Security and Privacy

Section 1 — Scope and Definitions

1.1 Document Scope

This Security & Privacy page describes, at a general and public level, the measures and principles applied by Valora Estate Concierge Inc. (“VALORA”) to protect the information and records processed within the scope of:

  • the use of the valoraestate.com website (“the Site”), including contact/quote forms and related communications;
  • the provision of post-mortem services (access & securing, on-site inventory, disposal/storage, liquidation, final report);
  • the provision of lifetime services (living estate file: estate inventory, document index, access and key register, update plan, handover protocol).

This page aims to explain how we approach security and privacy, without replacing our Privacy Policy (C2), which specifies the categories of personal information, purposes, disclosures to third parties, retention periods, and applicable rights.

1.2 Applicable Framework (Summary)

VALORA operates in Quebec. The protection of personal information held, used, or disclosed in the course of business operations is notably governed by the Act respecting the protection of personal information in the private sector (P-39.1) (often associated with “Bill 25” for its amendments).

Methodological note: security is implemented according to a logic of reasonable measures proportionate to the sensitivity of the information and the context of use, in accordance with the framework of the Private Sector Act.

1.3 Definitions (for reading this page)

For the purposes of this page:

  • Personal Information: information concerning a natural person that allows them to be identified, directly or indirectly (e.g., contact details, financial information, information related to an estate file, etc.), according to the meaning recognized in Quebec law applicable to the private sector.
  • Record: all information (documents, photos, inventory, reports, communications) relating to a mandate entrusted to VALORA (post-mortem or living estate file).
  • Confidentiality Incident: an event involving, for example, unauthorized access, unauthorized use, unauthorized disclosure, or loss of personal information. The Private Sector Act provides a management framework and, in certain cases, the obligation to notify or keep a register regarding incidents.
  • Supplier / Subcontractor: third party that may provide technological or operational services (e.g., hosting, storage, signing, transport, warehousing, specialized services) within the scope of a mandate, according to applicable authorizations and the governance provided in the record.
  • Security Measures: administrative, physical, and technological controls designed to protect the confidentiality, integrity, and availability of information (e.g., access control, logging, backups), described here in general terms.
  • Technological Means: notably a website, an online form, or an application, through which personal information may be collected; the CAI emphasizes the importance of clearly written and publicly accessible policies when collection occurs through these means.

Section 2 — Security Commitments (General Framework)

2.1 Guiding Principle: “Reasonable” and Proportionate Measures

VALORA implements security measures designed to ensure the protection of personal information collected, used, disclosed, stored, or destroyed. These measures are designed to be reasonable and proportionate, particularly based on:

  • the sensitivity of the information (e.g., financial information, estate documents, photos, inventories);
  • the purpose of use;
  • the quantity and medium (paper/digital) of the information;
  • the operational context (on-site, multi-stakeholder, urgency, etc.).

Important: “zero risk” security does not exist. Our commitment is part of a structured and proportionate approach, focused on prevention, detection, response, and continuous improvement.

2.2 Governance: Responsibilities, Policies, and Internal Practices

VALORA frames the protection of personal information through governance policies and practices aimed at ensuring its protection throughout its lifecycle. These policies and practices notably cover:

  • retention and destruction;
  • the roles and responsibilities of staff members;
  • internal mechanisms for handling complaints related to the protection of personal information.

VALORA also designates a personal information protection officer, whose identity and contact details must be made accessible (notably via the Site, where applicable).

2.3 Minimization and “Need-to-Know”

VALORA applies a discipline of minimization: collecting and using only the information necessary to perform the mandate, while avoiding over-collection. This approach is combined with a need-to-know principle:

  • limited access for individuals who need to access information to perform the mandate;
  • segmentation of information when relevant (e.g., separate access to sensitive documents);
  • framing of internal and external communications based on role and scope.

2.4 Traceability and Operational Discipline

In estate mandates, VALORA prioritizes a logic of traceability, notably through:

  • logging and registers when required by the mandate (e.g., site access, key handover);
  • structured deliverables (exportable inventory, indexed photo album, decision log), to reduce grey areas and improve governance.

This traceability aims for operational and evidentiary clarity, while remaining consistent with minimization (retaining only what is justified by the purpose of the mandate).

2.5 Security Culture: Awareness and Continuous Improvement

VALORA aims to maintain a security culture adapted to on-site realities and sensitive records, by:

  • raising staff awareness of best practices (confidentiality, communication prudence, document handling);
  • reviewing and adjusting practices when risks are identified;
  • a logic of continuous improvement (e.g., updating procedures as tools or threats evolve).

Section 3 — Access Controls, Identity, and Logging

3.1 Principle: “Least Privilege” and Separation of Roles

VALORA applies the principle of least privilege: each person accesses only the information necessary to perform their tasks, for the required duration. Accesses are structured by roles (e.g., field, coordination, administration) and adjusted according to the sensitivity of the record.

This approach is part of the obligation to protect personal information through reasonable security measures (particularly based on its sensitivity and context).

3.2 Identity Management and Authentication

When technological tools are used (e.g., storage, document sharing, signing, record management), VALORA prioritizes:

  • named identifiers (no shared accounts, where possible);
  • enhanced authentication mechanisms (MFA) when available and proportionate to the risk;
  • a discipline of identifier management (creation, deletion/deactivation, reset) to limit the risk of unauthorized access.

The exact measures vary depending on the tool and the scope of the mandate, but the logic remains: controlled, traceable, and reviewable access.

3.3 Access Controls for Records and Data (Digital)

VALORA structures access to records and documents according to:

  • rights per record (e.g., record A ≠ record B);
  • limitation of external sharing (e.g., controlled links, identified recipients);
  • separation, when relevant, between:
    • operational management documents (inventory, indexed photos, reports),
    • highly sensitive documents (e.g., certain financial information), with restricted access.

The objective is to avoid “implicit access” and maintain consistency between the purposes of the mandate and the access granted.

3.4 Physical Access Controls (On-site) and “Chain of Custody”

On-site, VALORA applies access control practices adapted to estate mandates:

  • key register (who holds what, handover/return dates, restrictions);
  • access log (who entered, when, why), when the context justifies it;
  • basic instructions aimed at reducing ambiguities when multiple people are involved.

These mechanisms aim to reduce grey areas regarding access and support traceability, while remaining proportionate to the record (avoiding unnecessary over-documentation).

3.5 Logging: Purpose, Minimization, and Duration

When logging is implemented (depending on the tool and the record), VALORA aims for useful logging:

  • to detect and understand unauthorized access or anomalies;
  • to support operational traceability (what was done and when).

Logs are retained based on a logic of necessity and minimization and should not become a disproportionate collection of information. The exact parameters (log type, duration) are adjusted based on risk, sensitivity, and context.

3.6 Access Review and Withdrawal

VALORA aims to:

  • review access when the scope changes (new milestone, new supplier, change of role);
  • withdraw or deactivate access when not required (end of mandate, staff change, etc.).

This discipline reduces the risks of residual access and supports overall compliance with the principle of information protection.

Section 4 — Encryption, Backups, and Continuity (Realistic Level, Without Over-Promising)

4.1 Principle: Protect Confidentiality, Integrity, and Availability (Proportionate)

VALORA aims to protect:

  • confidentiality (prevent unauthorized access),
  • integrity (prevent unauthorized alteration),
  • availability (maintain legitimate access when required),

through reasonable measures proportionate to the sensitivity of the information and the context of use.

4.2 Encryption: “In Transit” and “At Rest” When Available and Appropriate

When VALORA uses technological tools (e.g., storage, sharing, record management, signing), we prioritize solutions that offer, when available, protections such as:

  • in-transit encryption (secure communications between systems),
  • at-rest encryption (protection of stored data).

Important: the exact level of encryption depends on the tools chosen and the scope of the mandate. We avoid publicly disclosing precise technical parameters, while maintaining the objective of limiting information exposure and reducing the risk of unauthorized access, in accordance with the obligation to take reasonable security measures.

4.3 Backups: Objective of Reasonable Recovery

VALORA implements backup mechanisms adapted to the criticality of operational information (inventories, reports, documents, and deliverables), to reduce the impacts of accidental loss or an incident.

  • Backups are designed to allow for reasonable recovery of information, depending on the context and the tool used.
  • The terms (frequency, retention, scope) are determined based on volume, sensitivity, usage, and risks.

We avoid displaying quantified commitments (e.g., guaranteed deadlines) when this is not realistic for field operations; the objective remains proportionate resilience.

4.4 Restoration: Pragmatic Verifications

Where applicable to the tools selected, VALORA performs pragmatic verifications to ensure that backup and restoration mechanisms are usable (e.g., spot checks, verifications during major changes or as needed).

4.5 Business Continuity: Operational Priorities

In the event of tool unavailability or an incident, VALORA applies a proportionate continuity logic, based on:

  • prioritization of critical actions (e.g., access, inventory, deliverables required at milestone),
  • use of reasonable alternative mechanisms (e.g., fallback procedures, rescheduling, limited manual consolidation),
  • documentation of impacts when this affects deliverables or pace.

This approach aligns with the obligation to protect information and manage risk reasonably within the scope of activities.

4.6 Limitations (Reality Clause)

No security measure can eliminate all risk. VALORA is committed to adopting a structured and proportionate approach and to adjusting its practices as risks or tools evolve, in compliance with the applicable framework.

Section 5 — Incident Management (Cyber/Breach) and Register

5.1 Principle: Structured, Proportionate, Documented Response

VALORA applies an incident management approach aimed at:

  • detecting and qualifying the event (nature, scope, data concerned);
  • containing and limiting the impact (reasonable immediate measures);
  • correcting the cause or reducing the likelihood of recurrence;
  • documenting the incident and actions taken.

This approach is part of the obligations of the Private Sector Act regarding confidentiality incidents (definition, measures, keeping a register, notification when required).

5.2 Internal Process (Typical Steps)

Without claiming a heavy “enterprise” model, VALORA follows a pragmatic process:

  1. Reporting and Evaluation
    • receipt of a report (internal or external);
    • initial evaluation (urgency, systems concerned, potentially affected data).
  2. Containment / Immediate Measures
    • access limitation, account suspension, removal of a shared link, etc., as appropriate;
    • measures aimed at reducing the risk of harm.
  3. Analysis and Qualification
    • identification of personal information concerned;
    • analysis of the probable cause (e.g., human error, unauthorized access, loss, supplier incident).
  4. Remediation and Prevention
    • reasonable corrective actions (procedure, configuration, access, training, etc.);
    • adjustments to controls when relevant.
  5. Closure and Documentation
    • recording in the incident register;
    • lessons learned and follow-up actions.

5.3 Confidentiality Incident Register

VALORA maintains a confidentiality incident register, in accordance with applicable requirements. The register aims to keep a record of incidents and their handling, notably to support:

  • internal traceability;
  • compliance with the obligations of the Act;
  • continuous improvement of practices.

Note: the register may include elements such as the date, nature of the incident, affected information (categories), measures taken, and, where applicable, notifications sent, as required by the legal framework.

5.4 Notification to the CAI and Individuals: When and Why

When a confidentiality incident presents a risk of serious harm, the Private Sector Act provides for obligations to notify:

  • the Commission d’accès à l’information (CAI); and
  • the person concerned, subject to the terms provided by law (and applicable exceptions).

VALORA assesses the risk taking into account, notably:

  • the sensitivity of the information involved;
  • the anticipated consequences of its use;
  • the probability that it will be used for harmful purposes.

5.5 Mitigation Measures and Pragmatic Communications

Depending on the context, VALORA may implement reasonable measures to reduce the risk, for example:

  • deactivation of access, resetting of links/identifiers, limitation of sharing;
  • targeted notifications to concerned individuals on prudent actions to take (without unnecessarily alarming);
  • coordination with a technological supplier when the incident concerns them.

External communications are framed to be factual (what, when, plausible impact, measures taken) and to avoid unrealistic promises, while satisfying notification requirements when they apply.

5.6 “Incident / Privacy” Contact Point

VALORA maintains a contact point for:

  • reporting an incident or a privacy concern;
  • exercising rights related to personal information (see C2).

(The contact details of the officer are included in the appropriate documents, notably the Privacy Policy.)

Section 6 — Management of Suppliers and Subcontractors

6.1 Principle: Use of Suppliers, but Controlled Access

VALORA may use suppliers and subcontractors (e.g., hosting, storage, signing tools, messaging, operational services such as transport and warehousing, or specialized subcontracted services) when necessary to perform a mandate.

In all cases, the objective is to:

  • limit access to personal information to the strictly necessary (minimization);
  • frame access and use with reasonable measures;
  • maintain traceability and governance consistent with the mandate.

6.2 Typical Categories of Suppliers (Examples)

Depending on the mandates and tools selected, VALORA may use or coordinate suppliers, including:

  • Technology: hosting, storage and sharing, productivity tools, signing, CRM/record management (if deployed), analytics (if activated).
  • Field Operations: transport, warehousing, disposal and processing of goods (depending on channels), as well as ad hoc services.
  • Specialized Services: e.g., preparation of tax returns by subcontract (in accordance with defined mandates and scope).

These examples are not exhaustive. The suppliers actually used depend on the mandate and operational choices.

6.3 Contractual Framework and Supplier Obligations

When VALORA entrusts a third party with the mandate to collect, store, use, or disclose personal information on its behalf, the Private Sector Act requires a written contractual framework, including notably:

  • the supplier’s obligation to implement security measures;
  • the obligation to notify VALORA in case of a confidentiality incident;
  • conditions on the disclosure of information (e.g., limitation, authorization);
  • requirements relating to the destruction or return of information at the end of the mandate.

6.4 Access Control and Operational Principles

In practice, VALORA applies a “reasonable” discipline to reduce exposure:

  • access limited to only the necessary persons/functions at the supplier;
  • document sharing via controlled mechanisms (identified recipients, limited links when possible);
  • withdrawal/deactivation of access when no longer needed (end of milestone, end of mandate);
  • framing of communications (avoiding sending sensitive data via uncontrolled channels).

6.5 Operational Subcontracting: Decisions, Approvals, and Proofs

When suppliers intervene on-site (e.g., storage, transport, disposal), VALORA frames the execution by:

  • a clear scope (what, when, how);
  • approvals when irreversible actions or significant disbursements are involved;
  • supporting documents, when available (slips, confirmations, receipts), and their integration into the record.

6.6 Transparency: Where it is Documented

Details on:

  • the categories of personal information,
  • the purposes,
  • disclosures to third parties,
  • and, where applicable, the possibility of transfers outside Quebec

are described in more detail in the Privacy Policy (C2), which must be accessible via the Site when collection occurs through technological means.

Section 7 — Data Outside Quebec (If Applicable): Principle and Governance

7.1 Principle: Transparency and Prudence

VALORA may, where applicable, use suppliers or technological solutions whose infrastructure or certain operations involve the disclosure of personal information outside Quebec (“transfer outside Quebec”). In such a case, VALORA aims for a prudent approach: limiting what is disclosed, framing the disclosure, and ensuring that the level of protection remains adequate given the sensitivity of the information.

7.2 Legal Framework: Assessment and Framing Before Disclosure

When personal information must be disclosed outside Quebec, the Act respecting the protection of personal information in the private sector provides for prior framing, including notably:

  • the assessment of privacy factors (including, among others, the sensitivity of the information, the purpose, protection measures, and the applicable legal framework in the destination State); and
  • the conclusion of a written agreement containing measures to ensure adequate protection.

Deliberately cautious wording: VALORA does not state here that transfers systematically occur; this section frames the case where a transfer would be necessary.

7.3 Minimization and Operational Choices

In the event that a transfer outside Quebec is required, VALORA aims to:

  • limit disclosure to information necessary for the purpose;
  • prioritize, when reasonable, configurations that reduce exposure (e.g., restricted access, record segmentation);
  • avoid over-collection and uncontrolled sharing.

7.4 Information to Concerned Individuals (Referral to C2)

Information on disclosure to third parties and, where applicable, on the possibility of disclosures outside Quebec is specified in the Privacy Policy (C2), which describes the categories of information, purposes, and disclosure practices.

Section 8 — Privacy Settings, Technologies, and Consents

8.1 Principle: Transparency and Control “When Relevant”

VALORA aims to use technologies and privacy settings sparingly: only when necessary for the operation of the Site, the management of requests (quotes and evaluations), or the execution of a mandate. When technologies can identify, locate, or profile an individual, transparency and prior information are essential.

8.2 Identification, Location, or Profiling Technologies (If Used)

If VALORA uses, on the Site or via digital tools, a technology allowing identification, location, or profiling, VALORA aims to:

  • inform concerned individuals in advance;
  • indicate the means offered to activate these functions (or, where applicable, configure or deactivate them), in accordance with the applicable framework.

8.3 Consent: “Transactional vs. Marketing” Logic

VALORA distinguishes between:

  • transactional communications (responding to a request, managing a mandate), which are necessary for the service relationship;
  • marketing communications (newsletter, offers), which require separate consent and appropriate withdrawal and unsubscribe mechanisms.

8.4 Cookies, Trackers, and Analytics (Referral to C5)

When the Site uses cookies/trackers (e.g., for statistics, performance, or conversion measurement), VALORA aims to:

  • clearly describe the categories of cookies/trackers and their purposes;
  • offer, when relevant, configuration choices (especially for non-essential cookies).

Details (categories, purposes, duration, preference management) are presented in the Cookie Policy (C5), accessible on the Site.

8.5 Communications and Document Sharing: Operational Prudence

To reduce exposure, VALORA prioritizes pragmatic practices:

  • avoid sending highly sensitive information via generic, uncontrolled channels;
  • use controlled sharing mechanisms when documents need to circulate (identified recipients, limited access when possible);
  • limit shared information to that necessary for the mandate (minimization).

Section 9 — Retention and Destruction

9.1 Principle: Retain Only What is Necessary

VALORA aims to retain information (including elements of a record: inventory, photos, reports, communications) only for the duration necessary for the purposes for which it was collected or used, notably:

  • processing a request (quote and evaluation);
  • executing a mandate and delivering agreed-upon deliverables;
  • ensuring reasonable administrative follow-up (invoicing, record management, relevant operational proofs).

This principle is part of a logic of governance and personal information protection within a company.

9.2 Retention Parameters: Adapted to Mandate and Risk

Retention duration may vary depending on:

  • the nature of the mandate (partial vs. full management);
  • the sensitivity of the information;
  • operational needs (e.g., deliverables, follow-up, traceability);
  • applicable legal obligations (if any).

VALORA avoids “indefinite retention by default”: the objective is justified and proportionate retention.

9.3 Secure Destruction and Disposal

When retention is no longer necessary, VALORA aims for secure destruction of information according to its medium:

  • secure deletion of digital copies and removal of access;
  • secure destruction of paper documents when applicable;
  • confirmation or internal documentation of disposal when relevant (depending on the type of record).

These practices aim to reduce the risk of unauthorized access and align with the obligation to take reasonable security measures.

9.4 Handover of Deliverables and File Closure

At the end of a mandate (or at the end of a major milestone), VALORA hands over the agreed-upon deliverables (e.g., final report, exportable inventory, document index) and applies a closure logic:

  • confirmation of handed-over items;
  • clarification of temporarily retained items (if applicable) and retention/destruction terms;
  • withdrawal of external access when not required.

Details (typical durations, exact terms, deletion requests, etc.) are specified in the Privacy Policy (C2) and, where applicable, in the terms of the mandate (C4).

Section 10 — Security & Privacy Contact

10.1 Officer and Contact Point

For any questions regarding security, privacy, or the protection of personal information, you may contact VALORA’s personal information protection officer.

The Act respecting the protection of personal information in the private sector stipulates that the person holding the highest authority within the company is responsible for the protection of personal information, unless this function is delegated in writing, and imposes related governance obligations.

Contact Information (to be inserted)

  • Name / Title: Marie-Josée Legault, PIO — VALORA
  • Email: legal@valoraestate.com
  • Mailing Address: [to be inserted]

10.2 Reporting an Incident or Concern

If you believe that personal information has been:

  • lost,
  • disclosed to a third party without authorization,
  • accessed without authorization,
  • or used inappropriately,

you may contact VALORA using the contact details above. VALORA will evaluate the information received and apply its incident management process, including maintaining a register and, where applicable, issuing required notifications when the risk of serious harm justifies it.

10.3 Requests Regarding Your Personal Information

To exercise rights or make a request concerning your personal information (access, rectification, withdrawal of consent where applicable, etc.), please consult the Privacy Policy (C2), which describes:

  • the categories of information collected,
  • the purposes,
  • disclosures to third parties,
  • and the request procedure.

Section 11 — Updates

11.1 Evolution of Practices and Document

VALORA may update this Security and Privacy page to reflect:

  • the evolution of its services (post-mortem / living estate file);
  • changes in technological tools or suppliers;
  • the improvement of its operational practices;
  • or the evolution of the applicable framework.

Any update aims to keep the information clear and consistent with the Privacy Policy (C2) and the Cookie Policy (C5), when these documents apply.

11.2 Dates

  • Effective Date: [to be inserted]
  • Last Updated: [to be inserted]

11.3 Where to Find the Current Version

The current version of this page is published on valoraestate.com and accessible via the footer of the Site.