Orbit Accountants Appendices


Appendix A — Definitions

  • Breach: A breach of security safeguards that results in unauthorized access to, use, disclosure, or loss of Personal Information.
  • Client Records: Engagement information we handle on your behalf to provide Services, including documents and data you supply.
  • Confidential Information: Non-public information disclosed by a party that is marked or understood to be confidential.
  • Personal Information: Information about an identifiable individual under Canadian law.
  • Processing: Any operation performed on information (collection, use, disclosure, storage, etc.).
  • RROSH: Real risk of significant harm to an individual resulting from a Breach.
  • Service Provider: A third party engaged by Orbit to perform functions in connection with the Services or Site.

Appendix B — Illustrative Retention Schedule

  • Client Records: Minimum 7 years from the end of the fiscal year to which records relate or longer if required by law/professional standards.
  • Engagement communications: 7 years.
  • Billing & invoicing: 7 years.
  • Website analytics telemetry: per tool configuration.
  • Incident logs & Breach records: 24 months minimum from date of Breach, or longer if required by law.
    Note: Specific periods may be extended by legal hold or regulatory requirements.

Appendix C — Security Overview

  • Governance: privacy officer designated; access approved by role; periodic reviews.
  • Access controls: least-privilege, MFA where supported, strong passwords, periodic access review.
  • Encryption: in transit (TLS); at rest where supported by platforms.
  • Network & systems: endpoint protection; patching cadence; backups for critical data; vendor diligence.
  • People: confidentiality undertakings; acceptable-use guidelines; training.
  • Monitoring & logging: audit trails for key systems.
  • Incident response: documented plan; Breach assessment for RROSH; regulatory and individual notifications as required.
  • Sub-processing: due diligence and contractual safeguards with Service Providers.

Appendix D — Incident Notification Timelines

  • Initial assessment: commence within 24 hours of detection.
  • Client notification (if RROSH likely): without unreasonable delay after confirmation and within 72 hours where feasible.
  • OPC notification & recordkeeping: as required by law.
  • Continuous updates: provide material updates as information becomes available.

Appendix E — Sub-processing Categories

  • Secure document exchange & e-signature
  • Communications & ticketing
  • Accounting back-office tooling
  • Cloud storage & backup (Canada-hosted for Client Records)
  • Analytics (GA4; Matomo)
  • Payment processing

Appendix F — CASL Notices

  • Commercial electronic messages are sent only with valid consent (express or time-limited implied). Messages identify Orbit and include a working unsubscribe. Requests to unsubscribe are processed without delay.