Your Documents Your Trust

Compliance, Security & Controls

ACI has extensive experience in handling documents of a sensitive nature. We understand and appreciate the confidentiality of our clients’ documents and the need for security and controlled access. Our premises are protected by a 24-hour, 7 day a week security monitoring system and strategically placed surveillance cameras. These systems ensure our customers of full security for their files throughout the entire production process.

All our personnel are required to sign a non-disclosure agreement at time of hiring and to undergo pre-employment security screening including criminal and credit background checks. This level of clearance establishes Reliability Status (RS) which grants the right to access Protected A, B and C documents and information for the Federal Government of Canada.

ACI has established stringent physical security standards in our production facilities. Our risk management program includes segregation of duties (SOD), delegation of authority, management of physical and logical access controls and encryption and password protection of sensitive data files. Our management of access controls employed to safeguard our clients’ data and images while in our care, have enabled us to provide an accurate, timely, reliable and secure document & data management service.

We understand the confidential nature of our client’s records and the issues surrounding the protection of the personal information which our clients have entrusted to us as agents. ACI is a PIPEDA and PHIPA compliant organization with designated privacy officers, written privacy policies and a staff privacy training program. ACI is compliant with Canadian General Standards outlined in the Microfilm and Electronic Images as Documentary Evidence (CGSB.72.11.99) as well as Electronic Records as Documentary Evidence (CAN/CGSB-72.34-2005) and is compliant with ISO19977 Security Standards and COACH and CHIMA guidelines.


CSAE 3416 Report (formerly CICA 5970)

ACI has obtained CSAE 3416 certification, which provides our customers with the assurance our service business is maintaining effective and efficient internal controls related to financial, informational, or security reporting.  This certification is the Canadian equivalent of the US Soc 1 Type 2 report.

The Personal Information Protection and Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a new law that protects personal information in the hands of private sector organizations and provides guidelines for the collection, use and disclosure of that information in the course of commercial activity. The Act, based on ten privacy principles developed by the Canadian Standards Association, is overseen by the Privacy Commissioner of Canada and the Federal Court. As of January 1, 2004, all Canadian businesses are required to comply with the privacy principles set out by PIPEDA. The Act covers both traditional, paper-based and online business.

There are steps organizations must take to be privacy compliant. Under PIPEDA, personal information must be:

  • Collected with consent and for a reasonable purpose
  • Used and disclosed for the limited purpose for which it was collected
  • Accurate
  • Accessible for inspection and correction
  • Stored securely

PIPEDA defines personal information as “information about an identifiable individual” that includes any factual or subjective information, recorded or not, in any form. For example, the following would be considered personal information:

name, address, telephone number, gender; identification numbers, income or blood type; credit records, loan records, existence of a dispute between a consumer and a merchant, and intentions to acquire goods or services.

Under PIPEDA personal information does not include the name, business title, business address, or business telephone of any employee, i.e. information on a business card.

The legislation also covers sensitive personal information, which may include health or medical history, racial or ethnic origin, political opinions, religious beliefs, trade union membership, financial, information and sexual preferences.

The Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act (SOX) was signed into law on 30th July 2002, and introduced highly significant legislative changes to financial practice and corporate governance regulation. It introduced stringent new rules with the stated objective: “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws”.

The act is actually named after its main architects, Senator Paul Sarbanes and Representative Michael Oxley, and of course followed a series of very high profile scandals, such as Enron. It is also intended to “deter and punish corporate and accounting fraud and corruption, ensure justice for wrongdoers, and protect the interests of workers and shareholders” (Quote: President Bush).

The Sarbanes-Oxley Act itself is organized into eleven titles, although sections 302, 404, 401, 409, 802 and 906 are the most significant with respect to compliance (Sarbanes Oxley section 404 seems to cause most concern) and internal control. In addition, the Act also created a public company accounting board.

Currently, the Sarbanes-Oxley Act requires Canadian companies that trade on U.S. stock exchanges to hire external auditors to audit their internal control systems and file a report of the findings.