ConformVaultConformVault

Privacy Policy

Product of: Les Entreprises SecuAAS Inc.
NEQ: 1177504777
Domain: conformvault.com
Last updated: 2026-03-04

1.1 Introduction

Les Entreprises SecuAAS Inc. (hereinafter "SecuAAS", "we", "our") operates the ConformVault platform (conformvault.com), a SaaS encrypted file storage and transfer service designed for businesses. This privacy policy describes the personal information we collect, the purposes for which we use it, the third parties with whom we share it, and the rights you have.

This policy applies to all ConformVault users, whether they are account holders, guest users, or site visitors.

1.2 Person Responsible for the Protection of Personal Information (PRPPI)

In accordance with Law 25 (An Act to modernize legislative provisions as regards the protection of personal information, S.Q. 2021, c. 25), SecuAAS has designated a person responsible for the protection of personal information:

  • Name: Olivier, Founding President
  • Email: dpo@secuaas.com
  • Address: 336, rue Jeanne d'Arc, Quebec City (Quebec), Canada

1.3 Personal Information Collected

We collect the following categories of personal information:

Identification information:

  • First and last name
  • Email address
  • Phone number

Technical information:

  • IP address
  • Browser type and operating system
  • Access and activity logs on the platform
  • Session identifiers

Business information:

  • Organization name
  • Associated domains

Documents and files:

  • Any document transmitted by the client through the platform. These files are end-to-end encrypted (E2E). SecuAAS does not have access to the plaintext content of files.

1.4 Purposes of Collection

We use your personal information for the following purposes:

  • Provide, maintain, and improve ConformVault services
  • Create and manage your user account
  • Authenticate your identity and secure access to your account
  • Process payments through our processor Stripe
  • Communicate with you regarding your account or our services
  • Ensure the security and integrity of the platform
  • Comply with our legal and regulatory obligations
  • Produce aggregated and anonymized usage statistics

1.5 Subcontractors and Third Parties

We share your personal information with the following third parties, strictly within the scope of providing our services:

OVH Canada (Beauharnois)Infrastructure hostingBeauharnois, QuebecNo Stripe Inc.Payment processingUnited StatesYes — transient Google LLC (Analytics)Audience measurementUnited StatesYes — transient Anthropic (Claude API)AI featuresUnited StatesYes — transient Google (Vertex AI / Gemini)AI featuresUnited StatesYes — transient OpenAIAI featuresUnited StatesYes — transient Microsoft (Exchange / SharePoint)Internal communicationsUnited States / CanadaYes — transient

Each subcontractor involving a transfer outside Quebec has been subject to a Privacy Impact Assessment (PIA) in accordance with section 17 of the Act respecting the protection of personal information in the private sector.

1.6 Transfers Outside Quebec

Certain processing involves a transient transfer of personal information to servers located outside Quebec, primarily in the United States. These transfers are carried out in accordance with section 17 of the Act respecting the protection of personal information in the private sector, as amended by Law 25.

Before each transfer, we conducted a PIA taking into account:

  • The sensitivity of the information transferred
  • The purpose of the transfer
  • The contractual and technical protection measures in place
  • The legal framework applicable in the destination territory, including the risk related to the CLOUD Act (18 U.S.C. § 2713) and FISA Section 702

Mitigation measures applied:

  • Minimization of data transmitted to third-party APIs
  • TLS 1.3 encryption in transit
  • No persistent storage of personal information by AI API providers (transient processing only)
  • Data protection contractual clauses with each subcontractor
  • Primary hosting exclusively in Quebec (OVH Beauharnois)

1.7 Data Retention

We retain your personal information as long as necessary for the purposes for which it was collected:

  • Account data: Duration of subscription + 12 months after account closure
  • Encrypted files: Deleted at the client's request or upon account closure
  • Security logs: 24 months
  • Billing data: According to applicable tax obligations (minimum 6 years)
  • Audience measurement data: 14 months (Google Analytics)

1.8 Your Rights

In accordance with applicable legislation, you have the following rights:

  • Right of access to your personal information
  • Right of rectification of inaccurate information
  • Right to withdraw consent for consent-based processing
  • Right to erasure (right to be forgotten) within the limits provided by law
  • Right to portability of your information in a structured and commonly used technological format
  • Right to file a complaint with the Commission d'accès à l'information du Québec (CAI)

To exercise your rights, contact our PRPPI at dpo@secuaas.com. We will respond within 30 days.

1.9 Privacy Incident

In the event of a privacy incident presenting a risk of serious harm, SecuAAS will:

  • Take reasonable measures to reduce the risk of harm
  • Notify the Commission d'accès à l'information du Québec (CAI)
  • Notify the affected individuals
  • Record the incident in a register maintained for this purpose

1.10 Changes

We reserve the right to modify this policy. Any substantial change will be communicated by email or via a notification on the platform at least 30 days before it takes effect.

Les Entreprises SecuAAS Inc. — Quebec, Canada
Last updated: 2026-03-04

1

Cookies & Law 25 Compliance

ConformVault only uses essential cookies for authentication and security. Our internal analytics system is 100% compliant with Quebec's Law 25: no IP addresses, no tracking cookies, no digital fingerprinting, and no personal information is collected or stored.

Law 25 — No personal information collected. Hosted in Quebec.

Learn more in our Cookie Policy and Law 25 Compliance.