Security Standards and Policies
We back up our words with meaningful actions
Security and Privacy
We take numerous steps to ensure that your data is safeguarded and remains private. Read more about the technology and process safeguards we have in place, as well as our contractual obligations to our clients.
Best Practices for Clients
These security features have been designed exclusively for administrators. Implement these best practices when using Condo Control.
We make money by selling our software, not by selling or sharing your data. Find out how we store and protect your data.
System Availability / Service Level Agreement (SLA)
You rely on our system to do your job so we do our best to ensure it is available 24/7. If we must perform maintenance that will impact your user experience, we will make sure to inform you about it in advance.
We are prepared to handle the unexpected. Learn more about how we will respond if something doesn’t go according to plan.
Our company is compliant with all relevant legislation and standards relating to privacy and anti-spam. Specific information can be found on our Compliance page.
Our multifaceted approach to data protection
There should be no mysteries about the security and privacy features we implement. It’s a layered process, and it’s a process that works well. This is how we safeguard our entire system so that your information remains safe.
- Encryption. All data transfers are encrypted to prevent unauthorized third parties from gaining access to your data. In addition, your account password is stored using a technique called a “one-way hash”. This means that only you (not even Condo Control employees) know your password.
- Firewalls. All access to the “back-end” functions of Condo Control is protected with a firewall to ensure that only authorized individuals have access.
- Minimum password length and password lockout. Your Condo Control password must be at least 6 characters long. In addition, we will lock out your account and request that you reset your password if 5 wrong passwords are entered. This is to prevent unauthorized users from guessing your password.
- Notification of login from a new device. Every time your account is used on a new computer, you will receive an email notice. This ensures that you are aware if someone logs into your account without your permission.
- Tracking of IP addresses. Whenever an end-user accesses Condo Control, we record their IP address so that we can identify where the request came from. This assists us in the event that a security-related investigation is required.
- Two-factor authentication. We enable and use two-factor authentication wherever possible for back-end services used by Condo Control and it is also available for anyone who is accessing our platform.
- Training. All employees of Condo Control are required to complete training on PIPEDA and related requirements to ensure they understand our obligations to protect your information.
- Limited access. Only employees who have a relevant business need are given access to your personal information.
- Physical access control. Our servers are in a secure data centre facility in downtown Toronto. This location is disclosed only to Condo Control employees. All premises have sufficient physical security measures in place to ensure the confidentiality of your data.
- SAS 70 certification. We use Amazon Web Services (AWS) as a backup hosting provider if our primary servers ever experience a failure. AWS is SAS 70 certified on an annual basis, and this certification is reviewed annually by a third party and ensures that appropriate controls are in place to limit the risk to your information. For full details, visit https://aws.amazon.com/, and click the “Security” link.
- Client agreements. Our service agreement, which all clients sign before commencing service, contains a section that outlines our confidentiality obligations to protect their information.
Simple security features made with our clients in mind
We encourage each one of our clients to take advantage of every feature that Condo Control has to offer. That includes the security features we have designed exclusively for them. We believe it’s important to give you the tools you need to take full control of your own account. All of our clients should follow these best practices when using Condo Control.
Customize groups and permissions
Administrators have the authority to create separate groups for different roles, and make sure that people are in the correct groups for their role. That means all residents can be categorized into one group, and security staff can be added to a completely separate group.
You can confidently send sensitive information to a specific group without having to worry that it will end up in the wrong hands. You can even specify which Condo Control features your groups have access to, and how they can use certain features.
Groups can be created and edited under Setup > Groups.
When creating multiple groups, make sure that they are properly marked as “staff” or “resident” to avoid any confusion or mix-ups. As a precautionary measure, groups marked as “Resident” will never be able to access any of the administrative features or functions.
Minimize access to a need-to-know basis
Always give people the minimum access required to do their job, never more. If they need more access later, it’s always easy to expand your team’s access.
Always use individual accounts
We can’t emphasize this enough: Never use a shared account. Creating a joint or shared account for you and your colleague may seem harmless, but it can create issues if one person suddenly changes the password, and it makes it more challenging for you to track any changes made to the account.
Condo Control never charges for additional administrative accounts, so there’s no reason why you should feel obligated to share an account. When you’re the only one who manages your account, you maintain control of everything that happens within it, and it’s far less likely that you would be held accountable for something that you didn’t do.
Use two-factor authentication
Two-factor authentication, sometimes referred to as two-step verification, is a security process where the person who is trying to log in to an account or app must provide two different authentication factors to verify their identity. For example, a user will enter their password to log on to their account. Once they have entered the correct password, they will then receive a text message with a unique code (often, the user is asked to enter a valid cellphone number when first setting up the account). The account will prompt the user to enter that unique code. If the password and the code are both correct, the user is permitted entry to their account.
Two-factor authentication offers a higher level of security than a password alone. This process makes it harder for attackers to gain access to a person’s account because knowing the password is not enough to gain entry. Sometimes, an account will only require two-factor authentication if you’re logging in from a new device, such as a computer that isn’t yours.
Two-factor authentication is available to all Condo Control users. We strongly encourage everyone to use it and add an additional layer of protection to their account.
Some information should never be shared
We are in the business of selling software, not client data. We promise to always use your information responsibly, and never share it with anyone who does not have the authority to see it. We may use your data to help us build better services and software for you.
How we use your data
Our team will never use your residents’ personal information without your permission. However, we may use client data in aggregate to understand any prevailing usage patterns or needs of our customers. We will use that information as part of our product development process to create new or enhance existing features and services.
We also use your data in aggregate to find trends in how our software and services are being used. We may look at statistics about how you are using our software so that our customer success team can follow up with you to ensure you’re getting the most out of the software. For example, if we see that you’re not using the Service Request module, we may reach out to make sure you’re not experiencing any issues with that particular feature.
Why we collect personal data
In order to provide a full range of services to our clients, we require access to personal information about the owners and residents of the residential communities which we service. This information is required of all units, not just the units which use the system, in order to provide full functionality to a condo’s property management team. Many features, like reports, will not provide full and useful information if the entire list of units and owners is not loaded into the system.
Below is a table that lists the data elements that we collect, and how we use that data to provide our services.
In this table, the term “Administrative Users” refers to board members or property managers.
Upon commencing service with us, the board or property manager turns over current copies of the above personal information so that we may get all system functions up and running. By turning over this information to us, the board is providing their consent for us to use the information as outlined above.
In cases where owners provide updates to their own information through our online system, the online system explains how the information will be used.
We will never share or disclose your private information to anyone unless directed by a court order.
If you terminate your relationship with Condo Control, your information will immediately become inaccessible in our production system. The data may be retained in our backup files for up to 12 months after your subscription has ended. After that time, all of your information is completely removed from our system.
Our production databases are synchronized between our two datacenters in real time. In addition, database backups are made to a third site every 15 minutes. These backups are encrypted both during transmission and while at rest.
Regardless of where our clients live, all client data on the Condo Control platform is stored in Canada.
A subprocessor is a third-party data processor who has or potentially will have access to client data. Condo Control uses various subprocessors to carry out certain functions, such as payments or file storage, on the Condo Control platform. In all cases, the subprocessor only receives the data required to carry out its designated function. Subprocessors will never be granted access to all of your client data on Condo Control.
Below is a list of the subprocessors engaged by Condo Control, and a description of each subprocessor’s function.
People need downtime… but our software doesn’t
We truly appreciate that you’ve trusted Condo Control to help you carry out your essential tasks and procedures. We understand how big of a deal that is, and we strive to provide consistent, reliable service at all times. This section describes our commitment to you around up-time and system availability.
Service level agreement (SLA)
Here’s our commitment to you: Condo Control will be available 99.95% of the time, which equates to less than 4.5 hours of downtime per year. So, what about the other 0.05%? If anything is happening with the software that will impact your user experience, we will post a notification about the incident on our status page. You can view the status of all of our services here, as well as subscribe to status updates. You can also view historical uptime for the site and mobile application.
Your time is valuable. If the service level we have committed to is not met, our clients can ask for a credit for the time they were unable to use the software.
We do require a small amount of time to perform maintenance work on the software. Maintenance is important as it keeps everything running smoothly. Notification of any planned maintenance will be posted on the status page at least 24 hours in advance of the work being done.
Planned maintenance will be conducted outside of core business hours. No scheduled maintenance will ever be performed on weekdays between the hours of 8:30 am – 6 pm Eastern Time. (We generally do maintenance earlier in the morning, between 7 and 8.)
We’re prepared for the unexpected
We’ve thought about the unexpected, and have taken several precautions to ensure we can continue to provide high quality service to our clients, no matter what.
Our service is brought to you from multiple data centers. All data is synchronized, in real time, between our two sites. In the event that our primary site is disrupted, the service will automatically be switched to load from the backup site. This setup helps ensure that your service is not interrupted, even if there is an issue with the primary site.
We’re not satisfied with good enough. As an additional precaution, all of our client data is backed up to a third site every 15 minutes.
We retain backups of client data for 12 months rolling. This way, if anything is lost, we can always retrieve it.
We conduct semi-annual business continuity tests to make sure we’re able to continue providing reliable service if there is ever an actual emergency. Every 6 months, we test to ensure that our backup systems are running as expected; this way we can identify any issues before a disruptive event occurs.
Remote work capability
Our entire team has the capability to continue all operations remotely. We’ve taken steps to ensure everyone had the tools they needed to work from home, and in response to the COVID-19 pandemic, we have transitioned to a fully remote workforce with no disruption to our services. Even in turbulent times, our focus remains on our clients.
We take rules seriously
We follow the rules. Condo Control is compliant with all relevant legislation and standards for privacy and anti-spam. We take privacy rules and regulations seriously, and we make necessary adjustments every time a law is updated.
We are compliant with the Personal Information Protection and Electronic Documents Act, also known as PIPEDA. PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity. Businesses must follow the 10 fair information principles to protect personal information, which are listed in Schedule 1 of PIPEDA.
We are compliant with the Canadian Anti-Spam Legislation (CASL) and the U.S. CAN-SPAM Act. CASL protects consumers and businesses from the misuse of digital technology, including spam and other electronic threats. The U.S. CAN-SPAM Act is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to stop receiving emails from a company, and sets penalties for violations. Our company is fully compliant with all requirements, including unsubscribe management, proper labeling of all messages, and confirmation from administrators before they can post an announcement.
We give residents the control to unsubscribe from Condo Control emails at any time. They can also customize their preferences so they can opt-out of certain notices without fully unsubscribing.
Payment card industry (PCI) compliance is mandated by credit card companies to help ensure the security of credit card transactions. Payment card industry compliance refers to the technical and operational standards that businesses must follow to secure and protect credit card data provided by cardholders. We are not PCI compliant, because our partner, Stripe, is. Condo Control has integrated with Stripe so that residents can easily and conveniently pay for amenity bookings, buy items such as a replacement key or remote control, or pay a condo fee or invoice. Stripe manages and holds all card data submitted through Condo Control; we do not hold any payment card data.
Do you have additional questions about compliance?
If you have questions about compliance with any specific privacy laws that may apply to your state or country, please submit your inquiry here.