Cybersecurity Policy | Loi 25


1. Purpose and Scope

This cybersecurity policy outlines the security practices and measures that Yas Petit Poulet follows to safeguard its digital assets, customer data, and systems while adhering to the provisions of Loi 25 in Québec, Canada. This policy applies to all employees, contractors, partners, and stakeholders who interact with Yas Petit Poulet's digital infrastructure hosted on the Shopify platform.

2. Information Classification and Handling

All information and data collected and stored by Yas Petit Poulet will be classified based on its sensitivity into categories such as personal, confidential, and public. Access controls, encryption, and appropriate handling procedures will be applied based on these classifications to ensure data protection and privacy.

3. Data Collection and Privacy

Consent: Yas Petit Poulet will obtain explicit consent from individuals before collecting and processing their personal information in accordance with Loi 25 and other relevant privacy regulations.
Data Minimization: Only necessary and relevant data will be collected and retained, minimizing the risk of data breaches and unauthorized access.

4. Access Control and Authentication

User Authentication: Strong authentication mechanisms, including multifactor authentication (MFA), will be implemented to control access to Yas Petit Poulet's Shopify account and associated systems.
Access Management: Access privileges will be granted based on the principle of least privilege, ensuring that users have only the necessary access rights to perform their tasks.

5. Data Protection and Encryption

Data Encryption: Personal and sensitive data will be encrypted both in transit and at rest within the Shopify platform using Shopify's built-in security features.
Secure Transmission: Data transmitted between Yas Petit Poulet and its users over the Shopify platform will be encrypted using secure protocols to prevent unauthorized interception.

6. Incident Response and Reporting

Incident Identification: Yas Petit Poulet will implement systems to detect and respond to cybersecurity incidents promptly. Employees are required to report any suspicious activities or security incidents immediately to the designated IT or security person, Elyas Salame.
Incident Reporting: In the event of a data breach or security incident, Yas Petit Poulet will comply with the mandatory reporting requirements outlined in Loi 25.

7. Security Awareness Training

All employees and relevant stakeholders will undergo regular cybersecurity training to enhance their understanding of potential threats, best practices, and incident reporting procedures.

8. Risk Management

Regular Assessments: Yas Petit Poulet will conduct regular risk assessments to identify potential vulnerabilities and threats related to its use of the Shopify platform. Mitigation measures will be implemented to address identified risks.

Vulnerability Management: Yas Petit Poulet will stay informed about security updates and patches provided by Shopify and apply them promptly to ensure protection against known vulnerabilities.

9. Compliance Monitoring

Audits: Yas Petit Poulet will periodically assess its cybersecurity practices, including its use of the Shopify platform, to ensure compliance with Loi 25 and other relevant regulations.

10. Third-Party Security

Vendor Assessment: Prior to integrating third-party services with the Shopify platform, Yas Petit Poulet will assess the cybersecurity practices of these vendors to ensure data protection and regulatory compliance.

11. Policy Review and Updates

This policy will be reviewed and updated periodically to stay aligned with changing cybersecurity threats, technology advancements, and regulatory requirements.

12. Enforcement and Consequences

Failure to comply with this cybersecurity policy may result in disciplinary action, up to and including termination, and legal action as per Loi 25 and applicable laws.