts on any unauthorized access attempt.
  • Continuous automated vulnerability scanning.

5. Backups and disaster recovery

  • Database backups: weekly.
  • User content backups: weekly.
  • Backup retention: 30 days, redundant storage in Canada.

6. Incident notification

In the event of a data breach, Orfolio commits to:

  • Notifying affected users within 72 hours.
  • Reporting the incident to the Commission d'accès à l'information du Québec (CAI).
  • Providing clear information about the nature of the breach and measures taken.

7. Retention and deletion

  • Active subscribers: subscription duration + 30 days.
  • Inactive accounts: 6 months without activity → deletion.
  • Billing records: 7 years.
  • Audit logs: 12 months.

Permanent deletion (production + backups): within 30 days of request.

8. Third-party providers

All third parties sign a data processing agreement (DPA) ensuring Law 25 compliance:

  • Microsoft Azure — cloud hosting.
  • Stripe — payments (PCI-DSS).
  • OpenAI, Claude AI (Anthropic), Google (Gemini), DeepSeek — AI generation (user's choice).

No data is sold, rented or shared with advertisers.

9. Your rights

Access, rectification, erasure, portability (JSON/CSV), consent withdrawal. Processing time: 30 days.

Contact: rgpd@orfolio.ca

10. Contact

Data Protection Officer — Studio Orfolio
Montreal, QC, Canada
Email: rgpd@orfolio.ca