Privacy Policy and Terms and Conditions
Lingotec Data Privacy and PHIPA Compliance Framework
Privacy Policy for Virtual Interpreting Services
Lingotec operates at the critical intersection of healthcare and communication, where the protection of Personal Health Information (PHI) is a non-negotiable mandate. Within the Canadian healthcare landscape, aligning global security standards with the stringent, provincial-specific requirements of the Personal Health Information Protection Act (PHIPA) is of strategic importance. This framework ensures that the delivery of virtual interpreting services does not merely meet, but exceeds the expectations of provincial health authorities, thereby safeguarding the integrity of the patient-provider relationship and ensuring the continuity of secure clinical workflows.
Scope and Application
This policy governs all employees, contractors, and any third-party vendors (collectively, "individuals" or "users") who access or interact with Lingotec resources. It applies to all identifiable data related to individuals as defined by our Internal Privacy Policy, ensuring that every entity within the Lingotec service chain is bound by privacy obligations regarding data handling and confidentiality.
Information Classification & Safeguards
Lingotec mandates a three-tier classification system to ensure all data is handled with appropriate technical rigor:
- Public: Information that can be released without organizational implication.
- Internal: Data intended for use within the organization.
- Confidential: Highly sensitive data, including PHI/PII, requiring maximum protection.
Lingotec enforces a "Confidential by Default" standard; any unclassified data is treated with the highest security priority. To protect Confidential data, we mandate strong encryption (AES or RSA) for all data at rest. Beyond basic standards, Lingotec implements multiple levels of encryption where recommended to provide defense-in-depth. The exchange of confidential information via unsecured media is strictly prohibited.
Data Collection and Purpose Specification
Adhering to the principle of Data Minimization, Lingotec by default does not collect, monitor or store any PHI. Interpreters are exposed only to the data strictly necessary to facilitate professional interpreting services. The categories of such data include:
- Identity & Contact Information: Name, personal contact details, and home address.
- Health and Medical Information: Relevant clinical data required for accurate interpretation.
- Technical Identifiers: Unique user IDs and device-specific data, including Media Access Control (MAC) and Internet Protocol (IP) addresses, utilized for secure authentication and group account identification.
This data is processed under "Purpose Specification" guidelines, restricted to service delivery, regulatory compliance, and the safety of the workforce and clientele.
User Rights and Data Integrity
Individuals possess the right to ensure their personal data is accurate and current. Requests to access or update records must be directed in writing to the Privacy Department at info@lingotec.ca. To maintain the integrity of our security posture, Lingotec provides an "Absolute Right" of refusal for data access where such refusal is required or permitted by applicable law or regulatory requirements.
Retention and Destruction
Lingotec manages the data lifecycle through a meticulous retention schedule. Once the specified period concludes, Lingotec enforces terminal destruction. Digital data is eliminated via Digital Shredding using the DoD 5220.22-M algorithm to overwrite data with multiple passes. Physical media undergoes Physical Destruction via hydraulic crushing or mechanical shredding, ensuring data can never be retrieved or reconstructed.
These privacy controls are the foundation of patient trust in virtual care. By ensuring PHI is managed with technical precision, Lingotec provides a secure environment for the system interactions governed by our Terms of Service.
PHIPA Compliance, Training, and Certification
For the hospital Risk Management office, Lingotec's PHIPA-ready status is achieved by synthesizing HIPAA-aligned security with Canadian administrative controls (PIPEDA/PHIPA). We ensure that Personal Health Information is managed with the highest degree of regulatory rigor.
The "PHIPA-Ready" Security Architecture
- Access Control: Lingotec enforces the "Principle of Least Privilege." Access is authorized solely based on specific job roles and unique User IDs, with automatic log-off after defined inactivity.
- Encryption and Key Management: Web server certificates utilize 2048-bit keys or greater and expire annually. In a sophisticated security control, private keys are never stored on the same IT Resource as the information being protected. Furthermore, manual cryptographic operations require split knowledge and dual control, requiring at least two authorized personnel.
- Audit Logging: Our logging systems provide automated tracking for review and compliance. We specifically log input validation failures, session management failures, and all higher-risk functionality, such as administrative access to sensitive data. These logs are promptly backed up to a centralized, restricted-access server.
Mandatory Training and Annual Recertification
Security is embedded in our management chain. All employees and contractors must undergo mandatory security awareness training at least annually. Beyond training, all users must annually acknowledge their understanding of all security policies. Compliance is further verified by respective supervisors, who conduct annual performance evaluations that include formal security objective reviews.
Incident Response and Data Breach Protocol
Lingotec utilizes a tiered Incident Management system (Tiers 1-3) to ensure expert remediation:
- Notification Commitment: If a high-risk vulnerability or breach is identified, Lingotec will notify designated customer contacts within 24 hours.
- Post-Mortem Requirement: A formal post-mortem involving a cross-functional team must be hosted within 72 hours of incident completion to identify root causes and prevent recurrence.
Audits and Accountability
Lingotec conducts annual risk-based internal audits of all policies and controls to ensure regulatory notification requirements are met. These mechanisms validate Lingotec's compliance with PHIPA and demonstrate a proactive security posture. We invite the hospital's Risk Management office to review our specific SOC 2 reports or independent audit findings upon request.
Terms of Service and Acceptable Use Agreement
These terms constitute the "Contractual Agreement" referenced in the Lingotec Personnel Security Policy. They are engineered to mitigate systemic risks to our technology infrastructure, ensuring that high-availability interpreting services remain uninterrupted for hospital staff and clinical environments.
Prohibited Usage of IT Resources
Lingotec prohibits any activity that compromises the integrity of our resources. Forbidden activities include:
- Security Circumvention: Any attempt to bypass security measures or interfere with regular network operations.
- Proprietary Disclosure: Revealing confidential information, including source code, financial data, or customer lists.
- Software Misconduct: Unauthorized copying of licensed software or the installation of "pirated" products.
- Portable Media Restrictions: The use of USB flash drives or any portable storage media is strictly prohibited unless specifically authorized by the IT Department to prevent the introduction of malware.
Mobile Device & BYOD Governance
Users granted the "Bring Your Own Device" (BYOD) privilege must comply with non-negotiable security safeguards:
- Device Integrity: "Rooted" (Android) or "Jailbroken" (iOS) devices are strictly forbidden.
- Operational Standards: Devices must run the latest OS versions and employ mandatory full-disk encryption.
- Idle Lock Mandate: Devices must be configured to automatically lock with a password or PIN after fifteen (15) minutes of inactivity.
- Remote Wipe Protocol: By connecting to the network, users grant the IT department the authority to remotely wipe the device. This protocol is triggered in the event of device loss, theft, termination, or if a user refuses a mandatory device inspection or decides they no longer wish to participate in the MDM policy.
Network and Remote Access Standards
All remote access to Lingotec systems must be encrypted via TLS 1.2+ or VPN/IPSec. Lingotec enforces Multi-Factor Authentication (MFA) for all applications used over the Internet. Furthermore, all established network sessions are automatically terminated after a defined period of inactivity to prevent session hijacking.
Personnel Accountability and Misconduct
Our misconduct tiers ensure that personnel remain accountable to our security culture:
- Level 1: Acts not aligned with good corporate behavior or procedural violations (Verbal or Written warning).
- Level 2: Intermediate policy violations.
- Level 3: Serious misconduct that compromises Lingotec's values, commitment to customers, or investor reputation. This includes failure to take corrective action on a written reprimand or serious violations resulting in reputational loss. Level 3 violations result in immediate dismissal.
These terms serve as a critical protective layer for hospital procurement teams, shifting the burden of individual device security away from the hospital and onto Lingotec's managed framework. This operational accountability flows directly into our PHIPA compliance protocols.



