Security Policy
Effective Date: June 23, 2026 · Last Updated: June 23, 2026
1. Overview
AuraWorld Services Inc. is committed to maintaining robust security practices across all operational domains — including our physical logistics operations, digital systems, and the handling of confidential client data. This Security Policy outlines the safeguards we apply to protect our infrastructure, personnel, and the sensitive information entrusted to us by our clients across our Water Delivery, Food Services, and Printing & Branding service lines.
2. Physical Security
2.1 Facilities
- All AuraWorld operational facilities (warehouses, print production centers, food preparation areas) are secured with access control systems including key card entry and video surveillance.
- Unauthorized access to operational areas is strictly prohibited and enforced through physical barriers and monitoring.
- Food preparation and water bottling facilities comply with applicable Health Canada and provincial public health inspection standards.
2.2 Personnel Screening
- All AuraWorld employees and contractors undergo criminal background checks prior to onboarding.
- Staff who access client premises for delivery or service are issued verified AuraWorld identification badges.
- Delivery personnel follow strict chain-of-custody protocols for water and food deliveries.
2.3 Secure ID Card & Document Printing
- Secure print jobs (ID cards, access badges, confidential documents) are processed in restricted print areas with limited personnel access.
- All secure print materials are tracked from production through to delivery using a documented chain-of-custody process.
- Waste and rejected secure print materials are cross-cut shredded and disposed of in compliance with applicable data destruction standards.
3. Information Security
3.1 Data Classification
AuraWorld classifies data into four tiers:
- Public: Marketing materials, general website content.
- Internal: Operational procedures, internal communications.
- Confidential: Client records, contracts, billing information.
- Restricted: Secure print job data, payment credentials, personal identification information.
3.2 Access Controls
- Access to client data systems is governed by the principle of least privilege — employees receive only the access required to perform their job function.
- Multi-factor authentication (MFA) is required for all internal systems and client portal administrative access.
- Access rights are reviewed quarterly and revoked immediately upon employee departure.
3.3 Data Encryption
- All data in transit is encrypted using TLS 1.2 or higher.
- Sensitive data at rest (including client PII and payment records) is encrypted using AES-256.
- Payment card data is processed exclusively through PCI-DSS Level 1 compliant payment processors. AuraWorld does not store raw card data.
3.4 Network Security
- Internal networks are segmented to isolate operational systems from customer-facing systems.
- Firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) are deployed across all networked environments.
- Penetration testing is conducted at least annually by an independent third party.
- Vulnerability scanning is performed on a continuous basis with critical patches applied within 72 hours of release.
4. Operational Security
4.1 Supplier & Vendor Management
- All third-party vendors with access to AuraWorld systems or Client data must execute Data Processing Agreements (DPAs) and demonstrate adequate security posture.
- Critical suppliers are subject to annual security assessments.
4.2 Employee Training
- All employees complete security awareness training upon onboarding and annually thereafter.
- Staff handling Restricted data complete role-specific data handling training.
- Phishing simulation exercises are conducted quarterly.
4.3 Business Continuity & Disaster Recovery
- AuraWorld maintains a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) reviewed annually.
- Critical client data is backed up daily with geographically redundant storage.
- Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are defined per system and tested bi-annually.
5. Incident Response
AuraWorld maintains a formal Incident Response Plan (IRP). In the event of a confirmed security incident:
- Detection & Containment: Incidents are triaged within 1 hour of detection by our security team.
- Client Notification: Affected clients will be notified within 72 hours of a confirmed breach involving their data, in compliance with PIPEDA breach reporting obligations.
- Regulatory Notification: Where required, the Office of the Privacy Commissioner of Canada and applicable authorities will be notified.
- Post-Incident Review: A root cause analysis and remediation report is prepared within 14 days of incident closure.
To report a suspected security incident or vulnerability, contact: solutions@auraworld.ca
6. Compliance
AuraWorld aligns its security practices with the following frameworks and standards:
- PIPEDA (Personal Information Protection and Electronic Documents Act)
- ISO/IEC 27001 principles for information security management
- PCI-DSS for payment card data handling
- NIST Cybersecurity Framework (CSF) guidelines
- Health Canada food safety and water quality regulations
7. Policy Review
This Security Policy is reviewed annually and updated in response to material changes in our operations, technology, or the threat landscape. Questions regarding this policy may be directed to solutions@auraworld.ca.
