Notify is built for the needs of government services. It has processes in place to:
- protect user data
- keep systems secure
- manage risks around information
On Notify, data is encrypted:
- when it passes through the service
- when it’s stored on the service
All data, including email addresses, phone numbers, and information in personalized messages, is stored for 7 days within the system database. The exception is data files uploaded to the system. These are held for 30 days to allow for advanced scheduling of emails.
See the Privacy statement for more information on how personal information is handled by Notify.
Other technical security controls on Notify include:
- implementation of security controls from:
  - Treasury Board of Canada Secretariat (TBS) cloud guardrails
  - TBS security playbook
  - Canadian Centre for Cyber Security (CCCS) Information Technology Security Guidance (ITSG-33)
- protective monitoring to record activity, and raise alerts about any suspicious activity
- using JSON Web Tokens, to avoid sending API keys when your service talks to Notify
Protect sensitive information
Some messages include sensitive information like security codes or password reset links.
If you’re sending a message with sensitive information, you can choose to hide those details on the Notify dashboard once the message has been sent. This means that only the message recipient will be able to see that information.
User permissions and logging in
You can set different user permissions in Notify. This lets you control who in your team has access to certain parts of the service.
To create an account on Notify, you’ll need to enter:
- your email address and password
- a code that Notify sends to your phone or email
Once you have logged in the first time, you can add a hardware-based security key to further increase the security of your account.
If you are having issues creating or accessing your account, email our support team at firstname.lastname@example.org.
Information risk management
Our approach to information risk management follows TBS guidance. It assesses:
- how Notify is built
- the infrastructure Notify is built upon
- support for the Notify service
This approach also applies to the service providers Notify uses to send messages.
How we manage risks on Notify
Things we do to manage risks on Notify include:
- formal risk assessments based on TBS and CCCS guidance
- residual risk statement preparation and active management of the risk treatment plan
- security impact assessments
Authority to Operate
Notify has been assessed and authorized for operation by the CDS Chief Executive Officer, as the senior authorizing official for the service. This ATO will be re-assessed on at least an annual basis.
You can use Notify to send messages designated up to and including “Protected A” per the Standard on Security Categorization.
Should an incident happen, we have comprehensive incident response and customer notification procedures in place.
Should you suspect a security breach or have discovered a vulnerability in the service, email us at email@example.com and we’ll investigate immediately.