Introduction
Summit Commercial Solutions maintains security and privacy practices to protect data used to issue, verify, and archive Certificates of Insurance (COIs) for Canadian organizations. This page summarizes Canadian data residency, PIPEDA-aligned privacy practices, access controls, secure COI workflows, and incident response.
What COI compliance means in our context
COI compliance refers to securely collecting, verifying, issuing, sharing, and retaining proof of insurance while protecting personal information and sensitive business data. Typical COI data elements include insured and certificate holder details, policy numbers and limits, effective/expiry dates, endorsements, and broker-of-record information.
Canadian data residency and classification
- Data residency: Summit stores personal information exclusively in Canada, per our published policy. See the Company Privacy Policy for details.
- Primary data classes handled for COIs:
  - Personal information (e.g., names, work contact details of authorized contacts and certificate holders).
  - Business information (policy numbers, coverage limits, endorsements, and insurer identifiers).
  - Operational records (COI requests, issuance logs, and correspondence).
- Retention and disposal: COI records are retained to meet business, legal, and regulatory obligations and are disposed of securely when no longer required.
PIPEDA alignment at a glance
Summit’s privacy practices are designed to align with the ten principles of the Personal Information Protection and Electronic Documents Act (PIPEDA). For details on how we apply these principles, see our Privacy Policy.
- Accountability: Designated privacy leadership and defined responsibilities for handling personal information.
- Identifying purposes: Purposes for collecting COI-related personal information are described at or before collection.
- Consent: Obtain consent appropriate to the context; respect withdrawals of consent, subject to legal and contractual restrictions.
- Limiting collection: Collect only the COI data required to verify coverage and fulfill certificate requests.
- Limiting use, disclosure, and retention: Use and share COI data only for the stated purposes and retain it only as long as necessary.
- Accuracy: Maintain reasonable processes to keep COI data accurate and up to date.
- Safeguards: Apply administrative, technical, and physical safeguards proportionate to sensitivity.
- Openness: Provide clear, accessible privacy notices and points of contact.
- Individual access: Facilitate access and correction requests as permitted by law.
- Challenging compliance: Provide a process for inquiries or complaints about privacy practices.
Access controls (administrative, technical, physical)
- Governance and least privilege: Access to COI systems and files is restricted by role and business need; access reviews are performed on a recurring basis.
- Authentication: Multi-factor authentication is required for privileged accounts and for remote access to administrative systems.
- Segregation of duties: COI issuance and approval steps are separated where feasible to reduce error and fraud risk.
- Logging and monitoring: Access to and changes of COI records are logged to support investigations and auditability.
- Endpoint security: Company-managed devices are secured with mandatory screen lock, disk encryption, and baseline configurations.
Secure COI workflows
- Intake: COI requests are accepted through authenticated channels or from verified requesters; requests are validated against active policy data.
- Verification: Policy status, limits, endorsements, and named insured details are confirmed prior to issuance; material deviations trigger broker review.
- Issuance: Certificates reflect current policy terms and effective dates; custom wording is controlled and approved.
- Distribution: COIs are shared only with designated recipients; sensitive attachments are transmitted via secure channels.
- Audit trail: Request, approval, issuance, and distribution steps are recorded with timestamps and responsible parties.
Vendor and subprocessors
- Selection and oversight: Third-party service providers supporting COI processing are evaluated for privacy and security controls commensurate with data sensitivity.
- Contractual protections: Agreements require confidentiality, appropriate safeguards, and breach notification duties.
- Data location: Consistent with our published policy, personal information is stored exclusively in Canada. See the Privacy Policy.
Incident response summary
- Detect and triage: Reported or detected security events involving COI data are logged, severity-rated, and assigned an owner.
- Contain and eradicate: Limit exposure, revoke compromised access, and remediate root causes.
- Assess impact: Determine the personal information involved, the affected individuals and organizations, and the regulatory implications.
- Notify: If required, notify affected parties and applicable regulators in accordance with Canadian law and contractual obligations.
- Recover and learn: Restore normal operations, validate controls, and implement corrective actions.
How to report a security issue
- Preferred contact: Security reports can be sent to our team via the channels on the Contact Us page. Please include a description, reproduction steps, and any relevant headers or logs.
- Security.txt location: Publication is planned at https://www.summitcover.ca/.well-known/security.txt to provide a standardized vulnerability disclosure contact. Until it is published, use the Contact Us page.
- Sensitive data handling: Do not include live credentials or excessive personal information in reports; we will arrange a secure channel for additional details if needed.
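For reference, this is what a minimal RFC 9116 security.txt at that location would look like. It is an illustrative example added here, not Summit's published file: the contact URL, the expiry date and the language list are placeholders to be replaced with the real values at publication.

```text
# Illustrative security.txt (RFC 9116) for https://www.summitcover.ca/.well-known/security.txt
# Added example; Contact, Expires and Preferred-Languages values below are placeholders, not Summit's published values.
Contact: https://www.summitcover.ca/contact
Expires: 2026-11-20T00:00:00.000Z
Preferred-Languages: en, fr
Canonical: https://www.summitcover.ca/.well-known/security.txt
```

Two checks before publishing: RFC 9116 makes both Contact and Expires mandatory and recommends that Expires be less than a year in the future, so the file needs a renewal reminder to avoid going stale; and it must be served over HTTPS with a text/plain media type at the /.well-known/ path, which is where scanners and reporters will look for it.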
Downloadable artifacts
- Summit Security & Privacy Overview (PDF): Request the latest copy via Contact Us; we will provide a downloadable PDF upon request.
- Claims support: For insurance loss events (not security incidents), see Claim Services.
Control map (COI-focused)
| Control domain | COI risk reduced | Summit practice | Evidence/reference |
|---|---|---|---|
| Data residency | Cross‑border exposure | Store personal information exclusively in Canada | Privacy Policy |
| Access management | Unauthorized COI access | Role-based access, MFA for privileged/admin use, periodic reviews | Internal procedures (available upon request) |
| Change logging | Undetected tampering | Event and access logs for COI issuance and edits | Internal procedures (available upon request) |
| Data minimization | Overcollection | Collect only data required to issue/verify COIs | Privacy Policy |
| Incident response | Prolonged exposure | Defined triage, containment, notification, and remediation steps | This page; internal runbooks |
Notes and scope
- This page summarizes current practices specific to COI-related data handling for Canadian operations. It does not modify policy terms, coverage, or legal obligations. For authoritative privacy commitments, see the Privacy Policy.
- Last reviewed: November 20, 2025.