Security Statement / LeadFilter™ Security Policy
Last Updated: November 18, 2025
Website: leadfilter.ca
Legal Entity: VIGO ONLINE GROUP (Sole Proprietorship, BIN: 1000520463)
Merchant of Record: VIGO ONLINE GROUP
Address: 2 Robert Speck Pkwy Suite 750, Mississauga, ON L4Z 1H8
1. Introduction
This Security Statement (“Policy”) describes the technical and organizational measures that VIGO ONLINE GROUP (“Company,” “we,” “Merchant of Record”) implements to protect the data of Users, Partners, and Leads when using the LeadFilter™ Service.
This Security Statement is part of the LeadFilter legal package and operates in conjunction with the Terms of Service, Privacy Policy, Data Processing Agreement (DPA), and Digital Goods Policy.
2. General Security Principles
LeadFilter™ is designed as a secure digital platform that complies with the requirements of:
- PIPEDA (Canada)
- GDPR (EU)
- CCPA (California)
- Industry Standards (OWASP, NIST guidelines)
The Company applies a multi-layered approach to data protection (“Defense in Depth”), including technical, logical, and organizational measures.
3. Data Storage and Protection
3.1. Storage Location
Data is stored in enterprise-grade data centers that comply with ISO 27001, SOC 2 Type II, and CSA STAR standards. The platform uses cloud infrastructure located primarily in Canada (for global users) and complies with data residency requirements where applicable.
3.2. Data Encryption
- In Transit: All data transmitted between the User and the Platform is encrypted using TLS 1.3 (Transport Layer Security).
- At Rest: All sensitive data stored in our databases is encrypted using AES-256 standards.
- Key Management: OAuth tokens and keys are managed via Hardware Security Modules (HSMs) with automatic rotation.
4. Data Access and Confidentiality
4.1. Employee Access
Access by VIGO ONLINE GROUP employees is strictly limited by the principle of least privilege:
- Technical personnel have access only to the infrastructure elements necessary for maintenance.
- There is no unauthorized analytical or marketing access to Lead data.
- All employee actions are logged and periodically audited.
4.2. Lead Data Handling
LeadFilter™ processes Lead data on behalf of Partners. We do not use Lead data for our own purposes and do not transfer it to third parties, except for:
- Performing the functions of the Service (delivery of digital goods);
- Complying with legal requirements;
- Facilitating the transaction as the Merchant of Record.
5. Stripe and Financial Operations (MoR Security)
5.1. PCI-DSS Compliance
As the Merchant of Record, VIGO ONLINE GROUP partners with Stripe, a certified PCI Service Provider Level 1.
5.2. Handling of Card Data
To ensure maximum security:
- VIGO DOES NOT store, process, or touch raw bank card numbers, CVV codes, or magnetic stripe data.
- All payment data is entered by the User directly into Stripe’s secure iframe (Elements), bypassing VIGO’s servers entirely.
- We only store the Payment Token and transaction reference IDs necessary for issuing refunds and tracking orders.
6. Logging and Monitoring
The platform employs a robust monitoring suite:
- Continuous Security Monitoring (CSM): Real-time scanning for vulnerabilities.
- DDoS Protection: Automated mitigation of denial-of-service attacks via Cloudflare.
- Intrusion Detection System (IDS): Alerts on suspicious traffic patterns.
- Audit Logs: Detailed records of all system changes and access attempts.
7. Data Breach Policy
In the event of a confirmed data security breach, the Company will:
- Immediately activate the internal Incident Response Plan.
- Notify affected Partners and Users without undue delay.
- Notify regulatory authorities (such as the OPC in Canada or DPA in Europe) if required by law.
- Provide notification for GDPR-covered data strictly within 72 hours.
8. Backup and Recovery
To prevent data loss, the platform performs:
- Daily Encrypted Backups: Snapshots of the database.
- Geo-Redundancy: Storage of backups in a separate secure region to survive physical data center failures.
- Recovery Testing: Regular drills to ensure data can be restored quickly.
9. Organizational Security Measures
- Access Reviews: Quarterly audits of employee access rights.
- MFA Enforcement: Mandatory Multi-Factor Authentication for all administrative access.
- Training: Regular security awareness training for all staff.
- BYOD Policy: Strict rules on the use of personal devices and remote work security.
10. Partner Security Responsibilities
Security is a shared responsibility. The Partner agrees to:
- Use complex, unique passwords for their LeadFilter account.
- Enable Two-Factor Authentication (2FA) if available.
- Never share their API keys or login credentials with third parties.
- Keep their own devices and browsers updated to prevent malware infections.
11. Vulnerabilities and Reporting
We welcome reports from security researchers. If you discover a vulnerability:
- Please report it exclusively to support@leadfilter.ca.
- Do not exploit the vulnerability to access other users’ data.
- We prioritize security fixes above new feature development.
12. Limitation of Liability
While VIGO ONLINE GROUP implements best-in-class security measures, no digital system can guarantee 100% protection against all future threats. The Company is not liable for breaches caused by:
- Force majeure events (unprecedented cyber-attacks);
- Compromise of the Partner’s own email or device;
- Third-party service failures (e.g., AWS or Stripe outages).
13. Security Contacts
For security inquiries or to report an incident:
VIGO ONLINE GROUP
Email: support@leadfilter.ca
Phone: +1 437 886 3152
Address: 2 Robert Speck Pkwy Suite 750, Mississauga, ON L4Z 1H8
