Security and Compliance Are Not Add-Ons

As a financial-services partner, Pro Collections handles some of the most sensitive data your customers trust you with. Our security and compliance program is engineered to protect every account we touch — physically, technically, and procedurally.

Certifications

Data center & infrastructure certifications

Our hosting partner operates under an independently audited control framework spanning international privacy, security, and payment standards.

  • ISO/IEC 27001:2013: Information security management — includes ISO 27017, 27018, and 27701 (Privacy)
  • SOC 2 Type 2: AICPA SSAE No. 18 — security, availability, and confidentiality
  • SOC 1 Type 2: AICPA SSAE No. 18 / IAASB ISAE 3402 standards
  • PCI DSS: Payment Card Industry Data Security Standard (AOC)
  • HIPAA & HITECH: Type 1 — health information protection
  • PIPEDA: Personal Information Protection & Electronic Documents Act
  • Canadian Tier 3: Fully redundant data center hosted in Canada
  • FOIPPA: Freedom of Information & Protection of Privacy Act

Physical & Operational Security

Our office, our infrastructure, our people

Security is a layered discipline. Here's what protecting your data looks like inside Pro Collections.

Collection Platform

Built on Collect! — secured at every layer

Our collection software is hosted in a fully redundant Tier 3 cloud environment with continuous monitoring, encrypted transport and storage, and best-in-class access controls.

1. Cloud Layer

Nightly backups, real-time monitoring (Zabbix), endpoint protection (ESET), and periodic network & penetration tests.

2. Application Layer

Database- and column-level encryption, redaction, MFA, automatic audit logging, and role-based account access.

3. Code Layer

OWASP-aligned development practices with Veracode and other scanning systems used to remediate vulnerabilities.

4. Database Layer

Authentication, authorization, TLS/SSL at the channel layer, and protected service keys.

5. Intrusion Prevention

IP blacklisting after three failed login attempts, distributed monitoring, and real-time anomaly detection.

6. Encryption Everywhere

Data is encrypted at rest and in transit; SSL/TLS for all transport, with tokenization for payment data.

Governance

Policy and risk discipline

A mature program isn't only technical — it depends on the policies, audits, and continuity planning that sit behind it. Pro Collections maintains a documented framework covering every stage of the data-processing cycle.

Policy Framework

  • Annual risk assessment
  • Business continuity & disaster recovery plan (reviewed and tested)
  • Change management policy & procedure
  • Data privacy and protection policy
  • Physical security policy and procedures
  • Confidentiality & security-awareness policy
  • Firewall policy and periodic firewall review
  • Information classification & labeling guidelines
  • Information security incident response policy
  • Segregation of duties
  • Protection against malicious software

Compliance Watch

Built into our operating system, Compliance Watch generates system-level reports that help prevent policy violations and circumvention of work plans. It enforces adherence to provincial and federal law, time-zone restrictions, call-attempt caps by province, cell-phone regulations, place-of-employment contact restrictions, and restricted call dates.

Need to review our controls in detail?

We're happy to walk procurement, legal, and InfoSec teams through our full program.