YOUR SECURITY AND PRIVACY
QMC Metering Solutions (“QMC”) exists to provide intelligent advanced metering solutions while respecting our customers’ privacy expectations. At QMC, we are dedicated to protecting your privacy and safeguarding the personal information you have entrusted to us.
By “personal information” we mean information about an identifiable individual. That’s what this policy is about – our collection, protection, use, disclosure, retention, and other processing of personal information and your rights relating to these activities.
- Identifying purposes
- Limiting collection
- Limiting use, disclosure, and retention
- Individual access
- Challenging compliance
Accountability and Challenging Compliance
QMC has named a Privacy Officer who is responsible for privacy at QMC. This includes our policies and procedures that are designed to keep your information safe. If you have any questions about our privacy practices or this policy, you can contact us at:
105 – 573 Sherling Place, Port Coquitlam, BC
Email: [email protected]
If you’re not satisfied with our response, you have the option of contacting the Office of the Privacy Commissioner of British Columbia:
Office of the Information and Privacy Commissioner for British Columbia 4th Floor, 947 Fort Street
QMC may collect, use, store, or disclose your personal information for the purposes described below, in order to provide you with services, including the following:
- We collect information directly from you but may also collect information from third parties when you connect your QMC account to them. These integrations may pull data into or share data out of QMC. In some cases, we use a service provider to connect you to a third-party service
- We may also collect your name and email address from third parties when you sign up and log in to our site using single sign-on (SSO)
- When you connect your QMC account with a third-party service, their terms and policies apply
- To promote or offer your products or services, and to determine your eligibility for new services we may offer from time to time
- To contact you for the purposes of service updates and system and account notifications
- To provide you with support in connection with the services
- To comply with any laws, regulations, court orders, warrants, inquiries, subpoenas or other legal processes or investigations, and to protect ourselves, other individuals, or property from harm.
We will never sell your personal information to other companies.
QMC takes a consent-based approach to the collection, use, and disclosure of personal information.
Submitting the personal information of others
If you submit the personal information of your customers or employees to us, you are responsible for informing such customers and employees about QMC, and for obtaining any necessary consent or authority from them.
Closing your QMC account
At any time, and without penalty, QMC users can withdraw their consent to the continued use or disclosure of their personal information by closing their QMC account. Please ensure that you complete the account closure process which includes a confirmation email. Otherwise, your account may not be closed.
Email and communications consent
QMC only collects the personal information necessary to provide our services to you. The services you use will determine which information QMC collects. We’ll also provide you with the option of sharing additional information to enhance your QMC experience.
QMC may also use third-party services to supplement or enrich our understanding of our customers. This includes cross-referencing information like a name, business name, email address, or IP address in third-party databases, and using the information there to improve our understanding of you and your business.
QMC is not intended for children and we do not knowingly or intentionally collect information about individuals under the age of thirteen (13).
Where required, business partners may have access to information in your QMC account, including personal information, and may perform various tasks on your behalf. You take full responsibility for any collection, use, or disclosure of your personal information by our business partners.
Limiting Use, Disclosure, and Retention
We will use your personal information as described in this policy and we will share your personal information with third parties only as described in this policy.
We will retain your information for the period necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law or regulation. To be clear, that means that we’ll retain your personal information while you have an active account, and afterward if we need to do so to meet our legal obligations. If you choose to close your QMC account, we will destroy your personal information in accordance with our data retention policies.
QMC relies on you to provide us with information that is accurate and complete. We provide you the mechanisms and rely on you to keep your information up to date. You can request updates or corrections of any inaccuracies in your personal information at any time by contacting us at the contact information listed in the policy. We will respond to your request within a reasonable timeframe.
QMC uses a combination of reasonable and appropriate safeguards designed to protect your information. These safeguards are administrative controls (things like policies, procedures, and training), technical controls (things like encryption, firewalls, and secure coding frameworks), and physical controls (secured hosting environments).
We ensure that any third party acting on our behalf maintains reasonable and appropriate safeguards in respect of your personal information. Additional information about our third parties’ privacy practices is available upon request.
If you have questions about security on our site, you can contact us at [email protected].
You are also responsible for helping to protect the security of your personal information. For instance, never give out your email account information or your password for the services to third parties. Our team will never request your password or PIN, and we ask that you never post account or credit card numbers to our support channels.
This policy outlines our privacy practices. If you have questions about it, please contact our Privacy Officer. This policy is available publicly at https://qmeters.com/privacy.
You may access, update, and correct your personal information that’s in our custody or control at any time, subject to limited exceptions prescribed by law. You can download or export data you input into the site at any time. Or, to correct inaccuracies, simply log in to your account and make the necessary changes.
You can also request access, corrections, or updates to all of your personal information, including information that’s not available through your account, by contacting us as set out in the Challenging Compliance section of this document. We may request certain personal information for the purpose of verifying the identity of the individual seeking access to their personal information records.
Public Content and Social Media
From time to time QMC may have public forums and blogs. Any information submitted there may be read and collected by anyone.
You may request removal of personal information from forum or blog posts and comments by contacting us at [email protected].
If you provide us with a testimonial, with your consent, we may post it on our site or in other materials and media, along with your name. If you want your testimonial removed, please contact us at [email protected].
We may transfer (or otherwise make available) your personal information to third parties who provide services on our behalf. For example, we may use service providers to host our website and to process payments. Your personal information may be maintained and processed by these third parties in other jurisdictions, like the U.S. When your information is in another jurisdiction, it will be subject to their laws. We only share the information that these service providers need to do their job and we don’t authorize them for any other use or disclosure of personal information.
We may use service providers to verify bank account information you provide to us in providing our services to you.
We may also use services provided by third-party platforms (such as social networking sites) to serve targeted ads on such platforms to you or others, and we may provide a hashed version of your email address or other information to the platform provider for such purposes. To opt-out of the sharing of your information with such platforms, please send an email to [email protected].
Visiting the Site and Using the Mobile Apps
In general, you can visit the site without telling us who you are or submitting any personal information. However, we and/or our service providers (such as Google Analytics) collect information such as how often users visit the websites, what pages they visit, and what other sites they used prior to visiting. The data collected is used to track and examine the use of the website and to prepare reports on its activities. We may use the data collected on the websites to contextualize and personalize the ads.
Cookies, Tags and Web Beacons
Technologies such as cookies, web beacons, tags, and scripts may be used by QMC, our advertising and analytics service providers (such as Google Analytics), and affiliates to analyze usage trends, administer the site, and to gather demographic information about our user base.
PCI-DSS compliant: QMC is Level 1 PCI-DSS compliant. This means that every year we have a third-party audit to validate our practices and make sure that we’re doing the right things for our customers.
Secure data transmission: When you load a page in your browser, or upload something to QMC, all of that information is encrypted while it’s moving over the internet. We lock up your data with up to 256-bit TLS encryption, the strength of protection you get with online banking and shopping. We also support a wide variety of ciphers (another kind of code) for our communications, to ensure the highest level of encryption possible based on your browser.
Tokenization: QMC doesn’t store credit card numbers. Credit card information is sent directly from your browser to our payment processor, and QMC receives a secure token back. This token is a code that authorizes QMC to complete the activity securely and efficiently without storing or exposing your credit card information.
Secure data storage: Your data is stored on servers that have strict physical access protocols. The facilities are controlled with 24/7 monitoring and the technology is digitally protected.
Security testing: QMC uses many layers of security testing. We test our systems internally. We also bring in third-party security firms to perform vulnerability assessments and penetration tests against our systems.
Passwords are encrypted when they’re sent to our servers. We never store them without encrypting them first. In fact, all communications between our apps and our servers are encrypted using Transport Layer Security (TLS), the replacement for Secure Sockets Layer (SSL) and the highest level of security protocols available. Beyond that, we don’t store any sensitive information, such as credit card numbers, on the device.
QMC has an internal risk system that uses a wide variety of tools and insights to protect our customers from fraud. We take a layered approach to risk detection for the highest level of protection and we monitor high risk and out-of-pattern behaviour to keep our platform safe.
Do you have additional questions about the security of QMC? Please contact us. We’d be happy to tell you more about the steps we take to ensure the security of your information.
QMC and General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA)
QMC’s internal policies are aligned with the objectives of GDPR and the CCPA. For example, under GDPR:
You have a right to close your account and have personally identifiable information deleted.
- You can close your QMC account, and when you do, we delete personally identifiable
You have a right to take your data with you.
- You own all of your data and you can export or request data files at any
You have a right to turn off direct marketing messages.
- We respect your email preferences and make it easy for you to opt
Companies must provide a ‘reasonable’ level of protection for personal data.
- As a company that handles financial information, including credit card transactions, QMC only uses data centers in secure facilities that meet the industry
We are working to meet GDPR and CCPA requirements and will keep you informed as we implement additional functionality to support your privacy rights.
Effective Date: 07/30/2021 10:33 AM
QMC INFORMATION SECURITY POLICY
QMC has a duty and responsibility to protect the information under its custody and control. Being able to access complete and accurate information is vital to QMC’s ability to operate efficiently and successfully provide products and services to customers.
QMC also collects, stores, uses, and discloses confidential and personal information on private individuals, employees, partners, and suppliers and its own operations. QMC has a duty to safeguard such information when processing it.
This Information Security Policy (the “Policy”) outlines a principles-based strategy for QMC to provide service, protect corporate assets, and manage change. Together, the principles and this Policy provide the basis for organizational priorities, strategies, and actions. The Policy is a living document and will continue to be updated and improved as the security landscape evolves and QMC provides operational feedback on implementation.
This Policy generally aligns with the information security management systems standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as set forth in ISO 27001 and 27002. Implementing this Policy will, therefore, support QMC’s intention to comply with various aspects of these international data security standards.
The Information Security Committee has developed a set of Information Security Guiding Principles that align with and support QMC’s stated purpose: “QMC is a leading provider of end-to-end submetering solutions and data management for large institutions and commercial, multi-residential properties.”
The purpose of this Policy is to:
- Protect QMC’s information against loss or theft, unauthorized access, disclosure, copying, use, modification, or destruction (each an “Information Security Incident”)
- Describe and clarify roles and responsibilities in respect of the creation, collection, use, storage, disclosure, and destruction of information
- Strengthen QMC’s business continuity if information is compromised or lost
- Enhance QMC’s compliance with applicable laws, regulations, and contractual obligations
- Ensure that QMC’s procedures and processes prioritize the protection of the following aspects of information:
  - Confidentiality – information is accessible only to authorized individuals
  - Integrity – ensure the accuracy and completeness of information
  - Availability – authorized users have access to all relevant information when required
This Policy establishes the framework for the management of information security within QMC.
This Policy and the procedures, processes, and other measures connected to it apply to all directors, officers, and employees of QMC, as well as third-party contractors and agents of QMC that have access to QMC’s information or information systems (collectively known as “individual users”).
This Policy applies to all forms of information created, communicated, collected, used, stored, and disclosed in connection with QMC’s operations, including:
- Documents, records, and other information in hard-copy or electronic form
- Documents, records, and other information transmitted by post, courier, fax, electronic mail, text messages, and other means
- Information stored in QMC servers, computers, laptops, mobile phones, and other information systems
- Information stored on any type of removable media, including memory sticks, digital cameras, discs, and other means.
This Policy is based on ISO 27002 and structured around the 11 main security category areas set forth therein. This Policy is supported and implemented by various controls intended to protect QMC’s information, including those set forth in standards, processes, procedures, and other measures (see below):
- Policies and standards define the processes
- Processes are operationalized through procedures
- Procedures are supported by tools and training
- Guidance documents provide operational advice
A failure to adhere to this Policy and the procedures and processes implemented therein may put information at risk of an Information Security Incident. Information Security Incidents can result in a range of negative consequences, including damage to QMC’s brand, economic loss, non-compliance with legislative requirements, and liability to QMC and third parties.
An Information Security Incident could occur at any point in the life cycle of the affected information (i.e., at its creation, collection, use, processing, storage, disclosure, deletion, or destruction).
QMC will, therefore, regularly undertake risk assessments to identify, quantify, and prioritize risks associated with its information, and subsequently develop controls to mitigate such risks. QMC will undertake risk assessments using a consistent and systematic approach.
This Policy sets out QMC’s approach to managing information security. This Policy is approved by management and is communicated to its Board of Directors, all employees of QMC, contractual third parties, and agents of QMC. The security requirements for QMC will be reviewed, at least annually, by the Executive Team and the head of the IT Security Provider. Any changes to the Policy shall first be approved by the Committee.
ORGANIZATION OF INFORMATION SECURITY
The Executive Team or delegate will review and make recommendations on the security policy, policy standards, procedures, incident management, and security awareness education.
QMC shall incorporate all applicable statutory, regulatory, and contractual requirements in this Policy, as well as its information security processes and procedures. QMC will also work to adhere to the ISO 27002 standards (the International Standards for Information Security) by:
- Issuing guidance on what constitutes an Information Security Incident
- Implementing processes and procedures that require all known or reasonably suspected Information Security Incidents to be reported and recorded
- Security Incidents and vulnerabilities to QMC’s information security systems to be reported to the IT Security Provider and subsequently investigated
- Producing, maintaining, and testing business continuity plans
- Preparing and administering information security education and training to all individual users as appropriate
- Ensuring that individual users only have access to and use QMC’s information as required for legitimate business purposes
- Obtaining specialist external advice where necessary to maintain this Policy and any processes and procedures hereunder to address new and emerging threats and standards
- The requirements of this Policy shall be reflected in QMC’s processes, procedures and contractual arrangements
The controls listed under ISO 27002 can be grouped into the following categories:
- Organizational controls: controls involving management, and the organization in general, and controls that reflect legal and regulatory obligations
- Technical controls: controls involving or relating to technologies, IT
- People controls: controls involving or relating to behaviors, activities, roles, and responsibilities of staff
- Physical controls: tangible controls such as locks, and other environmental protection such as fire and intruder alarms
- External party controls: controls involving or relating to parties outside QMC (e.g., service providers, vendors, third parties, contracted cloud services, etc.)
INFORMATION SECURITY RESPONSIBILITIES
Michael Cook, CFO is the designated owner of this Policy and is responsible for the maintenance and administration of this Policy and its related processes and procedures. Directors are responsible for ensuring that individual users are made aware of and comply with this Policy and its related processes and procedures.
Directors and managers are responsible for:
- Ensuring that all appropriate personnel including employees, contractors, and temporary personnel are aware of and understand this policy
- Creating appropriate performance standards and control practices within their areas to provide reasonable assurance that all users observe this policy
- Notifying the Information Security Provider promptly whenever a contractor or temporary employee leaves BC Housing or transfers to another department, so that his/her access can be revoked or modified
- Immediately reporting to QMC’s IT Service Provider any improper access to files or directories
The Director HR is responsible for:
- Ensuring, as part of the onboarding of all employees, awareness of and sign-off on the Information Security Policy, and notifying QMC’s IT Service Provider immediately of user transfers and terminations
All staff including contractors, temporary personnel, and third parties who connect to or use QMC’s computing and telecommunications services are responsible for following this Policy. Failure to comply may result in disciplinary action up to and including termination from employment for cause, termination of contract, and civil penalties and/or criminal sanctions, depending on the circumstances.
QMC’s assets (data, information, software, computer and communications equipment, and people) shall be accounted for and have an owner responsible for their maintenance and protection.
HUMAN RESOURCES SECURITY
QMC’s security policies will be communicated to all employees, contractors, and other third parties to ensure that they understand their responsibilities. QMC’s job descriptions and terms and conditions of employment shall include the relevant individual user’s security responsibilities. Background checks shall be carried out on new individual users to determine whether any particular Information Security Incident risks may be identified.
PHYSICAL AND ENVIRONMENTAL SECURITY
QMC shall store its information using reasonable physical and environmental safeguards appropriate to their sensitivity. Areas in which QMC stores information will be secured by defined security perimeters with appropriate security barriers and access controls. As well, critical and sensitive information will be physically protected from unauthorized access, damage, and interference.
COMMUNICATIONS AND OPERATIONS MANAGEMENT
QMC will define responsibilities and implement processes and procedures regarding the management, operation, and ongoing security and availability of all data and information processing facilities.
Wherever appropriate, QMC shall segregate duties and build additional checks into operational processes and procedures to reduce the risk of negligent or deliberate Information Security Incidents.
ACCESS CONTROL
QMC will control individual users’ access to QMC’s information. An individual user’s access to information and information systems will be set in accordance with QMC’s business requirements. Access will be granted to employees, third parties and other individuals according to their business role and only to the extent necessary to permit them to carry out their duties. A procedure will be implemented to document and update individuals’ access privileges to QMC’s information.
Remote access is provided at the discretion of QMC to assist in corporate operations and the delivery of services. Unapproved remote access to QMC’s networks is not permitted. Only remote access provisioned and approved by the senior management may be used to connect to QMC systems. It is the responsibility of each user with remote access privileges to ensure that their access is not used by unauthorized parties.
To reduce the risk of unauthorized use of QMC’s resources through the compromise of a remote computer, each user who is granted remote access privileges is responsible for ensuring that any computer which connects to QMC has the latest operating system security patches installed and is protected by up-to-date antivirus software. QMC files and information must not be stored on a user’s home computer or any other computer that is not owned and managed by QMC.
Working files are not to be stored on workstations or laptop hard drives. All data must be stored in the appropriate location on QMC’s network to ensure that it is backed up and can be recovered in the event of a system failure, accidental deletion, or data loss.
If a user suspects any improper access to files or directories, it must be reported to their manager or Director immediately.
Storage space on the file servers is limited and, therefore, users should not store non-work-related files (including pictures, music, videos) on QMC’s servers.
All files and information must be securely deleted from any hard drives or removable media that are being transferred to a new user or disposed of. Requests for secure data deletion should be submitted to QMC’s IT Service Provider.
INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND MAINTENANCE
QMC shall identify relevant information security requirements and undertake information risk assessments prior to or during the development, implementation, or modification of QMC’s information systems so that information security risks are accounted for as early as possible. QMC shall implement reasonable and appropriate controls to mitigate any risks that are identified.
INFORMATION SECURITY INCIDENT MANAGEMENT
Everyone who is subject to this Policy shall report any known or reasonably suspected Information Security Incident or vulnerability to QMC’s information systems to the IT Security Provider as soon as practicable.
QMC shall ensure that all officers, employees, contractors, and other third parties are made aware of the procedures for reporting of Information Security Incidents or vulnerabilities that may affect QMC’s information systems.
QMC shall take all required and appropriate corrective actions in response to an Information Security Incident, including providing any notifications to the Office of the Information and Privacy Commissioner, as well as affected individuals where appropriate or required by applicable law.
BUSINESS CONTINUITY MANAGEMENT
QMC will identify its critical business processes and implement measures to protect such processes from the effects of Information Security Incidents, natural disasters, and other major failures of information systems (“Major Disruptions”).
QMC has implemented an enterprise-wide business continuity management process to minimize the impact on QMC of any major disruption, recover information assets from loss wherever possible, and ensure that critical business processes resume as quickly as possible.
Where a major disruption occurs, QMC shall undertake a business impact analysis to assess the consequences of such event.
QMC shall comply with all statutory, regulatory, and contractual obligations that affect the design, operation, use, and management of its information systems.
RESPONSIBILITY FOR THIS POLICY
The Corporate CFO has overall responsibility for the effective operation of this policy, but has delegated day-to-day responsibility for overseeing its implementation to Julie Brunsch, QMC Compliance Administrator. All directors and managers have a specific responsibility to operate within the boundaries of this policy, take effective steps so that all employees understand the standards of conduct expected of them, and to act when behavior falls below its requirements. Managers will be given training so that they understand their accountabilities.
Effective Date: 07/30/2021 10:33 AM