Security

GC Notify is built for the needs of government services. It has processes in place to:

  • protect user data
  • keep systems secure
  • manage risks around information

Data

On GC Notify, data is encrypted:

  • when it passes through the service
  • when it’s stored on the service

All data, including email addresses, phone numbers, and information in personalized messages, is stored for 7 days within the system database. The exception is data files uploaded to the system. These are held for 30 days to allow for advanced scheduling of emails.

See the Privacy statement for more information on how personal information is handled by GC Notify.

Technical security

Other technical security controls include:

  • implementation of security controls from
    • Treasury Board of Canada Secretariat (TBS) cloud guardrails
    • TBS security playbook
    • Canadian Centre for Cyber Security (CCCS) Information Technology Security Guidance (ITSG-33)
  • protective monitoring to record activity and raise alerts about any suspicious activity
  • using JSON Web Tokens to avoid sending API keys when your service talks to GC Notify

Protect sensitive information

Some messages include sensitive information like security codes or password reset links.

If you’re sending a message with sensitive information, you can choose to hide those details on the GC Notify dashboard once the message has been sent. This means that only the message recipient will be able to see that information.

User permissions and logging in

You can set different user permissions in GC Notify. This lets you control who in your team has access to certain parts of the service.

Two-factor authentication

To create an account on GC Notify, you’ll need to enter:

  • your email address and password
  • a code that GC Notify sends to your phone or email

Once you have signed in the first time, you can add a hardware-based security key to further increase the security of your account.

If you are having issues creating or accessing your account, email our support team at assistance@cds-snc.ca.

Information risk management

Our approach to information risk management follows TBS guidance. It assesses:

  • how GC Notify is built
  • the infrastructure GC Notify is built upon
  • support for the GC Notify service

This approach also applies to the service providers GC Notify uses to send messages.

How we manage risks on GC Notify

Things we do to manage risks include:

  • formal risk assessments based on TBS and CCCS guidance
  • residual risk statement preparation and active management of the risk treatment plan
  • security impact assessments

Authority to Operate

GC Notify has been assessed and authorized for operation by the CDS Chief Executive Officer, as the senior authorizing official for the service. This Authority to Operate (ATO) will be re-assessed on at least an annual basis.

Data Categorization

You can use GC Notify to send messages designated up to and including “Protected A” per the Standard on Security Categorization.

Security Disclosure

Should an incident happen, we have comprehensive incident response and customer notification procedures in place.

Should you suspect a security breach or have discovered a vulnerability in the service, email us at security@cds-snc.ca and we’ll investigate immediately.