Security

Notify is built for the needs of government services. It has processes in place to:

  • protect user data
  • keep systems secure
  • manage risks around information

Data

On Notify, data is encrypted:

  • when it passes through the service
  • when it’s stored on the service

All data, including email addresses, phone numbers, and information in personalized messages, is stored for 7 days within the system database. The exception is data files uploaded to the system. These are held for 30 days to allow for advanced scheduling of emails.

See the Privacy statement for more information on how personal information is handled by Notify.

Technical security

Other technical security controls on Notify include:

  • implementation of security controls from
    • Treasury Board of Canada Secretariat (TBS) cloud guardrails
    • TBS security playbook
    • Canadian Centre for Cyber Security (CCCS) Information Technology Security Guidance (ITSG-33)
  • protective monitoring to record activity and raise alerts about any suspicious activity
  • using JSON Web Tokens to avoid sending API keys when your service talks to Notify

Protect sensitive information

Some messages include sensitive information like security codes or password reset links.

If you’re sending a message with sensitive information, you can choose to hide those details on the Notify dashboard once the message has been sent. This means that only the message recipient will be able to see that information.

User permissions and logging in

You can set different user permissions in Notify. This lets you control who in your team has access to certain parts of the service.

Two-factor authentication

To create an account on Notify, you’ll need to enter:

  • your email address and password
  • a code that Notify sends to your phone or email

Once you have logged in the first time, you can add a hardware-based security key to further increase the security of your account.

If you are having issues creating or accessing your account, email our support team at assistance@cds-snc.ca.

Information risk management

Our approach to information risk management follows TBS guidance. It assesses:

  • how Notify is built
  • the infrastructure Notify is built upon
  • support for the Notify service

This approach also applies to the service providers Notify uses to send messages.

How we manage risks on Notify

Things we do to manage risks on Notify include:

  • formal risk assessments based on TBS and CCCS guidance
  • residual risk statement preparation and active management of the risk treatment plan
  • security impact assessments

Authority to Operate

Notify has been assessed and authorized for operation by the CDS Chief Executive Officer, as the senior authorizing official for the service. This ATO will be re-assessed on at least an annual basis.

Data Categorization

You can use Notify to send messages designated up to and including “Protected A” per the Standard on Security Categorization.

Security Disclosure

Should an incident happen, we have comprehensive incident response and customer notification procedures in place.

Should you suspect a security breach or have discovered a vulnerability in the service, email us at security@cds-snc.ca and we’ll investigate immediately.