Security Standards and Policies

We back up our words with meaningful actions

Our clients never have to sacrifice security for convenience. We value the relationships we have with our clients, which is why we take extreme care to protect their privacy and security. We’ve taken numerous steps to ensure our software is a source of control, and not a source of concern. We encourage you to explore our Security & Privacy Center to find out exactly what we’re doing to keep our clients, and their data, safe and secure. View our Privacy Policy

Image

Security and Privacy

We take numerous steps to ensure that your data is safeguarded and remains private. Read more about the technology and process safeguards we have in place, as well as our contractual obligations to our clients.

Read more

Best Practices for Clients

These security features have been designed exclusively for administrators. Implement these best practices when using Condo Control.

Read more

Client Data

We make money by selling our software, not by selling or sharing your data. Find out how we store and protect your data.

Read more

System Availability / Service Level Agreement (SLA)

You rely on our system to do your job so we do our best to ensure it is available 24/7. If we must perform maintenance that will impact your user experience, we will make sure to inform you about it in advance.

Read more

Business Continuity

We are prepared to handle the unexpected. Learn more about how we will respond if something doesn’t go according to plan.

Read more

Compliance

Our company is compliant with all relevant legislation and standards relating to privacy and anti-spam. Specific information can be found on our Compliance page.

Read more

Our multifaceted approach to data protection

There should be no mysteries about the security and privacy features we implement. It’s a layered process, and it’s a process that works well. This is how we safeguard our entire system so that your information remains safe.

Image
Technology Safeguards
  • Encryption. All data transfers are encrypted to prevent unauthorized third parties from gaining access to your data. In addition, your account password is stored using a technique called a “one-way hash”. This means that only you (not even Condo Control employees) know your password.
  • Firewalls. All access to the “back-end” functions of Condo Control is protected with a firewall to ensure that only authorized individuals have access.
  • Minimum password length and password lockout. Your Condo Control password must be at least 8 characters long. In addition, we will lock out your account and request that you to reset your password if 5 wrong passwords are entered. This is to prevent unauthorized users from guessing your password.
  • Notification of login from a new device. Every time your account is used on a new computer, you will receive an email notice. This ensures that you are aware if someone logs into your account without your permission.
  • Tracking of IP addresses. Whenever an end-user accesses Condo Control, we record their IP address so that we can identify where the request came from. This assists us in the event that a security-related investigation is required.
  • Two-factor authentication. We enable and use two-factor authentication wherever possible for back-end services used by Condo Control and it is also available for anyone who is accessing our platform.

Process Safeguards

  • Training. All employees of Condo Control are required to complete training on PIPEDA and related requirements to ensure they understand our obligations to protect your information.
  • Limited access. Only employees who have a relevant business need are given access to your personal information.
  • Our servers are hosted by Microsoft Azure Services, which are SOC 2 Type2 certified on an annual basis. Azure provides both our primary server environment as well as our failovers.

Contractual Obligations

  • Client agreements. Our service agreement, which all clients sign before commencing service, contains a section that outlines our confidentiality obligations to protect their information.
  • Employment agreements. Our employees agree to be bound by our privacy policy and must adhere to everything contained within it. Failure to comply with this policy is grounds for discipline up to and including termination of employment.
  • Subcontractor agreements. From time to time, we may work with third parties to conduct our business. Third parties will only be given access to client data if absolutely required, and in these cases, they will be contractually obligated to follow our privacy policy. Furthermore, we will conduct due diligence to ensure the contractor has sufficient safeguards in place to protect your information.

Simple security features made with our clients in mind

We encourage each one of our clients to take advantage of every feature that Condo Control has to offer. That includes the security features we have designed exclusively for them. We believe it’s important to give you the tools you need to take full control of your own account. All of our clients should follow these best practices when using Condo Control.

Image

Customize groups and permissions

Administrators have the authority to create separate groups for different roles, and make sure that people are in the correct groups for their role. That means all residents can be categorized into one group, and security staff can be added to a completely separate group.

You can confidently send sensitive information to a specific group without having to worry that it will end up in the wrong hands. You can even specify which Condo Control features your groups have access to, and how they can use certain features.

Groups can be created and edited under Setup > Groups. (include screenshots from setup of groups permissions listing for both a staff & resident groups)

When creating multiple groups, make sure that they are properly marked as “staff” or “resident” to avoid any confusion or mix-ups. As a precautionary measure, groups marked as “Resident” will never be able to access any of the administrative features or functions.

Minimize access to a need-to-know basis

Always give people the minimum access required to do their job, never more. If they need more access later, it’s always easy to expand your team’s access if necessary.

Always use individual accounts

We can’t emphasize this enough: Never use a shared account. Creating a joint or shared account for you and your colleague may seem harmless, but it can create issues if one person suddenly changes the password, and it makes it more challenging for you to track any changes made to the account.

Condo Control never charges for additional administrative accounts, so there’s no reason why you should feel obligated to share an account. When you’re the only one who manages your account, you maintain control of everything that happens within it, and it’s far less likely that you would be held accountable for something that you didn’t do.

Use two-factor authentication

Two-factor authentication, sometimes referred to as two-step verification, is a security process where the person who is trying to log in to an account or app must provide two different authentication factors to verify their identity. For example, a user will enter their password to log on to their account. Once they have entered the correct password, they will then receive a text message with a unique code (often, the user is asked to enter a valid cellphone number when first setting up the account). The account will prompt the user to enter that unique code. If the password and the code are both correct, the user is permitted entry to their account.

Two-factor authentication offers a higher level of security than a password alone. This process makes it harder for attackers to gain access to a person’s account because knowing the password is not enough to gain entry. Sometimes, an account will only require two-factor authentication if you’re logging in from a new device, such a computer that isn’t yours.

Two-factor authentication is available to all Condo Control users. We strongly encourage everyone to use it and add an additional layer of protection to their account.

Some information should never be shared

We are in the business of selling software, not client data. We promise to always use your information responsibly, and never share it with anyone who does not have the authority to see it. We may use your data to help us build better services and software for you.

Image

How we use your data

Our team will never use your residents’ personal information without your permission. However, we may use client data in aggregate to understand any prevailing usage patterns or needs of our customers. We will use that information as part of our product development process to create new or enhance existing features and services.

We do use your data in aggregate as well to find trends about how our software and services are being used. We may look at statistics about how you are using our software so that our customer success team can follow up with you to ensure you’re getting the most out of the software. For example, if we see that you’re not using the Service Request module, we may reach out to make sure you’re not experiencing any issues with that particular feature.

Why we collect personal data

In order to provide a full range of services to our clients, we require access to personal information about the owners and residents of the residential communities which we service. This information is required of all units, not just the units which use the system, in order to provide full functionality to a condo’s property management team. Many features, like reports, will not provide full and useful information if the entire list of units and owners is not loaded into the system.

Below is a table that lists the data elements that we collect, and how we use that data to provide our services.

In this table, the term “Administrative Users” refers to board members or property managers.

Upon commencing service with us, the board or property manager turns over current copies of the above personal information so that we may get all system functions up and running. By turning over this information to us, the board is providing their consent for us to use the information as outlined above.

In cases where owners provide updates to their own information through our online system, the online system explains how the information will be used.

Disclosure

We will never share or disclose your private information to anyone unless directed by a court order.

Retention

If you terminate your relationship with Condo Control, your information will be removed immediately inaccessible in our production system. The data may be retained in our backup files for up to 12 months after your subscription has ended. After that time, all of your information is completely removed from our system.

Backups

Our production databases are synchronized between our two datacenters in real time. In addition, database backups are made to a third site every 15 minutes. These backups are encrypted both during transmission and while at rest.

Location

Regardless of where are our clients live, all client data on the Condo Control platform is stored in Canada.

Sub-Processors

At Condo Control, we utilize certain sub-processors to assist in providing our services. A sub-processor is a third party data processor engaged by Condo Control, who has or potentially will have access to or process service data (which may contain personal data). Condo Control engages different types of sub-processors to perform various functions as explained below.

Due Diligence

Condo Control undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed sub-processors that will or may have access to or process service data.

Updates

As our business grows and evolves, the sub-processors we engage may also change. We will endeavor to provide the owner of the account with notice of any new sub-processors to the extent required under the DPA, along with posting such updates here. Please check back frequently for updates.

List of Current Sub-processors

Sub-processor Applicable Service External links for additional information relating to security
Microsoft Azure
  • VM hosting
  • File Storage
  • Full Text Search
  • Identity and Key management
Azure Security | Microsoft Azure
AWS
  • File Storage
  • Website Hosting
Cloud Security – Amazon Web Services (AWS)
Google
  • Mobile Device Management
Privacy and Security in Firebase (google.com)
New Relic
  • Web Applications Management
Security Overview | New Relic
DNS Made Easy
  • DNS Management
Privacy Policy (website-files.com)
Twilio
  • Text Messaging
Twilio Security | Security is the core of our platform
Sendgrid
  • Email Management
Security (sendgrid.com)
Elastic
  • Audit / History Management
Elastic Security and Compliance | Elastic
Fastly
  • Email Management
Security measures | Fastly Help Guides
Passkit
  • Apple & Google Wallet
Security - PassKit

People need downtime… but our software doesn’t

We truly appreciate that you’ve trusted Condo Control to help you carry out your essential tasks and procedures. We understand how big of a deal that is, and we strive to provide consistent, reliable service at all times. This section describes our commitment to you around up-time and system availability.

Image

Service level agreement (SLA)

Here’s our commitment to you: Condo Control will be available 99.95% of the time, which equates to less than 4.5 hours of downtime per year. So, what about the other 0.05%? If anything is happening with the software that will impact your user experience, we will post a notification about the incident on our status page. You can view the status of all of our services here, as well as subscribe to status updates. You can also view historical uptime for the site and mobile application.

Your time is valuable. If the service level we have committed to is not met, our clients can ask for a credit for the time they were unable to use the software.

Scheduled maintenance

We do require a small amount of time to perform maintenance work on the software. Maintenance is important as it keeps everything running smoothly. Notification of any planned maintenance will be posted on the status page at least 24 hours in advance of the work being done.

Planned maintenance will be conducted outside of core business hours. No scheduled maintenance will ever be performed on weekdays between the hours of 8:30 am – 6 pm Eastern Time. (We generally do maintenance earlier in the morning between 7 and 8).

We’re prepared for the unexpected

We’ve thought about the unexpected, and have taken several precautions to ensure we can continue to provide high quality service to our clients, no matter what.

Image

Redundancies

Our service is brought to you from multiple data centers. All data is synchronized, in real time, between our two sites. In the event that our primary site is disrupted, the service will automatically be switched to load from the backup site. This setup helps ensure that your service is not uninterrupted, even if there is an issue with the primary site.

We’re not satisfied with good enough. As an additional precaution, all of our client data is backed up to a third site every 15 minutes.

Backups

We retain backups of client data for 12 months rolling. This way, if anything is lost, we can always retrieve it.

Procedures

We conduct semi-annual business continuity tests to make sure we’re able to continue providing reliable service if there is ever an actual emergency. Every 6 months, we test to ensure that our back systems are running as expected; this way we can identify any issues before a disruptive event occurs.

Remote work capability

Our entire team has the capability to continue all operations remotely. We’ve taken steps to ensure everyone had the tools they needed to work from home, and in response to the COVID-19 pandemic, we have transitioned to a fully remote workforce with no disruption to our services. Even in turbulent times, our focus remains on our clients.

We take rules seriously

We follow the rules. Condo Control is compliant with all relevant legislation and standards for privacy and anti-spam. We take privacy rules and regulations seriously, and we make necessary adjustments every time a law is updated.

Image

Privacy Act

We are compliant with the Personal Information Protection and Electronic Documents Act, also known as PIPEDA. PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity. Businesses must follow the 10 fair information principles to protect personal information, which are listed in Schedule 1 of PIPEDA.

Our privacy policy specifically addresses all items required for compliance. For example, we will use your personal information to verify your identity, as required by PIPEDA, when you contact us with a request to make sure it is really you.

Anti-Spam Legislation

We are compliant with the Canadian Anti-Spam Legislation (CASL) and the U.S. CAN-SPAM Act. CASL protects consumers and businesses from the misuse of digital technology, including spam and other electronic threats. The U.S. CAN-SPAM Act is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to stop receiving emails from a company, and bestows penalties for violations. Our company is fully compliant with all requirements, including unsubscribe management, proper labeling of all messages, and conformation from administrators before they can post an announcement.

We give residents the control to unsubscribe from Condo Control emails at any time. They can also customize their preferences so they can opt-out of certain notices without fully unsubscribing.

<

PCI compliance

Payment card industry (PCI) compliance is mandated by credit card companies to help ensure the security of credit card transactions. Payment card industry compliance refers to the technical and operational standards that businesses must follow to secure and protect credit card data provided by cardholders. We are not PCI compliant, because our partner, Stripe, is. Condo Control has integrated with Stripe so that residents can easily and conveniently pay for amenity bookings, buy items such as a replacement key or remote control, or pay a condo fee or invoice. Stripe manages and holds all card data submitted through Condo Control; we do not hold any payment card data.

Do you have additional questions about compliance?

If you have questions about compliance with any specific privacy laws that may apply to your state or country, please submit your inquiry here