Your Data. Protected. Always Accessible.

What to Archive

• →Signed copies of your privacy policy — every version, with effective dates
• →Annual PIPEDA compliance reviews and assessments
• →Vendor data processing agreements
• →Staff privacy training completion records
• →Board resolutions relating to data governance
• →Breach notification records (if any)

Critical Rule

What Your IRP Should Include

• →Incident classification matrix — what constitutes a "breach" vs. an "incident"
• →Escalation contacts — who to call, in what order, including after-hours numbers
• →Regulatory notification procedures — OPC reporting, provincial requirements
• →IT vendor emergency contacts — hosting provider, software vendors, Matrix IT
• →Insurance carrier contact and policy number
• →Legal counsel contact
• →Public communications template — statement for customers if required

Types of Historical Records to Archive

• →Completed project files — final deliverables, sign-offs, correspondence
• →Financial records — invoices, statements, tax filings (7-year retention)
• →Expired contracts — may still be referenced in disputes years later
• →Audit records — internal and external audit reports and findings
• →Corporate records — minutes, resolutions, filings

Documents to Store in Archive

• !Cyber insurance policy — policy number, carrier contact, claim procedure
• !Property & business interruption policy — essential after a physical disaster
• !Directors & Officers coverage — needed during regulatory actions
• →Corporate legal agreements — shareholder agreements, partnership documents
• →Lease and property agreements
• →Material vendor contracts

Live vs. Archived IRP

• →Compliance folder (Nextcloud): Current working version — updated regularly, accessible to all managers
• →Archive folder (Wasabi S3): Versioned historical copies — what was the IRP on a specific date

10 PIPEDA Fair Information Principles

• 1Accountability — designate a privacy officer; store designation document in compliance folder
• 2Identifying Purposes — document why you collect each type of personal data
• 3Consent — maintain consent records in the archive
• 4Limiting Collection — document what you collect and why
• 5Limiting Use — data handling procedures in compliance folder
• 6Accuracy — correction procedures documented
• 7Safeguards — StorageCloud360 itself is part of your safeguards evidence
• 8Openness — privacy policy in compliance folder, version controlled
• 9Individual Access — access request procedures documented
• 10Challenging Compliance — complaint procedure documented

Core BCP Components to Store in Compliance Folder

• →Business impact analysis — what functions are critical and in what order they must be restored
• →Recovery time objectives (RTO) and recovery point objectives (RPO) for each system
• →Alternate operating procedures — how to perform critical tasks without normal systems
• →Emergency contact directory — staff, vendors, emergency services
• →Supplier and vendor alternatives — who to call if primary vendor is unavailable
• →Communication plan — how to notify staff, customers, and regulators

HR Documents to Centralize

• →Employee handbook — current version with acknowledgement tracking
• →Acceptable Use Policy (AUP) for technology and data systems
• →Privacy training completion records
• →Security awareness training records
• →Remote work policies
• →BYOD (Bring Your Own Device) policies

How TOTP Works

• 1User enters username and password
• 2StorageCloud360 prompts for MFA code
• 3User opens their authenticator app (Google Authenticator, Authy, Microsoft Authenticator)
• 4They enter the current 6-digit code — valid for 30 seconds only
• 5Access granted only if both factors match

Protection Layers

• ✓Nextcloud built-in throttling — slows login responses after repeated failures, making attacks impractically slow
• ✓Cloudflare WAF — detects and blocks credential stuffing patterns before requests reach the server
• ✓Cloudflare bot management — identifies automated attack traffic by behavioural signatures
• ✓No public server IP — attackers cannot bypass Cloudflare by targeting the server directly
• ✓MFA as final barrier — even if a password is guessed, MFA blocks access

How Backup Codes Work

• →Generated at MFA setup — typically 10 single-use codes
• →Each code can only be used once, then expires
• →Store them securely — printed and locked, or in a password manager
• →If all codes are used, new ones can be regenerated by the account holder or admin

Why HSTS Matters

• →Prevents "SSL stripping" attacks where a man-in-the-middle downgrades HTTPS to HTTP
• →Once a browser has seen the HSTS header, it never sends unencrypted requests to that domain again
• →StorageCloud360 sets HSTS with a 180-day max-age, includeSubDomains, and preload flag

How Cloudflare Stops DDoS

• ✓Cloudflare operates 100+ Tbps of network capacity globally
• ✓Anycast routing distributes attack traffic across hundreds of data centres
• ✓Machine learning identifies attack patterns in real time
• ✓Because your server IP is hidden, attackers can't bypass Cloudflare and hit you directly

TLS 1.3 Improvements Over TLS 1.2

• ✓Faster handshake — 1-RTT instead of 2-RTT, reduced connection latency
• ✓Forward secrecy — session keys cannot be decrypted even if long-term keys are later compromised
• ✓Removed weak cipher suites — only the strongest algorithms permitted
• ✓Encrypted SNI — hides even the domain name from network observers in supported configurations

Key Features

• ✓Works offline — files available even without internet, sync when reconnected
• ✓Selective sync — choose which folders to sync locally vs. cloud-only
• ✓Real-time sync — changes appear on all devices within seconds
• ✓Virtual files (Windows) — browse all files without downloading them first

Why Mobile Access Matters for Incident Response

• ✓Full access to all files including Compliance and Archiving folders
• ✓Auto-upload photos and documents from your phone
• ✓Available free on iOS App Store and Google Play
• ✓Biometric login (Face ID / fingerprint) supported

The US Jurisdiction Problem

• ✗US CLOUD Act (2018) — allows US law enforcement to compel US-based companies to disclose data stored anywhere in the world, including Canada, without notifying the data owner
• ✗US Patriot Act — broad data access provisions applicable to US-headquartered companies and their subsidiaries
• ✗Google, Microsoft, and Amazon are all US companies — their cloud services are subject to US jurisdiction regardless of where the data centre is located

StorageCloud360 Sovereignty Model

• ✓Infrastructure operated in Canada, managed by a Canadian IT partner
• ✓Wasabi storage in Toronto, Ontario — Canadian data residency confirmed
• ✓No US parent company with jurisdiction over your data
• ✓Subject to Canadian law only — Privacy Act, PIPEDA, provincial regulations

Dedicated vs. Shared Infrastructure

• ✓Your VM (VM 116) is dedicated to your organization — no shared tenancy
• ✓Separate firewall VM (VM 103) on the same Proxmox cluster — network isolation
• ✓Your data is not co-mingled with other customers' data at any level
• ✗Google Drive: your data is on the same physical infrastructure as billions of other users
• ✗Shared platforms: a vulnerability in one tenant's account can potentially affect others

Why Open Source Matters for Security

• ✓Source code is publicly available — security researchers worldwide review it continuously
• ✓No hidden data collection, telemetry, or advertising-driven design decisions
• ✓Vulnerabilities are disclosed openly and patched rapidly — no security through obscurity
• ✓Independent security audits published publicly

Wasabi Archive Pricing

• →1 TB ≈ 500,000 Word/PDF documents
• →1 TB ≈ 250,000 photos at high resolution
• →1 TB ≈ 6 months of continuous HD security camera footage
• →Most compliance and document archives fit comfortably in 1–5 TB

vs. Google Drive / OneDrive Pricing

• ✗Microsoft 365 Business Basic: $7.20 USD/user/month for 1 TB per user — expensive at scale
• ✗Google Workspace: $12 USD/user/month — per user pricing means costs multiply with headcount
• ✓Wasabi: ~$10 CAD/TB/month total — no per-user component

Recommended Migration Approach

• 1Identify critical documents — compliance docs, IRP, insurance, BCP first
• 2Copy (not move) to StorageCloud360 — keep originals in place, add StorageCloud360 as a secondary home
• 3Establish new document workflow — new compliance docs created in StorageCloud360 first
• 4Gradually archive historical files — move completed projects to the Wasabi archive tier
• 5Evaluate primary platform — once critical documents are protected, assess whether to migrate fully

What Your BCP Should Document

• →List of files stored in primary vendor that are critical to daily operations
• →Which of those files also have copies in StorageCloud360
• →Alternative workflows if specific documents are unavailable
• →Who is responsible for notifying staff of the vendor outage and alternate access procedures
• →Maximum acceptable downtime for each critical document category

Mandatory Steps Under PIPEDA

• !Step 1 — Assess: Determine if the breach poses a "real risk of significant harm" to individuals
• !Step 2 — Report: If yes, report to the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible
• !Step 3 — Notify: Notify affected individuals whose information was involved
• !Step 4 — Record: Maintain a record of every breach, even those that don't require reporting

First 4 Hours

• 1Isolate affected systems from the network immediately — unplug ethernet, disable Wi-Fi
• 2Do NOT power off encrypted systems — forensic evidence may be lost
• 3Access StorageCloud360 from an unaffected device — retrieve IRP and contact list
• 4Contact Matrix IT (your IT partner) — they lead the technical response
• 5Contact cyber insurance carrier — policy number stored in StorageCloud360
• 6Contact legal counsel
• 7Preserve evidence — photograph ransom note, document timeline
• 8Notify executive team

Hours 4–24

• 9Assess scope — which systems affected, what data involved
• 10Determine PIPEDA notification obligation — personal data involved?
• 11Do not pay ransom without legal and insurance guidance
• 12Begin recovery from clean backups with Matrix IT

Priority 1 Documents — Move First

• !Incident Response Plan
• !Business Continuity Plan
• !Cyber insurance policy and contact information
• !Key vendor emergency contacts
• !Regulatory compliance documentation

Template Language for Your BCP

What the OPC Looks For

• →Privacy policy — publicly available, current, accurate
• →Evidence that safeguards are in place — StorageCloud360 is part of this evidence
• →Consent records — how and when individuals consented to data collection
• →Breach notification records — all breach records since implementation
• →Access request handling — how you respond to individuals requesting their data

The 12 Essential Compliance Documents

• 1Privacy Policy (public-facing)
• 2Internal Data Handling Procedures
• 3Privacy Officer Designation
• 4Consent Forms / Records
• 5Breach Notification Procedure
• 6Breach Notification Record (log)
• 7Vendor Data Processing Agreements
• 8Staff Privacy Training Records
• 9Access Request Handling Procedure
• 10Data Retention and Destruction Policy
• 11Incident Response Plan
• 12Business Continuity Plan

Your 3-2-1 With StorageCloud360

• 3Three copies: Live data (primary) + Nextcloud (secondary) + Wasabi S3 archive (tertiary)
• 2Two media types: Primary server storage + Wasabi object storage (different architecture)
• 1One offsite: Wasabi Toronto data centre — physically separate from your premises AND your primary vendor

First 24 Hours

• 1Access StorageCloud360 from any phone or browser — retrieve BCP and emergency contacts
• 2Contact Matrix IT for server recovery coordination
• 3Contact insurance carrier (policy stored in StorageCloud360)
• 4Assess what data is in the Wasabi archive — identify what can be restored first
• 5Activate alternative operating procedures (documented in StorageCloud360 BCP)
• 6Communicate to staff using contact list from StorageCloud360

StorageCloud360 Offboarding Steps

• 1Contact Matrix IT or log into admin panel
• 2Navigate to Users and locate the departing employee's account
• 3Disable the account (preserves files and audit log)
• 4Review the audit log for their last 7 days of activity
• 5Check if any files were shared externally — revoke those shares
• 6Transfer ownership of any team files to a manager
• 7After 30 days, delete the account if no investigation is pending

What the Log Contains

• →File opened / previewed
• →File downloaded
• →File shared (internally or externally)
• →File deleted (including trashed)
• →Login events (success and failure) with IP address
• →Admin actions (account changes, permission changes)

How StorageCloud360 Supports PIPEDA

• ✓Principle 7 — Safeguards: StorageCloud360 itself is a documented technical safeguard for your personal data holdings
• ✓Principle 8 — Openness: Privacy policy stored in compliance folder, version-controlled with timestamps
• ✓Principle 1 — Accountability: Audit logs demonstrate that access to personal data is controlled and monitored
• ✓Breach Record-Keeping: Breach records can be maintained in the compliance folder with immutable timestamps

Recommended Structure

Compliance/ (team folder)
├── 01-Incident-Response/
│   ├── IRP-Current.pdf
│   ├── Emergency-Contacts.pdf
│   └── Breach-Notification-Templates/
├── 02-Privacy-PIPEDA/
│   ├── Privacy-Policy-Current.pdf
│   ├── Privacy-Officer-Designation.pdf
│   └── Breach-Records/
├── 03-Business-Continuity/
│   ├── BCP-Current.pdf
│   └── Vendor-Contacts.pdf
├── 04-HR-Policies/
│   └── Employee-Handbook-Current.pdf
└── 05-Insurance-Legal/
    ├── Cyber-Insurance-Policy.pdf
    └── Key-Vendor-Agreements/
        

Common Retention Requirements

• →Financial records: 7 years (CRA requirement)
• →Employment records: Varies by province — typically 3–5 years post-termination
• →PIPEDA breach records: 24 months from date of breach
• →Contracts: Until the contract ends + applicable limitation period (typically 2–6 years)
• →Corporate records: Permanently (minutes, resolutions)

Recommended Archive Structure

Archiving/ (Wasabi S3 bucket)
├── Compliance-Archive/
│   ├── 2024/
│   │   ├── Privacy-Policy-2024-01-01.pdf
│   │   └── Breach-Records-2024.pdf
│   └── 2025/
├── Financial-Archive/
│   ├── 2024/
│   └── 2023/
├── Legal-Contracts/
│   ├── Active/
│   └── Expired/
├── Projects/
│   └── [Project-Name]-Completed/
└── Corporate-Records/
    ├── Board-Minutes/
    └── Resolutions/
        

Essential IRP Sections

• 1Purpose and Scope — what events this plan covers
• 2Incident Classification — what is a "critical incident" vs. a "minor incident"
• 3Response Team Contacts — names, cell phones, and roles — printable one-pager
• 4Detection and Reporting — how incidents are identified and who is notified first
• 5Containment Steps — immediate actions to prevent spread
• 6Notification Obligations — when and how to notify OPC, affected individuals, and insurers
• 7Recovery Steps — how to restore systems, referencing StorageCloud360 archive as recovery source
• 8Post-Incident Review — what to document after the event

Basic Tabletop Exercise

• 1Scenario: "It's 9am Monday. Your primary server has been encrypted by ransomware. You have no access to any files on that server."
• 2Question 1: Where is your incident response plan? Can you access it right now from your phone?
• 3Question 2: Who do you call first? Do you have that number memorized or saved somewhere accessible?
• 4Question 3: What personal data was on that server? Do you have a record of this stored somewhere else?
• 5Question 4: When do you need to notify the OPC? What template do you use?
• 6Identify gaps — every question you can't answer is a gap StorageCloud360 can help fill

What Cyber Insurance Typically Covers

• ✓Forensic investigation costs after a breach
• ✓Legal fees and regulatory fines
• ✓Customer notification costs
• ✓Business interruption losses
• ✓Ransomware negotiation and ransom payment (some policies)
• ✓PR and crisis communications

What Insurers Are Starting to Require

• !MFA on all accounts with remote access — StorageCloud360 satisfies this
• !Documented backup and recovery procedures
• !Documented incident response plan
• !Offsite backups separate from primary infrastructure

The Cross-Border Transfer Issue

• !PIPEDA does not prohibit cross-border data transfers, but requires "comparable protection"
• !Transferring personal data to US providers means it may be subject to US legal process without your knowledge
• !The US CLOUD Act allows US authorities to compel disclosure from US companies regardless of where data is stored
• ✓Canadian-hosted data avoids this jurisdictional complexity entirely
• ✓Wasabi's Toronto region and Matrix IT's Canadian operations keep personal data under Canadian law

RROSH Assessment Factors

• →Sensitivity of the personal information involved
• →Whether the information was encrypted
• →Number of individuals affected
• →Whether the information is in the hands of a malicious actor
• →Likelihood of misuse

If RROSH is Present

• !Report to OPC: As soon as feasible after determining RROSH exists
• !Notify individuals: As soon as feasible — directly if practical
• !Record keeping: Maintain records for 24 months regardless of whether reporting was required

Definitions

StorageCloud360 Impact

• ✓Compliance documents in StorageCloud360: RTO = minutes (accessible from any browser immediately)
• ✓Wasabi archive: RPO = depends on how frequently you upload new archives — daily uploads = 24hr RPO

Recommended Structure

01-Incident-Response/
├── 🚨 START HERE - IRP-Quick-Reference.pdf
├── IRP-Full-Document.pdf
├── Emergency-Contacts-Printable.pdf
├── Breach-Notification/
│   ├── OPC-Report-Template.docx
│   ├── Customer-Notification-Template.docx
│   └── Breach-Record-Log.xlsx
├── Ransomware-Specific/
│   ├── Ransomware-Response-Steps.pdf
│   └── Ransom-Decision-Framework.pdf
└── Post-Incident/
    └── Post-Incident-Review-Template.docx
        

Step-by-Step MFA Setup

• 1Download an authenticator app on your phone — Google Authenticator, Microsoft Authenticator, or Authy
• 2Log into StorageCloud360 and go to Settings → Security
• 3Under "Two-Factor Authentication," click "Enable TOTP"
• 4Open your authenticator app, tap "+" or "Add account," and scan the QR code on screen
• 5Enter the 6-digit code from the app to confirm it's working
• 6Download and securely store your backup codes
• 7From now on, login requires password + the current code from your app

Installation Steps

• 1Go to nextcloud.com/install and download the desktop client for your OS
• 2Install and launch the app
• 3When prompted for server address, enter: your StorageCloud360 URL
• 4Log in with your username, password, and MFA code
• 5Choose which folders to sync — recommend syncing Compliance folder at minimum
• 6Files sync automatically in the background