Share sensitive documents without multiplying risk.
doclinc helps organizations support their privacy obligations by providing a secure, traceable document-sharing environment designed to limit unnecessary retention of sensitive documents.
doclinc helps its clients support compliance.
Our role is to provide a secure solution to send and receive sensitive documents. The client remains responsible for its internal policies, purposes of collection, notices to individuals and its own legal obligations.
Built-in security
Documents are protected through encryption, controlled access and recipient authentication to reduce the risks associated with traditional email attachments.
Traceability
Key events are logged to support audit, internal investigation and accountability needs.
Limited retention
doclinc is designed to avoid indefinite retention of transmitted documents, with expiration and automatic deletion after the applicable period.
Canadian hosting and AWS infrastructure.
Documents and core data processed by doclinc are hosted in Canada, in the AWS Canada Central Region located in the Montreal area.
| Item | doclinc approach |
|---|---|
| Primary hosting | Documents and core data are hosted in Canada on AWS Canada Central. |
| SOC 2 Type II | AWS infrastructure is supported by independent SOC reports available to AWS customers through AWS Artifact, subject to applicable terms. |
| Application certification | As of today, the doclinc application itself is not SOC 2 Type II or ISO 27001 certified. |
| Client audits | doclinc may undergo an independent audit or penetration test at a client's request, subject to mutually agreed terms. |
Limited transfers related to authentication
No client document is transferred outside Canada as part of primary document storage. For certain authentication mechanisms, such as SMS or voice call PIN delivery, limited data may transit through services located outside Canada, for example a phone number and one-time code.
These data elements do not provide access to the content of documents and are used solely for authentication purposes.
Controls designed to protect sensitive information.
doclinc combines encryption, controlled access, strong authentication, logging and automatic deletion to better govern sensitive document exchanges.
| Safeguard | Description |
|---|---|
| Encryption at rest | Stored data is protected using AES-256 encryption. |
| Encryption in transit | Communications are protected using TLS 1.2 or higher. |
| Access control | Access to documents is limited to authorized recipients based on the parameters set by the sender. |
| Authentication | Recipients may be authenticated using an SMS PIN, voice call PIN or another configured mechanism. |
| Administrative access | Administrative access is limited according to the principle of least privilege and protected by strong authentication. |
| Employee access | doclinc employees do not access client documents as part of normal operations. |
| Logging | Key events are logged: sending, access, authentication, upload, download, expiration and deletion. Logs do not contain document content; they are limited to metadata necessary for security, traceability, client support and applicable audit obligations. |
| Limited retention | Documents are available for a limited period and are automatically deleted after expiration. |
Better control over the document lifecycle.
Law 25 emphasizes accountability, protection of personal information, limited retention and management of confidentiality incidents.
Retention, expiration and deletion
doclinc is designed to help prevent sensitive documents from remaining indefinitely accessible in email inboxes, generic portals or uncontrolled links. Documents expire according to the applicable period and are automatically deleted after expiration.
Confidentiality incidents
In the event of an incident involving doclinc services, we work with the client to provide relevant information needed to assess the scope, the risk of serious injury and the required mitigation measures, subject to applicable contractual terms.
Principles compatible with Law 25, PIPEDA and the GDPR.
This page focuses primarily on Quebec Law 25. However, several technical and organizational safeguards implemented by doclinc are based on principles common to other privacy frameworks, including Canada's federal PIPEDA and the European GDPR: risk-based security, limited retention, access control, traceability and contractual governance of data processing.
| Principle | Law 25 (Quebec) | PIPEDA (Canada) | GDPR (European Union) |
|---|---|---|---|
| Collection limitation | Collection limited to identified purposes. | Collection limited to what is necessary for identified purposes. | Data minimization principle. |
| Security safeguards | Appropriate safeguards based on the sensitivity of the information. | Reasonable safeguards adapted to the context. | Risk-based security, including under Article 32. |
| Limited retention | Retention limited to applicable purposes, with destruction or anonymization when required. | Retention only as long as necessary. | Storage limitation principle. |
| Traceability and accountability | Accountability, documentation and confidentiality incident register. | Organizational accountability and recordkeeping for breaches of security safeguards. | Accountability and processing documentation where required. |
| Incident notification | Notice to the CAI and affected individuals when an incident presents a risk of serious injury. | Report to the Privacy Commissioner and notice to affected individuals when there is a real risk of significant harm. | Notice to the competent authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach, unless an applicable exception applies. |
| Cross-border transfers | Assessment and safeguards required when personal information is disclosed outside Quebec. | Comparable protection expected when information is entrusted to a service provider or transferred outside the organization. | Transfers governed by applicable mechanisms, such as an adequacy decision or standard contractual clauses. |
A note on the GDPR
doclinc is not GDPR certified and does not appoint a Data Protection Officer (DPO) under European law. Organizations whose clients or partners are located in the European Union, and whose activities fall within the scope of the GDPR, remain responsible for their own compliance. doclinc may support those obligations through its DPA, traceability mechanisms and security safeguards.
Logs that support audits and accountability.
Event logs help document what occurred during a sensitive document exchange.
| Event | Purpose |
|---|---|
| Request creation | Document the origin of a document send or document request. |
| Secure link access | Confirm that a link was accessed. |
| Authentication | Document the secure access steps. |
| Upload or download | Confirm actions performed on documents. |
| Expiration or deletion | Demonstrate the end of document availability. |
A Data Processing Agreement available upon request.
doclinc can provide a Data Processing Agreement to contractually govern the processing of personal information performed in connection with its services.
| Clause | What the agreement may cover |
|---|---|
| Roles and responsibilities | Definition of the client's and doclinc's responsibilities in the processing of personal information. |
| Security safeguards | Description of the technical and organizational safeguards applied to doclinc services. |
| Incident notification | Commitment to notify within a reasonable timeframe after analysis and confirmation of the incident. |
| Sub-processors | Governance of providers required to deliver the service, such as hosting, billing or certain authentication mechanisms. |
| Location and transfers | Details on Canadian hosting of documents and limited transfers that may be related to authentication. |
| Reasonable audit | Reasonable audit rights subject to mutually agreed terms. |
| Retention and deletion | Conditions for retention, expiration and deletion of documents processed by doclinc. |
A secure solution does not replace internal governance.
doclinc provides the technology to share documents more securely. Each organization remains responsible for its own business, legal and operational decisions.
| Responsibility | Examples |
|---|---|
| Determine purposes of collection | Why documents or information are requested. |
| Limit information requested | Request only the documents necessary to process the file. |
| Inform individuals | Privacy policy, notice, consent or other applicable basis. |
| Manage internal access | Determine which employees may send, receive or consult documents. |
| Define retention periods | Establish retention periods based on the client's legal and operational obligations. |
| Assess vendors | Risk assessment, DPA, privacy impact assessment or other process required by the context. |
Quick answers for IT, compliance and leadership teams.
These answers can be used as part of a security questionnaire or vendor assessment process.
Is doclinc SOC 2 Type II certified?
As of today, the doclinc application itself is not SOC 2 Type II or ISO 27001 certified. doclinc is hosted on AWS infrastructure, whose independent SOC reports are available to AWS customers through AWS Artifact, subject to applicable terms.
Are documents hosted in Canada?
Yes. Documents and core data processed by doclinc are hosted in Canada on AWS Canada Central. Certain authentication mechanisms, such as SMS or voice call PIN delivery, may involve limited data transiting outside Canada.
Can doclinc employees access client documents?
No. doclinc employees do not access client documents as part of normal operations. Administrative access is limited according to the principle of least privilege and protected by strong authentication.
Can doclinc provide a DPA?
Yes. doclinc can provide a Data Processing Agreement covering roles and responsibilities, security safeguards, incident notification, sub-processors, data location, reasonable audit rights and document retention.
Does doclinc guarantee a client's full compliance with Law 25?
No. doclinc is a technology solution that helps organizations better govern sensitive document exchanges. Full compliance also depends on each client's policies, processes, notices, consents, internal access controls and governance practices.
Need to complete a security questionnaire?
Our team can provide a security summary, a Data Processing Agreement or tailored responses for your vendor assessment process.
Useful references: Commission d'accès à l'information du Québec: confidentiality incidents and security safeguards; retention and destruction of personal information; key Law 25 changes. Office of the Privacy Commissioner of Canada: PIPEDA and organizational obligations. European Data Protection Board: GDPR. AWS: SOC Compliance, AWS Artifact and AWS Canada Central.
This page is provided for informational purposes only. It does not constitute legal advice. Clients should consult their legal advisors or privacy officer to assess their specific obligations.
