Your Data

Our service is provided from four regions in order to provide our customers with options where their data is stored, and to enable them to comply with data privacy location requirements.

Data storage regions

You can use ACL GRC from anywhere in the world and choose from one of four data centers to store your data:

United States Data Center Canada Data Center Europe Data Center Asia Data Center Australia Data Center

Physical data storage

Data is stored and replicated across state-of-the-art data centers operated by Amazon Web Services (AWS). Specifically, data is physically stored in RDS databases on AWS EBS storage blocks attached to dedicated Amazon EC2 server instances.

All equipment at the data centers is fully redundant. AWS data is replicated in real-time to:

  • geographically separated availability zones
  • redundant data centers through the AWS EC2 virtualized system infrastructure
  • the AWS S3 storage pool

Regional data storage

At the beginning of your subscription, you can choose your regional data storage to suit your physical, legal, security, or performance needs based on operational needs. All data is encrypted during transmission and at rest within the regional data storage facility.

Our system is provided from the following regions:

  • United States
  • Canada
  • Europe
  • Australia
  • Asia

Single-region single-system architecture (US hosted)

When hosted in the United States region, all data and backups are stored and transmitted exclusively within the United States - no exceptions.

Multi-region multi-system architecture (Non-US hosted)

When hosted in Canada, Europe, Asia, or Australia, all data and backups are stored exclusively within the single region.

Exceptions

All system users that are managed and stored in ACL Launchpad for all regions are stored exclusively in the United States. Only personally identifiable information in your licensed user profiles will be stored exclusively in the United States region, including:

  • First Name
  • Last Name
  • Email Address

For more information, see our Privacy Policy.

Data Retention

The system keeps all active or archived customer data continually when you have an active subscription, unless you choose to delete the data.

You can determine:

  • your own data retention controls for your active system
  • the period for the retention of your data
  • when you want to permanently delete data

System settings include the ability for designated system administrators to configure a time period after which archived project data is automatically and permanently deleted, but also allows the same on an ad hoc manual basis.

The vast majority of customers with active subscriptions rely on ACL to retain their data. However, you may choose to extract data for your own offline records as a secondary measure for data retention.

Note

As long as your subscription is active, this step is redundant and not necessary. As an example, if you maintain an active subscription for ten years, you will have ten years of data within the system (unless you choose to delete it).

Extracting or backing up data

There are several ways customers (authorized managers or administrators) can extract data at any time:

  • Project reports can be saved to your network in PDF or Excel format.
  • Entire projects can be extracted in a single compressed zip file, containing all system reports, native attachments, and an activity log for the audit trail.
  • The reporting application can be used to extract customer data in a variety of formats, including comma delimited, Excel, Word, or PDF, among other options.

Customers are responsible for ensuring that only appropriate users are accessing their system and are authorized to do so.

In the unlikely event that an authorized user within your organization maliciously deletes your data, ACL will work with you to investigate and restore the lost data from our system backup, providing the data deleted falls within the one year backup time frame.

Migrating data from another system

Migrating data from one customer data center to another can be a complex process. Although there is no automated process available, customers can:

  • Hire an ACL consultant to perform the migration tasks for their organization
  • Perform the migration themselves by completing the procedure below

Most customers do not migrate in-progress projects. Best practice is to leave in-progress projects in the existing source system and start new projects in the new system.

Note

This task can only be completed by Account Admins or Project Manager Admins.

Steps

  1. Conclude all projects in the current system.
  2. Perform a back up and export of the data.
    The data is extracted into a single compressed zip file.
  3. Archive the projects in the current system.
  4. Create new projects in the new system.
  5. Add objectives to each of the projects.
  6. Bulk upload risks and controls to each of the projects.
  7. Manually copy and paste the remaining information from source data and reports from the current system into the new projects in the new system.

Data privacy

ACL collects only the minimum personally identifiable information necessary for account and system administration purposes. Customer data is considered confidential information, and is handled securely by ACL personnel.

Customer data is never copied to ACL assets outside the production environment, including employee laptops.

Any troubleshooting that needs to be performed on customer data is performed in the customer's environment. When ACL personnel need access to a customer environment, a ticket is generated indicating that Support accessed the instance, why the interaction was necessary, and what work was performed.

Actions by ACL personnel on a customer's system are limited to resolving the customer need, and nothing more. Once a customer is satisfied with the result, and the ticket is closed, access is removed.

Our privacy practices are based on the principles of accountability, notice and consent, limited collection and purpose, security, accuracy and integrity, and access and correction. Our privacy policy is designed to meet applicable Canadian privacy frameworks such as PIPEDA (which meets the requirements of the EU Privacy Directive) and B.C. PIPA, as well as relevant international privacy standards including the APEC Privacy Framework and the EU-US Privacy Shield agreement.

For more information, see our Privacy Policy.

Data ownership

Customers own their data 100%, and are responsible for setting retention spans and for deleting unwanted content during the subscribed service and up to 30 days after termination or expiry of their subscription.

Customers have a responsibility to ensure their data is in compliance with applicable policies, regulations, and laws, and ACL has the responsibility to ensure customer data is secure.

For more information on the shared responsibility model, see Policies & Processes.