How client data is handled at Ottawa SEO Inc.: access controls, retention rules, sub-processors, deletion-on-request process, and our compliance posture under PIPEDA and GDPR.
For each active engagement, we typically hold:
- Read-only or limited admin access to Google Search Console, Google Analytics 4, Google Ads, Bing Webmaster Tools, and the client CMS.
- Crawl data and log files for the client domain.
- Strategy documents, audit reports, and change logs in our shared Notion workspace.
- Communication history in Slack and email.
We do not hold customer personal data from client systems unless it is explicitly required for a specific scoped piece of work, and never for longer than that work requires.
- **Two-factor authentication enforced** on every internal account (Google Workspace, Notion, Slack, password manager).
- **Hardware security keys** for the founder and senior team accounts.
- **Per-client password vaults** in 1Password Business with role-based access.
- **Access review every 90 days** — anyone who no longer needs access loses it.
- **Off-boarding within 24 hours** of any team member departure: credentials rotated, sessions invalidated.
We use the following sub-processors for client work. Each is reviewed annually:
- Google Workspace (US/Canada) — email and document storage
- Notion (US) — documentation and project management
- Slack (US) — internal communication
- 1Password (Canada) — credential management
- Ahrefs / Semrush — third-party data, no client data uploaded
- Anthropic / OpenAI — research-only, no client data uploaded without explicit sign-off
Any addition to this list is communicated to active clients in writing before we start using it.
Client data is retained for the duration of the engagement plus 24 months for reference and audit purposes. After that, it is deleted on a quarterly purge cycle.
Clients may request earlier deletion at any time by emailing privacy@ottawaseo.com. Requests are honoured within 30 days, with written confirmation of what was deleted and where backups were purged.
We operate from Canada and our default posture is PIPEDA-compliant. For clients with EU customers we operate under GDPR-equivalent terms via a signed Data Processing Agreement. We are not currently SOC 2 certified — that is a roadmap item for 2027 and we will say so when it changes.
We have not had a security incident affecting client data. If we do, we will disclose it to the affected client within 72 hours of detection, in writing, with a description of what happened, what data was affected, and what we are doing to remediate. We will not paper over an incident.
Not yet. Targeted for 2027. For clients who require it now, we sign DPAs and provide a written security questionnaire response.
Primarily in Canadian and US Google Cloud regions through Google Workspace and Notion. We can scope a Canada-only configuration on request.