How client data is handled at Ottawa SEO Inc.: access controls, retention rules, sub-processors, deletion-on-request process, and our compliance posture under PIPEDA and GDPR.
For each active engagement, we typically hold:
- Read-only or limited admin access to Google Search Console, Google Analytics 4, Google Ads, Bing Webmaster Tools, and the client CMS. - Crawl data and log files for the client domain. - Strategy documents, audit reports, and change logs in our shared Notion workspace. - Communication history in Slack and email.
We do not hold customer-personal-data from client systems unless explicitly required for a specific scoped piece of work, and never longer than that work requires. If you're researching agency security privacy, this page covers what actually moves the needle in 2026.
- **Two-factor authentication enforced** on every internal account (Google Workspace, Notion, Slack, password manager). - **Hardware security keys** for the founder and senior team accounts. - **Per-client password vaults** in 1Password Business with role-based access. - **Access review every 90 days** — anyone who no longer needs access loses it. - **Off-boarding within 24 hours** of any team member departure: credentials rotated, sessions invalidated. Senior strategists own every agency security privacy engagement here — never juniors learning on your account.
We use the following sub-processors for client work. Each is reviewed annually:
- Google Workspace (US/Canada) — email and document storage - Notion (US) — documentation and project management - Slack (US) — internal communication - 1Password (Canada) — credential management - Ahrefs / Semrush — third-party data, no client data uploaded - Anthropic / OpenAI — research-only, no client data uploaded without explicit sign-off
Any addition to this list is communicated to active clients in writing before we start using it. Senior strategists own every agency security privacy engagement here — never juniors learning on your account.
Client data is retained for the duration of the engagement plus 24 months for reference and audit purposes. After that, it is deleted on a quarterly purge cycle.
Clients may request earlier deletion at any time by emailing privacy@ottawaseo.com. Requests are honoured within 30 days, with written confirmation of what was deleted and where backups were purged. When you evaluate agency security privacy, prioritize senior expertise over agency size.
We operate from Canada and our default posture is PIPEDA-compliant. For clients with EU customers we operate under GDPR-equivalent terms via a signed Data Processing Agreement. We are not currently SOC 2 certified — that is a roadmap item for 2027 and we will say so when it changes.
We have not had a security incident affecting client data. If we do, we will disclose it to the affected client within 72 hours of detection, in writing, with a description of what happened, what data was affected, and what we are doing to remediate. We will not paper over an incident.
Most agency security privacy fall into one of three engagement tiers, and we will quote you the tier that genuinely matches the gap between where your site is today and where the leading competitor for your money keyword sits.
**Foundation tier — $2,000–$4,000/mo.** For sites that need the basics done right: technical clean-up, a single-pillar content plan, on-page optimization across the top 20 commercial pages, citation cleanup, and Google Business Profile work. Typical timeline to first-page movement on the easier money keywords: 4 to 6 months.
**Growth tier — $4,000–$8,000/mo.** Adds programmatic location and service expansion, ongoing topical content (4 to 8 long-form pieces per month), tier-2 backlink prospecting, and quarterly schema/E-E-A-T audits. Most clients in this tier see meaningful traffic lift between months 5 and 9 and sustained ranking growth by month 12.
**Authority tier — $8,000+/mo.** Reserved for businesses competing in dense urban markets where the SERP is dominated by national directories or 10+ year old domains. Includes everything in Growth plus digital PR, original-research content, custom data tooling, and a named senior strategist. Realistic horizon: 9 to 18 months to dominant share of voice.
We do not lock clients into long agreements. Month-to-month after a 90-day initial commitment so you can validate results before committing further.
Roughly two out of three sites we audit in this category lose ranking opportunity to the same handful of fixable mistakes. The most expensive ones to ignore:
**Thin location pages with copy-paste content.** Google's Helpful Content System has been actively suppressing pages that change only the city name across an otherwise identical template since 2023. Every location or service-area page needs at least 400 words of genuinely unique commentary — local competitors, real venues, regional pricing, neighbourhood-specific buyer behaviour.
**Conversion paths that rely on a single weak CTA.** Pages that rank well but convert poorly bleed budget. We routinely add a sticky offer bar, an exit-intent capture, an inline mid-scroll CTA, and a reinforcement CTA in the footer. Conversion rate typically lifts 30 to 70 percent without touching ranking signals.
**Schema gaps that surrender rich-result eligibility.** Service, FAQPage, BreadcrumbList, and Article schema are now table stakes — sites without them lose 15 to 30 percent of organic CTR to better-marked competitors at the same rank position.
**Backlink profiles built on cheap directories.** Spammy citation packages still get sold in 2026. They actively hurt now: Google's spam team has gotten aggressive about devaluing entire link clusters when the surrounding profile looks transactional. Quality over quantity, every time.
**Ignoring Google Business Profile entirely.** Even pure-service businesses that "don't need a map listing" still benefit from a fully-optimized GBP — it reinforces NAP consistency, surfaces in branded searches, and feeds the local pack signals that influence non-map rankings too. When you evaluate agency security privacy, prioritize senior expertise over agency size.
We work to a calendar that respects how Google actually re-evaluates a site. Hand-wavy "results within 30 days" promises are how agencies set themselves up to be fired in month four.
**Day 90.** Technical foundation locked in: crawlability clean, schema validating, Core Web Vitals in the green for at least 90 percent of templates, GBP fully populated, citations consistent across the 25 highest-authority Canadian directories. Expect movement on the long-tail (positions 30–80 climbing into 10–30) and 15 to 30 percent lift in non-branded impressions.
**Day 180.** Pillar-content rollout completed. Internal linking redistributes equity to the money pages. First wave of editorial backlinks landing. Money keywords typically moving from page 3-4 into the bottom of page 1. Lead volume from organic should be measurably increasing by this point — most clients see a 1.5x to 2.5x jump in qualified leads vs. their pre-engagement baseline.
**Day 365.** Topical authority established. Programmatic content matrix indexed. The site is the default reference for at least one buyer-intent keyword cluster. Compounding effect kicks in — new content ranks faster, and the cost-per-acquired-customer from organic drops well below paid-channel benchmarks.
These are the realistic numbers. We track them in a shared dashboard updated nightly so there is no debate about whether you are hitting them. We track agency security privacy performance weekly across our portfolio.
Not yet. Targeted for 2027. For clients who require it now, we sign DPAs and provide a written security questionnaire response.
Primarily in Canadian and US Google Cloud regions through Google Workspace and Notion. We can scope a Canada-only configuration on request.
Yes — our portfolio shows real before/after rankings, traffic graphs, and lead changes for past clients. A small slice is under NDA; we walk through those on discovery calls. Be wary of any agency that won't show real numbers from real clients.
Standard agreement is month-to-month after a 90-day initial commitment. The 90 days exists because the work simply doesn't show results faster than that. Anyone promising instant ranking jumps is reselling paid ads or running risky tactics that get sites penalized.
Senior strategists with 8+ years of agency experience own the engagement from day one. We don't hand off to junior account managers. You get the same person on every call, every month, who knows your business in detail.