Privacy Protection

This internal policy stems from the implementation of Law 25, which requires Quebec businesses to adopt and implement a Personal Information Protection (PIP) policy as part of their normal course of business.

1. Objective

Services Progressifs placements en soins de santé, "SP," is committed to ensuring, to the best of its abilities, the protection of entrusted personal information. SP undertakes to restrict access to personal and sensitive data to prevent compromise, ensuring no harm to its employees, clients, suppliers, or any individuals who have provided such information.

While zero risk is unattainable, it is understood that this internal policy aims to minimize the risks of personal information theft.

2. Scope of Application

2.1 Targeted Information

The policy applies to any information containing personal data that enables the identification of individuals, including employees, clients, suppliers, or third parties. It extends to all servers, databases, and computer systems processing such data, including any devices regularly used for email, web access, or other professional tasks. Any user interacting with our information services is subject to this policy.

2.2 Non-Targeted Information

The policy does not apply to information classified as public.

3. Policy

3.1 Principles

The personal information held by SP is essential to its ongoing activities. Therefore, SP acknowledges that these data must undergo constant assessment, appropriate use, and adequate protection.

3.2 Generalities

  • Each user must read this data security policy and sign a declaration stating their understanding of the access conditions.
  • Each user is identified by a unique user ID, holding them accountable for their actions.
  • Each user must comply with the security measures in place on their workstation and any equipment containing data to be protected, without modifying their configuration or disabling them.
  • Each user must immediately report to the responsible party for personal information any act they are aware of that is likely to constitute an actual or presumed violation of security rules, as well as any anomaly that could harm the protection of SP's personal information.
  • User access logs may be used as evidence in a security incident investigation.
  • Access should be granted on a least privilege basis, meaning each program and user will only receive the privileges necessary to perform their job.

3.3 Authorization for Access Control

Access to SP's resources and information technology services will be granted through a unique user account and a complex password.

3.4 Access to SP's Data in the Cloud

  • All employees and suppliers with remote access to SP's data must be authenticated through Microsoft's two-factor authentication mechanism.
  • SP has a 24/7 artificial intelligence monitoring service for suspicious activities on its users' workstations and data storage systems.
  • SP's data is hosted on Microsoft servers located in Canada.

3.5 User Responsibilities

  • All users must lock their screens whenever they leave their desks to reduce the risk of unauthorized access.
  • Users must ensure no sensitive or confidential information is left around their workstations.
  • Users must keep their passwords confidential and not share them.

3.6 Access to Applications and Information

  • All SP employees and suppliers have access to the data and applications necessary for their professional roles.
  • Employees and suppliers only access sensitive data and systems when necessary for professional reasons and with the approval of management.

3.7 Access to Confidential and Restricted Information

Access to data classified as "confidential" or "restricted" is limited to authorized personnel whose professional responsibilities require it, as determined by the Data Security Policy or management.

3.8 Data Retention

SP retains personal information for as long as necessary for the purposes described in this policy. These data will be retained to comply with legal obligations, among other reasons.

4. Technical Guidelines

Access control applies to all networks, servers, workstations, laptops, mobile devices, web applications, websites, cloud storage, and services.

5. Incident Reporting Requirements

Incident reports will be produced and processed by the responsible party for personal information and their team, then forwarded to the relevant authorities and involved parties, if applicable.

High-priority incidents discovered will be reported immediately. The responsible party for personal information and their team will be contacted as soon as possible, along with relevant authorities and involved parties.

6. Responsibilities

The person responsible for personal information protection:

  • Stéphane Prévost, CPA CMA, CIA CFE
  • 1474, rue Fleury Est, Office: 220, Montreal (Quebec) H2C 1S1
  • 514-335-1813, extension 237

7. Enforcement

Any user who violates this policy is subject to disciplinary sanctions, up to and including termination. Any partner caught in violation may have their business relationship suspended.

8. Revision History

Version | Date of Revision | Author | Description of Changes
1.0 | 2024-01-08 | S Prévost, Responsible for Personal Information Protection | Initial version