PIPEDA Privacy & Security Policy
Effective Date: January 1, 2026
Last Updated: March 1, 2026
1. Introduction
Awesome Numbers (“we”, “us”, “our”) is committed to protecting the privacy, confidentiality, and security of personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA).
This Privacy & Data Protection Policy explains how personal information is collected, used, stored, disclosed, and safeguarded in connection with RiskGATOR, our laboratory quality control and analytics software platform.
2. Scope and Application
This Policy applies to:
- Authorized users of RiskGATOR
- Customer administrators and representatives
- Visitors to our websites and support channels
Important clarification:
RiskGATOR is designed for laboratory quality control analytics.
RiskGATOR does not collect, store, or process patient-identifiable health information (PHI).
Customers are contractually prohibited from uploading patient identifiers unless explicitly authorized in writing.
3. Platform Architecture & Data Segmentation
RiskGATOR operates as two logically and technically distinct components:
3.1 RiskGATOR Configuration App (DPU)
- Purpose: Configuration, administration, audit, and data processing controls
- Hosting Provider: Amazon Web Services (AWS)
- Security Controls:
  - Role-based access control
  - Full audit trails for all configuration and administrative actions
  - Encryption in transit and at rest
- AWS Compliance:
AWS maintains independent third-party certifications including SOC 1, SOC 2 Type II, SOC 3, ISO 27001, ISO 27017, ISO 27018, and others.
AWS operates under a shared responsibility model, where AWS secures the cloud infrastructure and Awesome Numbers secures its application and data.
3.2 RiskGATOR Quality Engine
- Purpose: Analytical processing and reporting
- Hosting Providers:
  - Vercel (application hosting)
  - Supabase (managed PostgreSQL, authentication, and storage)
- Security Controls:
  - Authenticated access
  - Enforced authorization boundaries
  - Encrypted communications
- Supabase Compliance:
Supabase maintains SOC 2 Type II compliance and applies standardized security controls across all projects under its shared responsibility model.
4. Personal Information We Collect
We collect only the minimum personal information required to operate the Service:
4.1 Account & Identity Information
- Name
- Business email address
- Organization name
- User role and permissions
4.2 Technical & Security Information
- IP address
- Login timestamps
- Audit logs of system actions
- Browser or device metadata
4.3 Support & Communications
- Support tickets
- Emails or other direct communications
4.4 Billing & Administrative Information
- Billing contact details
(Payment information is processed by third-party payment processors and is not stored by us.)
5. Purpose of Collection
Personal information is collected solely for:
- User authentication and access control
- System security and audit logging
- Customer support
- Billing and administrative communications
- Compliance with legal and contractual obligations
We do not use personal information for unrelated purposes without consent.
6. Consent
By accessing or using RiskGATOR, users consent to the collection, use, and disclosure of personal information as described in this Policy.
Consent may be withdrawn at any time, subject to legal or contractual limitations.
7. Disclosure of Personal Information
We do not sell personal information.
Personal information may be disclosed only to:
- Authorized employees or contractors with a legitimate business need
- Infrastructure and service providers (e.g., AWS, Vercel, Supabase)
- Regulatory or legal authorities where required by law
All service providers are contractually required to protect personal information using appropriate safeguards.
8. Safeguards & Security Controls
We employ administrative, technical, and physical safeguards appropriate to the sensitivity of the information, including:
- Encryption in transit and at rest
- Role-based access control
- Secure authentication mechanisms
- Comprehensive audit logging of user actions and system changes, retained for one (1) year to support security monitoring, compliance, and incident investigation
- Regular backups and monitoring
Security controls are reviewed periodically to ensure continued effectiveness.
9. Retention of Personal Information
Personal information is retained only as long as necessary to fulfill the purposes for which it was collected and to meet legal, security, and contractual requirements.
Retention periods include:
- Account information: retained for the duration of an active account
- Audit logs and security logs: retained for one (1) year
- System backups: retained for one (1) year for disaster recovery and business continuity purposes, after which they are securely deleted
Retention periods are reviewed periodically and adjusted as required by operational or regulatory obligations.
10. Access and Correction
Individuals have the right to:
- Access their personal information
- Request corrections to inaccurate or incomplete information
Requests may be submitted to the Privacy Officer listed below.
11. Breach Response
In the event of a breach involving personal information that poses a real risk of significant harm, we will:
- Notify affected individuals
- Notify the Office of the Privacy Commissioner of Canada
- Maintain breach records as required under PIPEDA
12. Privacy Officer
Awesome Numbers has appointed a Privacy Officer responsible for PIPEDA compliance.
Privacy Officer:
Name: Kerry Allan
Title: Chief Operating Officer (COO)
Email: privacy@awesome-numbers.com
13. Policy Updates
This Policy may be updated from time to time. Updates will be posted on our website with a revised effective date.
