Security Summary
This document describes the security, privacy, and governance measures applicable to doclinc services. It is provided on request to clients, prospects, and IT/compliance teams.
Version 1.1 β Last reviewed: May 2026
At a glance
- Documents hosted in Canada β AWS Canada Central
- AES-256 encryption at rest, TLS 1.2+ in transit
- Recipient authentication β controlled access
- Key event logging, without document content
- Automatic expiration and deletion of documents
- DPA and supplementary documentation available on request
Positioning
A solution designed for secure sharing of sensitive documents
doclinc helps organizations better manage the sending, receiving, and access to documents containing personal or sensitive information, replacing traditional attachments with a more controlled, traceable, and governable process.
| Sujet | Description |
|---|---|
| Document scope | This summary describes the security, privacy, and governance measures applicable to doclinc services, including doclinc for Outlook and associated document-sharing mechanisms. |
| Recommended use | Information document to be provided to a client, IT team, privacy officer, or compliance team as part of a vendor assessment. |
| Important limitation | Law 25 is not a certification. doclinc supports its clients' compliance, but each client remains responsible for its own policies, collection purposes, notices, consents, internal access, and applicable legal obligations. |
Architecture and hosting
Canadian infrastructure and controlled data flows
Documents and primary data processed by doclinc are hosted in Canada, in the AWS Canada Central region (Montreal). AWS infrastructure has independent SOC reports accessible to AWS customers via AWS Artifact.
| Component | Description |
|---|---|
| Application | Microsoft Outlook add-in and doclinc secure platform for sending, receiving, and tracking sensitive documents. |
| Primary hosting | AWS Canada Central for documents and primary data. |
| Document storage | Secure storage with encryption at rest and application-level access controls. |
| Recipient authentication | Access via secure link and authentication mechanism: SMS PIN, voice call, or other configured method. |
| Limited external services | Some services (SMS PIN or voice call delivery) may route limited data outside Canada. This data does not provide access to document content. |
Security measures
Technical and organizational controls
| ContrΓ΄le | Description |
|---|---|
| Encryption at rest | Stored data is protected by AES-256 encryption. |
| Encryption in transit | Communications are protected by TLS 1.2 or higher. |
| Access control | Document access is limited to authorized recipients according to parameters set by the sender or client organization. |
| Authentification | Recipients can be authenticated via SMS PIN, voice call, or other configured mechanism. |
| Administrative access | Administrative access is restricted by least-privilege principles and protected by strong authentication. |
| Employee access | doclinc employees do not have access to client documents in the course of normal operations. |
| Journalisation | Key events are logged (creation, access, authentication, upload, download, expiration, deletion). Logs are limited to metadata β no document content is retained in standard logs. |
| Limited retention | Documents are available for a limited period and automatically deleted after expiration, according to applicable parameters. |
Data lifecycle
Minimal collection, controlled access and deletion
doclinc aims to limit unnecessary retention of transmitted documents. Documents expire and are deleted according to the parameters applicable to the service and the client.
| CatΓ©gorie | Approche |
|---|---|
| Uploaded documents | Available for a limited period; automatic expiration and deletion. Default setting: 7 days (unless otherwise configured). |
| Unclaimed documents | Automatic deletion after expiration. Default setting: 7 days. |
| Secure links | Limited validity period according to application or contractual configuration. |
| Authentication data | Used solely for authentication purposes; retention limited to security, proof, and logging needs. |
| Transaction logs | Retained to support security, audit, support, and accountability. Duration to be confirmed per doclinc retention policy and client requirements. |
| Billing data | Retained per applicable accounting, tax, and contractual obligations. |
| Sauvegardes | Conservation selon la politique de sauvegarde et de reprise applicable. |
Compliance support
Relevant measures for Law 25, PIPEDA and GDPR
doclinc does not replace the client's internal governance. The solution provides mechanisms that help organizations better apply principles common to major personal information protection frameworks.
Quebec compliance
Support for accountability, security, limited retention, privacy incident management, and processing documentation principles.
Federal compliance
Support for collection limitation, reasonable safeguards, limited retention, and breach record-keeping principles.
European principles
Measures compatible with minimization, risk-appropriate security, limited retention, and traceability, without constituting GDPR certification.
Incident management
Collaboration process and client notification
In the event of an incident involving doclinc services, doclinc collaborates with the client to provide information reasonably necessary to assess scope, risk, and required mitigation measures.
| Γtape | Approche |
|---|---|
| Detection and qualification | Initial analysis to determine whether the event is a security incident or a privacy incident involving personal information. |
| Confinement | Reasonable measures to limit the scope of the event, preserve evidence, and reduce risks. |
| Risk assessment | Collaboration with the client to assess the sensitivity of the information, possible consequences, and the likelihood of harmful use. |
| Client notification | Notification within reasonable timelines after confirmation of an incident β target: 48 to 72 hours when possible. |
| External notification responsibility | The client generally remains responsible for determining and issuing notifications to regulatory authorities, affected individuals, or other applicable bodies. |
| Registre | doclinc maintains the information necessary for its own internal tracking and can provide the client with elements needed for its own incident register. |
Sub-processors
Vendors involved in service delivery
| Fournisseur | RΓ΄le |
|---|---|
| Amazon Web Services (AWS) | Hosting, storage, cloud infrastructure, and security services. Documents and primary data hosted in AWS Canada Central. |
| AWS β SMS / voice call | Delivery of PINs or one-time codes. May involve limited data transit outside Canada (phone number and temporary code only β no document content). |
| AWS β transactional messaging | Sending service notifications and reminders. Notifications do not contain document content. |
| Stripe | Billing, payment, and subscription management. Does not process client document content. |
| Microsoft 365 / Outlook | Environment used by the client to access the doclinc add-in. Distinct from a direct doclinc sub-processor for primary document storage. |
Client responsibilities
Technology does not replace internal governance
Purposes and minimization
Determine why documents are requested and limit collection to necessary information.
Notice and consent
Inform affected individuals and obtain applicable consents or legal bases when required.
Internal access
Determine which employees can send, receive, or view documents, and manage access accordingly.
Retention periods
Define durations based on its own legal, regulatory, and operational obligations.
Vendor assessment
Conduct the risk analysis, PIA, or any required assessment based on its organizational context.
Configuration
Use available security settings appropriately β authentication, expiration periods, and access controls.
Frequently asked questions
Quick answers for IT and compliance teams
Documentation available on request
Recommended supplementary documents
DPA β Data Processing Agreement
Roles, responsibilities, security measures, sub-processors, incidents, data location, audit rights, retention, and applicable law (Quebec).
Sub-processor list
List of vendors involved in service operations, their roles, and relevant data locations.
Retention schedule
Applicable durations for documents, links, logs, authentication data, billing, and backups.
Architecture and data flow sheet
Simplified diagram of flows between the Outlook user, doclinc, AWS, the recipient, and authentication services.
Security questionnaire responses
Standardized responses to common questions from IT, compliance, and procurement teams.
Official references
Sources used to frame the content
Questions or documentation requests?
To request a DPA, completed security questionnaire, or any supplementary documentation, contact our privacy officer.
