A Team of Cybersecurity Experts
Everyone on ThreeShield's technical team is based in Canada, has passed a Canadian police background check, and has a combination of information security degrees, diplomas, and certifications.
This formal training combined with proven procedures, proactive monitoring and IT management, and oversight means that our clients experience a completely different level of IT reliability and support than they would from a typical "IT Guy" or "IT Managed Service Provider" that provides basic, reactionary IT support to put out fires.
Our Level 2+ support means that you don't have to talk to a dispatcher who then escalates your call through a few levels of support until you reach someone who knows what they're talking about.
Whoever answers your cybersecurity support call at (403) 538-5053 has experience, training, and a direct connection with your company. We don't outsource to a call center, so your team is consistent and likely sees the same weather you do (although we do have staff from BC, Alberta, and Ontario to make sure we cover your working hours).
Oversight and Leadership
One of our founders oversees all security engagements. Chris easily translates business requirements into security controls with help from his:
- MBA and Computer Science degrees,
- CISSP (Certified Information Systems Security Professional),
- CISA (Certified Information Systems Auditor),
- PCIP (Payment Card Industry Professional), and
- other security certifications.
His two decades of experience in information security includes energy companies, such as Syncrude Canada; the Office of the Auditor General of Alberta; banks, colleges, and universities in Alberta; large corporations like United Technologies, Pratt & Whitney Canada, Sikorsky; critical infrastructure; and large cloud-based entertainment infrastructure for Second Life and other organizations.
The Court of Queen's bench has certified Chris as an expert in the general area of cyber security and he serves as an Expert Witness in cases that involve information security vulnerabilities and privacy, including social media.
ThreeShield provides small and medium-sized enterprises the rare opportunity to benefit from his extensive experience at a fraction of the cost.
Our Internal Security Practices
During the assessment process, we request your configuration information, policies, and related documentation. We understand that this is sensitive information and protect it the same way that we protect our own. Here are some of the controls that we employ:
Encryption
Data in transit: All data in transit is encrypted using TLS 1.2 or higher (SSL support has migrated to TLS; threeshield.ca no longer supports SSL or outdated TLS versions)
Data at rest: All sensitive information is encrypted using AES. Your audit information is encrypted using an encryption key that is unique to your company if stored in our proprietary systems. If you elect to share data through our SharePoint system, it is also encrypted at rest and in transit as described here. All ThreeShield staff use MFA and conditional access for our access. However, access delegated to your company relies on your company's security configuration.
Removable media: All customer data on ThreeShield's removable media (including SD cards and USB drives) is stored within encrypted containers, so if it is ever misplaced or stolen, it will remain protected.
Passwords: Our secure internal client documentation request system uses multi-factor authentication that relies on a combination of your email, a cookie that we use to recognize your computer, and your computer's network. However, during the registration process, we request a password for you to use to confirm your identity in case you need to send us information from a new computer or network (used in combination with email verification). We never store the actual password. Instead, we use slow one-way salted hashing algorithms (PBKDF2 and Argon2). This means that even if our password database is compromised, your password will not be disclosed. If someone tries to "brute force" your password by reverse-engineering the hash, the amount of time it would take to crack it would be infeasible -- much longer than with other industry standards, such as SHA256.
Our email and accounting systems, which may contain your information are also protected by multifactor or 2-step authentication.
Bug Bounty
Please Contact us to enroll in our bug bounty program for Lavawall® and ThreeShield assets.
Note: third-party services and code (except for missing patches) are excluded from this program.
Information related to your systems for support and active management purposes may be held in ZenDesk and Microsoft systems.
Support Information
Information related to your systems for support and active management purposes may be held in ZenDesk and Microsoft systems.
Warranty
We take reasonable steps to maintain the security of the information that we collect, including limiting the number of people who have physical access to our database servers, as well as the aforementioned encryption, architecture, and other security controls that guard against unauthorized access. However, no data transmission over the Internet can be guaranteed to be completely secure. Accordingly, we cannot ensure or warrant the security of any information that you transmit to us, so you do so at your own risk.
Data Architecture
- Data disaggregation: in our proprietary systems, instead of storing all of your information in one place or in one record in our database, we store each item separately and do not directly associate it with your company.
- We use slow, salted PBKDF2 and/or Argon2 links to connect your information together. This means that even if our customer information database gets compromised, our encryption key store gets compromised, and information is somehow decrypted, it would take an infeasible amount of time to figure out which information belongs to which company -- right down to your phone number. This level of data disaggregation does not apply to support-related systems that we did not develop internally.
- If you elect to share information through SharePoint, it will be protected using Microsoft processes. We internally limit access to client information stored in SharePoint, have conditional access enabled for geographic and other risk-related attributes, and require all staff to use MFA.
Data Retention
- All of your data -- including backups -- will be deleted within 15 days of your request or contract termination
- All client data that hasn't been modified for 7 years will be deleted. Most of our clients receive annual in-depth assessments. Retaining information helps to decrease the cost in subsequent years and help to decrease the cost of additional ISO, PCI, NERC, and other compliance efforts. However, in the third year, information that hasn't been updated will be requested again. We also provide the option of deleting all data following each annual review.
- You always have access to all of your data and can modify or delete it whenever you like.
Employees
All employees and contractors with access to customer information are required to complete successful background checks, which includes information checks with local, provincial, Canadian Police Information Centre, and RCMP National repository criminal record systems.
All employees that provide training in schools, to children, or to seniors are required to complete successful vulnerable sector criminal background checks.
Our Privacy Policy
Your Information
We do not rent, sell, or trade any of your information with third parties.
We use third-party hosting and load balancing providers. Although your data is encrypted, it is possible that our hosts may have access to your information while it is temporarily decrypted in memory. Your information may also be stored in our hosted accounting and customer relationship management tools.
Cookies & content
We use cookies and/or other content from:
- threeshield.ca and threeshield.com as part of our authentication process and to understand our web traffic patterns
- CloudFlare to protect against web-based attacks
- Google Analytics and HotJar to help understand our web traffic patterns
- Google, Facebook, and Twitter to track results from advertising on these services
- ZenDesk to help us provide you with faster service through live chats
- Twitter to display our Twitter feed
If you pay a ThreeShield Information Security Corporation invoice by credit card, you may receive cookies from QuickBooks, Plooto, or other payment providers.
Advertising
We do not use third-party advertising products, such as Adwords, to advertise for third-parties on our website. However, we do advertise on other websites.
We do include links to our own products (sold through ThreeShield Information Security Corporation (Canada) and ThreeShield Information Security LLC (California)) and links to our partners, including Amazon, LastPass, KnowBe4, and Inspired eLearning.
Full Privacy Policy
This privacy policy has been compiled to better serve those who are concerned with how their “Personally identifiable information” (PII) is being used online. PII, as used in privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. Please read our privacy policy carefully to get a clear understanding of how we collect, use, protect or otherwise handle your Personally Identifiable Information in accordance with our website.
What personal information do we collect from the people that visit our website?
When ordering or registering on our site, as appropriate, you may be asked to enter your name, email address, postal address, postal code, phone number, customer satisfaction information, or other details to help you with your experience.
We may also maintain your purchase history, platform information, and experience through our website.
When you visit our website, we collect information about your computer, including your IP address, the type of operating system and browser you use, your computer's location, what pages you visit on our site and what links you click on, and the site that referred you to our website.
If you elect to pay be credit card, we may direct you to provide your credit card information to a PCI-certified third-party credit card processing company. We do not store, process, or transmit any of your credit card information on our own systems.
When do we collect information?
We collect information from you when you register on our site, place an order, subscribe to a newsletter, fill out a form or enter information on our site.
How do we use your information?
We may use the information we collect from you when you register, make a purchase, sign up for our newsletter or security notifications, respond to a survey or marketing communication, surf the website, or use certain other site features in the following ways:
process your transactions.
send periodic emails regarding your order or other products and services.
verify your identity
send you information security updates
respond to complaints
customer relationship management
delivery services
If it's a necessary part of any of these transactions, we may disclose your information to another company. For example, we provide your email address to MailChimp to send our security notifications and newsletters. We also pass on your name and address to a courier company to complete a delivery. If you elect to pay by credit card, you will enter that information directly into a third-party credit card processing company's website.
How do we protect visitor information?
Our websites are periodically scanned to detect vulnerabilities. Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all information sent to or from the website is encrypted via Transport Layer Security (the successor to Secure Socket Layer (SSL) technology).
We implement a variety of security measures when a user places an order enters, submits, or accesses their information to maintain the safety of your personal information. All passwords are stored using secure one-way hashes, so even if our databases are compromised, your password will not be easily accessible.
All transactions are processed through a gateway provider and are not stored or processed on our servers. Only authorized employees, agents and contractors (who have agreed to keep information secure and confidential) have access to this information. All emails and newsletters from this site allow you to opt out of further mailings.
For further information, please see our Internal Security Practices section.
Do we use 'cookies'?
Yes. Cookies are small files that a site or its service provider transfers to your computer's hard drive through your Web browser (if you allow) that enables the site's or service provider's systems to recognize your browser and capture and remember certain information. For instance, we use cookies to allow you to view information you have previously submitted. They are also used to help us understand your preferences based on previous or current site activity, which enables us to provide you with improved services. We also use cookies to protect our site from attack, power our chat tool, and help us compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future.
We use cookies to:
Understand and save user's preferences for future visits.
Authenticate you for future visits
Compile data about site traffic and site interactions in order to offer better site experiences and tools in the future. We may also use trusted third-party services that track this information on our behalf.
We use third-party cookies to:
protect against web-based attacks (CloudFlare)
understand our web traffic and correct problems (Google Analytics, HotJar)
track the results from advertising with third parties (Google, Facebook, Twitter)
provide you with faster service through live chates (MyLiveChat)
display our Twitter feed (Twitter)
You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser (like Internet Explorer) settings. Each browser is a little different, so look at your browser's Help menu to learn the correct way to modify your cookies.
If users disable cookies in their browser:
If you disable cookies, some features will be disabled It will turn off some of the features that make your site experience more efficient and some of our services will not function properly.
However, you can still place orders
software license, orders, and automatic form completion.
Third Party Disclosure
We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. However, we may use third parties to store your information. For example:
Encrypted on a third-party website hosting provider
In a hosted accounting or customer relationship management system
Third party credit card processing companies
We will also disclose your personal information if we are required by law to do so.
How do you get my consent?
When you provide us with personal information to complete a transaction, verify your credit card, place an order, request addition to our newsletter list, arrange for a delivery or return a purchase, or complete a web form, we assume you consent to our collecting it and using it for that specific reason only.
If we ask you for personal information for a secondary reason, like marketing, we will ask you directly for your consent and also provide you with an opportunity to say no. Saying no is called "opting out". By opting out, you can tell us not to collect the information and/or not to share it with other companies. You may only "opt in" to subscribe to our newsletter. That is, you must actively check the subscription box or enter your email address in the single-purpose security notification request form.
How do I opt out
Complete our contact form and request to opt-out.
Third party links
We do not use third-party advertising products, such as AdSense, to advertise for third-parties on our website. However, we do advertise on other websites using Adwords and other service providers.
We do include links to our own products (sold through ThreeShield.com) and links to our partners, including Amazon, LastPass, KnowBe4, and Inspired eLearning.
Google
Google's advertising requirements can be summed up by Google's Advertising Principles. They are put in place to provide a positive experience for users. https://support.google.com/adwordspolicy/answer/1316548?hl=en
We have not enabled Google AdSense on our main site, but we may do so in the future. Google AdSesnse is integrated into the help pages of some of our trial software. These pages are hosted by www.threeshield.com.
California Online Privacy Protection Act
CalOPPA is the first state law in the United States to require commercial websites and online services to post a privacy policy. The law's reach stretches well beyond California to require a person or company in the United States (and conceivably the world) that operates websites collecting personally identifiable information from California consumers to post a conspicuous privacy policy on its website stating exactly the information being collected and those individuals with whom it is being shared, and to comply with this policy. - See more at: http://consumercal.org/california-online-privacy-protection-act-caloppa/#sthash.0FdRbT51.dpuf
According to CalOPPA we agree to the following:
Users can visit our site anonymously. Our Privacy Policy is on this page. The link to the policy is in the footer and includes the word 'Privacy', and can be easily be found on this page.
Privacy Policy Change Notifications:
Our latest privacy policy will be posted on our about-us page (this page).
If you would like to be actively notified about any changes to this policy, please let us know through our contact form at https://www.threeshield.ca/email.
How does our site handle do not track signals?We don't honor do not track signals and do not track, plant cookies, or use advertising when a Do Not Track (DNT) browser mechanism is in place. We don't honor them because:
The only persistent tracking is through Google Analytics, which does not track individuals, but provides us with aggregate information. In addition, cookies are used to automatically apply software licenses. These are not used for tracking purposes, but ensure that paid licenses are applied automatically. We do track individual sessions through our real-time web chat service provided through MyLiveChat. While you are on the website, the pages that you visited in the threeshield.ca and threeshield.com domains are visible to our internal chat operators. If you do not engage a chat session, this information is not retained.
Does our site allow third party behavioural tracking?We may capture some anonymous behavioural information to understand how our web pages are viewed. We also allow third-party behavioural tracking to understand aggregate website usage through Google Analytics. While you are on the website, the pages that you visited in the threeshield.ca and threeshield.com domains are visible to our internal chat operators through the third-party tool, MyLiveChat. If you do not engage a chat session, this information is not retained.
COPPA (Children Online Privacy Protection Act)When it comes to the collection of personal information from children under 13, the Children's Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, the nation's consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children's privacy and safety online.
We do not specifically market to children under 13.
Fair Information PracticesThe Fair Information Practices Principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.
In order to be in line with Fair Information Practices we will take the following responsive action, should a data breach occur: We will notify the users via email
Within 7 business days, we will notify the users via in site notification
Within 7 business days
We also agree to the individual redress principle, which requires that individuals have a right to pursue legally enforceable rights against data collectors and processors who fail to adhere to the law. This principle requires not only that individuals have enforceable rights against data users, but also that individuals have recourse to courts or a government agency to investigate and/or prosecute non-compliance by data processors.
CAN SPAM Act
The CAN-SPAM Act is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have emails stopped from being sent to them, and spells out tough penalties for violations.
We collect your email address in order to:
Send information, respond to inquiries, and/or other requests or questions.
Process orders and to send information and updates pertaining to orders
We may also send you additional information related to your product and/or service.
Market to our mailing list or continue to send emails to our clients after the original transaction has occurred
To be accordance with CANSPAM we agree to the following:
NOT use false, or misleading subjects or email addresses
Identify the message as an advertisement in some reasonable way
Include the physical address of our business or site headquarters
Monitor third party email marketing services for compliance, if one is used.
Honor opt-out/unsubscribe requests quickly
Allow users to unsubscribe by using the link at the bottom of each email
If at any time you would like to unsubscribe from receiving future emails, you can
Follow the instructions at the bottom of each email.
Correcting or Deleting Information
If you would like ThreeShield to delete or change your personal or company information, please do so in your "my info" page, in your portal, or documentation request system. If you would like to change information not contained in these systems or do not have access to these systems, please use our contact form at https://www.threeshield.ca/email to send us your request. We will notify you of our actions within seven business days.
Questions or Concerns
If there are any questions regarding this privacy policy or any possible misuse of personal data, you may contact us using the information below:
Electronic Mail
Please use our contact form at https://www.threeshield.ca/email
Telephone
Calgary: 1-403-538-5053
Edmonton: 1-780-666-4363
Vancouver: 1-778-731-1339
Toronto: 1-289-724-8829
California: 1-510-214-6010
Postal Mail
105, 11500-29th St. SE,
Calgary, Alberta,
T2Z 3W9
Canada
You can also contact the Privacy Commissioner of Canada for assistance between the hours of 8:30 a.m. to 4:30 p.m. est, at:
Toll-free: 1-800-282-1376
Phone: (819)994-5444
Fax: (819)994-5424
TTY: (819)994-6591
or by mail at:
30 Victoria Street
Gatineau, Quebec
K1A 1H3
or on the web at:
http://www.priv.gc.ca
You can also contact your Provincial or Territorial Privacy Commissioner's office for more information:
Office of the Information and Privacy Commissioner of Alberta
410, 9925 - 109 Street, Edmonton, Alberta T5K 2J8
Phone: (780) 422-6860
Toll Free: 1-888-878-4044
Email: [email protected]
Web Site: http://www.oipc.ab.ca
Social and Environmental Impact
Community Involvement
In addition to being active members of the Information Security community, we proudly support Safe and Secure Online. This is a flagship online safety program that teaches children, parents, grandparents and whole communities how to protect themselves online and become responsible digital citizens. If you are interested in a free security awareness presentation at your school, library, or other organization, please contact us.
We donate 10% of our consulting fees to the non-profit charities and community associations that we serve in the city of Calgary with the objective of maintaining Calgary as an attractive city for headquarters and to raise families. However, our focus remains Safe and Secure Online because the security threats that businesses face often extend to employee homes. Security-conscience families in a vibrant city help to secure our clients.
Mission Statement
ThreeShield’s overall mission is to responsibly protect our fellow Canadians' information and promote prosperity for mid-sized organizations for current and future generations. This mission guides our service offerings.
This includes prioritizing information security services to the companies that need it most: the 99.7% of companies in Alberta that have under 500 employees, which employ 55% of Albertans. In addition to protecting companies from attackers, ThreeShield is committed to supporting Albertans by providing free security awareness training to children and their parents.
Equality & Community
ThreeShield Information Security Corporation is a for-profit company. However, shareholder profits and executive compensation don’t need to come at the expense of our employees. As part of this commitment, at least 50% of our pre-compensation income is reinvested into our employees and communities.
Truth and Reconciliation
ThreeShield acknowledges that:
our Calgary team members work on the traditional territories of the people of the Métis Nation of Alberta, Region 3 within the historical Northwest Métis Homeland and Treaty 7 region in Southern Alberta, which includes the Blackfoot Confederacy (comprising the Siksika, Piikani, and Kainai First Nations), as well as the Tsuut’ina First Nation, and the Stoney Nakoda (including the Chiniki, Bearspaw, and Wesley First Nations)
our Vancouver team members work on the unceded traditional territories of the xʷməθkʷəy̓əm (Musqueam), Sḵwx̱wú7mesh (Squamish), and səlilwətaɬ (Tsleil-Waututh) Nations
our Mississauga team members work on the treaty land and territory of the Mississaugas of the Credit First Nation, and the traditional territory of the Huron-Wendat, Anishinaabe and Haudenosaunee First Nations.
We respect the histories, languages, and cultures of First Nations, Metis, Inuit, and all First Peoples of Canada, whose presence continues to enrich our community.
Environmental Sustainability
Where possible, we minimize waste and energy use through the following:
Electronic audit forms to replace paper checklists
2-sided printing on recycled paper
Requirement to include public transportation in travel plans, where possible
We prioritize companies with under 500 employees. These organizations typically do not have the internal resources to protect their employee and customer information.
In addition to providing security awareness and compliance training for our clients, we provide free cyberbullying and information security training to keep children safe. ThreeShield pays its Certified Information Systems Security Professionals for up to four days of work per year to provide volunteer “Safe and Secure Online” training at Calgary schools, PTAs, churches, and other community organizations.
Performance
“SAFE AND SECURE ONLINE” VOLUNTEER TRAINING
👍 | | 183 elementary school students taught (goal > 50) |
👍 | | 16 teachers taught (goal: > 2) |
👍 | | 12 parents taught (goal: > 5) |
ENVIRONMENTAL IMPACT
👍 | | 100% of audit work papers were automated, encrypted, and paper-free. (goal > 75%) |
👎 | | 75% of client interview and inspection notes were electronic. (goal = 100%) |
INCLUSION
Our goal is to mirror the demographics of Calgary and Computer Science graduates.
👍 | | 29% of employees and contractors were female (goal: >18%) |
👍 | | 50% of management team were female (goal: 40-60%) |
👍 | | 43% of employees and contractors identified as visible minorities (goal: 25-45%) |
👍 | | 14% of employees and contractors spoke French (goal: > 5%) |
STAKEHOLDER FEEDBACK
Please provide environmental and social impact feedback through our contact form.
RANGE OF COMPENSATION
👍 | | Highest salary was 1.6x average hourly average paid to all employees and contractors (goal < 15x) |
Legal
ThreeShield Information Security Corporation is a Canadian federal corporation incorporated under the Canada Business Corporations Act and is registered in Alberta as an extra-provincial corporation.
GST Account #79028 2099 RT0001
Related companies include ThreeShield Information Security LLC (United States) and ThreeShield Information Security LTD (United Kingdom)